Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How Do I Remove Raze Spyware?


  • Please log in to reply
27 replies to this topic

#1 Corindia

Corindia

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 12 November 2005 - 03:53 PM

I have had this red screen on my computer for at least the past week possibly longer. I have found the 'Install RazeSpyware.exe' and deleted it hoping that it would remove the red screen over my desktop. It didn't. I came across this website and was hoping that someone could help me. I have run 'Hijackthis' on my computer and it came up with the following:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:29 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
c:\program files\common files\aol\1124332747\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\DOCUME~1\Henry\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29836
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FFD1153-9937-2D9A-D777-6D550AF42B45} - (no file)
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099122520375
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1451/ftp...02/cpbrkpie.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O19 - User stylesheet: (file missing) (HKLM)
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

Please tell me what I should do! Thank you!
Rebecca

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 12 November 2005 - 03:54 PM

* Click here to download smitRem.zip.
  • Save the file to your desktop.
  • Unzip smitRem.zip to extract the files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
*Download Cleanup from Here
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET



* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.
* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:
si

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan

David

#3 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 12 November 2005 - 05:53 PM

Okay. Thank you so much! I have done as you specified and the following are my new results:
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:47:20 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Documents and Settings\Rebecca\Desktop\ewido folder\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\common files\aol\1124332747\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Rebecca\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29836
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FFD1153-9937-2D9A-D777-6D550AF42B45} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099122520375
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1451/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O19 - User stylesheet: (file missing) (HKLM)
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Rebecca\Desktop\ewido folder\security suite\ewidoctrl.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

Active Scan Log:

Incident Status Location

Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\z11.exe
Adware:adware/searchaid No disinfected C:\iefeatslinstaller.log
Adware:adware/gator No disinfected C:\WINDOWS\GatorPdpLoudInstaller.log
Adware:adware/portalscan No disinfected C:\WINDOWS\jawa32e.bin
Adware:adware/ncase No disinfected C:\TEMP\FLEOK
Dialer:dialer.yz No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/OLE32WS.DLL
Adware:adware/coupons No disinfected Windows Registry
Ewido Scan Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:20:09 PM, 11/12/2005
+ Report-Checksum: 25355EAD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} -> Spyware.JKSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5742F79A-1D91-42c4-990C-B46CF55A6478} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5742F79A-1D91-42c4-990C-B46CF55A6478}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B3B79DD5-4CD5-4F97-8829-5E1F08D46C66} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B3B79DD5-4CD5-4F97-8829-5E1F08D46C66}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C19EB5B1-FC58-456E-8793-384532ED5970} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CABBB49A-4D7B-415B-8250-15C3B854E9FF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\sr.sr\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\sr.sr.1\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Spyware.FizzleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject\CLSID -> Spyware.FizzleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject\CurVer -> Spyware.FizzleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.1 -> Spyware.FizzleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C89E0F84-3C34-43D1-A72C-AF1A160A7C07} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{CF87E7D9-D16A-485C-9104-943A0C088EF3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5742F79A-1D91-42c4-990C-B46CF55A6478} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} -> Spyware.JKSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/MaConnect.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/MaConnect.dll\\{02C20140-76F8-4763-83D5-B660107B7A90} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PSOCX.dll\\.Owner -> Spyware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PSOCX.dll\\{7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} -> Spyware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Ole32ws.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Ole32ws.dll\\{02C20140-76F8-4763-83D5-B660107B7A90} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\sr -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\sr\sr -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3666959609-3597314318-3965274173-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5742F79A-1D91-42C4-990C-B46CF55A6478} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Henry\Cookies\henry@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Judy\Cookies\judy@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Program Files\Beach Islands Screensaver\BI1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@ads.addynamix[2].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@bfast[2].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@bluestreak[1].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@casalemedia[1].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@casalemedia[2].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@centrport[1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@clickagents[1].txt.bak -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@clickagents[2].txt.bak -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@doubleclick[2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@fastclick[1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@fastclick[2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@gator[1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@hg1.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@questionmarket[1].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@revenue[1].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@revenue[2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@servedby.advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@trafficmp[1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@trafficmp[2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@xxxcounter[1].txt.bak -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@xxxtoolbar[2].txt.bak -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\henry@z1.adserver[1].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Magic Waterfall Screensaver\MW1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Midnight Lake Screensaver\ML1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@ads.specificpop[1].txt.bak -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@casalemedia[1].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@casalemedia[2].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@doubleclick[2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@offshoreclicks[2].txt.bak -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@qksrv[1].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@qksrv[2].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@revenue[2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@servedby.advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@servedby.advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@trafficmp[2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\henry@z1.adserver[1].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456650.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456651.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456652.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456653.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456654.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456655.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456656.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456657.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1169\A0456658.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons : Cleaned with backup
C:\WINDOWS\hyxx8407.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\2537078.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\2540546.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\42291156.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\42299437.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\z12.exe -> TrojanDownloader.Small.awa : Cleaned with backup


::Report End

Okay. What next? :)
Rebecca

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 13 November 2005 - 05:38 AM

Please do both of the following before we start if possible!:

1) Please print off these intructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29836
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29836
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/1/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {4FFD1153-9937-2D9A-D777-6D550AF42B45} - (no file)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1451/ftp...02/cpbrkpie.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O19 - User stylesheet: (file missing) (HKLM)
O20 - Winlogon Notify: mdfpro - mdfpro.dll (file missing)

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\z11.exe
C:\iefeatslinstaller.log
C:\WINDOWS\GatorPdpLoudInstaller.log
C:\WINDOWS\jawa32e.bin

_____________________

Manually delete this folder:

C:\TEMP\FLEOK
_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David

#5 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 13 November 2005 - 03:47 PM

Okay! I've got the second round of instructions completed and here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:55 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
c:\program files\common files\aol\1124332747\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1124332747\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Documents and Settings\Rebecca\Desktop\ewido folder\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Rebecca\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124332747\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099122520375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Rebecca\Desktop\ewido folder\security suite\ewidoctrl.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

What's next? *SSS* Thank you so much for your help! My family greatly appreciates it!
Rebecca

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 13 November 2005 - 04:16 PM

Clean Log!! Posted Image
How's everything running? :up: or :down: ?

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

How's everything running? :up: or :down: ?

#7 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 14 November 2005 - 12:32 PM

Everything seems to be working fine. However... I still have no desktop. How do I get my desktop back now? I have a cream and white screen. It is cream colored when I have the mouse on it but when the mouse is hovering over an icon the screen becomes white. I don't have the red Raze screen anymore. I right clicked on the cream screen and clicked on Properties and it gave me a Properties box with this in it...

General
pic Not Available

Protocol: File Protocol

Type: HTML Document

Connection: Not Encrypted

Address: file://C:WINDOWS\desktop.html
(URL)

Size: Not Available

Created: Not Available

Modified: Not Available

Certificates

OK Cancel Apply

That's the Properties box layout. When I clicked on Certificates I get a box labeled Certificate Information. Box is as follows:

Certificate Information

This type of document does not have a security certificate

OK



What's wrong with the desktop? Why don't I see my background? I've gone into the Control Panel and tried to see if it was something there but after I selected a background and Apply I still have the cream screen. ????? What am I doing wrong?
Rebecca

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 14 November 2005 - 01:45 PM

Download this to your desktop:
http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

After the merged successfully prompt, using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

Reboot your computer.

You should be able to change your desktop back to normal now.

Let me know how it goes! :thumbsup:

David

#9 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 14 November 2005 - 03:01 PM

Well it didn't work this round. My parent's computer has three users on it. I tried the last step on just my 'user' section and it didn't work.
So I downloaded smitfraud.reg to each user's desktop and ran it from each desktop, deleting the stuff in each Prefetch folder as well and then rebooted. It still didn't like it.
When the screen comes up after being rebooted I have my Stonehenge background with no icons on it. The screen then changes to solid blue and adds the icons then the solid blue changes to the cream colored screen again.
Is there anything else I can do?
Rebecca

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 14 November 2005 - 03:08 PM

Try this:

This fix is only for XP & Windows 2000

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Can not find script file "blah blah blah" then don't worry just doubleclick the cleandesktop.vbs script again you sometimes get that message when a script blocker blocks the script

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then press F5

You will need to do this step for every user account

David

#11 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 14 November 2005 - 03:27 PM

I got down to the 'C:\desktopclean and doubleclick' part.
I got a Self-Extracting Archive box which explained what it would do once started working. I clicked Yes.
It mentions what it is extracting and then suddenly an error message appears that goes like this:
Windows Script Host
Script: C:\DESKTO~1\CLEAND~1.VBS
Line: 14
Char: 2
Error: Could not create object named "WScript.Shell".
Code: 80040111
Source: WScript.CreateObject
OK

Once I click OK it just sends me back to the desktop. Should I continue on to the other users or do I need to fix something else first?
Rebecca

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 14 November 2005 - 03:29 PM

If it doesn't open then go to c:\desktopclean


Did it not originally open then?

David

#13 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 14 November 2005 - 03:32 PM

No It came up and asked me if I wanted to run it first and I clicked on Run. Then it 'ran' and I got all of the messages I posted above.
Rebecca

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:10 PM

Posted 14 November 2005 - 03:37 PM

I just want to check something before we try another way, sorry if you find yourself repeating things:

Navigate to this folder:
c:\desktopclean

double click on the cleandesktop.vbs

Tell me what happens

David

#15 Corindia

Corindia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:04:10 PM

Posted 14 November 2005 - 03:44 PM

[quote name='D-Trojanator' post='192022' date='Nov 14 2005, 03:37 PM']
I just want to check something before we try another way, sorry if you find yourself repeating things:

Navigate to this folder:
c:\desktopclean

double click on the cleandesktop.vb script: C:\desktopclean\cleandesktop.vbs
Line: 14
Char: 2
Error: Could not create object named "Wscript.Shell".
Code: 80040111
Source: WScript.CreateObject
OK

I clicked on the OK button and was left in the desktopclean folder with nothing else going on.
Rebecca




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users