# Help please!! DESKTOP.EXE virus. See log



## kurttt (Feb 18, 2005)

Hello,

I did about two hours of research on this virus and it led me to this great site. I believe the problem is in the desktop.exe? Was surfing the net two nights ago and a lot happened really fast and before I knew what was going on, I was hijacked. Here is my log; can someone please tell me what I need to do to get this thing under control? I will gladly PayPal a donation for this site if someone can help me. Thank you very much.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:00 PM, on 2/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\AvConsol.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\mslo.exe
C:\WINDOWS\system32\soft.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
\?\C:\WINDOWS\system32\aux.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\d3zv32.exe
C:\WINDOWS\System32\tibs5.exe
C:\windows\system32\ewajtcd.exe
C:\WINDOWS\msnmsgq.exe
C:\WINDOWS\shch.exe
C:\PROGRA~1\SYSTEM~1\soap.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\windows\system32\packager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\WINDOWS\shch.exe
C:\PROGRA~1\SYSTEM~1\soap.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jlymx.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {33F56A6A-2E16-643C-568E-3180370AF478} - C:\WINDOWS\sdklx.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\DigitalCamera\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [d3zv32.exe] C:\WINDOWS\d3zv32.exe
O4 - HKLM\..\Run: [C3.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C3.tmp.exe 1 10001
O4 - HKLM\..\Run: [C5.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C5.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ewajtcd] c:\windows\system32\ewajtcd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitebjv32.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\winupdate.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/version4/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/314/webolr/OCX/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O19 - User stylesheet: C:\WINDOWS\sample.txt
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\mslo.exe


----------



## kurttt (Feb 18, 2005)

please?


----------



## kurttt (Feb 18, 2005)

anyone? please?


----------



## buckaroo (Mar 25, 2001)

Wow, there is an awful lot here. Let's try this:

Download CWShredder:

http://www.intermute.com/spysubtract/cwshredder_download.html

After downloading, close your browser, open the application and click Fix (not scan) and let it do its thing.

Then download About:buster:

http://www.majorgeeks.com/download4289.html

Read the instructions on the site for its use.

Then go here and download AdAware:

http://www.majorgeeks.com/download.php?det=506

After installation follow the prompts to download current updates and allow it to do a full system scan.

Everything AdAware finds is safe to delete.

Then download Spybot:

http://www.majorgeeks.com/download.php?det=2471

After installation, use the "Check for Updates" function and download current updates, then "Check for Problems" to scan your system.

Everything Spybot finds in RED is safe to delete.

Reboot, then post a new HJT log here and we'll clean up whatever is leftover, okay?


----------



## kurttt (Feb 18, 2005)

Thank you very much for your help so far. FYI: Ad-Aware always stalled while scanning when it came to the c:/windows/inst/ folder. I opened up the folder and it seemed virus infected with all the file names and dates a bunch of jargon. So I had Ad-Aware skip that folder and it finished. Every time I would run these programs, I would run them again and again and keep getting tons of them to delete or quarantine.

Here is my updated log. Again, thank you very much for taking the time to help me.

Logfile of HijackThis v1.99.1
Scan saved at 1:53:38 PM, on 2/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\WINDOWS\system32\mslo.exe
C:\WINDOWS\system32\soft.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
\?\C:\WINDOWS\system32\aux.exe
C:\Program Files\DigitalCamera\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\d3zv32.exe
C:\WINDOWS\msnmsgq.exe
C:\WINDOWS\shch.exe
C:\WINDOWS\kdbqvt.exe
C:\WINDOWS\System32\Psugdh.exe
C:\WINDOWS\System32\Nnwbjr.exe
C:\WINDOWS\Xhrmy.exe
C:\PROGRA~1\SYSTEM~1\soap.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {33F56A6A-2E16-643C-568E-3180370AF478} - C:\WINDOWS\sdklx.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\DigitalCamera\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [d3zv32.exe] C:\WINDOWS\d3zv32.exe
O4 - HKLM\..\Run: [C3.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C3.tmp.exe 1 10001
O4 - HKLM\..\Run: [C5.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C5.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ewajtcd] c:\windows\system32\ewajtcd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitekjp32.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [eCgQHx] C:\WINDOWS\kdbqvt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Psugdh.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Nnwbjr.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [272R3tj] edltulbz.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/version4/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/314/webolr/OCX/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\mslo.exe


----------



## buckaroo (Mar 25, 2001)

Okay, let's start cleaning this mess up.

Let's make sure you know how to boot into safe mode as well as how to view
hidden files on your PC. Instructions here:

Safe Mode:

http://www.computerhope.com/issues/chsafe.htm

Hidden files:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Now, in HJT check the following entries, click Fix and then REBOOT to safe mode.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe

O2 - BHO: (no name) - {33F56A6A-2E16-643C-568E-3180370AF478} - C:\WINDOWS\sdklx.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY

O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe

O4 - HKLM\..\Run: [d3zv32.exe] C:\WINDOWS\d3zv32.exe
O4 - HKLM\..\Run: [C3.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C3.tmp.exe 1 10001
O4 - HKLM\..\Run: [C5.tmp] C:\DOCUME~1\KURTST~1\LOCALS~1\Temp\C5.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ewajtcd] c:\windows\system32\ewajtcd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitekjp32.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [eCgQHx] C:\WINDOWS\kdbqvt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Psugdh.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Nnwbjr.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [272R3tj] edltulbz.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer

O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe

O15 - check all of these entries

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\mslo.exe

After rebooting to safe mode, find and delete these files:

C:\WINDOWS\system32\aux.exe
C:\WINDOWS\d3zv32.exe
C3.tmp.exe 1 10001
C5.tmp.exe 0 10001
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\sm.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
c:\windows\system32\ewajtcd.exe
C:\windows\system32\elitekjp32.exe
C:\WINDOWS\msnmsgq.exe
C:\WINDOWS\shch.exe /i
C:\WINDOWS\farmmext.exe
C:\WINDOWS\kdbqvt.exe
C:\WINDOWS\System32\Psugdh.exe
C:\WINDOWS\System32\Nnwbjr.exe
C:\WINDOWS\Xhrmy.exe
edltulbz.exe
soap.exe min
dsoex.exe
C:\WINDOWS\system32\mslo.exe

Reboot to normal mode and run online AV scans from both of these sites:

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Also go here and download this anti-trojan application and scan your system:

http://www.majorgeeks.com/download4281.html

We're not finished so post a current log when done, okay?


----------



## kurttt (Feb 18, 2005)

Hi Buckaroo.

How frustrating. I did all of what you said. Some of the files you told me to delete, I could not find. I ran HijackThis and fixed the ones you told me to. I rebooted and while I was running a virus check, some of them came back all at once, so I did your process over again. I'm seeing a lot of returning files that I've deleted, including the ones I fixed in HijackThis. Here's my latest logfile. As always, thank you very much.

Kurt

Logfile of HijackThis v1.99.1
Scan saved at 9:17:51 PM, on 2/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\DigitalCamera\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINDOWS\kdx\KHost.exe
\?\C:\WINDOWS\system32\aux.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\DigitalCamera\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhelper/version4/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/314/webolr/OCX/FlashAX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\mslo.exe (file missing)


----------
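The scan-to-scan comparison that the posts above do by eye, as an added example that is not part of the original thread: it parses HijackThis result lines, diffs two scans, and reports which entries from a fix list are still present afterwards. The sample inputs are short excerpts copied from the logs and fix list posted above; the function names are this example's own.

```python
import re

# HijackThis result lines start with a section code (R1, F2, O4, O23, ...).
RESULT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def _key(code, detail):
    """Comparison key: drop the '(file missing)' annotation and ignore case,
    so an entry whose file was deleted still counts as the same entry."""
    detail = re.sub(r"\s*\(file missing\)$", "", detail)
    return code, detail.lower()


def parse_results(log_text):
    """Map comparison key -> (code, detail) for every result line in a log.
    Headers, running-process paths and blank lines are skipped; repeated
    lines (the O10 entries) collapse into one."""
    results = {}
    for line in log_text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            code, detail = m.group(1), m.group(2).strip()
            results[_key(code, detail)] = (code, detail)
    return results


def compare_scans(before_text, after_text):
    """Classify entries as removed, persisted or new between two scans."""
    before, after = parse_results(before_text), parse_results(after_text)
    return {
        "removed": sorted(before[k] for k in before.keys() - after.keys()),
        "persisted": sorted(after[k] for k in before.keys() & after.keys()),
        "new": sorted(after[k] for k in after.keys() - before.keys()),
    }


def still_present(fix_text, after_text):
    """Entries that were on the fix list but show up again in a later scan."""
    fixed, after = parse_results(fix_text), parse_results(after_text)
    return sorted(after[k] for k in fixed.keys() & after.keys())


# Excerpt of the 2/20/2005 scan posted above.
SCAN_FEB20 = r"""
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

# Excerpt of the 2/21/2005 scan posted above.
SCAN_FEB21 = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

# Excerpt of the entries the helper asked to have fixed after the 2/20 scan.
FIX_LIST = r"""
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
"""

if __name__ == "__main__":
    for status, entries in compare_scans(SCAN_FEB20, SCAN_FEB21).items():
        print(f"== {status} ==")
        for code, detail in entries:
            print(f"{code} - {detail}")
    print("== fixed but present again ==")
    for code, detail in still_present(FIX_LIST, SCAN_FEB21):
        print(f"{code} - {detail}")
```

Entries that come back after being fixed point at something still running that rewrites them, which is why the next step in the thread goes after the service and the Winsock LSP before repeating the fixes.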



## buckaroo (Mar 25, 2001)

Okay, we're getting there (I think).

Download this application (cwsserviceremove.zip) and save to desktop:

http://forums.techguy.org/attachment.php?attachmentid=44318

Unzip it to your desktop and have it ready to run later.

Make sure you have CWShredder and About:Buster easily available.

Now download this application to fix your O10 entries:

http://www.cexx.org/lspfix.htm

Once you download this application, physically disconnect your PC from the internet and remain disconnected until directed later on, okay?

Open LSP Fix and move these entries from the left side window of the application to the right side:

O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll

Once that's done, Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Remote Procedure Call (RPC) Helper.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: There is also a service named Remote Procedure Call (RPC) Locator and one called Remote Procedure Call (RPC). These are the legitimate services. Do not stop those two.

Reboot to safe mode.

1. Double click on the cwsserviceemove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

2. Open HJT. Check the following entries and click fix, but don't reboot.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll

O4 - HKLM\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe

O4 - HKCU\..\Run: [Jwt5RjHEl] dsoex.exe
O4 - HKCU\..\Run: [aux.exe] \\?\C:\WINDOWS\system32\aux.exe

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\mslo.exe (file missing)

3. While in safe mode, find and delete these files:

C:\WINDOWS\system32\aux.exe
dsoex.exe
C:\WINDOWS\system32\mslo.exe

4. Now run About:Buster.

5. Then run CWShredder.

Reboot to normal mode.

6. Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

7. Reconnect your internet and go back to Housecall for an online AV scan:

http://housecall.trendmicro.com/

Post a current log, okay?


----------



## nelsont315 (Feb 25, 2005)

kurttt

Try searching on this forum for "isrvs.exe"

There are a lot of discussions on this...

I was able to finally get rid of the program...DESKTOP.EXE or isrvs.exe


----------

