no desktop picture, why?

 
 
laydbak
 
Reply Sun 11 Sep, 2005 01:13 pm
hi

I've lost the use of a desktop picture (whatever is set is white). I also receive a pop-up saying that "??????" is trying to gain info from my computer, what connection should it use.

I've tried Ad-Aware SE, Spybot, AVG Free and the Panda online virus checker, but nothing gets picked up.

any help would be excellent,

Karl

Logfile of HijackThis v1.99.1
Scan saved at 20:08:42, on 11/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Documents and Settings\karl\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freenetname.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by freenetname pay as you go
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {509075B1-0742-4C8E-82DD-E9FCBB9E8DF9} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenetname.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63AF9792-A9C7-463F-85EB-F6087BA01DDD}: NameServer = 194.72.9.44 194.74.65.86
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Type: Discussion • Score: 1 • Views: 1,582 • Replies: 28

 
MZathras
 
  1  
Reply Sun 11 Sep, 2005 09:04 pm
You are infected and wide open. Do you know how to use regedit?

Stop using Ad-Aware SE and Spybot; remove them, they are in fact spyware themselves. In fact, remove all programs you don't need through "Add/Remove Programs".

You need to search the file names that are being started in places like:

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

Do you know how to get to the registry location "O4 - HKLM\..\Run:"?

Look at all the things that are listed there and run a Google search on the file names used, like "BTHelpNotifier.exe". If it is listed as bad, remove the line. If you are starting things you know about and need them, then keep them. Also reboot often and then check to see if things come back.

Hope this helps, but you've got lots of things running on this system that look strange. Go slow and take lots of notes.
0 Replies
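An added example, not from the thread: a PowerShell script that pulls the O4/O9/O23 lines out of a HijackThis log so the file names can be looked up one at a time, and puts the entries worth looking up first at the top (missing files, services with no vendor name, programs sitting loose in the Windows folder). The sample lines are copied from the log posted above; the flagging heuristics and function names are my own.

```powershell
# Added example (not from the thread): pull the O4/O9/O23 entries out of a
# HijackThis log so each file name can be looked up one at a time, and mark
# the ones worth looking up first. Sample lines are copied from the log posted
# in this thread; the review heuristics below are mine, not HijackThis's.
$sampleLog = @'
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe
'@

# Extract the program path from a command line, whether or not it is quoted.
function Get-CommandPath {
    param([string]$Command)
    if ($Command -match '^"(?<p>[^"]+)"') { return $Matches.p }
    if ($Command -match '^(?<p>.+?\.(exe|com|scr|bat|cmd|dll))(\s|$)') { return $Matches.p }
    return $Command.Trim()
}

# Turn the startup-related lines into objects; every other line type is skipped.
function Get-HjtEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $e = $null
        if ($line -match '^O4 - (?<where>.+?): \[(?<name>[^\]]+)\] (?<cmd>.+)$') {
            $e = [ordered]@{ Type = 'O4';  Where = $Matches.where; Name = $Matches.name; Vendor = '';              Command = $Matches.cmd }
        } elseif ($line -match '^O4 - (?<where>.+?): (?<name>.+?) = (?<cmd>.+)$') {
            $e = [ordered]@{ Type = 'O4';  Where = $Matches.where; Name = $Matches.name; Vendor = '';              Command = $Matches.cmd }
        } elseif ($line -match '^O9 - (?<where>.+?): (?<name>.+?) - \{[^}]+\} - (?<cmd>.+)$') {
            $e = [ordered]@{ Type = 'O9';  Where = $Matches.where; Name = $Matches.name; Vendor = '';              Command = $Matches.cmd }
        } elseif ($line -match '^O23 - Service: (?<name>.+?) - (?<vendor>.+?) - (?<cmd>.+)$') {
            $e = [ordered]@{ Type = 'O23'; Where = 'Service';       Name = $Matches.name; Vendor = $Matches.vendor; Command = $Matches.cmd }
        }
        if ($null -ne $e) {
            $e['Path'] = Get-CommandPath $e['Command']
            $e['Raw']  = $line
            [pscustomobject]$e
        }
    }
}

# Reasons to put an entry at the top of the look-up list. None of these proves
# anything by itself; they only decide the order of the manual checking.
function Get-ReviewReasons {
    param($Entry)
    if ($Entry.Raw -match '\(file missing\)')                          { 'orphan reference: target file is missing' }
    if ($Entry.Type -eq 'O23' -and $Entry.Vendor -eq 'Unknown owner') { 'service binary carries no vendor name' }
    if ($Entry.Path -match '^[A-Za-z]:\\WINDOWS\\[^\\]+$')             { 'program sits directly in the Windows folder' }
    if ($Entry.Path -match '\\[0-9a-f]{8,}\.[A-Za-z]+$')                { 'file name looks like a random hex string' }
}

$entries = Get-HjtEntries ($sampleLog -split "`r?`n" | Where-Object { $_ -ne '' })
foreach ($e in $entries) {
    $reasons = @(Get-ReviewReasons $e)
    $tag = if ($reasons.Count -gt 0) { 'REVIEW ' } else { 'look up' }
    '{0} {1,-3} {2,-30} {3}' -f $tag, $e.Type, $e.Name, $e.Path
    foreach ($r in $reasons) { "          - $r" }
}
```

To run it against a real log, replace the here-string with `Get-Content hijackthis.log` and work down the list from the REVIEW entries, looking each file name up as suggested above.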
 
timberlandko
 
  1  
Reply Sun 11 Sep, 2005 10:26 pm
Dunno as I notice any infection signatures in that log. A couple of minor issues, such as missing updates and an unnecessarily heavy Startup folder, along with a couple of orphan references, but nothing malicious. As to the allegations MZathras levels against Ad-Aware SE and Spybot S&D, well, as far as I'm concerned, that pretty well establishes his credentials; he may have an agenda, but he appears not to have a clue about security and privacy software.

Oh, and BTW - that O4 entry he mentions, "Motive SmartBridge": it's not strictly necessary, but it certainly isn't malicious; it's the "Virtual Assistant" System Tray icon, related to the user's broadband provider - part of the ISP's software. It's commonly used by AT&T Broadband and by BT Broadband. A few other things in the log lead me to conclude the example cited is from BT Broadband.

laydback, I'll get to your display issue soon, I promise. For the moment, don't worry about your machine being infected; it's clean, according to that log.
0 Replies
 
MZathras
 
  1  
Reply Sun 11 Sep, 2005 11:00 pm
No agenda here. Just trying to help. For the record, I have been supporting the NAVCE campuses and Exchange SMTP Symantec filters for several corps for the last 5 years, with over 15k XP units.

I was not saying the example was a problem. I was illustrating how she could see what programs were being started from the registry. I do not have time to look at each entry. I was suggesting she look at them herself, since she is using the machine and would know better than I what she wants to run. Surprisingly, Google searches on file names are simple and quick.

And the comments made about Ad-Aware SE and Spybot are accurate. They are a backdoor to security. It is best to clean the machine yourself.

The item "i also receive a pop up saying that "??????" is trying to gain info from my computer, what connection should it use" tells me something is trying to contact a remote source with information. This smells bad and I have seen it before.

But I am just a newbie with 35 years of computer experience; feel free to ignore my advice. I was just trying to help.
0 Replies
 
MZathras
 
  1  
Reply Mon 12 Sep, 2005 12:23 am
Check this link:
http://forums.techguy.org/t394874.html
Because of this string:
C:\Program Files\ewido\security suite\ewidoctrl.exe

Check this link:
http://www.file.net/process/bthelpnotifier.exe.html
Because of this string:
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

Check this link:
http://www.neuber.com/taskmanager/process/msnappau.exe.html

Check this link:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073603

Actually I would recommend you remove all your spyware and firewall software and upgrade to XP SP2. Your machine is a mess, but the first link looks like it could match your complaint.

Sorry, I misunderstood your name as being female; I should have looked closer.

Look into Symantec Internet Security; no, I don't have an agenda, I use the product and it lets me know what is going on.
0 Replies
 
timberlandko
 
  1  
Reply Mon 12 Sep, 2005 09:38 pm
Sorry, laydback - been busy today, just getting back to this. Let's see what we can do about re-personalizing your desktop.

Try right-clicking on any area of the desktop not occupied by an icon. Select "Properties" to bring up the Display Control Panel, and then, on the "Themes" tab, select "Windows XP" from the dropdown. Click "Apply", and see what happens; if the standard Windows XP desktop wallpaper shows up, the problem likely is simply that the picture you used for your desktop was moved or deleted from the folder in which Windows expected to find it. That happens. It's a good idea to create a folder named something like "Wallpapers" in your "My Documents" folder. Any time you wish to use a picture as a desktop background, or "wallpaper", copy that picture into your "Wallpapers" folder. Now, just right-click on the image in the Wallpapers folder, and select "Set as desktop item" - that should put the image on your desktop. As long as the desired image isn't moved from the Wallpapers folder, Windows will find it and use it as your desktop. As a backup, you can create another folder, and name it something like "Desktop Themes". When your desktop is displaying the image you want, again right-click anywhere on the desktop not occupied by an icon, and select "Properties" to bring up the Display Control Panel. From the "Themes" tab of the Display Properties control panel, click "Save As", name it something meaningful to you, and save it to your Desktop Themes folder.

If that doesn't help you get to where you want to be, lemme know, and we'll go from there.

Now - that popup you mentioned. It would be very helpful if you could report the exact, verbatim message you receive, and the circumstances under which it occurs - does it come up from time to time while browsing, or does it come up right after booting up or logging on, or does it come up while you're using a particular application? Try to be as specific as you can.

On the subject of yuckware removal and control, if you care to check into it, excellent resources for reliable, objective information on computer security and privacy can be found on the websites of Ben Edelman, Eric Howes, DoxDesk, and CEXX.ORG. A list of rogue anti-yuckware apps - those that don't work, those that are rip-offs of legitimate apps, and those that install or are themselves spyware/adware - is available at Spyware Warrior's Rogue/Suspect Anti-Spyware Products & Web Sites, and a listing of reliable, recommended applications is available at Trustworthy Anti-Spyware Products.
0 Replies
 
timberlandko
 
  1  
Reply Mon 12 Sep, 2005 10:17 pm
MZathras wrote:
Check this link;
http://forums.techguy.org/t394874.html
Because of this string;
C:\Program Files\ewido\security suite\ewidoctrl.exe

That's a necessary component of Ewido Security Suite, which is a reputable, reliable, trustworthy, highly effective broad-spectrum anti-yuckware app.

Quote:
Check this link;
http://www.file.net/process/bthelpnotifier.exe.html
Because of this string;
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

That, as referenced earlier, relates to BT Broadband software, part of that ISP's installation package. While not necessary at startup, it is in no way malicious, and has essentially no impact on available resources.


Dunno what arouses your concern here - laydback's log shows that's what and where it should be; it's a legitimate component of the MSN toolbar.


Shareaza is just about the safest P2P app out there. Free, open source, easy to use, and devoid of yuckware payload of its own, it's what I'd recommend to anyone who wants a P2P app. Now, anyone using a P2P app, regardless of which one, is foolish to open anything downloaded without first scanning it with a good antivirus and a good antiyuckware, but Shareaza by itself is perfectly fine to use if used intelligently.

Quote:
Actually I would recommend you remove all your spyware and firewall software and upgrade to XP SP2. Your machine is a mess, but the first link looks like it could match your complaint.

Dunno how you come up with any of that - mind going into detail? The log is a little heavy on startups, and setting some of those to manual will free up a small amount of resources, but overall, other than being behind on updates - really should have SP2 - laydback's machine appears to be in fine shape.

Quote:
Sorry I misundstood your name for being female I should have looked closer.

Look into Symantec Internet Security, no I don't have an agenda I use the product and it lets me know what is going on.

Norton/Symantec Internet Security is a fine multi-product security and privacy suite, though it's a resource hog, best suited to machines with relatively fast processors and plenty of RAM - it places a helluva load on a lesser machine. But then, so do equivalent products from any number of vendors. User choice, really, as long as you stick to the products of reputable, major name-brand vendors IMO - none of 'em are perfect, but any of 'em are better by far than nothing at all. Several of the free-for-home-use antivirus apps, antiyuckware apps, and firewalls perform just about as well, if at the cost of a bit less convenience and automation.
0 Replies
 
laydbak
 
  1  
Reply Tue 13 Sep, 2005 10:44 am
timberlandko wrote:
Sorry, laydback - been busy today, just getting back to this. Let's see what we can do about re-personalizing your desktop.

Try right-clicking on any area of the desktop not occupied by an icon. Select "Properties" to bring up the Display Control Panel, and then, on the "Themes" tab, select "Windows XP" from the dropdown. Click "Apply", and see what happens; if the standard Windows XP desktop wallpaper shows up, the problem likely is simply that the picture you used for your desktop was moved or deleted from the folder in which Windows expected to find it.
If that doesn't help you get to where you want to be, lemme know, and we'll go from there.

Now - that popup you mentioned. It would be very helpful if you could report the exact, verbatim message you receive, and the circumstances under which it occurs - does it come up from time to time while browsing, or does it come up right after booting up or logging on, or does it come up while you're using a particular application? Try to be as specific as you can.


I had already tried the right-click and "reset" method, but whatever I try it comes up as a white screen with the icons on it.

As for the pop-up message, there is no real time that it pops up. It just seems to when it feels like it!

"Usually" it does it as soon as the PC comes up with the Windows screen.
Since I've been logged in it hasn't come up, typical! When it does next I'll post on here what it says.

Cheers
Karl
0 Replies
 
timberlandko
 
  1  
Reply Tue 13 Sep, 2005 11:34 am
I take it you mean you've tried setting "Themes" to a standard, default Windows setting - is that correct? Have you tried selecting an image - any image, right-clicking on it, and selecting "Set as Desktop Background"?

If you feel adventurous, there are some Registry settings that might be worth checking out.

Go to Start > Run, then, in the dialog box that opens, type, without the quotes, "regedit", and click "OK". Registry Editor will open. Important note: before altering anything in the Registry, be sure to back up any key you intend to change. It is unnecessary to back up the entire registry; in fact, in Win XP that's a bit of a trick, but it's no big deal to back up any individual key you intend to play with before you play with it.

Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

and look for a DWORD value called, or very closely resembling, NoChangingWallPaper. If it's there, right-click and delete it.

In

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

you should NOT have the following values:

NoActiveDesktop
ForceActiveDesktopOn


If you find them, delete them.

And for the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

you should find only the "(default)" string. Some common possible problem-causing strings can include:

NoComponents
NoAddingComponents
NoDeletingComponents
NoEditingComponents
NoHTMLWallpaper



There are other strings that might appear there, but whatever, the only string you should have there is "(default)", delete anything else.
0 Replies
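As an added example (not from the thread), here is a PowerShell script that does the checks above for you: it lists any of the named values present under the two HKCU Policies keys, exports each key with reg.exe before touching it, and deletes the values only when run with -Remove. The function names and the backup folder are my own choices; run it in the affected user's own session.

```powershell
# Added example (not from the thread): report the per-user policy values
# named in the post above, export each key with reg.exe before any change,
# and delete the values only when -Remove is passed.
# Caveat: if these values are pushed by domain Group Policy they will be
# re-applied at the next policy refresh, so the fix then belongs in the GPO.
$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Per subkey, the values the post says should not be there. Under
# ActiveDesktop anything besides "(default)" is reported as well.
$listedValues = @{
    ActiveDesktop = @('NoChangingWallPaper', 'NoComponents', 'NoAddingComponents',
                      'NoDeletingComponents', 'NoEditingComponents', 'NoHTMLWallpaper')
    Explorer      = @('NoActiveDesktop', 'ForceActiveDesktopOn')
}

# Read-only: returns one object per value that should not be present.
function Get-DesktopPolicyFindings {
    foreach ($subKey in $listedValues.Keys) {
        $keyPath = Join-Path $policyRoot $subKey
        if (-not (Test-Path $keyPath)) { continue }   # no key means nothing restricting
        $key = Get-Item $keyPath
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }            # "(default)" is expected
            $listed = $listedValues[$subKey] -contains $name
            # Explorer holds many unrelated policies; only the two listed matter here.
            if ($subKey -eq 'Explorer' -and -not $listed) { continue }
            [pscustomobject]@{
                Key    = $keyPath
                SubKey = $subKey
                Name   = $name
                Data   = $key.GetValue($name)
                Listed = $listed
            }
        }
    }
}

# Export the key to a .reg file first, as the post advises; abort if that fails.
function Backup-PolicyKey {
    param([string]$SubKey, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("Policies-$SubKey-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    # reg.exe wants the native key name, not the HKCU: drive form
    & reg.exe export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\$SubKey" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $SubKey failed; not touching the key" }
    return $file
}

function Repair-DesktopPolicy {
    param([switch]$Remove,
          [string]$BackupDir = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Registry Backups'))
    $findings = @(Get-DesktopPolicyFindings)
    if ($findings.Count -eq 0) { Write-Host 'No desktop-restricting policy values found.'; return }
    $findings | Format-Table SubKey, Name, Data, Listed -AutoSize | Out-String | Write-Host
    if (-not $Remove) { Write-Host 'Re-run with -Remove to back up the keys and delete these values.'; return }
    foreach ($group in ($findings | Group-Object SubKey)) {
        $backup = Backup-PolicyKey -SubKey $group.Name -BackupDir $BackupDir
        Write-Host "Exported $($group.Group[0].Key) to $backup"
        foreach ($f in $group.Group) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
            Write-Host "Removed $($f.Name)"
        }
    }
    Write-Host 'Log off and back on so the change takes effect.'
}

Repair-DesktopPolicy            # report only; add -Remove to act
```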
 
laydbak
 
  1  
Reply Thu 15 Sep, 2005 06:29 am
I've tried the "Themes" set to standard as well as trying a picture of my own, but neither will allow me to see anything apart from a white screen.

I'll have a go at the registry setting in a while.

When I switch on the PC and Windows loads, that's when I receive the message. This message says:

You(or a programme) have requested information from www.pctools.com. Which connection do you want to use?

"www.pctools.com" is the norm, but other web addresses are sometimes shown.

Cheers for the help so far
Karl
0 Replies
 
timberlandko
 
  1  
Reply Thu 15 Sep, 2005 09:48 am
That particular message indicates Spyware Doctor, a legitimate app, which it appears you do have on your machine, is trying to call home - most likely to check for updates. Though you appear to have a broadband connection, the Dial-up Connection Wizard wants to know how you want PC Dr to connect. I doubt that has anything to do with your desktop display problem, but we might as well try to sort it out anyway. I suggest you go to your browser's toolbar, select "Tools">"Internet Options", click the "Connections" tab, click "Never dial a connection", click "Apply", click "OK", reboot, and see what happens. The popup should not reappear, though, as I said, I don't think this is going to do anything for the desktop background picture issue.

It appears also there are a couple minor problems with PC Dr. itself (some of those "orphan references" I mentioned); assuming it is a program you want, use, and have paid for, and for which you have the download link, or the installation media, and the subscription key, I would uninstall it and reinstall/reconfigure it. If you downloaded the trial version only, and have not paid for a subscription to PC Dr, just leave it uninstalled. If you have a valid, current subscription, but no longer have the subscription key, go to the application vendor's website support pages, and follow the instructions to obtain a replacement subscription key.

Either way, when you've done whatever regarding PC Dr., it's a good idea to do a little "just to make sure" stuff.

Print out these steps, perform any updates or downloads as required, then proceed with the routine described.


I suggest you download install, update and configure Microsoft AntiSpyware Beta. Don't run it yet, just download, install, update and configure it (instructions for updating and configuring may be found HERE).

Download and install CCleaner. Don't run it yet, just download and install it.

When that has been done, disconnect from the internet - physically unplug your machine from your broadband interface if you are unsure how to turn off your broadband connection.

Next, launch EWIDO, and update it. When EWIDO has updated, close it, then re-launch it, run a full-system scan and have it fix whatever, if anything, it finds. Please save the log it will create when it has finished.

Next, launch Microsoft Antispyware, check to be certain it is set to scan all drives, and run a full system scan with it, likewise having it fix whatever, if anything, it finds.

When that has been accomplished, reboot into Safe Mode. Launch Microsoft Antispyware, and again run a full system scan-and-clean routine.

When that has completed, reboot back into safe mode, launch EWIDO, and have it perform a full system scan-and-clean routine. Please save the log.

When that has completed, run CCleaner. When it opens, select "Analyze", let it scan through your system (should be just a couple minutes), then select "Run Cleaner", confirm you wish to delete files, and follow any onscreen prompts.

Now, reboot normally, but do not connect to the internet. Launch EWIDO again, run a full system scan-and-clean routine, and please save the log.

Without rebooting, launch Microsoft Antispyware and run a full system scan-and-clean routine.

Next, without rebooting, launch CCleaner, and run a full system scan-and-clean routine. When that cleanup is complete, click on the 3rd tab , "Issues", and select "Analyze". When the analysis has completed, select "Fix selected issues .... ", and confirm when prompted. The application will offer to write a registry backup - let it do so. It will offer to place the backup in your "My Documents" folder - select "New Folder", name the folder "CCleaner Backups", and click "Save".

When that has completed, reboot normally, but do not yet connect to the internet. Immediately on reboot, while not connected to the internet, perform one more full system scan-and-clean routine with CCleaner, then reboot normally. Immediately following that, reboot normally once more, and while still not connected to the internet, immediately run HJT, fixing nothing, just saving the log. Follow that with one more run of EWIDO. If it does find anything, let it try to fix it. Please save the log.


Now, reconnect to the internet, navigate back here, and post the HJT log and all 3 EWIDO logs - please label the EWIDO logs something like "1st Run", "Safemode run", and "2nd run", respectively, so I can be sure which log is which when I'm looking at them. Once we're sure your machine is clean, we'll revisit the desktop display issue.
0 Replies
 
laydbak
 
  1  
Reply Fri 16 Sep, 2005 02:47 pm
OK, here goes. I've followed what you said and here are the results.

When not connected to the internet, more sites requested info.

Also when i close down the computer i can see my desktop picture in the background just before the logging off.

1st run-
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 00:28:40, 16/09/2005
+ Report-Checksum: 8533A8E2

+ Scan result:

C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\karl\Cookies\karl@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_29.exe -> TrojanDownloader.Mediket.ay : Cleaned with backup


::Report End

safe mode:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:04:06, 16/09/2005
+ Report-Checksum: FDEAB646

+ Scan result:

No infected objects found.


::Report End

2nd run:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:55:15, 16/09/2005
+ Report-Checksum: AC43BF5F

+ Scan result:

No infected objects found.


::Report End

hjt log file:


Logfile of HijackThis v1.99.1
Scan saved at 21:12:51, on 16/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Documents and Settings\karl\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freenetname.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by freenetname pay as you go
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {509075B1-0742-4C8E-82DD-E9FCBB9E8DF9} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenetname.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6uk.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

cheers for the assistance so far

Karl
 
timberlandko
 
Reply Sun 18 Sep, 2005 12:26 am
Sorta got good news/bad news here - the good news is it appears your problem stems from this:
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe,
which is your machine's particular instance of a little bugger which names itself randomly on every machine it infects.

The bad news is that it's a real bear to get rid of; it hides itself in numerous places, and rebuilds itself if any of its locations are missed - complicating things is that it hides itself very well, and uses a differing variety of techniques to protect itself. Further complicating things is that none of your logs include other entries I would expect to find accompanying that puppy - odd, to say the least.

I'm still looking into it, and so are lotsa other folks. As yet there is no removal tool for the sucker; all "fixes" that so far have been successful involve some direct registry work. I'm gonna keep looking; several folks are working on a tool to handle this, but results so far have been uneven. Worse comes to worst, we can try the registry route, but I'm really not in favor of doing that quite yet ... results there have been uneven as well.

On the bright side, though it's a new variant, it's not an unknown, and it's being worked on by some very good folks.
 
MZathras
 
Reply Sun 18 Sep, 2005 03:36 am
timberlandko wrote:

I'm still looking into it, and so are lotsa other folks. As yet there is no removal tool for the sucker; all "fixes" that so far have been successful involve some direct registry work. I'm gonna keep looking; several folks are working on a tool to handle this, but results so far have been uneven. Worse comes to worst, we can try the registry route, but I'm really not in favor of doing that quite yet ... results there have been uneven as well.


Pull it out by its teeth. But what do I know, I have an "Agenda". I told you I have seen this before. Better yet, get some decent protection software.

But you're the guy with the animated Avatar, so I bow to your "posts and position".
 
timberlandko
 
Reply Sun 18 Sep, 2005 10:18 am
MZathras, bow to whatever trips your trigger. Symantec/Norton, btw, any flavor, consumer or enterprise, would have been of no service in this instance; it neither would have blocked, nor, failing that, detected and removed the culprit. Still doesn't, as of perusal of assorted mailing lists, newsgroups and fora this morning.

Now, if you have a proven, effective fix for the specific issue at hand, why not post it, instead of playing with your ego?


OK, back to the issue at hand, which is resolving laydbak's problem ... hopefully without direct registry editing.

One other tool we're gonna use here is Pocket Killbox - just download it and unzip it to an easy-to-find folder for later use; don't run it right now.

While it prolly won't "fix" this bugger by itself, laydbak, Panda ActiveScan does seem to detect and report any of several files which have been of use in getting to the root of the symptoms you're describing. Please run the scan-and-clean as detailed at Panda's website, and save and post the log once the scan has completed. I'd also like to see another fresh-after-boot HJT log, performed after Panda ActiveScan.
 
laydbak
 
Reply Mon 19 Sep, 2005 06:38 am
activescan log after cleanup:
Incident Status Location

Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:Adware/Startpage.XL No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/Startpage.XL No disinfected C:\RECYCLER\Q678341.exe
Security Risk:Application/Poliphonic No disinfected H:\suprnova\Ringtones + Polyphonic Wizard v2.3.3\Polyphonic Tones.part01.rar[cwpolywz.exe]


Logfile of HijackThis v1.99.1
Scan saved at 13:38:23, on 19/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\karl\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freenetname.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by freenetname pay as you go
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {509075B1-0742-4C8E-82DD-E9FCBB9E8DF9} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenetname.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63AF9792-A9C7-463F-85EB-F6087BA01DDD}: NameServer = 194.72.9.44 194.74.65.86
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


cheers

Karl
 
MZathras
 
Reply Tue 20 Sep, 2005 11:22 pm
Virus Name
timberlandko wrote:
MZathras, bow to whatever trips your trigger. Symantec/Norton, btw, any flavor, consumer or enterprise, would have been of no service in this instance; it neither would have blocked, nor, failing that, detected and removed the culprit. Still doesn't, as of perusal of assorted mailing lists, newsgroups and fora this morning.

Now, if you have a proven, effective fix for the specific issue at hand, why not post it, instead of playing with your ego?


OK, back to the issue at hand, which is resolving laydbak's problem ... hopefully without direct registry editing.

One other tool we're gonna use here is Pocket Killbox - just download it and unzip it to an easy-to-find folder for later use; don't run it right now.

While it prolly won't "fix" this bugger by itself, laydbak, Panda ActiveScan does seem to detect and report any of several files which have been of use in getting to the root of the symptoms you're describing. Please run the scan-and-clean as detailed at Panda's website, and save and post the log once the scan has completed. I'd also like to see another fresh-after-boot HJT log, performed after Panda ActiveScan.


Has a virus name been given to this issue?

Thanks
 
timberlandko
 
Reply Wed 21 Sep, 2005 12:17 pm
Re: Virus Name
MZathras wrote:
Has a virus name been given to this issue?

Thanks

No, as it's not a virus; it's a variant trojan which exploits a vulnerability which Microsoft fixed some time ago, but of course, without the requisite Service Packs and other Critical Updates installed, a machine remains vulnerable.

OK - back to the actual business at hand. laydbak, for any of this to do any good, you really should get your Windows up to date. Is there a reason you have not kept your Windows and Internet Explorer current? I strongly suggest you visit Windows Update and get caught up on Service Packs and Critical Updates before doing anything else. There isn't much point to chasing pests out of the barn if the doors are left wide open. I suggest also you run the latest version of the Microsoft Malicious Software Removal Tool.

Anyhow, while it's best you get current before continuing as detailed below, if for some reason you can't, you can still try this with things as they are on your machine. Print out the following steps, perform any suggested updates and/or online scans, and step through the remaining items, in the order listed, if you would please.

Go to Trend Micro Online Spyware Scanner, and follow the instructions there to run the free online scan-and-remove procedure. When it has completed, save the report.

Update EWIDO, then run a full system scan-and-clean, fixing anything found, and save the log.

Launch Microsoft Antispyware, and update it. When it has updated, don't run it, just close it.

Launch CCleaner and update it by clicking "Check for updates now" down at the bottom right of the program's start page and following the prompts. When it has updated, don't run it, just close it.

Go to Start>Run> and type, without the quotes (or copy-and-paste), "cmd" and click "OK". At the blinking cursor in the black-and-white Command box, type, without the quotes (or copy-and-paste), "sc stop d10b54a67e8svr" and click "Enter". Then type, without the quotes (or copy-and-paste), "sc delete d10b54a67e8svr" and click "Enter". When that has been done, type, without the quotes, "exit", and click "Enter". Reboot into safe mode.

Launch Hijackthis, click "Scan", and put a checkmark next to ONLY each of these, if reported:

O4 - HKLM\..\Run: [de812e1f990] C:\WINDOWS\System32\d10b54a67e8.exe
O4 - HKCU\..\Run: [de812e1f990] C:\WINDOWS\System32\d10b54a67e8.exe
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {509075B1-0742-4C8E-82DD-E9FCBB9E8DF9} - http://bt.yahoo.com (file missing) (HKCU)
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe


Click "Fix Checked". Do not reboot.

Launch Microsoft Antispyware, select "Advanced Tools", then select "Browser Restore". Select "Check All", then click "Restore". This will reset your Internet Explorer and Search options to Microsoft defaults; when things have been cleaned up, you can manually reconfigure them as you wish. When the Browser Restore function has been completed, run a full system scan-and-clean with Microsoft Antispyware. Do not reboot.

Launch EWIDO, and run a full system scan-and-clean, fixing anything found, and save the log. Do not reboot.

Now, launch Pocket Killbox and select "Delete on reboot". Enter EXACTLY or copy-and-paste, one at a time, the following files to the field labeled "Full path of file to delete":

C:\WINDOWS\System32\d10b54a67e8.exe
C:\WINDOWS\d10b54a67e8.exe


Click "Delete" (the button that looks like a red circle with a white X in it) after entering the first file. A dialog box will ask if you want to delete the file on reboot; click "No" if more than one file is listed above, enter or copy-and-paste the next file and again click "Delete", selecting "No" at the reboot prompt until all files have been entered. When all listed files have been entered, click "Yes" to the reboot prompt. Another dialog box will ask you if you want to reboot now. Click "YES". Your computer will reboot ... let it reboot normally, but do not allow it to connect to the internet (if necessary, physically disconnect your machine from its internet access interface - unplug your phone line or the ethernet cable connecting your machine to your broadband interface).

When it has rebooted, with Windows Explorer (Windows key + E - NOT Start>Search) configured to Show All Files, navigate (if your instance of Windows Explorer does not display an address bar, right-click anywhere on a blank section of the browser's tool bar. Make sure "Lock the Toolbars" is NOT selected, then select "Address Bar" - you may have to drag the Address Bar tab to enable access to the address bar dialog box) to C:\WINDOWS\, look for and, if found, delete the file d10b54a67e8.exe.

Next, navigate to C:\WINDOWS\System32\, look for and, if found, delete the file d10b54a67e8.exe.

Now, go to Start>Run>Search, select "All files and folders", and in the "All or part of the file name" dialog box type, without the quotes, but being sure to include the asterisks (or copy-and-paste), "*d10b54a67e8*", be sure "Look in" is set to "Local Hard Drives (C:)", then click "More advanced options" and select "Search system folders", "Search hidden files and folders", and "Search subfolders", then click "Search". When Search announces it has completed (could take a while), in the right-hand Search Results box, right-click on each instance found, if any, and select-and-confirm "Delete".

Repeat the above, searching for and deleting every instance, if any, of the term "*WindowInstallSystem*".

Launch CCleaner, click on the 3rd tab, "Issues", and select "Analyze". When the analysis has completed, select "Fix selected issues .... ", and confirm when prompted. The application will offer to write a registry backup - let it do so. It will offer to place the backup in your "My Documents" folder - select "New Folder", name the folder "CCleaner Backups", and click "Save", then allow CCleaner to fix all issues found. Next, without rebooting, select "Cleaner", and run a full system scan-and-clean.

When that has been completed, reboot normally, immediately run another HJT scan, fixing nothing, just saving the log, then run EWIDO again, saving the log. When that has been completed, connect to the internet, and post the new HJT log, along with the 2 new EWIDO logs and the report from Trend Micro.
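As an added example (not code from the thread, from HijackThis or from any of the posters), a small Python triage script that applies the pattern timberlandko is working from to an HJT log: an O23 service with an unknown owner whose binary has a random hex name directly under C:\WINDOWS or C:\WINDOWS\System32, plus the O4 Run entries that launch it and the O9 buttons marked "(file missing)". The sample log is constructed from lines quoted in the thread with benign entries mixed in; the hex-name heuristic and the directory list are assumptions of this example, and it goes slightly beyond the thread by also flagging a hex-named O4 target that has no matching O23 entry.

```python
r"""Triage a HijackThis log for a randomly named service and its helpers.

Added example for this thread, not HijackThis code and not something the
posters ran.  It flags: an O23 service with 'Unknown owner' whose binary has
a long hex name directly in C:\WINDOWS or C:\WINDOWS\System32; O4 Run entries
launching that binary (or any other hex-named one there); O9 buttons marked
'(file missing)'.  SAMPLE_LOG is constructed from lines quoted in the thread
plus benign entries that must not be flagged.  The hex-name heuristic and
the directory list are assumptions of this example.
"""
import re

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")   # '(d10b54a67e8svr)' at the end of a display name
HEX_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}   # assumed default install location

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [de812e1f990] C:\WINDOWS\System32\d10b54a67e8.exe
O4 - HKCU\..\Run: [de812e1f990] C:\WINDOWS\System32\d10b54a67e8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: BT - {4DB6579A-8CE5-488A-9E81-23AEA8107941} - http://www.bt.com (file missing) (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: WindowInstallSystem (d10b54a67e8svr) - Unknown owner - C:\WINDOWS\d10b54a67e8.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
"""


def split_path(path):
    """Return (lower-cased directory, file stem) of a Windows path."""
    path = path.strip().strip('"')
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename.rsplit(".", 1)[0]


def looks_random(path):
    """True for a long hex-only file name placed directly in the Windows or
    System32 directory (the thread's d10b54a67e8.exe); a mix of digits and
    letters is required so a plain word or a plain number is not flagged."""
    directory, stem = split_path(path)
    if directory not in WINDOWS_DIRS or not HEX_RE.match(stem):
        return False
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def run_target(cmd):
    """Executable launched by an O4 Run value: the quoted part, else the first token."""
    cmd = cmd.strip()
    return cmd.split('"', 2)[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage(log_text):
    """Return the service short names to stop/delete, the hex tokens found and
    the HJT lines a helper would tick for 'Fix checked', in HJT section order."""
    services, tokens, o4, o9 = [], set(), [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            if m["owner"].strip().lower() == "unknown owner" and looks_random(m["path"]):
                sm = SHORT_RE.search(m["display"])       # short name used by 'sc'
                services.append((sm["short"] if sm else m["display"], line))
                tokens.add(split_path(m["path"])[1].lower())
            continue
        m = O4_RE.match(line)
        if m:
            o4.append((m["cmd"], line))
        elif line.startswith("O9 - ") and "(file missing)" in line:
            o9.append(line)
    fix = [line for _, line in services] + o9
    for cmd, line in o4:                                 # Run keys launching the binary
        if looks_random(run_target(cmd)) or any(t in cmd.lower() for t in tokens):
            fix.append(line)
    fix.sort(key=lambda l: int(l.split(" ", 1)[0][1:]))  # O4 before O9 before O23
    names = [name for name, _ in services]
    return {
        "service_names": names,
        "tokens": sorted(tokens),
        "fix_lines": fix,
        "sc_commands": [f"sc {verb} {n}" for n in names for verb in ("stop", "delete")],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("\n".join(result["sc_commands"]))
    print("Tick in HijackThis and 'Fix checked':")
    for line in result["fix_lines"]:
        print("  " + line)
```

Run against a real log it only reports; the stop/delete and Killbox steps above remain a manual decision after checking each flagged line.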
 
MZathras
 
Reply Wed 21 Sep, 2005 04:04 pm
Re: Virus Name
timberlandko wrote:
MZathras wrote:
Has a virus name been given to this issue?

Thanks

No, as it's not a virus; it's a variant trojan which exploits a vulnerability which Microsoft fixed some time ago, but of course, without the requisite Service Packs and other Critical Updates installed, a machine remains vulnerable.

You wouldn't have the KBxxxxxx number of the Microsoft fix, would you? I would like to review it for my own edification.
 
timberlandko
 
Reply Wed 21 Sep, 2005 04:55 pm
Sorry, MZathras, offhand, I don't. Sorry to be vague, but if I recall correctly (which isn't a given) it seems to me - though I could be wrong - the exploit was addressed in one of the post-SP1 Critical Updates, and/or SP2, or perhaps in an IE-specific Critical Update post-SP1. The signature, "WindowInstallSystem", and/or a couple close cousins, has been turning up with some frequency recently, typically, but not exclusively, in HJT logs from European users. The common denominator seems to be the absence of SP1 and/or post-SP1 Critical Updates and/or absence of SP2, though some examples have been found on Win2K SP4 and earlier systems, also all lacking more recent Critical Updates, apparently particularly those specific to IE.

Again, just an impression at the moment, but I really tend to believe the exploit in question is one specific to IE6 or earlier under Win2K or XP, though that too could be a mistaken impression. I do note the puppy does not seem, at least to my research, to show up on fully currently updated systems - it might, but though I've looked around some, and asked about it on various Privacy/Security forums, newsgroups, blogs, and mailing lists I frequent, as yet I've come across no example of such. That of course may mean only that I haven't found any, not that they aren't out there.
Copyright © 2025 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.05 seconds on 12/28/2025 at 06:45:14