PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] cant change desktop...or ctrl alt delete
#1 - 07-04-2006 - ablizno (Bronze Member; Join Date: Jul 2006; Posts: 7)
[Fixed] cant change desktop...or ctrl alt delete

Hi, I'm trying to fix a computer for a friend but am having no luck with this part. When the computer is turned on the desktop is blue (icons show up and so does the taskbar) but I cannot change the desktop. Also, in the middle of the screen is a green box in some other language with a title like "xxx access something", but that green box can be closed. Here is the HijackThis log:

http://hijackthis.de/logfiles/ad21f1...d6c9c9a5b.html


#2 - 07-04-2006 - Pancake, Senior Security Analyst (Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,590; PC Experience: Elite PC Guru)

Please follow the instructions for posting a HJT log from my signature...


__________________
My real name is Eddy
#3 - 07-04-2006 - ablizno (Bronze Member; Join Date: Jul 2006; Posts: 7)

I'm sorry, here you go.
Attached: hijackthis.log (10.9 KB)


#4 - 07-04-2006 - ablizno (Bronze Member; Join Date: Jul 2006; Posts: 7)

OK, because no one tried to help I did it myself and fixed everything. The firewall wouldn't work; fixed it. I can change the background, Ctrl-Alt-Delete works, everything cleared up, all spyware gone. Now one problem: THERE IS A BLUE HIGHLIGHT around the desktop icons. I tried the drop shadow button, didn't work. Deleted the explorer path in the registry, didn't work. Now what?


#5 - 07-05-2006 - Pancake, Senior Security Analyst (Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,590; PC Experience: Elite PC Guru)

Hi
Please don't always expect instant help. Everyone here is a volunteer and we all have other things to do. Please be patient, as they are very busy people and also have others to help.

You have quite a few Trojans that will need a fair bit of fixing. Your desktop problem stems from these. We will fix that next time round.
Just take your time and fix one section at a time. Download all fixes first.

==========================================

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
==========================================
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU).
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.
In the "scriptline to execute" field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.
Wait for the "complete script execution" box to pop up and press OK.
Click "save".
In "filename" enter log.txt
Click exit to exit the BFU program.
Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder.
==========================================

Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk" C:/ or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.
==========================================

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jjedx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,uekgixs.exe
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsx50.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {576C2C2A-B5C1-B635-BD2A-E8ABB93EB5CF} - C:\WINDOWS\system32\pdped.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [defender] C:\\defender23.exe
O4 - HKLM\..\Run: [sqrqxq] C:\WINDOWS\system32\tanyxs.exe reg_run
O4 - HKLM\..\Run: [keyboard] C:\\keyboard23.exe
O4 - HKLM\..\Run: [newname] C:\\newname23.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [c205f2c6.exe] C:\WINDOWS\system32\c205f2c6.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\xkikup.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\Run: [DCOM Server] C:\DOCUME~1\Tina\LOCALS~1\Temp\explorer.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinpqez.exe GID003
O4 - HKLM\..\Run: [w0056096.dll] RUNDLL32.EXE w0056096.dll,I2 0011961400056096
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [pnxry] C:\WINDOWS\system32\tanyxs.exe reg_run
O4 - HKCU\..\Run: [c205f2c6.exe] C:\Documents and Settings\Tina\Local Settings\Application Data\c205f2c6.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\Tina\APPLIC~1\MCROSO~1\netdde.exe " -vt yazr
O4 - HKCU\..\Run: [atmgin] C:\WINDOWS\system32\atmgin.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [Gefcsg] C:\Documents and Settings\Tina\My Documents\??crosoft.NET\c?rss.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.exe"
O4 - HKCU\..\RunOnce: [atmgin] C:\WINDOWS\system32\atmgin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinpqez.exe
O4 - Global Startup: lhyae.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O15 - Trusted Zone: www.1987324.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: direct32.dll,C:\WINDOWS\system32\svch3e.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: se500mdm - C:\WINDOWS\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll
O20 - Winlogon Notify: wancp - C:\WINDOWS\SYSTEM32\wancp.dll.tmp
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGluYQ\command.exe (file missing)

Open Windows Explorer and delete the following highlighted file/s
Also delete the following red folder/s

C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\c205f2c6.exe
C:\Program Files\xkikup.exe
C:\WINDOWS\system32\winmuse.exe
C:\WINDOWS\system32\kwinpqez.exe
C:\WINDOWS\system32\kernels8.exe
C:\winstall.exe
C:\WINDOWS\system32\tanyxs.exe
C:\WINDOWS\system32\0mcamcap.exe
C:\WINDOWS\system32\vxgame6.exe3072.exe
C:\WINDOWS\system32\atmgin.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\kwinpqez.exe
C:\Program Files\webHancer
C:\WINDOWS\system32\WinNB57.dll
C:\Program Files\AlfaCleaner

Reboot.
===============================================
Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating, EXIT Ewido.
Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
  • In Safe Mode, run Ewido.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
Once finished, click the Save report button, then click Save Report As. This will create a text file.
Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.

Please perform another scan with Hijack This, and then post back with a copy of the Ewido log, the new HijackThis log, the Combofix log and the BFU log.txt.



Last edited by Pancake; 07-05-2006 at 01:42 AM.
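The entries Pancake asks to have fixed above are the persistence points the log exposes: system.ini Shell=/UserInit= hooks, Run-key autostarts from odd paths, IE Trusted Zone additions, AppInit_DLLs and Winlogon Notify DLLs, and a service whose binary is missing. As an added example that is not part of the thread or of HijackThis itself, here is a small Python triage script that parses lines in that log format and flags those properties; the sample lines are constructed from entries quoted in the post, and the rule set is an illustration rather than HijackThis's own logic.

```python
import re
# Constructed sample built from entries quoted in this thread (not a full HijackThis log).
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jjedx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,uekgixs.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [DCOM Server] C:\DOCUME~1\Tina\LOCALS~1\Temp\explorer.exe
O15 - Trusted Zone: *.media-motor.net
O20 - AppInit_DLLs: direct32.dll,C:\WINDOWS\system32\svch3e.dll
O20 - Winlogon Notify: wancp - C:\WINDOWS\SYSTEM32\wancp.dll.tmp
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGluYQ\command.exe (file missing)
"""
# Windows binary names that malware in this log borrows; legitimate copies live under SYSTEM_DIRS.
SYSTEM_NAMES = {"explorer.exe", "userinit.exe", "csrss.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def parse_line(line):
    """Split an 'O4 - ...' entry into (section, body); None for any other line."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def reasons(section, body):
    """Return why one entry looks suspicious (empty list = nothing flagged)."""
    low, found = body.lower(), []
    if section == "F2":  # system.ini Shell= / UserInit= hooks run at every logon
        key, _, progs = low.partition("=")
        progs = [p.strip() for p in progs.split(",") if p.strip()]
        if key.endswith("shell") and len(progs) > 1:
            found.append("Shell= launches extra program(s) besides Explorer.exe")
        if key.endswith("userinit") and any(not p.endswith("userinit.exe") for p in progs):
            found.append("UserInit= chains an extra executable at logon")
    elif section == "O4":  # Run-key autostarts: strip the '[name] ' prefix, keep the path
        path = re.sub(r"^.*?\] ", "", low).strip('"')
        name = path.rsplit("\\", 1)[-1].split(" ")[0]
        if "\\temp\\" in path:
            found.append("autorun from a Temp directory")
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            found.append(f"{name} run from outside the Windows directory")
    elif section == "O15":
        found.append("domain added to IE Trusted Zone (lowered security settings)")
    elif section == "O20":
        if low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
            found.append("AppInit_DLLs injects DLL(s) into every user-mode process")
        if low.startswith("winlogon notify:") and low.endswith(".tmp"):
            found.append("Winlogon Notify DLL with a .tmp extension")
    elif section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        found.append("service with unknown owner or missing binary")
    return found

def triage(log_text):
    """Map each flagged entry (verbatim) to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (why := reasons(*parsed)):
            flagged[line.strip()] = why
    return flagged
```

Run `triage(SAMPLE_LOG)` and the one entry that passes silently is the `[System] kernels8.exe` autorun, which shows why a helper still has to review every O4 line by hand rather than trusting path heuristics alone.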
#6 - 07-05-2006 - ablizno (Bronze Member; Join Date: Jul 2006; Posts: 7)

OK, so the computer is running great, but there is still the blue highlight; I can't figure out how to get rid of it. combofix.exe did not work, it came up with an error message. I forgot to check the log button on the Brute Force Uninstaller but it seemed to work. Also, qoofix.bat doesn't do anything, it flashes a cmd box for a split second. And my version of Ewido does not have a Save report button, but I did update manually; it found 4 problems, then when run again it found none. I fixed everything you said in HijackThis, so I only have a new HijackThis log, sorry. Can you please tell me how to get rid of those blue highlights?
Attached: hijackthis.log (6.2 KB)



Last edited by ablizno; 07-05-2006 at 09:21 PM.
#7 - 07-06-2006 - Pancake, Senior Security Analyst (Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,590; PC Experience: Elite PC Guru)

Still a few more to remove.

Please download the Killbox.
Run Killbox, left-click and drag your mouse over the highlighted files below (including filepath), then right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. Next go to Options > Delete on Reboot and click on "Process All in List". Please do this even if this option is already checked. You will get a message saying "File will be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot.

C:\WINDOWS\system32\Heqqbc32.dll
C:\WINDOWS\lt.exe
C:\WINDOWS\SYSTEM32\wancp.dll
C:\WINDOWS\SYSTEM32\se500mdm.dll
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

C:\DOCUME~1\Tina\MYDOCU~1\CROSOF~1.NET\CRSS~1.EXE
C:\WINDOWS\system32\atmgin.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\system32\winldra.exe
C:\Program Files\E2G\IeBHOs.dll

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {9C0AD764-003C-4CF0-9672-8E7D45B57DDB} - C:\Program Files\Messenger\howejec.dll
O2 - BHO: (no name) - {C89D3D6D-F089-A97D-AB3C-FCEA1DED2196} - C:\WINDOWS\system32\pph.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\system32\winldra.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [atmgin] C:\WINDOWS\system32\atmgin.exe
O4 - HKCU\..\Run: [Gefcsg] C:\DOCUME~1\Tina\MYDOCU~1\CROSOF~1.NET\CRSS~1.EXE
O20 - AppInit_DLLs: direct32.dll,c:\windows\system32\svch150.dll rundll.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: se500mdm - C:\WINDOWS\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: wancp - C:\WINDOWS\SYSTEM32\wancp.dll.tmp
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Heqqbc32.dll

Reboot and post a new log please.

