Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help.....help!.....my Desktop Is Gone, Only Wallpaper..


  • Please log in to reply
2 replies to this topic

#1 masterbuilderz

masterbuilderz

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 18 August 2007 - 07:23 PM

Booting in Safe mode doesn't work either.... Virus cleaner removed all spyware and trojans..still nothing. HELP PLEASE.. Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:57:01 PM, on 08/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\temporary_download\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {133DB2C2-2359-5A8B-2DB2-0395BC8189EA} - (no file)
O2 - BHO: ib15_1.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib15.dll
O2 - BHO: (no name) - {218997E8-84FA-978D-36CA-8872B7E3B4E1} - (no file)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - (no file)
O2 - BHO: (no name) - {6591DB41-4088-6D05-F04A-6CE34A9DA9E8} - (no file)
O2 - BHO: (no name) - {686a161d-5bd1-4999-8832-6393f41e564c} - (no file)
O2 - BHO: (no name) - {79CB07CA-C951-B8DD-7952-BDCE1998B7BF} - (no file)
O2 - BHO: (no name) - {7B3D4BA7-DB34-A3E2-47D1-F0CAE959E5B4} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {904D0818-9B81-E75D-F3DF-B5DEC9C758E2} - (no file)
O2 - BHO: (no name) - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - (no file)
O2 - BHO: MSN Explorer Plugin - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\msnxpcl5.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O3 - Toolbar: (no name) - {5152FB56-A55C-3669-533B-40F4C9D4DAD2} - (no file)
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\tbu978\AOL_security_toolbar.dll
O3 - Toolbar: (no name) - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - (no file)
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe
O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1111330070810
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} - http://pcwab.ab.motive.com/wizlet/atlantic...wActiveXCab.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DC26874-B497-4D5F-8EB0-ED08D897740F}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB48738-9461-4002-A6D1-D3F18A14A2B3}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: articulation - {8dc1f789-e073-4363-b40d-07376bc5ecc5} - (no file)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://images.thedilly.com/users/2004/03/1.../photos/t06.JPG

--
End of file - 8878 bytes

BC AdBot (Login to Remove)

 


m

#2 Rorschach

Rorschach

  • Members
  • 523 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 19 August 2007 - 10:57 AM

Hello masterbuilderz, I'm just looking over your log and will get back to you soon.

#3 Rorschach

Rorschach

  • Members
  • 523 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 20 August 2007 - 05:12 PM

Hello masterbuilderz, my name is Rorschach and I'll be helping you with your problems.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


Looking at your system now, one or more of the identified infections is a keylogger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt)

If you have internet connection problems then do the following :

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.



Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {133DB2C2-2359-5A8B-2DB2-0395BC8189EA} - (no file)
O2 - BHO: ib15_1.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib15.dll
O2 - BHO: (no name) - {218997E8-84FA-978D-36CA-8872B7E3B4E1} - (no file)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - (no file)
O2 - BHO: (no name) - {6591DB41-4088-6D05-F04A-6CE34A9DA9E8} - (no file)
O2 - BHO: (no name) - {686a161d-5bd1-4999-8832-6393f41e564c} - (no file)
O2 - BHO: (no name) - {79CB07CA-C951-B8DD-7952-BDCE1998B7BF} - (no file)
O2 - BHO: (no name) - {7B3D4BA7-DB34-A3E2-47D1-F0CAE959E5B4} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {904D0818-9B81-E75D-F3DF-B5DEC9C758E2} - (no file)
O2 - BHO: (no name) - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - (no file)
O2 - BHO: MSN Explorer Plugin - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\msnxpcl5.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O3 - Toolbar: (no name) - {5152FB56-A55C-3669-533B-40F4C9D4DAD2} - (no file)
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O3 - Toolbar: (no name) - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] regperf.exe
O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} - http://pcwab.ab.motive.com/wizlet/atlantic...wActiveXCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DC26874-B497-4D5F-8EB0-ED08D897740F}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB48738-9461-4002-A6D1-D3F18A14A2B3}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O22 - SharedTaskScheduler: articulation - {8dc1f789-e073-4363-b40d-07376bc5ecc5} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

MyWebSearchWB



Finally :

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ib15.dll
    C:\Program Files\MyWebSearchWB
    C:\WINDOWS\system32\msnxpcl5.dll
    C:\WINDOWS\system32\regperf.exe
    C:\WINDOWS\system32\dcomcfg.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



So in your next reply I need to see the following : the FixWareout report, the SmitfraudFix report, the OTMoveIt results, a new HijackThis log, and tell me how your PC is running now and if you had any problems.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users