Good day to you all,

I´ve got infected with SpySheriff and removed it, as I thought successfully with SmitRem. But know I seem to get stuck with the following messages at startup:
"Windows cannot find C:\Windows\inet2001\services.exe. Make sure you typed the name correctly and then try again"
When I say ok on the window, I recieve the following message.

"Cannot load or run C:\Windows \inet20001\services.exe specified in the registry. Make sure the file exists or remove its reference from the registry

Sometimes the pc doesn´t shut down and I have to press the powerbutton to shut it down. the desktop I´ve lost all together. Can´t seem to get it back, but ónly on the administrator profile. Other profiles have a nice working desktop.

Plus: I constantly get a flaring red HotbarAdware message from Anti Spyware, at start-up, which doesn´t let itself remove from and is infecting my humor:D

My virusdetector is Norman, latest version, updated.
I´ve run AntiSpyware with result: no known issues detected.
I´ve run FixWareOut
I´ve run Spybot.
And in safemode I´ve run Ewido, antiMalware: C:\WINDOWS\system32\sysc.exe -> Worm.Locksky.m : Cleaned with backup.
Don´t know what else to do.:scratch:
I hope someone can help me....
Greetings from Holland...

Spyware Scan Details
Start Date: 16-2-2006 21:24:05
End Date: 16-2-2006 21:38:39
Total Time: 14 mins 34 secs

Detected Threats
No spyware threats were found during this scan.

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 23:52:56, 16-2-2006
+ Rapport samenvatting: F22CC395

+ Scan resultaten:

C:\WINDOWS\system32\sysc.exe -> Worm.Locksky.m : Schoongemaakt met een backup

::Einde rapport
Logfile of HijackThis v1.99.1
Scan saved at 0:06:52, on 17-2-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tgbstarter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI-configuratiescherm\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\SISTECH\TheGreenBow VPN\vpnconf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SISTECH\TheGreenBow VPN\tgbike.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Eigenaar\Mijn documenten\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI-configuratiescherm\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TgbVpn] C:\Program Files\SISTECH\TheGreenBow VPN\vpnconf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://pgc.planet.nl/classes/ExentCtl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - Unknown owner - (no file)
O23 - Service: SafeNet IKE Service (IREIKE) - Unknown owner - (no file)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINDOWS\system32\tgbstarter.exe

Hello and welcome to the forum. You do indeed have some nasties left, see this: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.html The information may help you see any damage done to your system and perhaps help you prevent it from happening again. There is other junk also, let's clean it up like this.

1) Open ewido and choose updates, allow time for it to compete. Close ewido.

2) Use these instructions to enter safe mode: http://www.bleepingcomputer.com/forums/tutorial61.html Once in safe mode,

3) Open ewido and choose scanner then complete system scan, allow ewido to delete anything it locates unless you know it is not bad. Save the scan report, I must see it.

4) Stay in safe mode, open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\services.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
(next one does not want to identify itself, you may leave it if you know it is safe)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex...amesplayer.cab
(next one is optional but it is adware based and I would not have it on my computer...you call, see the link for information)
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FPOP%2EA
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\inet20001\ >>> folder

C:\WINDOWS\sysldr32.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents(NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Restart the computer and post the ewido scan results, a new HJT log and any feedback you think I should have.

I see CCleaner, you can run it now also. You may use it on auto if you wish, but I suggest you save the resources and turn it off...then run it once a month or so. Your call, here is a good tutorial if you can use it: http://www.ccleaner.com/help/tour1.asp

Thanks...pskelley
Safer Networking Forums

Well pskelley, aren´t you my hero for today:D
I updated Ewido and ran complete system scan in safe mode.
---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 19:03:35, 17-2-2006
+ Rapport samenvatting: 6C30431A

+ Scan resultaten:

Geen geinfecteerde bestanden gevonden!


::Einde rapport:bigthumb:

I followed your instructions on Hijackthis and deleted all except the zylomgames. (It´s my daughters favourite european gamessite and well, I visit it often enough to wanna keep my highscores).

I cleaned content of the Prefetch folder. But...
C:\WINDOWS\inet20001\ >>> folder
C:\WINDOWS\sysldr32.exe >>> file
were nowhere in sight...and yes, I enabled hidden files and folders to be seen.:confused:
My desktop is still not visible BUT
for now, you made at least one lady happy today! :D I promise I will run CCleaner every month.
I restarted and (notices are gone, even HotbarAdware notice!!!) here are the results from the Dutch jury:

Logfile of HijackThis v1.99.1
Scan saved at 19:30:33, on 17-2-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tgbstarter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI-configuratiescherm\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\SISTECH\TheGreenBow VPN\vpnconf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SISTECH\TheGreenBow VPN\tgbike.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Documents and Settings\Eigenaar\Mijn documenten\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI-configuratiescherm\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [TgbVpn] C:\Program Files\SISTECH\TheGreenBow VPN\vpnconf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://pgc.planet.nl/classes/ExentCtl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - Unknown owner - (no file)
O23 - Service: SafeNet IKE Service (IREIKE) - Unknown owner - (no file)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINDOWS\system32\tgbstarter.exe

No problem about those items you could not find. Ewido probably removed them, I like to kill them several times and no problem with the game, that was why I gave you the option, I get nervous when they won't let me look. Gaming sites are notorius for malware. I was talking about this one:
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO

I rarely if ever see it on auto like that. Do you specifically have it set to run like that? If not, then use one or more of these free online scanners to make sure it is not a problem:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Navigate to the file and upload it to see what they say.

Since the log is clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

The Smitfraud trojan that brings spyshreriff and a load of other junk does mess up the Desktop, you may have to run the newest version of smitRem to fix it. (do not keep smitRem, it needs to be updated to often) Here are some things we can try.

1) Click Start, and then click Control Panel.
Double-click Display, click the Desktop tab, and then click Customize Desktop.
Select Restore Defaults

2) Right-click on the desktop
Click on the Properties item
When the Properties dialog comes up click on the Web tab
If Show Web content on my Active Desktop is checked then click on the page in the box below and click the Delete button
Uncheck the checkbox in front of Show Web content on my Active Desktop
Click the Apply button and then the Ok button

3) http://www.computerhope.com/issues/ch000593.htm

4) It could be possible, after reboot that the system is using the windows classic theme again.
To restore this and set it back to XP-theme, rightclick on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.

Let me know how it goes, safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums

Hello PsKelley,Thank you so much for the explanation...indeed, it´s a couple of months ago that I installed CClean and it´s probably just me in paranoid mood making sure everything is checked, so I leave no options out... I unchecked the box in CCleaner. Thank you for the tip on system restore...I turned it off yesterday and completely forgot to turn it on again:eek: Well....it is now!

I´ve tried everything you suggested on the desktop problem...and it´s still a no show. I deleted all smitrem related items and downloaded the program again, ran it in safe mode, but no such luck. I´ll get used to running my desktop through the explorer I guess. I thank you very muchs for your help! You´ve been wonderfully patient..:bow:
Greetings from Holland.

What exactly is the Desktop doing? Try to describe it to me. Holland, is that the Netherlands? And what process you are going through. Here is another idea but I have next tried this one. If you wish to give it a try, I can't make any promises one way or another.

http://www.msfn.org/board/lofiversion/index.php/t21581.html

Thanks...Phil

Yes indeed Phil, that is the Netherlands:D

Okay here we go...the desktop is just empty. In this case blue, since I put the settings on no wallpaper just now and no icons at all. If I download an internet explorer wallpaper it will show just that, but the icons on my desktop are just gone and won´t re-appear on my desktop. Oh my god.....If I tell you what I just did, this instant, pauzing just to try re-doing what I´ve been trying with my desktop all night to describe it to you, you´ll die laughing and I´ll die from shame:o

It´s like this: last december I got infected with Spysheriff. Downloaded Smitrem, gone through all the motions and got stuck with the problems I explained in my first post. No time, and not annoyed enough to really search for a solution, I kept looking for options to get my icons back on my desktop. In the meantime, a system consultant from work came around to install VPN and remote server and he too couldn´t get my icons back on the desktop. He couldn´t believe it, and I blond as I am, just let it go....everytime opening my desktop icons when needed, through my explorer.

And now, just preparing to write to you what´s happening on my desktop, I see an other option just re-appeared when I right click on my desktop. And I´d swear (I hope indeed I am not thát blond) it wasn´t there before.

When I rightclick on my desktop now I get the option (and I hope I translate the command right, because my pc is in dutch) arrange Icons on >>> then I get the option to show Desktop Icons ... And YES: here they are!!!

I really expect I should have tried this after the last attempt of running SmitRem, but then again I somehow expected the icons to re-appear themselves...never knowing this option was even there! Phil, if it wasn´t for you I wouldn´t have even tried it again...and again and missed it all together....Are you done laughing? Because I´m slowly, but only slowly recovering from deep shame...I herewith declare my pc recovered from any stupid actions I´ve ever made and promise to protect it against future attacks ...Thank you so much, Phil!

As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Glad we could help, thanks Phil. :)