My desktops been hijacked,HELP PLEASE

Ez everyone
Some spyware thing has hijacked my desktop and i cant get rid of it.Ive tried about 5 different removal tools with no joy.Basically it turned my desktop black and it had a internet shortcut link in the middle to something called Power Scan.I tried deleting it in windows explorer which kind of worked but now my desktop just flashes from white to grey.I cant apply a new wallpaper either.
Can anyone suggest anything please

 

no one then

 

Hi Munz,

Please take a spin through our Cleanup Tutorial. It will remove a lot of stuff that would otherwise clog a HijackThis Log.

READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Please note to be in Safe Mode with System Restore OFF. Make sure to do the Online Scans.

Post back with the results and we'll go from there.

Best luck
PP

 

cheers for replying
ill let u know tomorrow how i get on

 

I have this same problem.I have been through the post directions doing all the clean up with disable system off and in safe mode. I looked at the optional post by Chaslang and it looks too complicated for me. I am stuck and could use some help as well

 

forget about "looks too complicated" , do your best to complete it step by step. It will take some time but it will help.

 

Okay - I got brave and worked through the post by chaslang. My desktop still looks the same. When I look at the properties of the desktop , I get file://C:\WINDOWS\desktop.html as the address.

Any other suggestions?

 

Do you feel brave enough to post a log file for us?

Hijack This Tutorial And How To Post Your Log File

 

Hijack is the original log and Hijack2 is the log after I worked through chaslang's directions.

 

copy Hijackthis to
C:\HJT and run it from there for the following.

remove
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

now, see if you can find
C:\Documents and Settings\Mommy\Application Data\erse.exe
and delete it


Go into your add/remove control panel and remove anything there that says P2P .. Weather bug should also be removed.

if p2p is found and uninstalled, then remove the following in Hijackthis
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


after you do this, post another log

 

I could only find the erse.exe through hijackthis.

In the add/remove control panel, I did delete a P2P as well as weather bug. Hijack this did not find any of the P2P lines is O4 or O16.

 

looks good. How's the computer running now?

I would run this extra tool just to be sure that the exe you couldn't find is most likely gone.
a-squared (a²) Personal Edition 1.1 (requires free registration)

 

My desktop still doesn't allow me to change it. Here is the source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY
style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0
rightMargin=0>
<DIV
style="LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 0px; HEIGHT: 600px"><IMG
style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
src="file:///C:/Documents%20and%20Settings/Mommy/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
</DIV><IFRAME id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 1px; HEIGHT: 571px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\desktop.html" resizeable="粶ې"> </IFRAME>
<OBJECT id=ActiveDesktopMover
style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
<OBJECT id=ActiveDesktopMoverW
style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 802px; POSITION: absolute; TOP: 0px; HEIGHT: 573px; container: positioned"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>&nbsp;
</BODY></HTML>
I am currently running the a2 scan.

 

There might be a registry entry that is preventing you from modifying it, such entries would appear commonly in HK_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES and possibly in
HK_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES


and your wallpaper location info is here: HK_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION When you click on the last folder CurrentVersion on the left pane, you will see a list of values appear on the right hand side, generally at the bottom you will see a StringValue name WallPaperDir with a value of %SystemRoot%\Web\Wallpaper.

 

this is probably the same thing as above but ...load up Hijackthis again and delete this line

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

then try changing the wallpaper.

 

Sorry I was editing my previous note but it timed-out before I could finish it (I am at work, bare with me!)

There might be a registry entry that is preventing you from modifying it, such entries would appear commonly in HK_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES and possibly in
HK_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES
and your wallpaper location info is here: HK_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
When you click on the last folder CurrentVersion on the left pane, you will see a list of values appear on the right hand side, generally at the bottom you will see a StringValue named WallPaperDir with a value of %SystemRoot%\Web\Wallpaper.

Quite obviously a malicious executable (like a virus program) entered your system, possibly even created its clones, then modified the registry to make things appear or act a specific way. Also possibly have processes still running in the background preventing you from correcting the situation since it constantly takes over and re-modifies settings. It most certainly has entries in the registry and Startup locations to ensure the malicious executable will be running after a reboot or a shutdown.
You have to find (identify) all of the malicious executable so you can boot in safe mode (needles to say System Restore which shouldn't be running as a service in Safe Mode but to make sure it is turned off prior to rebooting, also while you are at it, zero out the 'paging file' [Start>Control Panel>System>Advanced>Performance-Settings>Advanced>Virtual Memory-Change..> No Paging File - Set]
Now boot in Safe Mode with all malicious executable file names you have collected ( I am assuming you used HijackThis, Spybot and other utilities?)
Start deleting the files once you locate them, then clean the registry and the Startup entries.

For details see the thread I entered a little earlier about the 53-slide Anti-Spyware guide I created.
Good Luck.

 

In response to the previous 3 posts, I did not find anything in the HK_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION about wallpaper.

I then decided to search for the "desktop.html" in the registry. I found 2 entries and deleted them both. Now when I go back to the desktop and right click, I cannot get the properties for the desktop. It throws me into control panel, display.

I then searched for O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present and found it. I deleted it. I am in the process of completing the other items you have suggested.

 

I'm really stumped. I finished your suggestions to no avail. Now my email is acting up and doesn't want to connect. If I go to Outlook express then back to my desktop and right click the desktop for properties; I get the properties for Outlook express.

I have run all the suggested utilities. In google, when I type erse.exe, I only get a foreign website.

More suggestions?

 

Well...I am kind of stumped to that you have the guts to go ahead and delete registry keys/values left and right without backing up your registry first.
Do not get me wrong but all the previous posts had very sound advise in tHEM but if you really are following the instructions to the T and still experiencing problem and/or the condition of the system has gotten even worse....may be it is time to bite the bullet and re-install everything from scratch.

I am sure most every one who browses the Internet had gotten hit by some sort of a malware at one point and if disinfecting the system is going to take hours of effort without 100% recovery assurance, that is when I stop and re-evaluate the situation. It shouldn't take more than couple of hours to reinstall XP and available service pack, device drivers and most vital applications (assuming the user has broadband connection). I know to some I might've sounded like a quiter but anyone with common sense should agree that if you are not going to lose any important documents (files and folders are still accessible) and know how to back them up properly then why bother spending hours to disinfect something only to make things worse? Sypware infections are normally disinfectable but for some users who did more damage during the disinfection process than the sypware itself caused, a clean install doesn't sound like a bad idea!
I haven't noticed any info on you ever using 'System Restore' utility on this PC, if you had, it may not always yield successful results but I'd recommend giving it a try. May be a registry restore from DOS mode because it seems that you might have already done some irreversible changes to the registry.

Have you also checked out my own visual anti-spyware guide?
http://www.pc101.20megsfree.com/Presentations.html

Let me know if you do, I'd like to get as much feedback as possible!

 

Frustration set in and I got crazy and careless. Started deleting things. Not a good idea.

Anyways. Email seems fine today. I checked the web tab on my desktop. It was not locked.

I had another thought. I have a different logon for my daughters. Their desktop has not been hijacked. Can I copy registry entries from theirs to mine?

 

If I may say so, if I were you, I'd login as the admin delete your account using the User Account Manager [right-click My Computer > Manage > Local Users and Groups > Users] and then Delete your user folder under C:\Documents and Settings\ but make sure to copy your personal settings and files:
\Documents and Settings\your user name\desktop (for shortcuts and files saved on the Desktop)
\Documents and Settings\your user name\Favorites (IE Favorites)
\Documents and Settings\your user name\My Documents (for personal files, etc)
and any other Folder and/or file you had created under
\Documents and Settings\your user name\ that you need.


then reboot and create a new user account (must logoff of Admin account and then Login as the new user that you created:
right-click My Computer > Manage > Local Users and Groups > Users (right-click) > New user...)

You could create a new folder named BACKUP directly on the C drive for backing up your files and later to Restore from...

 

In the desktop web tab, there is a "security" with a check beside it.

 

CHA-CHING That worked. I only unchecked it. Should I delete it as well?


Thanks so much for sticking with me through all of this. I had almost given up hope.

 

Many thanks to all of you.Just deleted two things from that web tab in desktop properties.Worked a treat

 

I have deleted "security". When I go back to that same spot, "security" is back but does not have a check mark beside it.

It this major concern?