desktop hijacker

Guest

About a week ago my computer got infected with a nasty anti-virus virus: the
kind that places viruses on a computer and then one must pay to clean the
computer up (I believe the term for this is "ransom-ware"). Anyway, with the
help of about a dozen removal tools I've managed to completely rid my pc of
all infections. One problem remains - the desktop background cannot be
changed to any picture, the color of the background is fully customizable
though. I have tried several methods for setting any picture as a background
- no go on all standard attempts. I have a feeling that in the process of
removing the infestations an important file or registry item was also
removed.

My question: what are the control files (.dll or .inf or .ini) that Windows
XP Srv Pk 1 uses to set background wallpaper? I think one or more of these
is missing.

I would really appreciate any help or suggestions on this topic. Mind you,
everything else is fine, but I am really irritated at this unresolved issue.
Thanks.
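The thread never names the registry items the question asks about. As an added example, not from the thread and not from any of the tools it mentions: a Python audit of the standard Windows policy values that a rogue "anti-malware" of the SmitFraud family (the infection identified in the reply below) sets to lock the Background tab or force its own wallpaper. The value names are assumed from the documented Windows policies, reading the live registry needs Windows, and SAMPLE_VALUES is a constructed stand-in.

```python
import sys

# Policy values that a SmitFraud-style rogue "anti-malware" sets to grey out the
# Display Properties Background tab or force its own wallpaper. The names are
# assumed from the documented Windows policies (the thread lists none); each is
# checked under both HKCU and HKLM.
POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"
LOCK_VALUES = {  # value name -> (subkey under POLICY_ROOT, effect when set)
    "NoChangingWallPaper": ("ActiveDesktop", "wallpaper cannot be changed"),
    "NoDispBackgroundPage": ("System", "Background tab hidden"),
    "NoDispCPL": ("System", "Display control panel disabled"),
    "NoActiveDesktopChanges": ("Explorer", "Active Desktop changes blocked"),
    "NoActiveDesktop": ("Explorer", "Active Desktop disabled"),
    "Wallpaper": ("System", "wallpaper forced by policy"),
    "WallpaperStyle": ("System", "wallpaper style forced by policy"),
}

def wallpaper_lock_findings(values):
    """values: {(hive, subkey, name): data} as read from the registry.
    Returns one line per lock value that is present and not switched off
    (a DWORD of 0 is the policy's 'not enforced' state)."""
    findings = []
    for hive, subkey, name in sorted(values):
        data = values[(hive, subkey, name)]
        if name not in LOCK_VALUES or LOCK_VALUES[name][0] != subkey:
            continue  # not one of the wallpaper-related policies
        if isinstance(data, int) and data == 0:
            continue
        path = f"{hive}\\{POLICY_ROOT}\\{subkey}\\{name}"
        findings.append(f"{path} = {data!r}: {LOCK_VALUES[name][1]}")
    return findings

def read_policy_values():
    """Read the values above from the live registry (Windows only)."""
    import winreg
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    found = {}
    for hive_name, hive in hives:
        for name, (subkey, _) in LOCK_VALUES.items():
            try:
                with winreg.OpenKey(hive, POLICY_ROOT + "\\" + subkey) as key:
                    found[(hive_name, subkey, name)] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # key or value absent: nothing enforced here
    return found

# Constructed sample (not taken from the thread) of a hijacked profile: the
# Background tab is locked and a wallpaper is forced, while an Explorer policy
# is present but switched off and so must not be reported.
SAMPLE_VALUES = {
    ("HKCU", "ActiveDesktop", "NoChangingWallPaper"): 1,
    ("HKCU", "System", "Wallpaper"): r"C:\WINDOWS\example_forced.bmp",
    ("HKCU", "Explorer", "NoActiveDesktopChanges"): 0,
}

if __name__ == "__main__":
    values = read_policy_values() if sys.platform == "win32" else SAMPLE_VALUES
    for line in wallpaper_lock_findings(values) or ["no wallpaper lock policies set"]:
        print(line)
```

A value reported here is a policy, not a user setting, so removing it (or setting it to 0) restores the Background tab; a removal tool that deleted the hijacker's files but left these values behind produces exactly the symptom described.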
 
From: "Vadim" <[email protected]>

| About a week ago my computer got infected with a nasty anti-virus virus: the
| kind that places viruses on a computer and then one must pay to clean the
| computer up (I believe the term for this is "ransom-ware"). Anyway, with the
| help of about a dozen removal tools I've managed to completely rid my pc of
| all infections. One problem remains - the desktop background cannot be
| changed to any picture, the color of the background is fully customizable
| though. I have tried several methods for setting any picture as a background
| - no go on all standard attempts. I have a feeling that in the process of
| removing the infestations an important file or registry item was also
| removed.
|
| My question: what are the control files (.dll or .inf or .ini) that Windows
| XP Srv Pk 1 uses to set background wallpaper? I think one or more of these
| is missing.
|
| I would really appreciate any help or suggestions on this topic. Mind you,
| everything else is fine, but I am really irritated at this unresolved issue.
| Thanks.

You should be using Service Pack 2, not Service Pack 1.

It sounds like you have a Zlob/FakeAlert/SmitFraud Trojan infection and got a rogue
anti-malware application.

What exactly it is is hard to tell because the important facts were left out.



Two-part reply.

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
David:

Thank you for responding. First off, before I follow your suggested fix
process I figured you may want a peek at the HijackThis log. Here it is, I
hope it gives you some useful info:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:17 PM, on 5/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
D:\Program Files\Common Files\AOL\1127326195\ee\AOLSoftware.exe
D:\Program Files\Common Files\AOL\1127326195\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
D:\Program Files\mcafee.com\personal firewall\MPfTray.exe
D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
D:\Program Files\VIA\RAID\raid_tool.exe
D:\Program Files\Lexmark X5100 Series\lxbabmon.exe
c:\ewido\security suite\ewidoctrl.exe
c:\ewido\security suite\ewidoguard.exe
D:\Program Files\mcafee.com\personal firewall\MPFService.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Common Files\AOL\ACS\acsd.exe
D:\WINDOWS\system32\notepad.exe
C:\Avant Browser\avant.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Lexmark X5100 Series] "D:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1127326195\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] D:\Program Files\Common Files\AOL\1127326195\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] D:\Program Files\Common Files\AOL\1127326195\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [MPFExe] D:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Add to AD Black List - C:\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13f751e45db23a91c919/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120715511301
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aol131.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - c:\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - c:\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

A few words about my system: I have 3 hard drives on this computer. The
OS drive is a SCSI with drive letter assignment D: - I've found that that
alone helps this computer avoid some instantaneous, crippling infections.
The two other drives are pure data drives. As a result I am able to monitor
what is on my computer by choice or against my will. I built the computer
from parts so there is nothing bundled or prepackaged on this computer. I
run an AOL/McAfee firewall and spyware, eWido anti-malware, and Norton
anti-virus simultaneously and at all times (from startup). On top of that I
manually run Adaware SE every few days. This is a super fast
computer with tons of RAM so I have no delay issues to speak of - I didn't
before the infection and do not now again. I regularly make and check
printouts of my registry and make sure that nothing has sneaked in there. I
use the Avant Browser or the AOL 9.0 gateway for Internet access. No instant
messengers are used even though they are there if I should need these.

Please let me know if you still suggest I proceed with your recommended fix
process.

Thank you,
Vadim
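The log above is what the next reply says not to post here, but its entries are what a helper actually reads. As an added example, not part of the thread and not HijackThis' own code: a Python triage parser for this v1.99.1 log format that re-joins lines wrapped mid-path as in the post, lists O23 services whose binary is missing, extracts the O16 ActiveX download hosts, and finds every entry naming a watched product, which is how the reply further down singles out WildTangent. SAMPLE_LOG is a constructed excerpt in the log's shape.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.99.1 log above (not the
# full posted log). As in the posted log, one process line and two entries are
# wrapped mid-path; the parser joins them back together.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Common
Files\AOL\1127326195\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP
Scheduler.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active
Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner -
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")  # R0, O4, O16, O23 ...
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")            # process lines are full paths

def parse_hjt(text):
    """Return (processes, entries) with entries as [code, body] pairs; a line
    that starts neither is a wrapped continuation and is re-joined with a space."""
    processes, entries, section = [], [], None
    for ln in (x.rstrip() for x in text.splitlines()):
        if ln == "Running processes:":
            section = "proc"
        elif not ln:
            section = "entries" if section == "proc" else section
        elif ENTRY_RE.match(ln):
            section = "entries"
            entries.append(list(ENTRY_RE.match(ln).groups()))
        elif section == "proc":
            if PROCESS_RE.match(ln):
                processes.append(ln)
            elif processes:
                processes[-1] += " " + ln
        elif section == "entries" and entries:
            entries[-1][1] += " " + ln
    return processes, entries

def missing_file_services(entries):
    """O23 services whose binary is gone: the file was deleted, the service was not."""
    out = []
    for code, body in entries:
        if code == "O23" and body.endswith("(file missing)"):
            m = re.match(r"Service: .+? \((.+?)\) - ", body)
            out.append(m.group(1) if m else body)
    return out

def dpf_downloads(entries):
    """(control name, or CLSID when unnamed; download host) per O16 entry."""
    pat = re.compile(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
    hits = [pat.match(b) for c, b in entries if c == "O16"]
    return [(m.group(2) or m.group(1), urlparse(m.group(3)).netloc) for m in hits if m]

def match_watchlist(entries, words):
    """Entries of any type naming a watched product (case-insensitive)."""
    low = [w.lower() for w in words]
    return [(c, b) for c, b in entries if any(w in b.lower() for w in low)]
```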
 
From: "Vadim" <[email protected]>

| David:

| Thank you for responding. First off, before I follow your suggested fix
| process I figured you may want a peek at the HijackThis log. Here it is, I
| hope it gives you some useful info:

< snip >

| A few words about my system: I have 3 hard drives on this computer. The
| OS drive is a SCSI with drive letter assignment D: - I've found that that
| alone helps this computer avoid some instantaneous, crippling infections.
| The two other drives are pure data drives. As a result I am able to monitor
| what is on my computer by choice or against my will. I built the computer
| from parts so there is nothing bundled or prepackaged on this computer. I
| run an AOL/McAfee firewall and spyware, eWido anti-malware, and Norton
| anti-virus simultaneously and at all times (from startup). On top of that I
| manually run Adaware SE every few days. This is a super fast
| computer with tons of RAM so I have no delay issues to speak of - I didn't
| before the infection and do not now again. I regularly make and check
| printouts of my registry and make sure that nothing has sneaked in there. I
| use the Avant Browser or the AOL 9.0 gateway for Internet access. No instant
| messengers are used even though they are there if I should need these.

| Please let me know if you still suggest I proceed with your recommended fix
| process.

| Thank you,
| Vadim

I did NOT state to run HJT and post a log.

I gave you specific instructions to follow but instead you did your own thing. The wrong
thing!

Newsgroups in general, and certain groups in particular such as the Microsoft hierarchy,
alt.comp.virus, alt.comp.anti-virus and alt.privacy.spyware, do NOT accept the
posting of HJT logs -- period.

* Please - Do NOT post HJT Logs here! *

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7


That being said...

You have Wild Tangent which needs to be removed.

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

Second is you have mixed and matched McAfee and Norton. Pick one suite.
McAfee AV and FireWall or Norton AV and FireWall.
Don't mix these two together.

Better yet use Kaspersky or NOD32 AV and Zone Alarm FireWall.
 
David:

I followed your instructions for SmitRem and SmitFraud -- all seems to be
fine now. Thank you. As for the log files, I don't see these where you said
to look. Thanks for the help.

Vadim
 
From: "Vadim" <[email protected]>

| David:
|
| I followed your instructions for SmitRem and SmitFraud -- all seems to be
| fine now. Thank you. As for the log files, I don't see these where you said
| to look. Thanks for the help.
|
| Vadim

Did it actually perform a McAfee AV scan?

If it did, you would have seen it download the needed files and then performed the McAfee
scan.
 
> Did it actually perform a McAfee AV scan?
>
> If it did, you would have seen it download the needed files and then performed the McAfee
> scan.

A download took place and the AV Scan occurred. I think that maybe because
my OS drive is drive letter D: the log file may have been saved in a
different place - is that possible? In any case everything seems fine. If
there is any other way I can confirm success or show the information you're
after let me know (the HijackThis utility you said shouldn't be used).

Vadim
 
From: "Vadim" <[email protected]>


|
| A download took place and the AV Scan occurred. I think that maybe because
| my OS drive is drive letter D: the log file may have been saved in a
| different place - is that possible? In any case everything seems fine. If
| there is any other way I can confirm success or show the information you're
| after let me know (the HijackThis utility you said shouldn't be used).
|
| Vadim

My SmitFraud is hard coded to work from c:\mcafee

The other tools are not hard coded like my tool which incorporates the McAfee AV scanner.
 
David,

Yes, the folder was created and everything worked fine with both SmitRem and
SmitFraud. I did not change the default directories. However, the log
files to which you refer are not there. So, is there any other way I can
post the information you requested or can you suggest where else the log file
may have default saved to?

Once again, thank you - the problem is gone and everything works just fine.

Vadim

> My SmitFraud is hard coded to work from c:\mcafee
 
From: "Vadim" <[email protected]>

| David,
|
| Yes, the folder was created and everything worked fine with both SmitRem and
| SmitFraud. I did not change the default directories. However, the log
| files to which you refer are not there. So, is there any other way I can
| post the information you requested or can you suggest where else the log file
| may have default saved to?
|
| Once again, thank you - the problem is gone and everything works just fine.
|
| Vadim
|

The log files may be helpful to you but the important thing is that you are OK
 