spyware prob (bad) please help (hijackthis log available)

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm


Post by andrew87 »

hey everyone,

all this spyware came onto my comp 1 day after i formatted and its ****tin me. i removed all of it and then when i look at the desktop it has a wallpaper sayin ur computer is infected by spyware download these programs and it has a web link. i cant right click on the screen, and all my icons have gone except for the originals. when i go into display settins through cont panel its all shaded in the wallpaper section and wont let me select a wallpaper.

anyone had this before,

help please

DREW
Croc
Posts: 7818
Joined: Sat Jan 20, 2001 12:00 pm
Location: Up top East side Downunder

Post by Croc »

Weblink and some details of what you removed would help a bit.
Gotta know what you were/are dealing with.

Croc.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

andrew87 I don't know if you were being sarcastic in the Software Forum about HijackThis or not, if not do the following:

Prior to doing anything XP users MUST disable System Restore!!! You can re-enable it after you are clean.

Please download Ad-Aware SE and SpyBot Search & Destroy 1.3TX then set them up EXACTLY as I have written HERE. This will offer much deeper scanning than the default settings that will find more spyware/malware.

Install and run CWShredder 2.13.

Then do a FREE online virus scan from Trend Micro.

Download the FREE 30-day trial of Kaspersky Personal 5.0 Antivirus and set it up EXACTLY as I have written HERE. KAV is the most comprehensive virus/malware scanner available, it will detect and eradicate any type of malware.

Also make sure you have ALL of the latest Windows Updates (only install SP2 for XP once you are spyware FREE).

I also HIGHLY recommend you download, update and scan with Spy Sweeper, there is a FREE 30-day trial and it is an EXCELLENT product.

It is also a good idea to run the Winsock Fix to repair your TCP/IP stack. (you will have to redo any tweaks for your connection if this is used)

If after doing ALL of the above and you are still having problems please scan with HijackThis 1.99.1 as shown HERE and post a log here in this forum for us to look at.

Once you are clean download SpywareBlaster 3.3 and set it up as shown HERE to help stay spyware free.

:)
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Boot to safe mode.
Go into Display properties>Desktop tab>Customize Desktop>Web Tab

Highlight the web page in the window, and select 'delete'

Basically, the setting for viewing your desktop 'as a web page' is enabled, and it's put a web page as your background. Depending on your version of Windows, the fix will vary; the above instructions are for XP.
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

ok, sorry but both those didnt work.
i installed everythin and tried but nothin happened.

heres the hijack this log


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Administrator\Application Data\wrss.exe
D:\WINDOWS\System32\?srss.exe
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\cidaemon.exe
C:\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\ntnut32.exe home
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Aham] D:\Documents and Settings\Administrator\Application Data\wrss.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0962582388
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

andrew87 wrote: ok, sorry but both those didnt work.
i installed everythin and tried but nothin happened.

No you didn't, you have Norton Antivirus installed. You don't have SpyBot, SpySweeper or Kaspersky installed.

:rolleyes: :rtfm:
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

ok nortons uninstalled, spybot was installed already and kaspersky is scannin now.
triniwasp
Posts: 2718
Joined: Sun May 09, 2004 2:29 am
Location: NorCal

Post by triniwasp »

thnx Dr. Tweak, didn't know I had to disable system restore, but it makes sense.

Adaware Se was locking up and it always seemed to do so when it was scanning the restore files.

Questions for ya: If I run adaware, spybot, spyware blaster, and MS anti-spyware beta, do I still need Webroot spy sweeper?

Thnx for any advice. :thumb:
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

ok heres the new one the annoying spyware i talked about in the first post is still there after kaspersky ran.



Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\?srss.exe
D:\WINDOWS\System32\cisvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\cidaemon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Winamp\winamp.exe
C:\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\ntnut32.exe home
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Aham] D:\Documents and Settings\Administrator\Application Data\wrss.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

I also recommend getting Microsoft's Antispyware tool in the mix, top notch product.
Scott
Senior Member
Posts: 3846
Joined: Thu Feb 14, 2002 12:00 pm

Post by Scott »

These should be fine to remove:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm

O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\ntnut32.exe home


And these look very suspicious, but I can't find any information on them...

D:\WINDOWS\System32\?srss.exe

O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

i removed the first 2 but no difference,

im not gonna touch the others until theres more opinions.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

First make a new folder on your hard drive named HijackThis, then move HijackThis into it. Then close ALL other programs and do a scan and have HijackThis fix the following items:

D:\Program Files\Common Files\Real\Update_OB\realsched.exe <---- not needed
D:\WINDOWS\System32\?srss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime <---- not needed
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <---- not needed
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\ntnut32.exe home
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe <---- if Norton is uninstalled then not needed
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe <---- if Norton is uninstalled then not needed
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe <---- not needed
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe

:)
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

its still not fixed, i dont know wat to do, and its really annoying

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\?srss.exe
D:\WINDOWS\System32\cisvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\cidaemon.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Aham] D:\Documents and Settings\Administrator\Application Data\wrss.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0962582388
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

andrew87 are you sure you set up Kaspersky as I wrote, using the extended database and did a full system scan?

I can honestly say I have never seen a virus slip past Kaspersky and you have a few things that are not being removed by HijackThis.

Also did you use SpySweeper as well?

:)
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

heres the hijack in safe mode where the problem still exists,

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Desktop\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Aham] D:\Documents and Settings\Administrator\Application Data\wrss.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0962582388



i ran spy sweeper and that cleared a couple of things, but im runnin kaspersky in safe mode now to see wat it gets.
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

ok kaspersky finished and then shutdown my comp, when i restarted the background was the "ACTIVE DESKTOP RECOVERY" wallpaper. but i still cant change the background in settings. another hijack this


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\?srss.exe
D:\WINDOWS\System32\cisvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Aham] D:\Documents and Settings\Administrator\Application Data\wrss.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0962582388
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Have HijackThis fix the following:

D:\WINDOWS\System32\?srss.exe <--- see the ? in this file, it should not be there, boot into safe mode and delete this exact file, not the legitimate srss.exe

O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe <--- if HijackThis does not remove this then boot into safe mode and delete this exact file
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe <--- if HijackThis does not remove this then boot into safe mode and delete this exact file
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe <--- if HijackThis does not remove this then boot into safe mode and delete this exact file
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe <--- see the ? in this file, it should not be there, boot into safe mode and delete this exact file, not the legitimate srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe <--- if HijackThis does not remove this then boot into safe mode and delete this exact file
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com

:)
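
Added example (not part of the thread and not written by any poster): a Python triage pass over HijackThis log lines that automates the checks the helpers above made by eye, namely a `?` in an executable's file name, a BHO listed as `(no name)`, and `O15` Trusted Zone entries. The rule names, the `triage` and `executable` helpers, and the extra heuristic that flags a Run value registered in both HKLM and HKCU are assumptions of this example; the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules on any host OS

# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\?srss.exe
D:\WINDOWS\Explorer.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKLM\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pvn] D:\WINDOWS\System32\Enu.exe
O4 - HKCU\..\Run: [Wqblsm] D:\WINDOWS\System32\?srss.exe
O4 - HKCU\..\Run: [Tkp] D:\WINDOWS\Vdl.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com
"""

SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O4 - ..."
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll|cpl|ocx))', re.IGNORECASE)


def executable(command):
    """Best-effort program part of a Run command line, without arguments."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def triage(log_text):
    """Return (rule, detail) pairs for entries that deserve manual review."""
    findings = []
    run_hives = defaultdict(set)  # (value name, program) -> hives seen
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        m = SECTION_RE.match(line)
        if m is None:
            # Windows file names cannot contain '?', so a '?' in a logged
            # name stands for a character the log could not represent.
            if in_processes and "?" in basename(line):
                findings.append(("unprintable-name", line))
            continue
        code, body = m.groups()
        if code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("nameless-bho", body))
        elif code == "O15" and body.startswith("Trusted Zone:"):
            findings.append(("trusted-zone", body.split(": ", 1)[1]))
        elif code == "O4":
            run = RUN_RE.match(body)
            if run is None:
                continue  # e.g. "Global Startup" shortcuts
            hive, name, command = run.groups()
            program = executable(command)
            if "?" in basename(program):
                findings.append(("unprintable-name", program))
            run_hives[(name, program.lower())].add(hive)
    # Added heuristic: same value name and program in both Run keys.
    for (name, program), hives in sorted(run_hives.items()):
        if hives == {"HKLM", "HKCU"}:
            findings.append(("dual-hive-run", f"[{name}] {program}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

A finding is a prompt for manual review, not a verdict: legitimate software can also trip these rules.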
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

im sorry mno but i tried that and nothin happened. im lost now.
greEd
Posts: 807
Joined: Wed May 09, 2001 12:00 am
Location: Maryland

Post by greEd »

Remove these trusted zones:
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

i removed them,

nothin happened.

the thing this stupid spyware/virus has disabled my right click in file windows but not on the start menu or IE. it freaks me out.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Were you able to delete the files I said to manually delete? Please post a new log. Also you might try repairing XP or insert your XP cd and go to start - run and type sfc /scannow and let it replace any system files that have been corrupted.

:)
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\cisvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\?srss.exe
D:\WINDOWS\System32\cidaemon.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D11DE5BA-580C-7ED0-2E25-78C2B72246C4} - D:\WINDOWS\System32\kggavtir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HGTXPEI] D:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0962582388



?srss is still as a process but i cant find a profile or a trace of it anywhere??
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Looks clean now except the ?srss.exe, are things working properly now?

:)
andrew87
Advanced Member
Posts: 579
Joined: Sun Jul 14, 2002 9:04 pm

Post by andrew87 »

nah the background thing is still there, and i still cant right click in file windows. and i did that file system restore and that just ****ed up my sound now, and im tryin to fix it.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

It sounds now like you need to repair XP, boot to your XP cd and choose repair, you will have to redo all of your updates but most likely it will fix things.

:)