I've gone through numerous threads on this site to try and fix my computer. My desktop was hijacked. I tried searching for desktop.html in hidden files and folders - nothing. I tried going to Properties => Desktop => Customise Desktop => Web => dead end - nothing. I've tried everything that's been suggested. I've had a blue, blank screen for almost a month now. I can see my regular desktop picture for seconds when I'm logging on or off. Can anyone help me?? I'm officially begging.
eander23 0 Newbie Poster
PhilliePhan 171 Central Scrutinizer Team Colleague
Hi Eander,
If nobody else answers, I suggest you follow my steps outlined here and attach the requested scanlogs to this thread.
-- Kaspersky Log
-- AVG Anti-spy Log
-- HijackThis Log
If none of the other volunteers here is able to help, I will try to check back. Have a lot on my plate these days...
Best Luck :)
PP
douchrti 0 Newbie Poster
Any Message with the BSOD?
jbennet 1,618 Most Valuable Poster Team Colleague Featured Poster
If the desktop is blank, do Ctrl-Alt-Delete, then go into Processes and kill explorer.exe, then go into Run (File menu) and type explorer.
This acted as a temporary fix for me when I broke my desktop getting rid of spyware dialers.
eander23 0 Newbie Poster
Is there an easier way to go about this? I tried the Ctrl-Alt-Delete; that didn't really help. I'm not too computer savvy. I just downloaded the new version of Internet Explorer and it recognized my desktop photo but it wouldn't show it - now it's back to the same old boring one-color screen.
PhilliePhan 171 Central Scrutinizer Team Colleague
Is there an easier way to go about this?
Not really.
It is difficult to ascertain the cause of the problem - may or may not be malware. Could have been a malware infection that was partially cleaned and left an altered registry. Who knows?
There has been a ton of malware that borks the desktop. But, if indeed there is a malware cause, nobody is going to be able to help you without getting more information.
Hence the steps I requested. (If it IS malware, just running them may even fix the problem, if Kaspersky or AVG are able to clean it...)
If you can get us those scanlogs, we can rule out malware and go from there.
PP :)
eander23 0 Newbie Poster
While I was installing I found that I couldn't have Windows Defender and Windows LiveOne at the same time. Is LiveOne ok to use or should I uninstall it and go with Defender?
DimaYasny 180 Godmode enabled Team Colleague Featured Poster
Sounds like good old "SpySheriff" to me...
It is quite curable, but reformatting the machine is faster and much more efficient than the remedy.
eander23 0 Newbie Poster
What suggestions do you have for my problem?
DimaYasny 180 Godmode enabled Team Colleague Featured Poster
Well, you could go through the registry and reset the permissions for every key altered by the malware, but as I said, formatting is really faster and more efficient :)
PhilliePhan 171 Central Scrutinizer Team Colleague
Well, you could go through the registry and reset the permissions for every key altered by the malware, but as I said, formatting is really faster and more efficient :)
Yes, it does sound like a Smitfraud issue, and NO, a reformat is not the easiest way to deal with this. (I agree that it IS 100% effective, but it can often be problematic - depending on the user, how skilled they are, backup of data, whether they have a copy of Windows with a valid key.... the list goes on.)
Better to try removal first and save format as last option.
However, before we run a bunch of specialized removal tools, it is important to pin down exactly what is going on.
Hence the scanlogs.
Also, if we find exactly what is at the root of the problem, I can make a "one-click" registry patch that will address any altered Registry keys.
-- Eander - Hold off on replacing OneCare with Defender until we get a better idea of what is going on. Just skip it for now.
PP :)
eander23 0 Newbie Poster
PP, I have a question about the last couple of steps in your forum post after rebooting in safe mode. The first is to run the ATF Cleaner, and it's for XP and 2000 only; are the other steps that follow good for 2003 users like me? Or is that whole set of things only for XP and 2000?
PhilliePhan 171 Central Scrutinizer Team Colleague
PP, I have a question about the last couple of steps in your forum post after rebooting in safe mode. The first is to run the ATF Cleaner, and it's for XP and 2000 only; are the other steps that follow good for 2003 users like me? Or is that whole set of things only for XP and 2000?
Everything is geared toward XP & 2K.
-- The HijackThis log and the Kaspersky log should be plenty to get us started. Let's just do those first and go from there.
PP :)
eander23 0 Newbie Poster
Here's the HJT log. I'm not sure how I'm to get the Kaspersky log; it wouldn't work on my computer for some reason, so I did the Panda scan instead. How do I get the log from Panda?
Logfile of HijackThis v1.99.1
Scan saved at 6:10:17 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdates.asp?p={4192EAC0-6B36-4723-B216-D0E86E7757AC}&r=5.1&v=ISUA%203.1&u={3B85956C-C421-4009-9106-B1E8F1F085E5}&l=1033&K=Z
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
eander23 0 Newbie Poster
I
eander23 0 Newbie Poster
I also had another question about Windows Defender. Since we just decided for me to keep Windows OneCare, at the end of your steps after rebooting in safe mode, should I open my Windows OneCare where it says to open Defender?
PhilliePhan 171 Central Scrutinizer Team Colleague
I also had another question about Windows Defender. Since we just decided for me to keep Windows OneCare, at the end of your steps after rebooting in safe mode, should I open my Windows OneCare where it says to open Defender?
That's not necessary.
I just wanted a couple initial logs so as to set a baseline to start from.
Your HijackThis log looks pretty clean - a couple very minor issues, but nothing to worry about at the moment.
-- Your HJT also tells me that you are running Windows XP, not 2003.
Logfile of HijackThis v1.99.1
Scan saved at 6:10:17 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
So, you can and should run the AVG Anti-Spyware step and submit that log for me.
Anyhoo, as poster DimaYasny mentioned, your description of the problem does indeed sound like a "Spy Sheriff" issue (Smitfraud Trojan).
It is usually evident in a HijackThis log, however, and I see no sign of it there.
To rule it out as the cause, please do the following:
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
Please be patient while the program runs.
When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C:.
Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
Please submit the Rapport.txt and the AVG Anti-spy Log for me.
Also, if those logs prove to be clean (and I suspect they will), I might suggest doing a System Restore back to an earlier checkpoint. Seeing as you are running XP instead of Windows 2K3, you should have this option available to you. If, as I suspect, the registry has been altered, a Restore should correct that.
Let's look at those logs and go from there.
Best :)
PP
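For readers who want to see what "reading" a HijackThis log actually involves, here is an added example (not code from the thread, from HijackThis, or from PP's steps) that parses log lines of the format posted above and makes the first-pass triage checks explicit: list the O4 autorun entries with their name, path and arguments, and flag the entries a reviewer looks at first - browser add-ons with "(no name)", entries whose file is gone ("(no file)" / "(file missing)"), and services that report no vendor. The sample lines are copied from the log in this thread; the ".exe" split for unquoted paths is a heuristic of this example.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
"""

# Every HijackThis finding line starts with a section code (R0-R3, O1-O23) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^(.*?): \[(.+?)\] (.*)$")


def hjt_entries(text):
    """Return (section, detail) for every finding line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _split_command(cmd):
    """Split 'path args' into (path, args). A quoted path is exact; otherwise this
    example uses the heuristic of cutting after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[:idx + 4], cmd[idx + 4:].strip()
    return cmd, ""


def hjt_autoruns(text):
    """Extract O4 entries as (location, name, path, args)."""
    runs = []
    for section, detail in hjt_entries(text):
        if section != "O4":
            continue
        m = O4_RE.match(detail)
        if m:                      # registry Run key entry
            loc, name, cmd = m.group(1), m.group(2), m.group(3)
        else:                      # Startup-folder shortcut: "Startup: name.lnk = target"
            loc, _, rest = detail.partition(": ")
            name, _, cmd = rest.partition(" = ")
        path, args = _split_command(cmd)
        runs.append((loc, name, path, args))
    return runs


def hjt_flags(text):
    """Return (section, reason, detail) for entries a first-pass review should look at."""
    flags = []
    for section, detail in hjt_entries(text):
        if "(no file)" in detail or "(file missing)" in detail:
            flags.append((section, "references a file that no longer exists", detail))
        elif "(no name)" in detail and section in ("O2", "O3"):
            flags.append((section, "browser add-on with no name", detail))
        elif section == "O23" and " - - " in detail:
            flags.append((section, "service reports no vendor name", detail))
    return flags


if __name__ == "__main__":
    for loc, name, path, args in hjt_autoruns(SAMPLE_HJT):
        print(f"{loc:12} {name:28} {path} {args}".rstrip())
    for section, reason, detail in hjt_flags(SAMPLE_HJT):
        print(f"[{section}] {reason}: {detail}")
```

Run on the sample, the flags are exactly the "minor issues" in this thread's log: the unnamed MyWay BHO, the orphaned toolbar CLSID, the missing Musicmatch button target, and a printer service with no vendor string. None of those is evidence of SpySheriff on its own, which is the point PP makes above: the HJT log narrows things down but does not by itself explain a blank desktop.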
eander23 0 Newbie Poster
Here's the Smitfraud log; I'll be posting the AVG log a little bit later. How do I go about getting that log? Just let it scan and it'll automatically come up like in the other programs?
SmitFraudFix v2.135
Scan done at 9:19:25.04, Thu 01/25/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data
C:\Documents and Settings\David\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
PhilliePhan 171 Central Scrutinizer Team Colleague
Hi Eander,
It looks like you did indeed have a SpySheriff or similar infection. The bulk of it seems to have been cleaned somewhere along the way. The only remaining component found by SmitfraudFix is the one below, and it is harmless. You may delete it if you desire.
C:\Documents and Settings\David\Application Data\Install.dat
-- The AVG Anti-Spy Log will pop up and you'll need to save it where you can find it easily. My steps cover it pretty well.
I would also suggest that you keep the AVG anti-spy on your machine after we are done. Even if you do not buy it (it's worth the cost) and the "real-time" protection is disabled after a month, you can always use it as an "on-demand" scanner as we are doing now. Just follow the same steps as I have outlined.... Update and Scan.
Anyhoo, as I mentioned, it looks like the malware has come and gone, leaving an altered registry. Let's have a look at what sort of mess it left so that we can fix it:
-- Please download Peekaboo.bat to your Desktop.
-- Double-click peekaboo.bat and give it a couple of seconds to run.
A log should pop up in Notepad. Please submit that (peek.txt) for me along with the AVG AntiSpy log and we'll get you fixed up.
BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!
Anyhoo, it is up to you if you want to trust me :)
Best :)
PP
eander23 0 Newbie Poster
Here's the peekaboo scan log:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=hex:fc,bf,d0,a6,52,ed,c6,01
"WallpaperLocalFileTime"=hex:fc,1f,bf,1f,31,ed,c6,01
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"Wallpaper"=""
"DisableRegistryTools"=dword:00000000
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,00,03,\
00,00,01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"BackupWallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,\
49,00,4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,\
00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,\
63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,\
6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"WallpaperFileTime"=hex:fc,bf,d0,a6,52,ed,c6,01
"WallpaperLocalFileTime"=hex:fc,1f,bf,1f,31,ed,c6,01
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,\
00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,\
61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,\
00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,6c,00,\
70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"ComponentsPositioned"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,00,04,00,00,de,02,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,53,00,61,00,66,00,65,00,4d,00,6f,\
00,64,00,65,00,2e,00,68,00,74,00,74,00,00,00
"VisitGallery"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Scheme]
"Edit"=""
"Display"=""
And the AVG anti spyware:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:01:49 AM 1/26/2007
+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : No action taken.
C:\Documents and Settings\David\Cookies\david@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\David\Cookies\david@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@ulta.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Erin\Cookies\erin@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\WINDOWS\Temp\Cookies\david@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\WINDOWS\Temp\Cookies\david@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\WINDOWS\Temp\Cookies\david@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\David\Cookies\david@ads.addynamix[2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\David\Cookies\david@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\WINDOWS\Temp\Cookies\david@adrevolver[3].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@z1.adserver[1].txt -> TrackingCookie.Adserver : No action taken.
C:\Documents and Settings\David\Cookies\david@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\WINDOWS\Temp\Cookies\david@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\David\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\WINDOWS\Temp\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\David\Cookies\david@bluestreak[2].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@bluestreak[2].txt -> TrackingCookie.Bluestreak : No action taken.
C:\WINDOWS\Temp\Cookies\david@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\David\Cookies\david@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\David\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\WINDOWS\Temp\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\David\Cookies\david@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\David\Cookies\david@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\WINDOWS\Temp\Cookies\david@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\David\Cookies\david@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\David\Cookies\david@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\David\Cookies\david@counter.hitslink[1].txt -> TrackingCookie.Hitslink : No action taken.
C:\Documents and Settings\David\Cookies\david@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\WINDOWS\Temp\Cookies\david@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\David\Cookies\david@overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\David\Cookies\david@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\David\Cookies\david@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\WINDOWS\Temp\Cookies\david@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\David\Cookies\david@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\David\Cookies\david@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\WINDOWS\Temp\Cookies\david@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\David\Cookies\david@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\David\Cookies\david@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\David\Cookies\david@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\WINDOWS\Temp\Cookies\david@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\David\Cookies\david@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\WINDOWS\Temp\Cookies\david@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Erin\Cookies\erin@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\Temp\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\David\Cookies\david@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
::Report end
PhilliePhan 171 Central Scrutinizer Team Colleague
Hi Eander,
The AVG log looks ok. I'll wager any baddies have long since been cleaned by your resident AV/Anti-spy apps.
-- The registry looks like you are running Windows XP Professional as opposed to XP Home?
Anyhoo, let's try a minimally invasive registry patch and see if it does the job....
Please download EanderFix.zip and extract the contents (Eanderfix.reg) to your Desktop.
-- Double-click on EanderFix.reg and follow the prompts to allow it to merge into the registry. You may then delete it from your desktop.
-- REBOOT your compy and see if you are able to reset your Desktop.
Let me know how it shakes out.
Best Luck :)
PP
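The peekaboo output posted above is a standard "Windows Registry Editor Version 5.00" export, and the interesting values in it are not obvious to the eye: the hex(2) blobs are REG_EXPAND_SZ strings stored as UTF-16LE bytes, and the desktop-lock policy values sit among harmless ones. As an added example (not the thread's own code, and not PP's EanderFix.reg, whose contents the thread does not show), here is a Python parser for that export format that decodes the values and then reports the policy values that can blank or lock the desktop: the Active Desktop policies NoChangingWallpaper, NoActiveDesktop and ForceActiveDesktopOn, and the Wallpaper value under policies\System, which is the "Desktop Wallpaper" policy and, when set to an empty path, leaves the desktop blank and overrides whatever the user picks in Display Properties. The sample export is a trimmed copy of the dump in this thread; which of these values EanderFix.reg actually changed is not stated on the page.

```python
import re

# Constructed sample: a trimmed copy of the peekaboo registry export posted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"Wallpaper"=""
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,\
  00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,\
  61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,\
  00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,6c,00,\
  70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"WallpaperStyle"="2"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,53,00,61,00,66,00,65,00,4d,00,6f,\
  00,64,00,65,00,2e,00,68,00,74,00,74,00,00,00
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _join_continuations(text):
    """Rejoin hex values that the export wraps onto several lines with a trailing ',\\'."""
    joined, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        buf += s
        if s.endswith(",\\"):
            buf = buf[:-1]          # drop the continuation backslash, keep the comma
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _hex_bytes(payload):
    return bytes(int(h, 16) for h in payload.split(",") if h)


def _decode_value(raw):
    """Turn the right-hand side of a value line into (type name, Python value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex(2):"):   # REG_EXPAND_SZ stored as UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", _hex_bytes(raw[7:]).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):
        return "REG_BINARY", _hex_bytes(raw[4:])
    if raw.startswith("hex("):      # other typed binary values: keep the raw bytes
        kind, _, payload = raw.partition(":")
        return kind, _hex_bytes(payload)
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    return "UNKNOWN", raw


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: (type, value)}}."""
    reg, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = _decode_value(m.group(2))
    return reg


POLICY_ROOT = r"hkey_current_user\software\microsoft\windows\currentversion\policies"

# (policy subkey, value name, predicate on (type, value), explanation)
DESKTOP_CHECKS = [
    ("activedesktop", "NoChangingWallpaper", lambda t, v: t == "REG_DWORD" and v != 0,
     "policy blocks changing the wallpaper"),
    ("explorer", "NoActiveDesktop", lambda t, v: t == "REG_DWORD" and v != 0,
     "policy disables Active Desktop"),
    ("explorer", "ForceActiveDesktopOn", lambda t, v: t == "REG_DWORD" and v != 0,
     "policy forces Active Desktop on; the user cannot turn it off"),
    ("system", "Wallpaper", lambda t, v: t in ("REG_SZ", "REG_EXPAND_SZ") and v == "",
     "Desktop Wallpaper policy set to an empty path (blank desktop, user choice ignored)"),
]


def desktop_lock_findings(reg):
    """Return [(key, value name, explanation)] for policy values that lock or blank the desktop."""
    by_lower = {k.lower(): (k, v) for k, v in reg.items()}
    findings = []
    for subkey, name, is_bad, why in DESKTOP_CHECKS:
        hit = by_lower.get(POLICY_ROOT + "\\" + subkey)
        if hit and name in hit[1] and is_bad(*hit[1][name]):
            findings.append((hit[0], name, why))
    return findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, name, why in desktop_lock_findings(parsed):
        print(f"{key}\n  {name}: {why}")
    general = parsed[r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General"]
    print("Current wallpaper path:", general["Wallpaper"][1])
```

On the sample this reports two values, ForceActiveDesktopOn=1 and the empty policies\System\Wallpaper, and decodes the user's wallpaper to %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp. The same decoding shows why a user cannot find a "desktop.html" anywhere: the Active Desktop component is About:Home and the safe-mode wallpaper is %SystemRoot%\Web\SafeMode.htt, neither of which is a file on the desktop.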
eander23 0 Newbie Poster
Thank you so much for helping me, it completely worked! My desktop is back and I checked just to make sure I can change it. FANTASTIC! THANK YOU!
PhilliePhan 171 Central Scrutinizer Team Colleague
Thank you so much for helping me, it completely worked! My desktop is back and I checked just to make sure I can change it. FANTASTIC! THANK YOU!
You're welcome!
Sorry about the rather "roundabout" approach it took us to get there, but I wanted to be sure the cause of the problem was gone.
Be sure to have a look at my linky below to help head off future problems.
Cheers :)
PP