Computer Hope

Software => Computer viruses and spyware => Topic started by: wilmsp on March 14, 2008, 02:59:40 PM

Title: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 14, 2008, 02:59:40 PM

Wow - this is a very tenacious one.  I don't know how it came in but it starts with a persistent page apparently originating from a site called GoDaddy and in the form of a so called "free virus scan" offer [absolutely unsolicited.  "Just click here".  I didn't but my desktop turned brilliant red with the following title "Your Privacy Is In Danger" and beneath that a link titled "Download Privacy Protection Software Now".  I immediately effected a SUPERAntiSpyware Free Edition scan which finished with 7 viruses titled "DesktopHighjacker AboutYour Privacy"  Though quarantined, the Internet Explorer site [I use Mozilla} returns offering me a "free" scan again.  Of course, I close it, but it seems to trigger the malware again.  I then run SUPERantispy again - sometimes it rids me of the malware, but more recently it reappears in the form of the red desktop wallpaper almost before I have used the quarantine function of SUPERantiSpy...".  This sequence has happened a dozen times.  I've tried the same routine with Avast but no better.  Help guys! - I need help.

Bill S.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 14, 2008, 03:09:58 PM

I'm sorry _ I should have remembered to read the suggested item first.  I will do so now and I also note Andrea's post re a problem sounding exactly like mine.  I will proceed now to read the pre-help suggestions, plus download the Microsoft thing.  I did this before with a virus, but it got lost when I finally had to reformat.  I'll be back.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 08:48:05 AM

Saturday morning so I realize you folks may be to heck away from the net - so I won't necessarily expect response till Monday.  Anyway, I have read and run all of the suggestions in Read This First.  I think I MAY have rid my computer of this nuisance [read that threat] to my computer.  I have retained the log/reports from SuperSpy, Dr.  Web and Hijack this.  I will attach/upload  the last of the 3 - Hijack, but will retain the other 2 for review if needed.  I really appreciate the help provided and this is the 2nd time I've had to seek it for a miserable trojan.  Thanks again and please get back after reviewing the attached HiJackThis report.

Bill S.

[recovering space - attachment deleted by admin]

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 08:50:35 AM

Yes I need the other logs. We need to know what was removed and what we are dealing with.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 10:22:37 AM

OK _ I hope this works.

ListDlls.cfexe;C:\ComboFix;Trojan.Proxy.2804;Deleted.;
CUSOFTWARE;C:\Documents and Settings\Owner\Application Data\ErrorSmart\Full Backups\FULL 2008-02-20_11-05-25.reg;Probably BATCH.Virus;;


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:16 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WeatherEye\WeatherEye.exe
C:\101 Clips\101Clips.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\INCRED~1\bin\ImApp.exe
C:\Avast4\ashMaiSv.exe
C:\Avast4\ashWebSv.exe
C:\WeatherEye\WeatherEye.exe
C:\WeatherEye\WeatherEye.exe
C:\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O1 - Hosts: 127,0.0.1 www.bhf.org.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: RDL Rolex - {A955C496-7376-4B03-81D1-B828ED96C665} - C:\WINDOWS\drnpfdxsvw.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bokpkov - {172DF6F9-9382-4692-A595-B30E32F8336E} - (no file)
O21 - SSODL: altvxvm - {1A39D243-B255-4451-B154-2811294FCA8D} - C:\WINDOWS\altvxvm.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

--
End of file - 5213 bytes

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 10:48:23 AM

Superantispyware log?

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 11:06:17 AM

Yup - sorry.

Bill

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 08:08 AM

Application Version : 4.0.1154

Core Rules Database Version : 3373
Trace Rules Database Version: 1368

Scan type       : Quick Scan
Total Scan Time : 01:19:35

Memory items scanned      : 420
Memory threats detected   : 0
Registry items scanned    : 308
Registry threats detected : 0
File items scanned        : 15504
File threats detected     : 2

Desktop Hijacker.AboutYourPrivacy
   C:\WINDOWS\privacy_danger\images
   C:\WINDOWS\privacy_danger

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 11:20:26 AM

Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
  
• Finally add the contents of the Report.txt in your next post along with a NEW hijackthis log.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 12:34:24 PM

OK - Please find the 2 logfiles below.  Of academic interest [maybe] I had to reboot manually after the RunThis.bat finished, but all appeared to go as expected after it rebooted.  Here is the SDFIX report, followed by the Hijackthis file.


SDFix: Version 1.157

Run by Owner on Sat 03/15/2008 at 02:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\drnpfdxsvw.dll - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\ac8zt2.dat  - Deleted
C:\WINDOWS\fmsxwqs.exe  - Deleted
C:\WINDOWS\rs.txt  - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 14:22:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\IncrediMail\\bin\\IncMail.exe"="C:\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\IncrediMail\\bin\\ImApp.exe"="C:\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\IncrediMail\\bin\\ImpCnt.exe"="C:\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri  8 Feb 2008       145,920 ..SHR --- "C:\WinPatrol\Setup.exe"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:10 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Avast4\ashMaiSv.exe
C:\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WeatherEye\WeatherEye.exe
C:\101 Clips\101Clips.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WeatherEye\WeatherEye.exe
C:\WeatherEye\WeatherEye.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

--
End of file - 4899 bytes

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 12:38:34 PM

Looking better.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O4 - Startup: PowerReg SchedulerV2.exe

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Do you know what this is? C:\101 Clips\101Clips.exe

How is the computer now?

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 01:02:28 PM

C:\101 Clips\101Clips.exe --- is just a "copy" extension enabling multiple copies.  It's ok.

Computer is running great now Evil, but of course I will proceed with the last step you have mentioned though I may not be able to report back for about an hour from now.

Bill.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 01:11:24 PM

OK ---  Here's the last [final] HighJackThis report.  I did delete "O4 - Startup: PowerReg SchedulerV2.exe

"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:04 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Avast4\ashMaiSv.exe
C:\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WeatherEye\WeatherEye.exe
C:\101 Clips\101Clips.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WeatherEye\WeatherEye.exe
C:\WeatherEye\WeatherEye.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C6D877-85F6-47EC-9B92-962005869F40}: NameServer = 216.168.96.13 216.168.96.10
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

--
End of file - 4963 bytes

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 01:21:31 PM

Looks good now.

Time to do some cleanup and secure the work you have done.

Download OTMoveIt2 by OldTimer  OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

This is a good time to clear your infected system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
  
• Select Create a restore point, and click Next.
  
• Next, go to Start > Run and type in cleanmgr
  
• Select the More options tab
  
• Next to System Restore click Clean up...

This will remove all restore points except the new one you just created.

Here are some great tools to help you keep from getting infected again.

 Spybot Search & Destroy (http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1) - A safe and effective spyware scanner.
*  (http://www.safer-networking.org/en/tutorial/index.html)Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)

 AVG Anti-Spyware Free Edition (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) - Very reliable with a high detection rate.
*  AVG Anti-Spyware User Manual (http://free.grisoft.com/doc/5390/us/frt/0?prd=asf)

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

 Comodo BOClean (http://www.comodo.com/boclean/CBO_download.html) - Stops trojans and many more malicious attacks.

       Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
*  Click here (http://www.freebyte.com/antivirus/#freefirewalls) for a list of free firewalls.
*  Why would I consider a third party firewall? (http://www.microsoft.com/windowsxp/using/security/learnmore/atkin_firewall.mspx#EGF)
* Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

 UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer.
*  Help with Windows updates (http://support.microsoft.com/?scid=ph;en-us;6527)

Learn more about how to protect yourself while on the internet read this article by Tony Klien:  So how did I get infected in the first place? (http://www.castlecops.com/postlite7736-.html)

Let us know if anything else comes up.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 02:19:08 PM

Faaaaaannnnttttaaassstttiiiccccc! Thanks Evil..... but then again Whoa!  There is an icon on my desktop that I simply can't get rid of despite how often I delete it.  It's gone, but then later it reappears.  Its title appears to be "Clean Registry for Free!" but of course I have never clicked on it.  I do believe that it may have been the original source of my problem.  Could you suggest a program that would permanently destroy it rather than just delete? 

I appreciate the items you suggest downloading and retaining.  Terrific.  Thanks very much.

Bill S.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 02:25:23 PM

Download  SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) to your Desktop.

• Extract all the files to your Destop.
• A folder named SmitfraudFix will be created on your Desktop.

• Open the SmitfraudFix folder and double-click smitfraudfix.cmd

• Select option #1 - Search by typing 1 and press Enter
  • This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
  • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
    • This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
  • Please attach that log in your next reply.

• Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/processutil/processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)

.
Next post Smitfraudfix log

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 02:37:45 PM

I am now downloading Smitfraudfix.  I should mention though that otmoveit.exe seems to be a dead link, taking me only to "Problem loading page..." plus the same for "Spybot Searchand Destroy"

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 02:41:47 PM

All links fixed.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 03:33:38 PM

Uh - as far as I can tell, they are all dead links.  Tried 'em all - I remain in idle.

Bill  By the way, I downloaded SmitFraudFix and can't seem to open it.  The icon is there but it doesn't go anywhere.  It toes to a "message" stating "Process exe file missing."

Bill.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 03:57:10 PM

I just now opened each link.

Lets try this instead of smitfraudfix Bill, I'm Kevin.

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.

• Link 1 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
  
• Link 2 (http://www.besttechie.net/tools/mbam-setup.exe)

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to
• Update Malwarebytes' Anti-Malware
  
• Launch Malwarebytes' Anti-Malware

• Click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad.
• Please  copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 05:07:17 PM

I ran MBAM and it did a nice job - extensive.  However, I still have that pesky and very questionable icon which returns.  I think now I will [and you too Kevin] leave things to at least tomorrow afternoon, if not maybe Monday even.  I will repost on this thread then, but meanwhile thanks ever so much for your assistance so far.  Here's the MBAM report and which I deleted all of.

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (C:\|)
Objects scanned: 59742
Time elapsed: 13 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\the weather channel desktop (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.brxd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50 (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP28\A0002279.exe (Rogue.BugDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Uninstall Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\ARO.chm (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\ARO.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROSS.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CheckForV4.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CleanSchedule.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\EmailAddressCapture.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\NoSpam.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\RCBanner.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\soref.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.dat (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\uninstall.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\eula.html (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\INSTALL.LOG (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\uninstall.bat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Jan 01 - 05_38_05 PM_218.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Jan 01 - 05_38_08 PM_515.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1204819820.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\backup.bin (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\ExcludeList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\results.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 05:14:07 PM

Try restarting the computer in safe mode and deleting it.

 Also try this if safe mode doesn't work.

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 15, 2008, 06:53:16 PM

As the cliche goes - "Been there, did that" and couldn't find the blame thing, but it wasn't on normal desktop when I rebooted back to it.  If it shows up tomorrow, I will follows the above routine again.  I have kept you long enough - mucho gracias from Buckhorn, ON and I will likely touch base with this thread Monday, so have a really good weekend - or what's left of it.

Thanks,
Bill S.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 15, 2008, 08:47:46 PM

Hopefully it stays gone.....

You have a good weekend as well.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: wilmsp on March 18, 2008, 07:30:52 AM

Good Morning:

All seems well - even the mysterious icon I mentioned is now gone.  I will now download a couple of the "stay-clean' programs you mentioned.

Thanks so much for all your help!

Bill S.

Title: Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
Post by: evilfantasy on March 18, 2008, 10:05:05 AM

Sounds good.

Safe surfing....