Can't remove Desktop.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by orpaez, Feb 13, 2005.

  1. orpaez

    orpaez Private E-2

    I read most of the stuff that has been posted. My problem is that I can't delete DESKTOP.EXE from the Registry Editor. I think I should send my log file. Should I?

    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's related to a load of nasty malware that has been troublesome to remove.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. orpaez

    orpaez Private E-2

    I followed the steps but it seems there is something I can't remove. This is the log file I get from HijackThis.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow my directions on where to install HijackThis and exit browsers before running it. You had this:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    You are running HijackThis from the ZIP file. You need to extract the HijackThis.exe file from the ZIP to the folder I indicated. This is a new folder you need to create.

    You also did not run the Symantec online scan! Please make sure you ran ALL steps of the READ ME.
     
  5. orpaez

    orpaez Private E-2

    I'm sorry I missed several steps the previous time.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you are still missing them.

    You still did not run the Symantec online scan.
    You still have several Internet Explorer sessions running.
    And now you also have about:Buster running, and it does not like having Internet Explorer running either.

    If you do not exit Internet Explorer sessions as directed, you may not be able to repair your problems.

    You also have been installing other software that I did not request. Like MS Antispyware which has a lot of issues right now.

    You have now also enabled a selective Startup mode using MSConfig.exe. You need to run msconfig again and select Normal Startup. We need to be able to see everything that you have in order to make sure nothing bad is lurking in there.
     
    Last edited: Feb 14, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fix.reg file. Doubleclick it and grant it permission to merge in the registry entries.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    sysmonnt.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteyza32.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [zqkm] C:\PROGRA~1\COMMON~1\zqkm\zqkmm.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\isrvs\ffisearch.exe <--- delete all files in this folder and then delete the folder
    C:\windows\system32\eliteyza32.exe
    C:\WINDOWS\System32\sysmonnt
    C:\PROGRA~1\COMMON~1\zqkm\zqkmm.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. orpaez

    orpaez Private E-2

    Re: Thanks

    It does work. There is significant improvement in the computer. Thanks for your time, and let me know if there is something else I should do.

    :)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Thanks

    Well I'm not sure what improved based on your log. Basically everything is still there and some new items were added. Did you have any problems finding or deleting any of the files I asked you to delete?
    Did you remember to click FIX in HijackThis?

    It does not look like you did the Reset of Web Settings as I requested!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Thanks

    Please boot into safe mode this time to do the below steps and make sure you are physically disconnected (unplug your cable) from the Internet. You will need to print or save these instructions locally to do this.

    OK! Unplug your cable now, exit all browsers and do not run anything unless my directions tell you to. Now boot into safe mode.

    Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fix.reg file. Doubleclick it and grant it permission to merge in the registry entries.
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and if found kill them one at a time by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\sysmonnt.exe
    C:\WINDOWS\System32\sysmonnt
    C:\WINDOWS\system32\winbehk32.exe
    C:\windows\system32\eliteyza32.exe
    c:\windows\system32\slzaqfg.exe
    C:\WINDOWS\System32\iwxzqc.exe
    C:\Program Files\glqclghn\glqclghn.exe
    C:\Program Files\Common Files\zqkm\zqkmm.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\windows\system32\msnavc32.exe
    C:\windows\system32\ricstrm.exe
    C:\windows\system32\repgrcoi.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [slzaqfg] c:\windows\system32\slzaqfg.exe
    O4 - HKLM\..\Run: [iwxzqc] C:\WINDOWS\System32\iwxzqc.exe
    O4 - HKLM\..\Run: [glqclghn] C:\Program Files\glqclghn\glqclghn.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Delete] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteyza32.exe
    O4 - HKLM\..\Run: [3F5P33W] ricstrm.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [zqkm] C:\PROGRA~1\COMMON~1\zqkm\zqkmm.exe
    O4 - HKCU\..\Run: [IouFRTa7P] repgrcoi.exe


    After clicking Fix, exit HJT.

    Now use Windows Explorer to delete:
    C:\WINDOWS\System32\sysmonnt.exe
    C:\WINDOWS\System32\sysmonnt
    C:\WINDOWS\system32\winbehk32.exe
    C:\WINDOWS\isrvs\ffisearch.exe <--- delete all files in this folder and then delete the folder
    C:\WINDOWS\isrvs\desktop.exe <--- delete all files in this folder and then delete the folder
    C:\windows\system32\eliteyza32.exe
    C:\Program Files\Common Files\zqkm\zqkmm.exe
    c:\windows\system32\slzaqfg.exe
    C:\WINDOWS\System32\iwxzqc.exe
    C:\Program Files\glqclghn\glqclghn.exe
    C:\WINDOWS\farmmext.exe
    C:\windows\system32\msnavc32.exe
    C:\windows\system32\ricstrm.exe
    C:\windows\system32\repgrcoi.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you do not find any of these files or cannot delete them, you must tell me!

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings (make sure you use majorgeeks for your home page for now while we are fixing your problems):
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
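    The posts above (steps 7 and 10) work from HijackThis O4 and R0 lines by hand: read the autostart entry, decide whether it belongs, then check a later log to see whether the items asked to be deleted are really gone. As an added example, not code from the thread, from HijackThis or from MajorGeeks, the Python below parses lines of that shape into structured records, applies two cheap triage heuristics (bare file names with no directory, and machine-looking names), and cross-checks a new log against a list of paths previously asked to be removed. It generalises from the specific lines quoted here to any O4/R0/R1 line of the same shape. The sample log is constructed from entries quoted in this thread, and the heuristics are the example's own, not anything HijackThis does.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines in the shape HijackThis prints, taken from
# entries quoted in this thread (not a real log file).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [slzaqfg] c:\windows\system32\slzaqfg.exe
O4 - HKLM\..\Run: [Delete] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [3F5P33W] ricstrm.exe
O4 - HKCU\..\Run: [IouFRTa7P] repgrcoi.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
R0_RE = re.compile(r"^R[01] - (HKLM|HKCU)\\(.+?),(.+?) = (.*)$")
# Heuristic only: four or more consonants in a row rarely occurs in product names.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.IGNORECASE)


@dataclass(frozen=True)
class AutostartEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line exactly as logged
    image: str     # executable part of the command, lower-cased
    args: str      # anything after the executable


def split_command(command):
    """Split a Run value into (image, args): a quoted image keeps its spaces,
    otherwise the image is everything up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", command, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2) or ""
    return command, ""


def parse_o4(line):
    """Parse one 'O4 - HK..\\..\\Run: [name] command' line, or return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    image, args = split_command(command)
    return AutostartEntry(hive, key, name, command, image.lower(), args)


def parse_log(text):
    """All O4 autostart entries in a log, in log order."""
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(entry):
    """Triage hints that decide what to research first; they prove nothing."""
    reasons = []
    if "\\" not in entry.image:
        reasons.append("bare file name: resolved via the search path, "
                       "so the file's location is not pinned down")
    stem = basename(entry.image).rsplit(".", 1)[0]
    for label, text in (("value name", entry.name), ("file name", stem)):
        if CONSONANT_RUN.search(text):
            reasons.append(f"{label} {text!r} looks machine-generated")
    return reasons


def still_present(log_text, removed_paths):
    """Entries of a new log that still point at files asked to be deleted
    (matched on file name, so 'ricstrm.exe' matches 'C:\\...\\ricstrm.exe')."""
    wanted = {basename(p) for p in removed_paths}
    return [e for e in parse_log(log_text) if basename(e.image) in wanted]


def start_pages(log_text):
    """(hive, value name, URL) for each R0/R1 line, e.g. a hijacked Start Page."""
    out = []
    for line in log_text.splitlines():
        m = R0_RE.match(line.strip())
        if m:
            hive, _subkey, value, data = m.groups()
            out.append((hive, value, data))
    return out


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flags = suspicious_reasons(e)
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.image} {e.args}".rstrip(),
              "| " + "; ".join(flags) if flags else "")
    asked_to_delete = [r"C:\WINDOWS\isrvs\desktop.exe", r"C:\windows\system32\ricstrm.exe"]
    print("still present:", [e.name for e in still_present(SAMPLE_LOG, asked_to_delete)])
    print("start pages:", start_pages(SAMPLE_LOG))
```

    Note what the heuristics do not catch: the `[Delete] ...\isrvs\desktop.exe` entry has an ordinary-looking name and an explicit path, so only the cross-check against the list from the previous post flags it. That is the point of keeping the list of what was asked to be removed and re-reading the next log against it, which is what the "Basically everything is still there" reply above did by eye.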
     
  11. orpaez

    orpaez Private E-2

    I think the error was because of my using msconfig. Most of the files had been deleted before, but some like iwxzqc, winbehk32 and msnavc32 were deleted.

    The computer seems to be working fine. At least I don't get pop up windows every second or that ugly searchbar in the bottom of the screen. :) :) :)

    However, I would like to know how I can learn more about Hijack so that in the future I can differentiate between required programs and malware.

    Thanks so much. I really appreciate your time... and patience.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a Delfin Media Viewer file:
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    First try looking in Add/Remove Programs for something like DMVlite and if found uninstall it. If you don't find an uninstall or afterwards the above item is still in your log, do the below:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial). For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    vmss.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\vmss <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Information on HijackThis was given in the link I gave you in the first message. But it is more than learning about HJT; you need to spend time learning about valid processes for your OS by researching them, also looking at your CD for original names. You will have a full time job learning to recognize the thousands of bad items. Reading the posts here will help with quite a bit of that, but you have a lot to read. Also new baddies come out daily.
     
  13. orpaez

    orpaez Private E-2

    I managed to remove that piece of software. Let me know if you detect something wrong. :rolleyes:
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

