Help! Desktop.html...hijacked desktop.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LadyStang, Dec 12, 2004.

  1. LadyStang

    LadyStang Private E-2

    Hi. A couple weeks ago, something took over my desktop. It was a black screen with a "Warning: You may be in danger" message (or something similar). Somehow, I got rid of the black screen and the text, but my desktop is still covered up....it's now a white screen that periodically turns beige. When I right-click it and go to 'properties' it says this "file://C:\WINDOWS\desktop.html." I use AVG anti-virus, and I also have run Spybot S&D and Ad-aware. Any help would be greatly appreciated. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should attempt to follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    If still having a problem after the above, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  3. LadyStang

    LadyStang Private E-2

    OK...I ran both the online virus scans and they showed nothing. I ran Ad-aware, Spybot S&D, CCleaner, McAfee AVERT, installed Spyware Blaster, and ran the others that didn't need to be installed. Ad-aware found 104 things...all put in quarantine and Spybot S&D found 5 things, and fixed them. Nothing else turned up anything. The desktop.html is still on my desktop. What can I do now to try to get rid of this thing?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Finish the rest of what I requested----> If you still have problems, post a HijackThis log.
     
  5. LadyStang

    LadyStang Private E-2

    I have done everything listed in that help section. While some things were found and supposedly fixed, this desktop thing is still there. I even did the extra things like (Bitdefender, TrojanScan, etc.). I have attached the Hijack This log...
     

    Attached Files:

  6. Blaine

    Blaine Private E-2

    Never mind this post
     
    Last edited: Dec 13, 2004
  7. PhilliePhan

    PhilliePhan Guest

    You should Extract HijackThis from the ZIP File to its own safe folder - C:\Program Files\HijackThis

    Also, you had a few unnecessary items running when you scanned. They should be shut off. Please see the HJT Sticky.

    That said, your log doesn't look too bad. Some minor cleanup here and there left to do. Chas will probably suggest removing WeatherBug.
    I wonder if the following are contributing to your problem:

    C:\WINDOWS\System32\PANTHE~1.SCR
    O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) - http://www.peanutsoftware.com/tw/TW-ThemeCreator3.cab

    Just a thought - I'm sure Chaslang will check back.

    PP :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes PP I agree. And there is more.

    LadyStang, please follow the direction I gave you in message #2 and put HJT in the proper directory. Also I requested that ALL browsers and other programs be shut down when running HJT. You did not do this. You should definitely not be running IE or cmd.exe.

    Bigger problem - why are you using both McAfee and AVG? Only one virus application should be used. Pick one and uninstall the other.

    Is this next line something you recognize:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.danesonline.com/

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Do not continue if you have not put HJT in the proper directory.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    PANTHE~1.SCR

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) - http://www.peanutsoftware.com/tw/TW-ThemeCreator3.cab

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\PANTHE~1.SCR
    C:\Program Files\AWS <--- the whole directory if it exists

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
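
An added example, not part of the thread and not HijackThis's own code: a small Python parser for the HijackThis entry lines quoted in the post above. It picks out entries whose target file is gone ("(no file)" / "(file missing)") and entries that reference a remote URL. The function names and the two triage buckets are assumptions made for this illustration; the sample lines are copied from the thread.

```python
import re

# Section codes that appear in this thread, with their usual HijackThis meaning.
SECTIONS = {
    "R0": "IE start/search page value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O9": "Extra IE button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
}
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

def parse_line(line):
    """Return a dict for one HijackThis entry, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return {
        "code": code,
        "kind": SECTIONS.get(code, "other"),
        "clsid": clsid.group(0).upper() if clsid else None,
        "url": url.group(0) if url else None,
        # Registry entry still present, but the file it points to is gone.
        "orphaned": "(no file)" in body or "(file missing)" in body,
    }

def triage(log_text):
    """Split a log into orphaned entries and entries that point at a URL."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "orphaned": [e for e in entries if e["orphaned"]],
        "remote": [e for e in entries if e["url"]],
    }

# Sample input: entry lines quoted in this thread (not a complete log).
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.danesonline.com/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) - http://www.peanutsoftware.com/tw/TW-ThemeCreator3.cab
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, [(e["code"], e["clsid"] or e["url"]) for e in items])
```

An orphaned entry is leftover registry data rather than running code, which is why fixing those lines in this thread did not change the desktop; the Active Desktop setting was a separate item.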
     
  9. LadyStang

    LadyStang Private E-2

    What is cmd.exe? I do recognize Danesonline.com. I thought I had closed out IE, but maybe I just minimized it. Sorry.
     
  10. LadyStang

    LadyStang Private E-2

    Also, there is no PANTHE~1.SCR in my processes.
     
  11. LadyStang

    LadyStang Private E-2

    I got rid of McAfee too. It was on my computer when I bought it. I deleted all the things you said to delete in the hijack log. Then I booted up in safe mode and deleted the two C: drive files. Rebooted and that stupid desktop thing is still there. Here is the new HJT file....which I think I have in the right place now.
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    Hi LadyStang,

    I think you might just need to disable your Active Desktop. Try this:

    RightClick your Desktop and select Properties > Desktop Tab > Customize Desktop > Web and make sure nothing is selected in the box labeled "Web Pages." Namely, make sure that the My Current Home Page Box is unchecked.
    Let us know if there are other entries in the Web Pages box and if these instructions help.

    Also, regarding your previous question, cmd.exe is the Windows Command Prompt. It should not be running when you scan with HJT and if it is running and you did not tell it to, that might be a problem.

    PP :)
     
  13. LadyStang

    LadyStang Private E-2

    OK...that worked! Thank you so much!!! Is that all I had to do to begin with, lol? In any case, I can't thank you enough! :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, you had other issues too! Now they're all fixed!
     
  15. PhilliePhan

    PhilliePhan Guest

    You're welcome! I am always happy to help out when Chaslang is stumped!! :)

    Best,
    PP
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hey smarty pants you missed this:
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    Should be fixed since McAfee was uninstalled.
     
  17. PhilliePhan

    PhilliePhan Guest

    I didn't look at the new log. . . Figured you took care of it with your previous instructions. Just thought I'd chime in with the FIX when I saw that you were floundering with no idea which way to proceed on this one. :p :)

    PP
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LAZY! No floundering! One step at a time. ;)
     
  19. PhilliePhan

    PhilliePhan Guest

    Dr. Evil Triumphs at last!!! MMwuuuHaaaHaaaaHAAAA!!!! :p
     
