Desktop virus?? maybe

Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to it's own permanent folder, like c:\HJT\hijackthis.exe

After you move it, please post a new log (with all browser windows closed when you scan).

Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to it's own permanent folder, like c:\HJT\hijackthis.exe

After you move it, please post a new log (with all browser windows closed when you scan).

Hi,
Oh yeah, forgot about that bit, doh... here is the new log
Thanks for that.
Hoggy

Logfile of HijackThis v1.99.1
Scan saved at 09:41:01, on 05/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\ems\tngrc\rcHost.exe
c:\ems\tng\sdo\BIN\SDSERV.EXE
C:\WINDOWS\UMCSTUB.EXE
c:\ems\tng\sdo\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\SxpInst\sxplog32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\explorer.exe
H:\personal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alpha.uk.atosorigin.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy2.uk.int.atosorigin.com:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Regtool] Regsvr32.exe /s c:\windows\system32\regtool5.dll
O4 - HKLM\..\Run: [Outlwvw] Regsvr32.exe /s c:\Program Files\microsoft office\Office\1033\outlwvw.dll
O4 - HKLM\..\Run: [CA-AMAgent] c:\ems\tngam\agents\amagent.exe
O4 - HKLM\..\Run: [Sxplog] c:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [MandC] kix32.exe c:\ems\utils\mandc\mandc.kix $callingapp=ALL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Ipc] C:\WINDOWS\System32\Obt.exe
O4 - HKLM\..\Run: [Bnn] C:\WINDOWS\Bae.exe
O4 - HKLM\..\Run: [Egb] C:\WINDOWS\Gbu.exe
O4 - HKLM\..\Run: [Gpk] C:\WINDOWS\System32\Rhv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zyu5RfGmP] odpctrac.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Rfr] C:\WINDOWS\Ion.exe
O4 - Global Startup: SpySubtract.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
O20 - AppInit_DLLs: RCEnumDD.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\ems\tngrc\rcHost.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - c:\ems\tng\sdo\BIN\SDSERV.EXE

Hoggy12,

Hi :). Ready for some work?

-

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [Ipc] C:\WINDOWS\System32\Obt.exe
O4 - HKLM\..\Run: [Bnn] C:\WINDOWS\Bae.exe
O4 - HKLM\..\Run: [Egb] C:\WINDOWS\Gbu.exe
O4 - HKLM\..\Run: [Gpk] C:\WINDOWS\System32\Rhv.exe
O4 - HKCU\..\Run: [Zyu5RfGmP] odpctrac.exe
O4 - HKCU\..\Run: [Rfr] C:\WINDOWS\Ion.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterbal...pGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Acti...iveLauncher.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

files...

C:\WINDOWS\System32\Obt.exe
C:\WINDOWS\Bae.exe
C:\WINDOWS\Gbu.exe
C:\WINDOWS\System32\Rhv.exe
C:\WINDOWS\Ion.exe

Search for...

odpctrac.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

Download, install, update and run AVG antivirus.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting your PC, post back a new log and let me know how everything goes.

Hi Crunchie,

Thanks for all your help so far. I have done everything, but still seem to be having the same problems. I am not sure if it is related, but a few months ago I had the smart security virus/adware thingy.. I have a black desktop screen, which i am unable to change, have tried going into display properties but it will not go, plus i have double icons and cannot right click on any of them or the desktop.
here is the new hijackthis log after I done everything you said before.

thanks again
Hoggy

:eek: Now that i have remembered to paste the log here it is ;)

Logfile of HijackThis v1.99.1
Scan saved at 15:05:02, on 05/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\SxpInst\sxplog32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\ems\tngrc\rcHost.exe
c:\ems\tng\sdo\BIN\SDSERV.EXE
C:\WINDOWS\UMCSTUB.EXE
c:\ems\tng\sdo\BIN\TRIGGAG.EXE
C:\WINDOWS\System32\msiexec.exe
H:\personal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alpha.uk.atosorigin.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy2.uk.int.atosorigin.com:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Regtool] Regsvr32.exe /s c:\windows\system32\regtool5.dll
O4 - HKLM\..\Run: [Outlwvw] Regsvr32.exe /s c:\Program Files\microsoft office\Office\1033\outlwvw.dll
O4 - HKLM\..\Run: [CA-AMAgent] c:\ems\tngam\agents\amagent.exe
O4 - HKLM\..\Run: [Sxplog] c:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [MandC] kix32.exe c:\ems\utils\mandc\mandc.kix $callingapp=ALL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: SpySubtract.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
O20 - AppInit_DLLs: RCEnumDD.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: DM Primer (DMPrimer) - Unknown owner - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe" -DMPRIMER_SERVICE_: (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\ems\tngrc\rcHost.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - c:\ems\tng\sdo\BIN\SDSERV.EXE

Download the following file and double click to run it. Set a system restore point first!!

http://www.kellys-korner-xp.com/reg.../desktoptab.reg

Hopefully that will fix it up :).

I tried that link and it wouldn't work; I think this is it:
www.kellys-korner-xp.com/regs_edits/desktoptab.reg

Hi guys,

Thanks for your help, although I am a little confussed at the moment. I have set a restore point, clicked on the link and it has asked if I want to put the file into my registery. Is this correct, if so what do i then have to double click on?

Sorry if i am being a bit thick..!!!!

Cheers
Hoggy

Just double click on the downloaded file.

Hi Crunchie,

I cannot find a downloaded file. This is what happens.
Click on link
'File download box' appears with the following info:
Filename - desktoploab.reg
File type -registration entries
From - Kellys-Korner-xp.com

I click open
'Registry editor' box appears with the following:
Are yo usure you want to add information in D:\Documents\48100h....etc ~1.reg to the registry.

I click yes and it says it was succesfull and then closes down.

If at the begining i click save i get a file named desktoplab.reg. If i double click this it goes through the same procedure as above.

Is this correct... if so what is it suppose to do.. because I have noticed no difference so far, even after rebooting.

Thanks alot for this.
Hoggy

Yep, that's all you need to do. Try this;

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK. That should get rid of it.

Hi,

OK. I have one entry under the web folder... called My Current Home Page. I do not get the option to delete this though... whether it is checked or not the delete button stays greyed out.....

Any ideas???

Cheers
Hoggy

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab.
Is the box checked for 'show web content on my active desktop'?
If it is, I am out of ideas :(.

I do not have a show web content on my active desktop box...!!!!!!

Does this mean anything??