Set of advertisement Icons stuck on desktop! HELP!

 
 
Reply Sun 2 Jan, 2005 02:05 pm
Hi, this is my first post on these forums. I hope I'm following all the rules.

So here's my problem: A set of icons has appeared on my desktop. Each icon links to an advertisement webpage called Searchweb2. I have looked it up on the forums, and none of the help says anything about icons. I may have missed something, so forgive me if I have. Also, when I open Internet Explorer, a little hypertext search bar appears on my desktop. It has all the same icons, and a little search bar. I can close out of it, so it's little more than annoying, but it might be doing something more malicious that I'm unaware of. Does anyone know how to stop all this? I ran the forum's general fix stuff and that didn't help (Ad-Aware and Spybot and all that like). I'll post my process list and my hijack list just in case.

svchost.exe
alg.exe
wdfmgr.exe
ati2evxx.exe
msnmsgr.exe
avgcc32.exe
Steam.exe
MsgPlus.exe
Mediadet.exe
iexplore.exe
iexplore.exe
explorer.exe
CTNotify.exe
SpybotSD.exe
firefox.exe
taskmgr.exe
svchost.exe
System Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
ati2evxx.exe
svchost.exe
svchost.exe
spoolsv.exe
avgserv.exe
ctsvccda.exe



Spybot picks up these two things every time I run it:

C2.lop: Tracking cookie (Internet Explorer: Michael Sojka) (Cookie, fixed)


DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-823518204-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2004-12-15 Includes\Dialer.sbi
2004-12-16 Includes\Hijackers.sbi
2004-12-15 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-12-15 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-16 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2004-12-15 Includes\Trojans.sbi

And here's my HijackThis results:

Logfile of HijackThis v1.98.2
Scan saved at 2:01:10 PM, on 1/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
E:\progra~1\steam.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael Sojka\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ustbydqxkyeuqsqqrguitzepv.uk/xHuJoOIEda0DUIBWZP/usS/8HajDcJqPbYO4amoLdLmIA0lGIgyN8JTBdGu6AQfg.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam.exe" -silent
O4 - HKCU\..\Run: [meowproc] C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab


Alright, this is as much as I can do on my own. I really hope someone knows what's going on.
Type: Discussion • Score: 1 • Views: 637 • Replies: 3

 
Don77
 
  1  
Reply Sun 2 Jan, 2005 03:40 pm
Hi Nesk and welcome to A2K,
I need you to do a couple of things, please.

Please run this: lop uninstaller
Reboot.

Next, please download Silent Runners.
Please create a folder for it, then double-click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread, along with a fresh HJT log.

I will be back in a few hours to see how you made out.
0 Replies
 
Nesk 101
 
  1  
Reply Fri 7 Jan, 2005 02:53 am
"Silent Runners.vbs", revision 29, launched at: 02:51
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"Steam" = ""e:\progra~1\steam.exe" -silent" ["Valve Corporation"]
"FAST Defrag" = (no data)
"meowproc" = "C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe" [null data]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AVG_CC" = "C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP" ["GRISOFT s.r.o."]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"Default" = (no data)
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}" = "AVG Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Grisoft\AVG6\avgse.dll" ["GRISOFT(c)SOFTWARE s.r.o."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "Ati2evxx.dll" ["ATI Technologies Inc."]


Startup items in "Michael Sojka" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]


Enabled Scheduled Tasks:
------------------------

"A9AEA83191815F91" -> launches: "c:\progra~1\showby~1\Hold Size Scr.exe" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG6 Service, AvgServ, "C:\PROGRA~1\Grisoft\AVG6\avgserv.exe" ["GRISOFT s.r.o"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.exe" ["Creative Technology Ltd"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



And here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 2:52:32 AM, on 1/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\progra~1\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michael Sojka\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.penny-arcade.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam.exe" -silent
O4 - HKCU\..\Run: [meowproc] C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab

It's funny, the Penny Arcade hasn't been my homepage for months, and the LOP uninstaller made the icons go away. I think you saved me! Thanks a lot! I'll repost if I have any further problems, and I'll keep checking this post to make sure you don't have any further advice.
0 Replies
 
Don77
 
  1  
Reply Sat 8 Jan, 2005 08:47 am
Hi again Nesk_101,
Sorry I overlooked your post and it took me a bit to get back to you.


Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

O4 - HKCU\..\Run: [meowproc] C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe


Next, reboot to safe mode (by tapping the F8 key on startup). Make sure you can view all hidden files/folders, then search for and delete the following in BOLD:
C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe
Delete any associated folders found with the above file.
Restart your computer.

Head to AVG and update to AVG7. AVG6 is no longer supported.

Restart HJT and post back a fresh log, please.
And a fresh Silent Runners log too, please.
0 Replies
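
An added example, not part of any post above and not code from HijackThis or Silent Runners: a small triage script that parses the O4 Run lines of a HijackThis log and flags autoruns whose executable sits under a user profile folder, which is what singles out the `meowproc` entry in this thread. The list of folders treated as user-writable and the function names are assumptions of this example; the sample lines are copied from the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Steam] "e:\progra~1\steam.exe" -silent
O4 - HKCU\..\Run: [meowproc] C:\DOCUME~1\MICHAE~1\APPLIC~1\SHOWBY~1\NEWFREE.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
'''

O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$', re.M)
EXE = re.compile(r'"?(.+?\.exe)\b', re.I)

# Assumption of this example: these profile folders are writable without admin
# rights on Windows XP, so an autorun living under them deserves a closer look.
USER_WRITABLE = ("Documents and Settings", "Application Data",
                 "Local Settings", "Temp")

def same_dir(component, long_name):
    """Compare a path component to a long folder name, accepting 8.3 aliases
    such as APPLIC~1 (first six characters with spaces dropped, then ~N)."""
    comp = component.upper()
    if "~" in comp:
        prefix = comp.split("~")[0]
        return bool(prefix) and long_name.upper().replace(" ", "").startswith(prefix)
    return comp == long_name.upper()

def triage(log_text):
    """Return (hive, value name, exe path, matched folders) for Run entries
    whose executable sits in a user-writable profile directory."""
    flagged = []
    for m in O4_RUN.finditer(log_text):
        found = EXE.match(m["cmd"])
        exe = found.group(1) if found else m["cmd"].split()[0]
        hits = [d for d in USER_WRITABLE
                if any(same_dir(p, d) for p in PureWindowsPath(exe).parts)]
        if hits:
            flagged.append((m["hive"], m["name"], exe, hits))
    return flagged

if __name__ == "__main__":
    for hive, name, exe, hits in triage(SAMPLE_LOG):
        print(f"{hive} Run [{name}] -> {exe}  (under: {', '.join(hits)})")
```

A flag here is a prompt to inspect the file, not a verdict: legitimate per-user software also starts from profile folders, and 8.3 aliases that Windows generated with a hashed prefix will not match.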
 
 
