
[Resolved] WinPatrol Website Popup


  • This topic is locked
12 replies to this topic

#1 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 14 October 2009 - 02:04 PM

The Desktop Icons changed into white instead of translucent. And I started getting pop ups about changing my homepage. I always said no. I tried running anti virus and spyware programs such as Malwarebytes. I will attach a picture of it if that helps.



#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 19 October 2009 - 06:41 PM

Hi jophen,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

What did Malwarebytes' find?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 16".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are two options in the window to clear the cache - leave both checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.

Download Rooter.exe to your desktop

  • Then double-click it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here.

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response


#3 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 19 October 2009 - 07:57 PM

Thank you for replying to my post. My Malwarebytes did not find anything...sry

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 19 October 2009 - 08:09 PM

jophen,

I'm not seeing anything either.

Let's try an online scan.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk


#5 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 20 October 2009 - 01:27 AM

Well the scan found nothing...which is a good thing maybe? I was thinking maybe if I just say yes to it, it might not be a bad site or something...but if it is a bad site or a bad thing to do, I can just rescan my computer after I have said "yes" and see if it's a problem. I don't know, what do you think? My problem is not really a problem it seems, so if there is anyone that needs your help more than I need it, I can wait :)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 20, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 20, 2009 03:58:23
Records in database: 3036889
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 220504
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:03:14

No threats found. Scanned area is clean.

Selected area has been scanned.

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 20 October 2009 - 07:38 AM

jophen,

My problem is not really a problem it seems, so if there is anyone that needs your help more than I need it. I can wait

There is and always will be someone else who needs help. We do what we can so... my top priority is whomever I'm helping at the time. :D

Let's try these issues one at a time. What exactly is WinPatrol telling you?

Tomk


#7 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 20 October 2009 - 09:56 AM

Well every time I turn on my computer WinPatrol pops up a warning saying

"A change has been detected in Background page displayed on your Desktop

Your new page is http://vthumb.ak.fbc...1177515_734.jpg

If this is ok, then click yes or press enter,

Click No and we'll restore your page to the default
About:Home"

I always click No but it keeps popping up :S
thanks :)

#8 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 20 October 2009 - 10:33 AM

jophen,

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Then let me know what happens.

Tomk
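As an added check (example code written for this page, not something posted in the thread): a PowerShell script that lists the Active Desktop web components the Web tab above manipulates, so that after deleting them you can confirm nothing pointing at a remote URL is left behind. The registry location is assumed from Active Desktop's documented layout, not taken from this thread.

```powershell
# Added example, not from the thread. Enumerates Active Desktop web components,
# the same items shown under Display Properties > Desktop > Customize Desktop... > Web.
# Assumption: each component is a numbered subkey under this key, carrying
# FriendlyName / Source / SubscribedURL string values.
$componentsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'

function Get-ActiveDesktopComponent {
    if (-not (Test-Path $componentsKey)) {
        Write-Output "No Active Desktop components key found - nothing is configured."
        return
    }

    Get-ChildItem $componentsKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Index         = $_.PSChildName
            FriendlyName  = $props.FriendlyName
            Source        = $props.Source
            SubscribedURL = $props.SubscribedURL
            # A component fetched from http/https is the case seen in this thread
            # (a desktop background pointing at a remote .jpg); a local file or the
            # "My current home page" placeholder is the expected, benign state.
            Remote        = [bool]($props.Source -match '^https?://')
        }
    }
}

# Show the table, then call out any remote component explicitly.
$components = Get-ActiveDesktopComponent
$components | Format-Table -AutoSize

$remote = @($components | Where-Object { $_.Remote })
if ($remote.Count -gt 0) {
    Write-Output ("Remote Active Desktop component(s) still present: " +
        (($remote | ForEach-Object { $_.Source }) -join ', '))
} else {
    Write-Output "No remote Active Desktop components remain."
}
```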


#9 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 20 October 2009 - 01:23 PM

haha yay it's fixed! thank you so much! everything is back to normal now, no more pop ups and such :D :D

#10 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 20 October 2009 - 07:06 PM

jophen,

Cool. :woot:

Log looks good :D


You need to create a new Clean restore point:

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create; when the confirmation screen shows the restore point has been created, click Close.

Remove all previous Restore Points
Click Start Menu > Run > copy and paste

cleanmgr

You may be asked to choose a drive. Choose C:. At the top, click on the More Options tab. Click the Clean up... button in the System Restore box. Click on the Yes button. When finished, click on the Cancel button to exit.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Go ahead and delete any tools that may be left.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk


#11 jophen

jophen

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 21 October 2009 - 02:13 PM

I have done everything :). Thanks for the help!

#12 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 21 October 2009 - 04:02 PM

jophen, You are very welcome. Good Luck and Be Well. :thumbup:

Tomk


#13 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,156 posts

Posted 21 October 2009 - 04:03 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Tomk