
Author Topic: Bad, bad Malware - "Desktop Hijacker About Your Privacy.  (Read 17424 times)


wilmsp

    Topic Starter


    Beginner

    Bad, bad Malware - "Desktop Hijacker About Your Privacy.
    « on: March 14, 2008, 02:59:40 PM »
    Wow - this is a very tenacious one.  I don't know how it came in but it starts with a persistent page apparently originating from a site called GoDaddy and in the form of a so-called "free virus scan" offer [absolutely unsolicited].  "Just click here".  I didn't, but my desktop turned brilliant red with the following title "Your Privacy Is In Danger" and beneath that a link titled "Download Privacy Protection Software Now".  I immediately effected a SUPERAntiSpyware Free Edition scan which finished with 7 viruses titled "DesktopHighjacker AboutYour Privacy".  Though quarantined, the Internet Explorer site [I use Mozilla] returns offering me a "free" scan again.  Of course, I close it, but it seems to trigger the malware again.  I then run SUPERantispy again - sometimes it rids me of the malware, but more recently it reappears in the form of the red desktop wallpaper almost before I have used the quarantine function of SUPERantiSpy...  This sequence has happened a dozen times.  I've tried the same routine with Avast but no better.  Help guys! - I need help.

    Bill S.

    wilmsp


      Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
      « Reply #1 on: March 14, 2008, 03:09:58 PM »
      I'm sorry - I should have remembered to read the suggested item first.  I will do so now and I also note Andrea's post re a problem sounding exactly like mine.  I will proceed now to read the pre-help suggestions, plus download the Microsoft thing.  I did this before with a virus, but it got lost when I finally had to reformat.  I'll be back.

      wilmsp


        Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
        « Reply #2 on: March 15, 2008, 08:48:05 AM »
        Saturday morning so I realize you folks may be to heck away from the net - so I won't necessarily expect response till Monday.  Anyway, I have read and run all of the suggestions in Read This First.  I think I MAY have rid my computer of this nuisance [read that threat] to my computer.  I have retained the log/reports from SuperSpy, Dr. Web and HijackThis.  I will attach/upload the last of the 3 - Hijack, but will retain the other 2 for review if needed.  I really appreciate the help provided and this is the 2nd time I've had to seek it for a miserable trojan.  Thanks again and please get back after reviewing the attached HiJackThis report.

        Bill S.

        [recovering space - attachment deleted by admin]

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
        « Reply #3 on: March 15, 2008, 08:50:35 AM »
        Yes I need the other logs. We need to know what was removed and what we are dealing with.

        wilmsp


          Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
          « Reply #4 on: March 15, 2008, 10:22:37 AM »

          OK - I hope this works.

          ListDlls.cfexe;C:\ComboFix;Trojan.Proxy.2804;Deleted.;
          CUSOFTWARE;C:\Documents and Settings\Owner\Application Data\ErrorSmart\Full Backups\FULL 2008-02-20_11-05-25.reg;Probably BATCH.Virus;;


          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 10:35:16 AM, on 3/15/2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\Avast4\aswUpdSv.exe
          C:\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Analog Devices\Core\smax4pnp.exe
          C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
          C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Avast4\ashDisp.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
          C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\WeatherEye\WeatherEye.exe
          C:\101 Clips\101Clips.exe
          C:\WINDOWS\DvzCommon\DvzMsgr.exe
          C:\INCRED~1\bin\ImApp.exe
          C:\Avast4\ashMaiSv.exe
          C:\Avast4\ashWebSv.exe
          C:\WeatherEye\WeatherEye.exe
          C:\WeatherEye\WeatherEye.exe
          C:\Microsoft Office\Office\WINWORD.EXE
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
          O1 - Hosts: 127,0.0.1 www.bhf.org.uk
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: RDL Rolex - {A955C496-7376-4B03-81D1-B828ED96C665} - C:\WINDOWS\drnpfdxsvw.dll
          O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
          O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
          O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
          O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
          O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
          O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
          O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
          O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
          O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
          O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
          O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
          O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
          O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
          O4 - Startup: PowerReg SchedulerV2.exe
          O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
          O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
          O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
          O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
          O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
          O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
          O21 - SSODL: bokpkov - {172DF6F9-9382-4692-A595-B30E32F8336E} - (no file)
          O21 - SSODL: altvxvm - {1A39D243-B255-4451-B154-2811294FCA8D} - C:\WINDOWS\altvxvm.dll (file missing)
          O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
          O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
          O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
          O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

          --
          End of file - 5213 bytes

          evilfantasy

          Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
          « Reply #5 on: March 15, 2008, 10:48:23 AM »
          Superantispyware log?

          wilmsp


            Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
            « Reply #6 on: March 15, 2008, 11:06:17 AM »

            Yup - sorry.

            Bill

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 03/15/2008 at 08:08 AM

            Application Version : 4.0.1154

            Core Rules Database Version : 3373
            Trace Rules Database Version: 1368

            Scan type       : Quick Scan
            Total Scan Time : 01:19:35

            Memory items scanned      : 420
            Memory threats detected   : 0
            Registry items scanned    : 308
            Registry threats detected : 0
            File items scanned        : 15504
            File threats detected     : 2

            Desktop Hijacker.AboutYourPrivacy
               C:\WINDOWS\privacy_danger\images
               C:\WINDOWS\privacy_danger

            evilfantasy

            Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
            « Reply #7 on: March 15, 2008, 11:20:26 AM »
            Download SDFix.exe and save it to your Desktop.

            Double click SDFix.exe and it will extract the files to %systemdrive%
            (Drive that contains the Windows Directory, typically C:\SDFix)

            Please then reboot your computer in Safe Mode by doing the following:

            • Restart your computer
            • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
            • Instead of Windows loading as normal, the Advanced Options Menu should appear;
            • Select the first option, to run Windows in Safe Mode, then press Enter.
            • Choose your usual account.
            • Open the extracted SDFix folder and double click RunThis.bat to start the script.
            • Type Y to begin the cleanup process.
            • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
            • Press any Key and it will restart the PC.
            • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
            • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
              (Report.txt will also be copied to Clipboard).
            • Finally add the contents of the Report.txt in your next post along with a NEW hijackthis log.

            wilmsp


              Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
              « Reply #8 on: March 15, 2008, 12:34:24 PM »
              OK - Please find the 2 logfiles below.  Of academic interest [maybe] I had to reboot manually after the RunThis.bat finished, but all appeared to go as expected after it rebooted.  Here is the SDFIX report, followed by the Hijackthis file.


              SDFix: Version 1.157

              Run by Owner on Sat 03/15/2008 at 02:12 PM

              Microsoft Windows XP [Version 5.1.2600]
              Running From: C:\SDFix

              Checking Services :


              Restoring Windows Registry Values
              Restoring Windows Default Hosts File
              Restoring Default HomePage Value
              Restoring Default Desktop Components Value

              Rebooting


              Checking Files :

              Trojan Files Found:

              C:\WINDOWS\drnpfdxsvw.dll - Deleted
              C:\DOCUME~1\Owner\LOCALS~1\Temp\ac8zt2.dat  - Deleted
              C:\WINDOWS\fmsxwqs.exe  - Deleted
              C:\WINDOWS\rs.txt  - Deleted





              Removing Temp Files

              ADS Check :
               


              Final Check :

              catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-03-15 14:22:04
              Windows 5.1.2600 Service Pack 2 NTFS

              scanning hidden processes ...

              scanning hidden services & system hive ...

              scanning hidden registry entries ...

              scanning hidden files ...

              scan completed successfully
              hidden processes: 0
              hidden services: 0
              hidden files: 0


              Remaining Services :



              Authorized Application Key Export:

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
              "C:\\IncrediMail\\bin\\IncMail.exe"="C:\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
              "C:\\IncrediMail\\bin\\ImApp.exe"="C:\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
              "C:\\IncrediMail\\bin\\ImpCnt.exe"="C:\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

              Remaining Files :


              File Backups: - C:\SDFix\backups\backups.zip

              Files with Hidden Attributes :

              Fri  8 Feb 2008       145,920 ..SHR --- "C:\WinPatrol\Setup.exe"

              Finished!

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 2:27:10 PM, on 3/15/2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\Explorer.EXE
              C:\Avast4\aswUpdSv.exe
              C:\Avast4\ashServ.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Avast4\ashMaiSv.exe
              C:\Avast4\ashWebSv.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\WINDOWS\system32\notepad.exe
              C:\Program Files\Analog Devices\Core\smax4pnp.exe
              C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
              C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
              C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
              C:\Avast4\ashDisp.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\WINDOWS\system32\igfxpers.exe
              C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
              C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
              C:\INCRED~1\bin\ImApp.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\WeatherEye\WeatherEye.exe
              C:\101 Clips\101Clips.exe
              C:\WINDOWS\DvzCommon\DvzMsgr.exe
              C:\WeatherEye\WeatherEye.exe
              C:\WeatherEye\WeatherEye.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
              R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
              O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
              O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
              O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
              O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
              O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
              O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
              O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
              O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
              O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
              O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
              O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
              O4 - Startup: PowerReg SchedulerV2.exe
              O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
              O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
              O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
              O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
              O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
              O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
              O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
              O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
              O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
              O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
              O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

              --
              End of file - 4899 bytes

              evilfantasy

              Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
              « Reply #9 on: March 15, 2008, 12:38:34 PM »
              Looking better.

              Open Hijackthis and select Do a system scan only.

              Place a check mark next to the following entries: (if there)

              O4 - Startup: PowerReg SchedulerV2.exe

              Important: Close all windows except for Hijackthis and then click Fix checked.

              Exit Hijackthis.

              ----------

              Do you know what this is? C:\101 Clips\101Clips.exe

              How is the computer now?
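
An added example, not part of the original thread: a small Python parser that diffs the R/O entries of the HijackThis logs posted in Reply #4 and Reply #8 (excerpted inline) to show what the SDFix run removed, and lists the entries HijackThis itself marked `(no file)` or `(file missing)`. The function names are this example's own.

```python
import re
from collections import Counter

# A HijackThis entry line is "<section code> - <detail>", e.g. "O2 - BHO: ...".
# Header lines and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpt of the log posted in Reply #4 (before SDFix).
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O1 - Hosts: 127,0.0.1 www.bhf.org.uk
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: RDL Rolex - {A955C496-7376-4B03-81D1-B828ED96C665} - C:\WINDOWS\drnpfdxsvw.dll
O4 - Startup: PowerReg SchedulerV2.exe
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bokpkov - {172DF6F9-9382-4692-A595-B30E32F8336E} - (no file)
O21 - SSODL: altvxvm - {1A39D243-B255-4451-B154-2811294FCA8D} - C:\WINDOWS\altvxvm.dll (file missing)
"""

# Excerpt of the log posted in Reply #8 (after SDFix).
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - Startup: PowerReg SchedulerV2.exe
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
"""


def parse_entries(log_text):
    """Return [(section, detail), ...] for every R*/O* entry line in a log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) entry lists between two logs.

    Counters are used instead of sets so a duplicated entry that is
    removed only once still shows up in the result.
    """
    before = Counter(parse_entries(before_text))
    after = Counter(parse_entries(after_text))
    removed = sorted((before - after).elements())
    added = sorted((after - before).elements())
    return removed, added


def orphaned(entries):
    """Entries whose target file HijackThis reported as absent."""
    markers = ("(no file)", "(file missing)")
    return [e for e in entries if e[1].endswith(markers)]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed between the two scans:")
    for section, detail in removed:
        print(f"  {section} - {detail}")
    print("New since the first scan:")
    for section, detail in added:
        print(f"  {section} - {detail}")
    print("Orphaned entries in the first scan:")
    for section, detail in orphaned(parse_entries(BEFORE)):
        print(f"  {section} - {detail}")
```

Entries that remain in both logs, such as the `O4 - Startup` line the helper asks to fix here, do not appear in either list and still need manual review.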

              wilmsp


                Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                « Reply #10 on: March 15, 2008, 01:02:28 PM »
                C:\101 Clips\101Clips.exe --- is just a "copy" extension enabling multiple copies.  It's ok.

                Computer is running great now Evil, but of course I will proceed with the last step you have mentioned though I may not be able to report back for about an hour from now.

                Bill.

                wilmsp


                  Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                  « Reply #11 on: March 15, 2008, 01:11:24 PM »
                  OK ---  Here's the last [final] HijackThis report.  I did delete "O4 - Startup: PowerReg SchedulerV2.exe".

                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 3:07:04 PM, on 3/15/2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Avast4\aswUpdSv.exe
                  C:\Avast4\ashServ.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\Avast4\ashMaiSv.exe
                  C:\Avast4\ashWebSv.exe
                  C:\Program Files\Analog Devices\Core\smax4pnp.exe
                  C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
                  C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
                  C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
                  C:\Avast4\ashDisp.exe
                  C:\WINDOWS\system32\hkcmd.exe
                  C:\WINDOWS\system32\igfxpers.exe
                  C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                  C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  C:\INCRED~1\bin\ImApp.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\WeatherEye\WeatherEye.exe
                  C:\101 Clips\101Clips.exe
                  C:\WINDOWS\DvzCommon\DvzMsgr.exe
                  C:\WeatherEye\WeatherEye.exe
                  C:\WeatherEye\WeatherEye.exe
                  C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.com/ShopperLogon.do
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nexicom.net
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experienceexchange.comShopperLogon
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                  R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                  O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
                  O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                  O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
                  O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
                  O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
                  O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
                  O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
                  O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
                  O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
                  O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
                  O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                  O4 - HKCU\..\Run: [IncrediMail] C:\IncrediMail\bin\IncMail.exe /c
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - HKCU\..\Run: [WeatherEye] C:\WeatherEye\WeatherEye.exe
                  O4 - Global Startup: 101Clips.lnk = C:\101 Clips\101Clips.exe
                  O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
                  O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
                  O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\IncrediMail\bin\resources\WebMenuImg.htm
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                  O14 - IERESET.INF: START_PAGE_URL=http://www.nexicom.net
                  O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
                  O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{C2C6D877-85F6-47EC-9B92-962005869F40}: NameServer = 216.168.96.13 216.168.96.10
                  O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
                  O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
                  O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
                  O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
                  O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe

                  --
                  End of file - 4963 bytes

                  evilfantasy

                  Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                  « Reply #12 on: March 15, 2008, 01:21:31 PM »
                  Looks good now.

                  Time to do some cleanup and secure the work you have done.

                  Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

                  1. Double click OTMoveIt2.exe to launch it.
                  Vista users right click and choose Run As Administrator
                  2. Click on the CleanUp! button.
                  3. OTMoveIt2 will download a list from the Internet. If your firewall or other defensive programs alert you, allow it access.
                  4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                  5. Once complete exit out of OTMoveIt2

                  This is a good time to clear your infected system restore points and establish a new clean restore point:
                  • Go to Start > All Programs > Accessories > System Tools > System Restore
                  • Select Create a restore point, and click Next.
                  • Next, go to Start > Run and type in cleanmgr
                  • Select the More options tab
                  • Next to System Restore click Clean up...
                  This will remove all restore points except the new one you just created.

                  Here are some great tools to help you keep from getting infected again.

                  Spybot Search & Destroy - A safe and effective spyware scanner.
                  * Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

                  AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
                  * AVG Anti-Spyware User Manual

                  SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware

                  Comodo BOClean - Stops trojans and many more malicious attacks.

                         Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
                  * Click here for a list of free firewalls.
                  * Why would I consider a third party firewall?
                  * Understanding and Using Firewalls

                  UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
                  * Help with Windows updates

                  To learn more about how to protect yourself while on the internet, read this article by Tony Klien: So how did I get infected in the first place?

                  Let us know if anything else comes up.
                  « Last Edit: March 15, 2008, 02:41:11 PM by evilfantasy »

                  wilmsp

                    Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                    « Reply #13 on: March 15, 2008, 02:19:08 PM »

                    Faaaaaannnnttttaaassstttiiiccccc! Thanks Evil..... but then again Whoa!  There is an icon on my desktop that I simply can't get rid of despite how often I delete it.  It's gone, but then later it reappears.  Its title appears to be "Clean Registry for Free!" but of course I have never clicked on it.  I do believe that it may have been the original source of my problem.  Could you suggest a program that would permanently destroy it rather than just delete? 

                    I appreciate the items you suggest downloading and retaining.  Terrific.  Thanks very much.

                    Bill S.

                    evilfantasy

                    Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                    « Reply #14 on: March 15, 2008, 02:25:23 PM »
                    Download SmitfraudFix (by S!Ri) to your Desktop.
                    • Extract all the files to your Desktop.
                    • A folder named SmitfraudFix will be created on your Desktop.
                    • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
                    • Select option #1 - Search by typing 1 and press Enter
                      • This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
                      • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
                        • This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
                      • Please attach that log in your next reply.
                    • Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
                    Next post Smitfraudfix log

                    wilmsp

                      Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                      « Reply #15 on: March 15, 2008, 02:37:45 PM »
                      I am now downloading Smitfraudfix.  I should mention though that otmoveit.exe seems to be a dead link, taking me only to "Problem loading page..." plus the same for "Spybot Search and Destroy".

                      evilfantasy

                      Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                      « Reply #16 on: March 15, 2008, 02:41:47 PM »
                      All links fixed.

                      wilmsp

                        Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                        « Reply #17 on: March 15, 2008, 03:33:38 PM »

                        Uh - as far as I can tell, they are all dead links.  Tried 'em all - I remain in idle.

                        Bill

                        By the way, I downloaded SmitFraudFix and can't seem to open it.  The icon is there but it doesn't go anywhere.  It goes to a "message" stating "Process exe file missing."

                        Bill.

                        evilfantasy

                        Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                        « Reply #18 on: March 15, 2008, 03:57:10 PM »
                        I just now opened each link.

                        Let's try this instead of SmitfraudFix, Bill. I'm Kevin.

                        Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.
                        • Double-click mbam-setup.exe and follow the prompts to install the program.
                        • At the end, be sure a checkmark is placed next to
                          • Update Malwarebytes' Anti-Malware
                          • Launch Malwarebytes' Anti-Malware
                          • Click Finish.
                          • If an update is found, it will download and install the latest version.
                          • Once the program has loaded, select Perform full scan, then click Scan.
                          • When the scan is complete, click OK, then Show Results to view the results.
                          • Be sure that everything is checked, and click Remove Selected.
                          • When completed, a log will open in Notepad.
                          • Please copy and paste the log into your next reply.
                            • If you accidentally close it, the log file is saved here and will be named like this:
                            • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

                          wilmsp

                            Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                            « Reply #19 on: March 15, 2008, 05:07:17 PM »
                            I ran MBAM and it did a nice job - extensive.  However, I still have that pesky and very questionable icon which returns.  I think now I will [and you too Kevin] leave things to at least tomorrow afternoon, if not maybe Monday even.  I will repost on this thread then, but meanwhile thanks ever so much for your assistance so far.  Here's the MBAM report, all of which I deleted.

                            Malwarebytes' Anti-Malware 1.08
                            Database version: 471

                            Scan type: Full Scan (C:\|)
                            Objects scanned: 59742
                            Time elapsed: 13 minute(s), 18 second(s)

                            Memory Processes Infected: 0
                            Memory Modules Infected: 0
                            Registry Keys Infected: 6
                            Registry Values Infected: 0
                            Registry Data Items Infected: 0
                            Folders Infected: 11
                            Files Infected: 32

                            Memory Processes Infected:
                            (No malicious items detected)

                            Memory Modules Infected:
                            (No malicious items detected)

                            Registry Keys Infected:
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\the weather channel desktop (Adware.Hotbar) -> Quarantined and deleted successfully.
                            HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.brxd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                            HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                            HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

                            Registry Values Infected:
                            (No malicious items detected)

                            Registry Data Items Infected:
                            (No malicious items detected)

                            Folders Infected:
                            C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50 (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

                            Files Infected:
                            C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP28\A0002279.exe (Rogue.BugDoctor) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Uninstall Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\ARO.chm (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\ARO.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\AROSS.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\CheckForV4.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\CleanSchedule.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\EmailAddressCapture.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\NoSpam.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\RCBanner.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\soref.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\unins000.dat (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\unins000.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\Advanced Registry Optimizer\uninstall.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather\eula.html (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather\INSTALL.LOG (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather\uninstall.bat (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Jan 01 - 05_38_05 PM_218.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Jan 01 - 05_38_08 PM_515.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\1204819820.reg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\backup.bin (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\ExcludeList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\results.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
                            C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.
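
One way to triage a log like the one above, as an added example that is not part of the original post or of Malwarebytes' own tooling: it checks that each section lists as many entries as the header declares, groups detections by family, and flags entries that were not reported as removed or that sit inside System Restore snapshots. The sample log is constructed (shortened from the post, with one invented "Delete on reboot." line), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the log layout shown in the post (shortened).
# The last line, with its path and "Delete on reboot." status, is invented
# here to exercise the follow-up check.
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.brxd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Advanced Registry Optimizer\ARO.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{633899DE-AE4D-4DF3-AA36-7E143BF52292}\RP28\A0002279.exe (Rogue.BugDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\example.lnk (Rogue.Link) -> Delete on reboot.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")   # header line with a count
SECTION = re.compile(r"^(.+ Infected):$")          # start of a detail section
ITEM = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<status>.+)$")
OK_STATUS = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (declared counts per section, list of detection entries)."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if m := SUMMARY.match(line):
            declared[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := ITEM.match(line)):
            items.append({"section": section, **m.groupdict()})
    return declared, items


def triage(text):
    """Summarise what a helper would check before calling a machine clean."""
    declared, items = parse_mbam_log(text)
    listed = Counter(i["section"] for i in items)
    return {
        "families": Counter(i["family"] for i in items),
        # Declared vs listed differ: the pasted log is truncated or edited.
        "count_mismatch": {s: (n, listed[s])
                           for s, n in declared.items() if n != listed[s]},
        # Anything not reported as removed needs a reboot and a rescan.
        "needs_followup": [i["path"] for i in items
                           if i["status"] != OK_STATUS],
        # Detections inside restore snapshots: flush old restore points.
        "in_restore_points": [i["path"] for i in items
                              if "\\_restore{" in i["path"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```
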



                            evilfantasy

                            Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                            « Reply #20 on: March 15, 2008, 05:14:07 PM »
                            Try restarting the computer in safe mode and deleting it.

                             Also try this if safe mode doesn't work.

                            Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

                            Also remove the checkmark from the Lock Desktop Items box if it is checked.
                            Apply.
                            Apply and Exit Display properties.

                            wilmsp

                              Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                              « Reply #21 on: March 15, 2008, 06:53:16 PM »
                              As the cliche goes - "Been there, did that" and couldn't find the blame thing, but it wasn't on normal desktop when I rebooted back to it.  If it shows up tomorrow, I will follow the above routine again.  I have kept you long enough - mucho gracias from Buckhorn, ON and I will likely touch base with this thread Monday, so have a really good weekend - or what's left of it.

                              Thanks,
                              Bill S.

                              evilfantasy

                              Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                              « Reply #22 on: March 15, 2008, 08:47:46 PM »
                              Hopefully it stays gone.....

                              You have a good weekend as well.

                              wilmsp

                                Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                                « Reply #23 on: March 18, 2008, 07:30:52 AM »

                                Good Morning:

                                All seems well - even the mysterious icon I mentioned is now gone.  I will now download a couple of the "stay-clean" programs you mentioned.

                                Thanks so much for all your help!

                                Bill S.

                                evilfantasy

                                Re: Bad, bad Malware - "Desktop Hijacker About Your Privacy.
                                « Reply #24 on: March 18, 2008, 10:05:05 AM »
                                Sounds good.

                                Safe surfing....