Member Panel

Arastar

Sorry about the double post.

I appreciate the help. I'll go through the steps you've outlined and upload a new log files.

As far as the Win-Spy goes. I am the ONLY user on this PC. Seems that's tracking software? This PC is in my home office and locked during the day...and I live alone. My girlfriend doesn't have a key and is not PC savvy. I'll get rid of it of course...(not the girl)

joe5

Originally Posted by Arastar

I'll get rid of it of course...(not the girl)

LOL :grin: , see if you can uninstall it in add/remove programs. If not , add this line to the fix list:

O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe

and delete the file in bold.

Arastar

Ok, I've done everything listed. I still have the issue with the wallpaper and now have some pop ups that I didn't have before this all started yesterday. Previously I never had any issues with pop ups.

I also ran AdAware while in Safe Mode. I read that it worked for someone with the same trouble on this board. Didn't work for me though.

Hopefully the log files will help.

Arastar

One final update.

I was told to remove Spoolsv.exe from my windows/system32 folder. I did that and it has returned after removing, deleting and re-starting.

joe5

Don't worry about that for now you had a pretty nasty infection there that is not possible to clean in one go , and also needs some checking to see if it hasent deleted any windows files.

But its looking pretty good already , but still plenty to do im afraid.

First i see that you have the Messenger services enabled , unless you need it i would really disable that:

Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state ? running or disabled ? that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.

Then boot in safemode and fix these with hjt:

O2 - BHO: (no name) - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - (no file)
O2 - BHO: (no name) - {C2B58764-C5C7-1BD4-E562-74CAC3710D50} - (no file)
O2 - BHO: (no name) - {DC9BE935-CD27-46E2-9A15-52879D1A81EC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FC11535-E3DC-4278-9447-3019F7A6BE21}: NameServer = 85.255.114.87,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3038260-1927-48BD-8032-3185DF46C2C7}: NameServer = 85.255.114.87,85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{C13ACAC4-7DC0-483E-B52C-CC56FBF610F2}: NameServer = 85.255.114.87,85.255.112.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{4FC11535-E3DC-4278-9447-3019F7A6BE21}: NameServer = 85.255.114.87,85.255.112.68

Now we need to see if we need to restore some deleted files:
Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll (only if you have Spybot installed)

If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to installthem where they belong for your OS.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original Hosts file.

Download this reg fix: spysheriffdesktopfix , unzip and dubbel click on it and enter it to the registry.
http://users.telenet.be/marcvn/regfi...desktopfix.zip

And then post a new hjt log plus a discription of remaining problems.

joe5

Originally Posted by Arastar

One final update.

I was told to remove Spoolsv.exe from my windows/system32 folder. I did that and it has returned after removing, deleting and re-starting.

Who is telling you that ?? Be happy it came back..lol.

Arastar

Well, that last fix seemed to gid rid of my wallpaper issue. It's back and clickable again. THANKS!!

Here is the latest HJT log. Am I clean? :undecided