Topic: Hijacked Desktop... (Read 5990 times)

G_man_001
« on: November 14, 2004, 08:30:19 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Microsoft XP
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:


My desktop's been hijacked! The background has gone black and there's a big message saying: "WARNING YOU
Cactus
« Reply #1 on: November 14, 2004, 08:40:48 PM »

Hi G_man_001 ...
I noticed you downloaded HJT to a TEMP folder; always download to a folder OTHER than Temp/Temporary Internet Folders.

EG: Open My Documents, right-click an empty spot and select NEW > Folder, and name the new folder HJT. This is where you will want to save HijackThis to; backups will also be stored there.
Download a fresh copy from here:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
or here:
http://aumha.org/downloads/hijackthis.exe


Cactus

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Cactus
« Reply #2 on: November 14, 2004, 08:46:54 PM »

**NOTE**
DO THIS FIX AFTER YOU MOVE HJT TO A PERMANENT FOLDER



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

ehSched.exe


Turn off System Restore. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing

Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


ehome

Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\ehome\ehSched.exe


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

Turn on System Restore. Before opening your browser, go to TOOLS > INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.

Cactus
« Last Edit: November 14, 2004, 08:48:40 PM by Cactus »

G_man_001
« Reply #3 on: November 14, 2004, 10:07:09 PM »

I'm still unable to remove that disgusting website from my desktop.  No problem with my home page but still need some help.

Logfile of HijackThis v1.98.2
Scan saved at 5:02:38 PM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WDC\SetIcon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Desktop Armor\DesktopArmor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Desktop Armor\DesktopArmor.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Family Tree Maker 2005\FTW.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Desktop Armor] C:\Program Files\Desktop Armor\DesktopArmor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll
O18 - Filter: text/html - {99FEA1B2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Desktop Armor\GeekSuperHeroBugSwat.dll

G_man_001
Cactus
« Reply #4 on: November 14, 2004, 10:31:54 PM »

Did you go to ADD/REMOVE and remove eHome?
Because I see it again in your LOGFILE.

First let's Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

ehSched.exe
DesktopArmor.exe


Turn off System Restore. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


O4 - HKLM\..\Run: [Desktop Armor] C:\Program Files\Desktop Armor\DesktopArmor.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com


Go to Control Panel / Add/Remove Programs and remove the following if they are there:
 
Desktop Armor
eHome

Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\Program Files\Desktop Armor\DesktopArmor.exe

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

Turn on System Restore. Before opening your browser, go to TOOLS > INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.

Cactus
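Cactus's two fix lists pick out particular HijackThis lines: the R1 "Start Page_bak" that points at a bare IP address, the ProxyOverride, the missing default URLSearchHook, the O4 Run entry for Desktop Armor, the two O15 Trusted Zone additions and the O18 text/html filter. The script below is an added example, written for this page; it is not part of the thread and not a HijackThis feature. It parses log lines of that shape and flags those categories with a one-line reason, so the same triage can be repeated over a fresh log. The sample log is constructed from lines posted in this thread, and the `watchlist` parameter (program names already marked for removal) is the example's own idea.

```python
"""Triage HijackThis log lines of the kind posted in this thread.

Added example (not from the forum post or from HijackThis): parses
R0/R1/R3/O4/O15/O18 entries and applies a few defensive rules that mirror
what the moderator singled out for removal.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample, assembled from entry lines that appear in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [Desktop Armor] C:\Program Files\Desktop Armor\DesktopArmor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.skoobidoo.com
O18 - Filter: text/html - {99FEA1B2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Desktop Armor\GeekSuperHeroBugSwat.dll
"""

# "R1 - <body>", "O4 - <body>" ... : section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A command that starts with a drive letter (optionally quoted).
DRIVE_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(entries, watchlist=()):
    """Return (section, body, reason) for entries that deserve a second look.

    watchlist: program names (the text in [...] of an O4 line) that have
    already been identified as unwanted, e.g. ("Desktop Armor",).
    """
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            key, _, value = body.rpartition(" = ")
            if key.endswith("ProxyOverride"):
                findings.append((sec, body, "proxy bypass list set; confirm it is intended"))
            elif _host_is_bare_ip(value):
                findings.append((sec, body, "start page points at a bare IP address"))
        elif sec == "R3":
            findings.append((sec, body, "default URLSearchHook missing or replaced"))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and m.group("name") in watchlist:
                findings.append((sec, body, "Run entry for a program marked for removal"))
            elif m and not DRIVE_RE.match(m.group("cmd")):
                findings.append((sec, body, "Run entry path has no drive letter; check which file actually runs"))
        elif sec == "O15":
            findings.append((sec, body, "site added to the IE Trusted Zone, where weaker security settings apply"))
        elif sec == "O18" and body.startswith("Filter: text/html"):
            findings.append((sec, body, "MIME filter for text/html sees every page the browser renders"))
    return findings


if __name__ == "__main__":
    for sec, body, reason in triage(parse(SAMPLE_LOG), watchlist=("Desktop Armor",)):
        print(f"{sec}: {reason}\n    {body}")
```

Run it on a saved log with `parse(open("hijackthis.log").read())`; the gmail R0 line and the ctfmon O4 line pass through clean, while the seven entries Cactus targeted each come back with a reason.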
G_man_001
« Reply #5 on: November 15, 2004, 02:15:16 AM »

OK, here is my HJT logfile, but my desktop is still hijacked as before.  I just want to mention that I'm not having a problem with my homepage; it's my web page, and it continues to start up with that crazy warning sign.

Another thing that may be worth mentioning is that when I go to the Display screen in the Control Panel my "active window" is locked in position in front of what I use for my web page, in a screen that says "window text".

Logfile of HijackThis v1.98.2
Scan saved at 9:00:58 PM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WDC\SetIcon.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll

I appreciate your help and will continue to work with you in an effort to fix my webpage.
Cactus
« Reply #6 on: November 15, 2004, 04:21:54 PM »

OK, can you download "Getactiveservices.zip" from HERE

Extract the "get active services.vbs" - file to a new folder on the desktop.
Double-click it to run it.
This script will create and open a text file named Active.txt in the same folder as the script itself.
It will then open Active.txt for you.

It will list all active Services. Copy and paste the contents of Active.txt in your next reply here.

If you have script blocking installed, you will get a warning when you try to run the script. Please allow it to run. It is only collecting information so we can help you.


Cactus
G_man_001
« Reply #7 on: November 15, 2004, 05:27:36 PM »

Here you go...

These are the Current Active Services:

 ATI HOTKEY POLLER: Ati HotKey Poller
C:\WINDOWS\System32\Ati2evxx.exe

 WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

 CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

 DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

 LOGICAL DISK MANAGER: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

 FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

 HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

 HID INPUT SERVICE: HidServ
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

 WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

Let me know what to do next - Thanks!
Cactus
« Reply #8 on: November 15, 2004, 06:12:39 PM »

Make sure Windows is set to Hidden files and folders

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Go here: http://www.kaspersky.com/scanforvirus

Navigate to these files:

programfilesdir+\comets~1\dm\bin\dmserver.exe
programfilesdir+\comets~1\dm\bin\cssecure.dll
programfilesdir+\comets~1\dm\bin\dmproxy.dll
 
Simply navigate to them by clicking the "browse" button
Please submit them to Kaspersky for a free virus scan
Right click---select--- then "Submit"

Goto ADD/REMOVE Programs and Remove if they are there!

Comet
Comet Dmserver
Dmserver

Empty ALL your Temp Folders, Cookies and History


Cactus
« Last Edit: November 15, 2004, 06:14:38 PM by Cactus »

G_man_001
« Reply #9 on: November 15, 2004, 07:48:51 PM »

None of the 3 files mentioned are there.  I did a search as well that included looking for hidden files.  I was not able to delete the following file from the temp folder "Perfib_Perdata_61c".  I have no idea what this file is used for.  You never mentioned anything about that text file (desktop.html) that contains the text that hijacked my desktop - is there anything that could be done with that?

My desktop is still hijacked.
Cactus
« Reply #10 on: November 16, 2004, 02:42:25 AM »

Did you try and remove from SAFE MODE?

Cactus
G_man_001
« Reply #11 on: November 16, 2004, 10:09:32 PM »

Yes, I did, but my desktop is still hijacked.  Is there anything else I can do to clean up my desktop?
Geekgirl
« Reply #12 on: November 16, 2004, 10:24:11 PM »

Hi G_Man_001

Try this

Go to the display settings in your control panel

Click on desktop>customize desktop

Click on the web tab..

Uncheck whatever you see there

Lemme know if it helped
Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
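Geekgirl's fix works because the "Web" tab under Display > Desktop > Customize Desktop lists Active Desktop web components, and an HTML file (the desktop.html G_man_001 mentions) shown as one of those components is what replaced the wallpaper. The script below is an added example for this page, not something from the thread or from Windows. It assumes, from general knowledge of Windows XP rather than from anything stated here, that those components are stored as numbered subkeys under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components`, each with a `Source` string value, and that the wallpaper path is the `Wallpaper` value under `HKEY_CURRENT_USER\Control Panel\Desktop`; verify both on a real machine. So that it runs offline, it reads a `.reg` export of those keys instead of the live registry; the sample export, the file path and the URL in it are constructed placeholders.

```python
"""List Active Desktop web components from a .reg export.

Added example (not from the forum post). Registry locations are assumed
from general Windows XP knowledge; the sample export is constructed.
"""
import re

# Assumed locations (not stated in the thread); check them on a real system.
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"

# Constructed .reg export: the .html path and the URL are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Bliss.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://example.invalid/ticker.htm"
"FriendlyName"="Stock ticker"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg(text):
    """Return {key: {name: value}} for the string (REG_SZ) values in a .reg export.

    dword/hex values are skipped; only string values matter for this check.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = STR_RE.match(line)
        if vm and current is not None:
            # .reg files escape backslashes and double quotes with a backslash.
            value = re.sub(r'\\(["\\])', r"\1", vm.group("value"))
            keys[current][vm.group("name")] = value
    return keys


def _classify(source):
    """Rough type of a desktop item's source: URL, local HTML file, or other."""
    s = source.lower()
    if s.startswith(("http://", "https://", "file://")):
        return "remote-or-file-url"
    if s.endswith((".htm", ".html", ".mht")):
        return "local-html"
    return "other"


def review(text):
    """Return (where, source, kind) for every web item that would render on the desktop.

    Every Components\\N subkey with a Source is reported, since each one is an
    entry on the Web tab; the wallpaper is reported only when it is HTML or a URL.
    """
    keys = parse_reg(text)
    prefix = COMPONENTS_KEY + "\\"
    found = []
    for key, values in keys.items():
        if key.startswith(prefix) and "Source" in values:
            src = values["Source"]
            found.append((key[len(prefix):], src, _classify(src)))
    wallpaper = keys.get(DESKTOP_KEY, {}).get("Wallpaper", "")
    if _classify(wallpaper) != "other":
        found.append(("Wallpaper", wallpaper, _classify(wallpaper)))
    return found


if __name__ == "__main__":
    for where, src, kind in review(SAMPLE_REG):
        print(f"component {where}: {kind}: {src}")
```

Each reported component corresponds to one checkbox on the Web tab, which is why unchecking everything there restored the original desktop; keeping the export also gives you a record of what was there before the change.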
G_man_001
« Reply #13 on: November 17, 2004, 02:39:59 AM »

Thank you so much!!! This information brought back my original desktop (before the hijack) and I'm fairly sure all else has been cleaned up thanks to Cactus. You made my day - big time!!!
Geekgirl
« Reply #14 on: November 17, 2004, 02:44:27 AM »

Hey G_man_001

Whew.....that's great to hear Grin