Desktop Hijacked and can't find a fix

Question

jmholt78 0 Newbie Poster

18 Years Ago

hi....after trying ewido, spy sweeper, norton, macromedia, stinger, panda, and a few more tools.... I still can't get rid of this virus PLEASE HELP... it started out as a false security desktop and now the desktop is just black,

here is my hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 9:31:52 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Joe Holt\Desktop\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe Holt\Desktop\Hijack Log\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guitarnoise.com/article.php?id=57
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{811CA0D1-BE1F-49F2-B88D-137EF58AFEAF}: NameServer = 85.255.113.198,85.255.112.194
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B806C38-3AA5-43D7-94C4-4331BABD857E}: NameServer = 85.255.113.198,85.255.112.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{811CA0D1-BE1F-49F2-B88D-137EF58AFEAF}: NameServer = 85.255.113.198,85.255.112.194
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Joe Holt\Desktop\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

\thanks.. joe

windows-virus

2 Contributors
12 Replies
810 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by jmholt78

All 12 Replies

swatkat 14 Practically a Master Poster

18 Years Ago

Hi,
Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" or "Desktop Uninstall" if present.

Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan and please post back the same.

swatkat 14 Practically a Master Poster

18 Years Ago

Hi,
Download CCleaner and install it. Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Download KillBox, extract it to your desktop.

Open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\system32\sockdebug.exe
C:\~WRF0409.tmp

Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

[If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.]

After the reboot, please post a new HijackThis log. And, by the way, is your Desktop background back to normal?

swatkat 14 Practically a Master Poster

18 Years Ago

Hi,
Right-click on this link and click "Save Target As" (or "Save Link As") and save the file with the default filename (default filename would be smitfraud). Save the file in a convinient location.

Now, close the Ewido and Spysweeper backgroud guards (by right-clicking their System Tray icons and choosing shut down or exit option).

Next, double-click on the smitfraud.reg file and click "Yes" to merge it to Registry. Restart the PC and check whether the background is back to normal or not. Pleae post back the result.

Also, download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

jmholt78 0 Newbie Poster · Answer 1 · 2006-02-22T09:18:31+00:00

Tuesday, February 21, 2006 7:17:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/02/2006
Kaspersky Anti-Virus database records: 167196

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 83536
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:24:23

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\sockdebug.exe/data0003 Infected: Trojan-Clicker.Win32.VB.dn skipped

C:\WINDOWS\system32\sockdebug.exe NSIS: infected - 1 skipped

C:\~WRF0409.tmp Infected: Trojan-Downloader.Win32.Zlob.dy skipped

Scan process completed.

jmholt78 0 Newbie Poster · Answer 2 · 2006-02-23T03:33:51+00:00

Hi,

I did exactly as you asked, and here is the new hijack Log. My desktop is still blank and I cannot change it.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:44 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Joe Holt\Desktop\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Joe Holt\Desktop\Hijack Log\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guitarnoise.com/article.php?id=57
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{811CA0D1-BE1F-49F2-B88D-137EF58AFEAF}: NameServer = 85.255.113.198,85.255.112.194
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B806C38-3AA5-43D7-94C4-4331BABD857E}: NameServer = 85.255.113.198,85.255.112.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{811CA0D1-BE1F-49F2-B88D-137EF58AFEAF}: NameServer = 85.255.113.198,85.255.112.194
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Joe Holt\Desktop\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

jmholt78 0 Newbie Poster · Answer 3 · 2006-02-26T12:03:44+00:00

Hello again,
Yes my desktop is now back ;) and here is the log that you requested.
joe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...
PECompact2           6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\LPT$VPN.699
qoologic             6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\LPT$VPN.699
SAHAgent             6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\LPT$VPN.699
UPX!                 6/21/2005 1:43:28 PM        170053     C:\WINDOWS\tsc.exe
PECompact2           6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\VPTNFILE.699
qoologic             6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\VPTNFILE.699
SAHAgent             6/21/2005 1:43:28 PM        15215605   C:\WINDOWS\VPTNFILE.699
UPX!                 6/21/2005 3:08:08 PM        1044560    C:\WINDOWS\vsapi32.dll
aspack               6/21/2005 3:08:08 PM        1044560    C:\WINDOWS\vsapi32.dll


Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 3/31/2003 4:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PTech                11/4/2005 4:27:24 PM        534280     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2           2/7/2006 9:23:40 PM         4513120    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               2/7/2006 9:23:40 PM         4513120    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/3/2004 11:56:36 PM        708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/3/2004 11:56:44 PM        657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              3/31/2003 4:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu


Checking %System%\Drivers folder and sub-folders...
PTech                8/3/2004 9:41:38 PM         1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys


Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/25/2006 9:40:34 PM      S 2048       C:\WINDOWS\bootstat.dat
1/19/2006 12:15:04 AM    HS 389867     C:\WINDOWS\system32\cccdd.bak1
1/23/2006 8:48:08 PM     HS 390233     C:\WINDOWS\system32\cccdd.ini
1/24/2006 2:34:28 AM     HS 390867     C:\WINDOWS\system32\cccdd.tmp
1/3/2006 1:17:06 PM       S 8792       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911564.cat
1/13/2006 12:34:32 PM     S 7898       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
1/3/2006 9:39:38 PM       S 11223      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
1/2/2006 3:09:36 PM       S 11223      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/13/2006 11:28:32 AM     S 10925      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
1/31/2006 12:23:28 AM     S 18394      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem21.CAT
2/25/2006 9:41:04 PM     H  1024       C:\WINDOWS\system32\config\default.LOG
2/25/2006 9:40:40 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
2/25/2006 9:41:04 PM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
2/25/2006 9:42:26 PM     H  1024       C:\WINDOWS\system32\config\software.LOG
2/25/2006 9:41:40 PM     H  1024       C:\WINDOWS\system32\config\system.LOG
2/20/2006 9:26:10 PM     H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2/20/2006 9:21:52 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\02a43cd8-8e07-42f6-a5a4-8be6f730cb95
1/5/2006 3:59:26 PM      HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\52589ff1-daf7-4379-b83c-8a6ded02c0d8
2/20/2006 9:21:52 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
1/13/2006 4:53:38 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bea5c595-9df5-4d83-a629-d4e7f557a07d
2/20/2006 9:26:34 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f41f6732-4456-4490-9a3c-5e51cc4d307e
2/20/2006 9:26:34 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2/25/2006 9:40:34 PM     H  6          C:\WINDOWS\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
11/11/2005 1:47:00 PM       73728      C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Silicon Image                  10/19/2005 11:17:00 AM      77824      C:\WINDOWS\SYSTEM32\SilSupp.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/3/2004 11:56:58 PM        148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          3/31/2003 4:00:00 AM        28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation             9/24/2003 3:32:00 AM    R   73728      C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\nvtuicpl.cpl
Silicon Image                  11/26/2003 2:59:36 PM       69120      C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\SilSupp.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
4/17/2004 7:51:54 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/18/2004 12:42:10 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini


Checking files in %USERPROFILE%\Startup folder...
4/17/2004 7:51:54 PM     HS 84         C:\Documents and Settings\Joe Holt\Start Menu\Programs\Startup\desktop.ini


Checking files in %USERPROFILE%\Application Data folder...
4/18/2004 12:42:10 AM    HS 62         C:\Documents and Settings\Joe Holt\Application Data\desktop.ini
1/5/2006 3:53:52 PM         1850883    C:\Documents and Settings\Joe Holt\Application Data\Install.dat
5/29/2005 10:14:00 AM       12         C:\Documents and Settings\Joe Holt\Application Data\uns.tmp


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1  =


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Macromedia.FlashPaper.ContextMenu
{9DED7A30-D572-4D21-8D82-6945EA697400}   = C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B}   = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText     = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} =    :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ctfmon
hkey    HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    NvCpl
hkey    HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    NvCpl
hkey    HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySweeper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SpySweeper
hkey    HKLM
command "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SpySweeper
hkey    HKLM
command "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini  0
win.ini 0
bootini 2
services    0
startup 1



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1
undockwithoutlogon  1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  223
NoBandCustomize 1


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINDOWS\system32\userinit.exe,
Shell       = Explorer.exe
System      = csagu.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/25/2006 9:44:44 PM

swatkat 14 Practically a Master Poster · Answer 4 · 2006-02-26T12:37:22+00:00

Hi,
Good to hear that the Desktop background is back to normal :) . Now, to remove some "bad" files.

Open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.tmp
C:\Documents and Settings\Joe Holt\Application Data\Install.dat
C:\Documents and Settings\Joe Holt\Application Data\uns.tmp

Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

[If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.]

Can you do one more thing? After the reboot, please search (using Start Menu > Search funtion) for the file csagu.exe and if you find it, upload it to www.virustotal.com to scan the file. Plese post back whether the scan came out clean or not.
[Configure the Search to look for hidden/system files too. Here's how to do it:
Open the "Search" window by click Start Menu > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". After this, type/copy the filename to be searched and click the start the search]

jmholt78 0 Newbie Poster · Answer 5 · 2006-02-27T00:15:41+00:00

I did all that you asked. I then ran Ewido again to see if the system was clean and this is what it found. BTW everytime I run Ewido I find the same tracking cookie. Sometimes it is as few as 5 files sometimes there are as many as 21.
joe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:13:40 AM, 2/26/2006
+ Report-Checksum: F2A99082

+ Scan result:

C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@cs.sexcounter[2].txt[/email] -> TrackingCookie.Sexcounter : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@cz7.clickzs[2].txt[/email] -> TrackingCookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@edge.ru4[2].txt[/email] -> TrackingCookie.Ru4 : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@marinedepot.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@rotator.adjuggler[1].txt[/email] -> TrackingCookie.Adjuggler : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@tacoda[1].txt[/email] -> TrackingCookie.Tacoda : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@tribalfusion[1].txt[/email] -> TrackingCookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@www.myaffiliateprogram[1].txt[/email] -> TrackingCookie.Myaffiliateprogram : Cleaned without backup
C:\Documents and Settings\Joe Holt\Cookies\joe [email]holt@zedo[2].txt[/email] -> TrackingCookie.Zedo : Cleaned without backup

::Report End

swatkat 14 Practically a Master Poster · Answer 6 · 2006-02-27T00:50:21+00:00

Hi,
Cookies are not a major spyware threat. They are used by online advertisement services and some websites to "remember" the user's preferences. They can be deleted from within the web browser's options itself. But, CCleaner is a very good tool to delete these cookies and other junk files. Just run it after browsing Internet or before shutting down the system.

By the way, is the PC running fine now?

jmholt78 0 Newbie Poster · Answer 7 · 2006-02-27T10:20:03+00:00

Well If the ad aware is no big deal then I think we are cured. Will I have to run a scan every time I log on to remove that or should CC get it completely?

and a HUGE THANK YOU.. this PC has been driving me crazy for over a month

joe

swatkat 14 Practically a Master Poster · Answer 8 · 2006-02-28T01:14:06+00:00

Hi,
CCleaner can take care of those Tracking Cookies. But, do run Ewido or Antivirus scan regularly. I will mark this topic as "Solved" then :D

jmholt78 0 Newbie Poster · Answer 9 · 2006-02-28T15:23:27+00:00

Thanks Again. I am starting a new web site myself and I will link to your site as a place to get tech help.
joe

Desktop Hijacked and can't find a fix

Recommended Answers Collapse Answers

All 12 Replies

Recommended Answers