I think I am hit by a virus/spyware. I got a Windows security alert balloon. When I restarted my computer, it disappeared, but my desktop background is stuck with a blue color and when I try to change it, the option seems to be locked or disabled. I tried to delete all spyware using AVG Anti-Spyware. Though it shows Deleted, the problem still exists. Your help to resolve this problem will be appreciated.

I am posting a copy of the log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:59:13 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SYSTEM32\SVCHOST.EXE
D:\WINDOWS\system32\ACS.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\dla\tfswctrl.exe
D:\Program Files\EzButton\EzButton.EXE
D:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
D:\Program Files\TOSHIBA\Power Management\CePMTray.exe
D:\Program Files\ltmoh\Ltmoh.exe
D:\WINDOWS\AGRSMMSG.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
D:\WINDOWS\system32\RAMASST.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\Saju Abraham K\Local Settings\Temp\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EzButton] D:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] D:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] D:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [LtMoh] D:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - D:\WINDOWS\system32\ACS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - D:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


-- Can you give us a fresh AVG Scanlog?

Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.

THEN:
-- Please download Peekaboo.bat to your Desktop.
-- DoubleClick peekaboo.bat and give it a couple seconds to run.
A log should pop up in Notepad. Please attach that (peek.txt) for me using the "manage attachments" button when you post back (scroll down).

BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!

Anyhoo, it is up to you if you want to trust me :)


Cheers :)
PP

I have attached the AVG scan log and the Peekaboo log. I have also placed the HijackThis log file in the path C:\Hijack This\hijackthis.txt. Please have a look at these. Thanks.

I tried to attach these files but for some reason it's giving an error on the page!! So, I am posting the two files here:

Peekaboo log:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=hex:b4,55,a7,70,3d,46,c7,01
"WallpaperLocalFileTime"=hex:b4,4d,d1,87,13,46,c7,01
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"Wallpaper"=""
"DisableRegistryTools"=dword:00000000
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"BackupWallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,\
49,00,4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,\
00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,\
63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,\
6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"WallpaperFileTime"=hex:b4,55,a7,70,3d,46,c7,01
"WallpaperLocalFileTime"=hex:b4,4d,d1,87,13,46,c7,01
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,\
00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,\
61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,\
00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,6c,00,\
70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"ComponentsPositioned"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,00,05,00,00,02,03,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,53,00,61,00,66,00,65,00,4d,00,6f,\
00,64,00,65,00,2e,00,68,00,74,00,74,00,00,00
"VisitGallery"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Scheme]
"Edit"=""
"Display"=""


AVG Scan log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:47:18 PM 2/1/2007
+ Scan result:

D:\Temp\acc.exe/ADPROT.EXE -> Adware.AdBlaster : Ignored.
D:\Temp\acc.exe/Sngpw36.exe -> Adware.AdBlaster : Ignored.
D:\Temp\acc.exe/Sngsh33.dll -> Adware.AdBlaster : Ignored.
D:\Temp\acc.exe/ngpw36.exe -> Adware.AdBlaster : Ignored.
D:\Temp\acc.exe/ngsh33.dll -> Adware.AdBlaster : Ignored.
D:\System Volume Information\_restore{96A8E3CB-2DB8-49B3-B45A-D27D2307B3D6}\RP43\A0011862.dll -> Adware.Minibug : Ignored.
D:\System Volume Information\_restore{96A8E3CB-2DB8-49B3-B45A-D27D2307B3D6}\RP43\A0011861.exe -> Adware.SaveNow : Ignored.
D:\System Volume Information\_restore{96A8E3CB-2DB8-49B3-B45A-D27D2307B3D6}\RP43\A0011863.exe -> Backdoor.DSNX.05.a : Ignored.

::Report end
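The Peekaboo output above is an ordinary .reg export (REGEDIT "Windows Registry Editor Version 5.00" format). The following Python is an added example, not the forum's Peekaboo.bat or FixxIt.reg (whose contents the thread does not show): it parses that format, handles the backslash continuation lines, decodes hex(2) REG_EXPAND_SZ data such as the wallpaper path, and then reports the values that would lock a wallpaper or pin an Active Desktop component over it. The value names checked (NoChangingWallpaper, ForceActiveDesktopOn, the policies\System Wallpaper value, Desktop\Components\0 Source) are the ones that appear in the log; the embedded sample is a constructed, shortened excerpt modelled on it, with a shortened wallpaper path.

```python
"""Triage a Windows .reg export for settings that lock the desktop wallpaper.

Added example; assumes the REGEDIT 5.00 export format that Peekaboo dumps.
"""
import re

# Constructed excerpt modelled on the Peekaboo log; the hex(2) path is shortened
# to %USERPROFILE%\W1.bmp so the continuation-line handling is still exercised.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"Wallpaper"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"Flags"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,57,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"""

POLICY_ROOT = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
DESKTOP_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop"


def decode_value(rhs):
    """Turn the right-hand side of a .reg line into (type, python value)."""
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    if rhs.startswith("hex(2):") or rhs.startswith("hex:"):
        data = bytes(int(b, 16) for b in rhs.split(":", 1)[1].split(",") if b)
        if rhs.startswith("hex(2):"):
            # REG_EXPAND_SZ is stored as UTF-16LE with a trailing NUL.
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY", data)
    if rhs.startswith('"') and rhs.endswith('"'):
        return ("REG_SZ", rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    return ("UNKNOWN", rhs)


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for a .reg export.

    Hex data that spans several lines ends each partial line with a backslash;
    those pieces are joined before the value is decoded.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def desktop_lock_findings(reg):
    """List settings that stop a user changing the wallpaper or that pin an
    Active Desktop HTML component over it. Key lookups ignore case, because
    exports mix "SOFTWARE" and "Software"."""
    lower = {k.lower(): v for k, v in reg.items()}

    def val(key, name, default=None):
        entry = lower.get(key.lower(), {}).get(name)
        return entry[1] if entry else default

    findings = []
    if val(POLICY_ROOT + r"\ActiveDesktop", "NoChangingWallpaper", 0) != 0:
        findings.append("policy NoChangingWallpaper is set: the wallpaper dialog is locked")
    if val(POLICY_ROOT + r"\Explorer", "ForceActiveDesktopOn", 0) == 1:
        findings.append("policy ForceActiveDesktopOn=1: Active Desktop cannot be switched off")
    if val(POLICY_ROOT + r"\System", "Wallpaper", ""):
        findings.append("policy System\\Wallpaper forces a fixed wallpaper path")
    source = val(DESKTOP_ROOT + r"\Components\0", "Source")
    if source:
        findings.append(f"Active Desktop component 0 points at {source}")
    wallpaper = val(DESKTOP_ROOT + r"\General", "Wallpaper")
    if wallpaper:
        findings.append(f"current wallpaper file: {wallpaper}")
    return findings


if __name__ == "__main__":
    for finding in desktop_lock_findings(parse_reg(SAMPLE_REG)):
        print("-", finding)
```

Run against the sample it reports the forced Active Desktop, the About:Home component and the decoded wallpaper path; the same functions can be pointed at the full Peekaboo text, where the decoded path comes out as %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp.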

You should have AVG CLEAN the items it finds. You have a couple of things hiding in System Restore.....

-- Please download FixxIt.zip and Extract FixxIt.reg to your desktop.
DoubleClick on FixxIt.reg and allow it to merge into the registry.
REBOOT

You ought to be able to reset your Desktop now.

Cheers :)
PP

Thanks a lot.. my desktop background is back.. but now a new problem has occurred.. it seems, when I try to connect to my wireless network, it's giving a "Limited or no connectivity" error all the time.. what do I do now?

This happened immediately after I fixed the previous problem of the desktop background.

This would be completely unrelated to what we just did.

The registry keys we addressed have nothing to do with your wireless network.


You could try this:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

If that doesn't help, we can try a few other things....

PP :)

I rebooted my computer after a long time.. everything looks normal now.. I didn't do anything to fix the network issue.. perhaps you're right that it has nothing to do with what we just did..

Anyway, thanks a lot for helping me get rid of that annoying desktop stuff.. really appreciate it.. :-))

Happy to help! :)

-- I think I initially misinterpreted your connection problem. Looking at it again, it looks like some troubleshooting of your wireless network might be in order.
It could be related to any number of things: Firewall settings, Winsock, Network Card, Router, and so on.....

Best Luck :)
PP
