Black Warning Screen Desktop Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by mikeamondo, May 19, 2005.

  1. mikeamondo

    mikeamondo Private E-2

    I've gone through the "do this first" thread, and run the requested programs.
    Desktop has been taken over by a black screen with a Warning about spyware on it, as described in other threads here. It's a persistent little bastard, I'll give it that! I even created a new user, and deleted the infected one, but it found the new one and installed itself there as well as on any user I open. As with the other postings, safe mode results in the black screen, but no warning message.... I'm attaching 2 hjt logs... one in safe mode, one not. Thanks! Mike
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  3. mikeamondo

    mikeamondo Private E-2

    Okay... I've got HJT moved to the program files folder, in its own folder....
    Here are two new HJT scans.... one in safe mode, one not. By the way... is there any difference, or would a single safe mode scan be sufficient for the purposes of this forum?

    Thanks!
    Mike
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the flsmngr.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move flsmngr.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file flsmngr.dll is already in the remove section, then just click FINISH.)

    Now, download the following utility:

    CWShredder 2.14
    (Click FIX instead of scan)

    Now scan with HJT and have it fix the below entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Be sure you have ALL browsers closed before you click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    c:\windows\system32\flsmngr.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. mikeamondo

    mikeamondo Private E-2

    Okay, ran everything suggested.... no change. Desktop still hijacked. Warning in center is an html doc. with "click here to remove" at the bottom. In safe mode, the desktop is still black without the html doc. The properties of the desktop show its location as C/WINDOWS/web/desktop.html

    As soon as I ran the instructions provided, I rebooted to normal windows, and the bastard thing was still there..... I ran the attached hijack log immediately....

    Let me know what else I can try.... thanks for the help!

    Mike
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper


    Now, Navigate to and delete the following file:

    C:\WINDOWS\Web\wallpaper.html


    After you have completed ALL of the above, reboot and see if problem remains!
     
  7. mikeamondo

    mikeamondo Private E-2

    Okay.... now we're getting somewhere! The black screen is gone, replaced by a white one, that kind of brightens and darkens regularly... like it's trying to update or change back to its old file, but can't find it..... just my guess...

    Clicking properties brings up a dialog box about the desktop.html file that I deleted.... NOTE: I didn't have a "wallpaper.html" doc. as described, but I did have a "desktop.html", which I know as the file on my screen, so I deleted it at that step.... hope that was the right thing to do. Also.... when I went through regedit, none of the values mentioned were there. I rebooted thinking that nothing would be different, when I got the white screen.....

    Let me know what should be next. The new HJT scan is attached.

    Thanks!
    Mike
     


  8. mikeamondo

    mikeamondo Private E-2

    Hey! Solved my own problem with another thread... I followed the advice shown here:
    http://computing.net/security/wwwboard/forum/12432.html

    It seemed to do the trick.... going through the control panel - display - customize desktop - web. I had a website for desktop thing there called "Security" which I removed... and instantly, my desktop came back! Would still like it if you would peruse the HJT log on my previous post to see if there is anything left that should come out.....

    Thanks!
    Mike
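
The registry checks from post 6 and the Active Desktop web item from the post above, gathered into one read-only audit. This is an added example, not part of the original thread or any tool named in it; it assumes PowerShell 3.0 or later, and the `Desktop\Components` key path and its `FriendlyName`/`Source` values are the standard Active Desktop storage location rather than something quoted by the posters. The function name is hypothetical.

```powershell
# Added example: read-only audit of the desktop-lock values named in this thread; nothing is modified.
$policyChecks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoViewContextMenu') },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoViewContextMenu', 'NoActiveDesktop', 'ForceActiveDesktopOn') },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Names = @('NoChangingWallPaper', 'NoComponents', 'NoAddingComponents',
                 'NoDeletingComponents', 'NoEditingComponents', 'NoHTMLWallpaper') }
)

function Get-DesktopHijackFinding {
    $findings = @()
    foreach ($check in $policyChecks) {
        if (-not (Test-Path -Path $check.Key)) { continue }   # key absent: nothing to report
        $key = Get-Item -Path $check.Key
        foreach ($name in $key.GetValueNames()) {
            if ($check.Names -contains $name) {
                $findings += [pscustomobject]@{
                    Type = 'PolicyValue'; Location = $check.Key
                    Name = $name; Data = $key.GetValue($name)
                }
            }
        }
    }
    # Active Desktop web items (assumed standard location, not quoted in the thread).
    $components = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (Test-Path -Path $components) {
        foreach ($item in Get-ChildItem -Path $components) {
            $findings += [pscustomobject]@{
                Type = 'WebItem'; Location = $item.Name
                Name = $item.GetValue('FriendlyName'); Data = $item.GetValue('Source')
            }
        }
    }
    # HTML wallpaper files mentioned in the thread (wallpaper.html and desktop.html).
    foreach ($file in 'wallpaper.html', 'desktop.html') {
        $path = Join-Path -Path $env:windir -ChildPath "Web\$file"
        if (Test-Path -Path $path) {
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path; Name = $file
                Data = (Get-Item -Path $path -Force).LastWriteTime
            }
        }
    }
    return $findings
}
Get-DesktopHijackFinding | Format-Table -AutoSize -Wrap
```

The HKCU checks cover only the account running the script, so run it once per user profile when the hijack reappears on every account as described in the first post.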
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, we would have gotten to that point. First, I wanted to confirm the files and registry entries were gone.

    Anyway, glad you got it fixed. Go ahead and attach a current HJT log just to confirm you're clean.
     
  10. mikeamondo

    mikeamondo Private E-2

    Hi... sorry to jump ahead of you! Sure do appreciate all the help! Here is the new log.... let me know how it looks!

    Mike
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you having any further problems?
     
  12. mikeamondo

    mikeamondo Private E-2

    Nope! All clear.... thanks again for the help! You folks are a godsend!

    Mike
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

