spyware! system error #384 - hijackthis log

I've tried following the advice on similar threads, but it hasn't worked, any advice is appreciated! thanks


Logfile of HijackThis v1.97.7
Scan saved at 9:33:05 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\system32\rundll32.exe
D:\users\david\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TightVNC\vncviewer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.127.1.11 10.127.2.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.127.1.11 10.127.2.11

 

Bump **

 

Hello kimwipes

I would like you to start with this:

Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Reboot the computer.

Run Hijackthis again and post a fresh log here.

 

Taz, thanks, the latest version of cwshredder got rid of the iexplorer hijack. The log is bellow. The only thing remaining is the annoying desktop "Warning! you are in danger ...", whenever I try to replace it, the new desktop flashes in for a second and comes right back

Logfile of HijackThis v1.97.7
Scan saved at 11:27:22 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
D:\users\david\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE

 

Copy what is in the quote box below to notepad and save it as noactd.reg

Close notepad. Doubleclick the file your just created and confirm you want to merge it with the registry.
It may take a reboot for the changes to take effect.

Run Hijackthis again and post a new log.