
Solved: blue wallpaper that says "SPYWARE INFECTION..."

Discussion in 'Virus & Other Malware Removal' started by andwhutnot, Jan 1, 2006.

Thread Status:
Not open for further replies.
  1. andwhutnot

    andwhutnot Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    5
    Someone else had this exact same issue... here is a link to the thread:

    http://forums.techguy.org/security/...blue-wallpaper-stating-spyware-infection.html

    His issue is exactly the same as mine. None of my removal tools seem to help. He wrote: "My wallpaper is blue with a black rectangle in the center with the message 'SPYWARE INFECTION Your system is infected with spyware. Windows recomments you to use a spyware removal tool' etc. My taskbar tray has a red 'X' on it that pops up with 'Your computer is infected' etc. I have some new processes running that I've never seen before (most notably paytime.exe). Below is my hijackthis log. Any help would be IMMENSELY appreciated. Many thanks in advance."

    Since my logfile is slightly different, I thought I would paste mine in and ask the experts for custom removal instructions. I really appreciate any advice you have to offer. Please see my HijackThis logfile below. Thank you again.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:03:11 PM, on 1/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\appny32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wfxsnt40.exe
    F:\APPLIC~2\WinFax\WFXSWTCH.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\ipel32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Application_Setups\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: Class - {8F81986D-802E-D9AA-0FD3-B0937653C654} - C:\WINDOWS\system32\d3zs.dll
    O2 - BHO: Class - {EFF87883-66F6-9160-FD29-AC68E9F94CEC} - C:\WINDOWS\system32\d3th32.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WFXSwtch] f:\APPLIC~2\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ipel32.exe] C:\WINDOWS\ipel32.exe
    O4 - HKLM\..\Run: [B3.tmp] C:\DOCUME~1\Joe\LOCALS~1\Temp\B3.tmp.exe
    O4 - HKLM\..\Run: [B3.tmp.exe] C:\DOCUME~1\Joe\LOCALS~1\Temp\B3.tmp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093993674920
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appny32.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Please save or print these instructions before beginning.
    • Save smitRem to your Desktop and run smitRem.exe
    • Download and install Ewido Security Suite
    • During the installation, uncheck the following under Additional Options:

      Install background guard
      Install scan via context menu
    • Run Ewido and click OK when prompted to update the program
    • On the left side of the screen, click update>>Start
    • When the update is finished, exit Ewido
    • Extract About:Buster to your Desktop
    • Run About:Buster and click OK>>Update>>Check for Update
    • Download any available updates by clicking Download Update
    • Exit About:Buster
    • Save CWShredder to your Desktop
    • Run CWShredder and click I Agree>>Check For Update
    • Exit CWShredder
    • Run About:Buster and click Start>>OK
    • Click Yes when prompted to shutdown explorer.exe
    • Allow the program to make a second pass through your system if it asks you to do so
    • Click Save Log and save this log to your Desktop
    • Run About:Buster and click Start>>OK
    • Click Yes when prompted to shutdown explorer.exe
    • Allow the program to make a second pass through your system if it asks you to do so
    • Click Save Log and save this log to your Desktop
    • Run CWShredder
    • Click I Agree>>Fix>>Next and allow it to fix any problems it finds
    • Exit CWShredder
    • Run SpSeHjFix
    • Run CleanUp! and go to Options>>Custom CleanUp!
    • Put a checkmark next to each of the following items:

      Empty Recycle Bins
      Delete Cookies
      Delete Prefetch files
      Scan local drives for temporary files
      Cleanup! All Users
    • Click OK>>CleanUp!
    • Exit CleanUp!
    • Run HijackThis and click Do a system scan only
    • Put a checkmark next to any of the following entries that appear, and click Fix Checked:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
      R3 - Default URLSearchHook is missing
      O2 - BHO: Class - {8F81986D-802E-D9AA-0FD3-B0937653C654} - C:\WINDOWS\system32\d3zs.dll
      O2 - BHO: Class - {EFF87883-66F6-9160-FD29-AC68E9F94CEC} - C:\WINDOWS\system32\d3th32.dll
      O4 - HKLM\..\Run: [ipel32.exe] C:\WINDOWS\ipel32.exe
      O4 - HKLM\..\Run: [B3.tmp] C:\DOCUME~1\Joe\LOCALS~1\Temp\B3.tmp.exe
      O4 - HKLM\..\Run: [B3.tmp.exe] C:\DOCUME~1\Joe\LOCALS~1\Temp\B3.tmp.exe
      O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
      O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appny32.exe
    • Exit HijackThis
    • Open the smitRem folder and run RunThis.bat. Follow the onscreen prompts
    • Run Ewido Security Suite
    • Click scanner>>Complete System Scan
    • Click OK when prompted to clean the problems found
    • When the scan is finished, click Save Report and save a copy of this log to your Desktop
    • Exit Ewido
    • Go to Start>>Control Panel>>Internet Options>>Programs
    • Click Reset Web Settings>>Apply>>OK
    • Go to Start>>Control Panel>>Display>>Desktop
    • Click Customize Desktop>>Web
    • If you see an entry called Security info or something similar, select it and click Delete>>OK>>Apply>>OK
    • Run KillBox and select Delete on Reboot
    • Copy this list of file and folder locations:

      C:\WINDOWS\system32\d3zs.dll
      C:\WINDOWS\system32\d3th32.dll
      C:\WINDOWS\appny32.exe
    • Go to File>>Paste from clipboard. Click All Files
    • Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
      WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.
    • Post the contents of the About:Buster log you saved earlier
    • Post the contents of SpSeHjFix.log
    • Post the contents of C:\smitfiles.txt
    • Post the contents of the Ewido Security Suite report that you saved to your Desktop earlier
    • Run HijackThis and click Do a system scan and save a log file
    • Your HijackThis log will open in Notepad. Post the contents of the log here
     
  3. andwhutnot

    andwhutnot Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    5
    Ok... I went through all of those steps and the problem appears to be corrected. Strangely, one of the steps changed the appearance of my operating system. It no longer looks like Windows XP. It has the "classic" Windows '98 look. This is a minor problem, but I cannot figure out how it happened or how to fix it. (I suspect it was About:BUSTER that made the change).

    I really do appreciate all of the help. Below is the information you requested:

    HijackThis logfile - post-removal steps:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:18 AM, on 1/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    F:\APPLIC~2\WinFax\WFXSWTCH.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    F:\Application_Setups\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WFXSwtch] f:\APPLIC~2\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093993674920
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    About:BUSTER: No logfile saved (there was no option for it).

    SpSeHjFix Log:

    (1/1/06 11:35:03 PM) SPSeHjFix started v1.1.2
    (1/1/06 11:35:03 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (1/1/06 11:35:03 PM) Language: english
    (1/1/06 11:35:03 PM) Win-Path: C:\WINDOWS
    (1/1/06 11:35:03 PM) System-Path: C:\WINDOWS\system32
    (1/1/06 11:35:03 PM) Temp-Path: C:\DOCUME~1\Joe\LOCALS~1\Temp\
    (1/1/06 11:35:05 PM) Disinfection started
    (1/1/06 11:35:05 PM) Bad-Dll(IEP): (not found)
    (1/1/06 11:35:05 PM) Bad-Dll(IEP) in BHO: (not found)
    (1/1/06 11:35:05 PM) UBF: 8 - UBB: 3 - UBR: 21
    (1/1/06 11:35:05 PM) UBF: 8 - UBB: 3 - UBR: 21
    (1/1/06 11:35:05 PM) Bad IE-pages: (none)
    (1/1/06 11:35:05 PM) Stealth-String not found
    (1/1/06 11:35:05 PM) Not infected->END

    Ewido Security Suite:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:48:54 AM, 1/2/2006
    + Report-Checksum: 65821E54

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ACE-6851-45C3-A7FF-C281324D5489} -> Spyware.2nsSearch : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30000273-8230-4DD4-BE4F-6889D1E74167} -> Spyware.VX2 : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{386A771C-E96A-421F-8BA7-32F1B706892F} -> Spyware.ISTBar : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
    HKU\S-1-5-21-602162358-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
    C:\Documents and Settings\Joe\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\n.exe -> Downloader.Small.cdo : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\SahHtml_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\ATPartners.dll -> Downloader.Rameh.c : Cleaned with backup
    C:\WINDOWS\system32\b5s.dll -> Adware.eZula : Cleaned with backup

    ::Report End

    Kaspersky Online Scanner: (did not do a full system scan b/c it kept crashing):

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, January 02, 2006 10:13:41
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 2/01/2006
    Kaspersky Anti-Virus database records: 158433
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Critical Areas:
    C:\WINDOWS
    C:\DOCUME~1\Joe\LOCALS~1\Temp\

    Scan Statistics:
    Total number of scanned objects: 17841
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 1431 sec
    No malware has been detected. The sections that have been scanned are CLEAN.

    Scan process completed.


    Does it look ok? Is there a way to get my XP look back to Windows? I have already tried changing the theme... it did not work.
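As an added illustration, not code from this thread, from HijackThis or from any of the tools named in it, the Python below encodes what the entries brendandonhu told the poster to fix have in common (IE search pages redirected into a res:// DLL resource, a BHO with no name, Run entries that launch from the Windows folder, a Temp folder or the drive root, and a service with an unknown owner and a garbled name) and then checks the post-removal log against the same rules. The two sample logs are constructed subsets of the logs posted above; the function names and the heuristics are my own.

```python
import re

# Constructed sample: a subset of the pre-removal HijackThis log posted in this thread.
PRE_REMOVAL_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ntlyk.dll/sp.html#49977%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8F81986D-802E-D9AA-0FD3-B0937653C654} - C:\WINDOWS\system32\d3zs.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ipel32.exe] C:\WINDOWS\ipel32.exe
O4 - HKLM\..\Run: [B3.tmp] C:\DOCUME~1\Joe\LOCALS~1\Temp\B3.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appny32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Constructed sample: a subset of the post-removal log from the same thread.
POST_REMOVAL_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - ..." / "R1 - ..."
EXE_PATH_RE = re.compile(r'\]\s*"?(.*?\.exe)', re.IGNORECASE)  # path after "[name]"


def parse_log(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def risky_location(path):
    """Say why a program path deserves a look, or return None.
    These are the locations the malware in this thread used; legitimate
    software occasionally lives there too, so this is triage, not a verdict."""
    p = path.lower().replace("/", "\\")
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "executable directly in the Windows folder"
    if "\\temp\\" in p:
        return "executable in a Temp folder"
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "executable in the drive root"
    return None


def flag_entry(section, body):
    """Return a reason if the entry matches a pattern from this infection, else None."""
    if section in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].lower()
        # IE start/search pages redirected into an HTML resource inside a DLL
        if value.startswith("res://") and ".dll/" in value:
            return "IE start/search page points at a res:// DLL resource"
    elif section == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    elif section == "O2" and body.startswith("BHO: Class - "):
        return "BHO with no descriptive name"          # only the generic "Class"
    elif section == "O4":
        m = EXE_PATH_RE.search(body)
        if m:
            return risky_location(m.group(1))
    elif section == "O23":
        parts = body.rsplit(" - ", 2)                  # name - owner - path
        if len(parts) == 3:
            name, owner, path = parts
            odd_name = any(ord(c) > 126 or ord(c) < 32 for c in name)
            if owner == "Unknown owner" and (odd_name or risky_location(path)):
                return "service with unknown owner and unusual name or location"
    return None


def triage(text):
    """List (section, body, reason) for every flagged entry in a log."""
    flagged = []
    for section, body in parse_log(text):
        reason = flag_entry(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged


def verify_removal(before_text, after_text):
    """Entries flagged in the earlier log that are still present in the later one."""
    after_entries = set(parse_log(after_text))
    return [(s, b, r) for s, b, r in triage(before_text) if (s, b) in after_entries]


if __name__ == "__main__":
    for section, body, reason in triage(PRE_REMOVAL_LOG):
        print(f"{section}: {reason}\n    {body}")
    print("still present after cleanup:", verify_removal(PRE_REMOVAL_LOG, POST_REMOVAL_LOG))
```

Run against the two samples, every entry brendandonhu listed is flagged and none of them survives into the post-removal log. The one item that does survive is UpdReg.EXE, a Creative component that sits in the Windows folder and that the helper deliberately left alone: the location rule surfaces it as a candidate, and a person decides. That is the intended division of labour for this kind of heuristic.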
     
  4. awalker0878

    awalker0878 Removed by request

    Joined:
    Dec 16, 2005
    Messages:
    407
    Make Sure Themes Service is Started:

    start/run: cmd (copy the text from the forum, right-click on the blinking cursor and click Paste, one line at a time)

    sc config Themes start= auto
    net start Themes
    exit
     
  5. andwhutnot

    andwhutnot Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    5
    I tried that to no avail... here's what it says:

    C:\Documents and Settings\Joe>sc config Themes start= auto
    [SC] ChangeServiceConfig SUCCESS

    C:\Documents and Settings\Joe>net start Themes
    The requested service has already been started.

    More help is available by typing NET HELPMSG 2182.

    Basically, nothing has changed... I wonder what happened...
     
  6. awalker0878

    awalker0878 Removed by request

    Joined:
    Dec 16, 2005
    Messages:
    407
    try a reboot and then select the windows xp theme again
     
  7. andwhutnot

    andwhutnot Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    5
    No dice. It appears that one of these removal tools erased components of the XP theme...
     
  8. awalker0878

    awalker0878 Removed by request

    Joined:
    Dec 16, 2005
    Messages:
    407
    I think you might have better luck if you create a new thread with the problem along with the work we have already done.

    Also, have you already gone to
    start/control panel/display/theme: Windows XP?
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Extract luna.zip to C:\WINDOWS\Resources\Themes\Luna

    Restart your computer and see if you can change it back to the XP theme.
     
  10. andwhutnot

    andwhutnot Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    5
    That worked. I extracted the Luna theme into that folder and I got the XP theme back... Thanks a million Brendan. Btw, do you see any outstanding issues with the results of my scans? Again, thank you.
     
  11. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Looks good to me (y)
     
Short URL to this thread: https://techguy.org/430191
