Desktop Hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by Styx_oz, May 10, 2005.

  1. Styx_oz

    Styx_oz Private E-2

    Re: DesktopHasBeenHijacked!

    Help!

    I have been using your forum for quite a while getting help for various problems (gotta stop letting the hubby use the PC). His computer has this same problem. I have run through the steps as described in "read me first before asking....", with the exception of running Trend Micro's HouseCall: when I try to run it in either normal or startup mode, I simply get a Microsoft message stating that an error was encountered and asking if I want to send an error report. I ran HouseCall, Ad-Aware and Spybot only yesterday, when a few data miners were removed.

    I tried to follow the other steps in this thread, but none of the registry keys appear in regedit.

    I am at the stage now where the background is flashing tan and white, a browser opens automatically when I log on which takes me immediately to about:blank with quickwebsearch.

    I've been looking at this thing for hours now, hoping someone can help me please.

    Am happy to attach a HijackThis log file if needed.

    Regards

    Styx
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: DesktopHasBeenHijacked!

    Styx_oz,

    From now on please create a new thread for your problem instead of posting into someone else's thread. I will have this moved into your own thread this time.


    Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Styx_oz

    Styx_oz Private E-2

    Oops, sorry about that.

    As I said, I have already followed all the steps in the "read me first" sticky.

    IE just shut down when I tried to run Trend Micro housecall.

    Ad-Aware found CWS when I ran it, which wasn't there the day before. CWShredder didn't find any instances of CWS (it was run after Ad-Aware).

    Logfile attached as per instructions.
     


  4. Styx_oz

    Styx_oz Private E-2

    Trojan Adclicker

    Hi again,

    Because I just can't let it go, I ran Norton's again, which found the file CHMredir.chm, called Trojan Adclicker, and removed it. That made absolutely no difference to the problem, so I thought I'd try going through the "read this before" steps again (just in case).

    I still can't get HouseCall to run. If I try to run it in safe mode with networking I get the "IE has encountered a problem and must close" message as soon as I try to go to the website; in normal mode it doesn't give me that message until I try to download HouseCall.

    Will continue running the other steps in the meantime and post a new HJT log file when it's done.

    Thanks for your time
     
  5. Styx_oz

    Styx_oz Private E-2

    I finished going through the "read this before...." steps again (three days in a row now) and this is what happened:

    Ad-Aware found 3 possible browser hijack attempts (all URLs that I've never seen before) and cleaned them

    Spybot S&D found 3 problems:
    Startpage - EH
    Cool www search.aff.winshow
    URL Search hook. atlpz

    CWShredder found nothing

    Kill2Me found nothing

    Buster removed 4 random key entries

    HS removed 8 items.

    New HJT log attached.

    Thanks again
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have not completed all of the steps. If you had, the service running this hijacker wouldn't still be running. Now, please follow this fix exactly as it appears!

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the flsmngr.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move flsmngr.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file flsmngr.dll is already in the remove section, then just click FINISH.)




    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hmwll.dll/sp.html#12345
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {A4626F5D-18F2-C0A7-8D1B-631BFD287428} - C:\WINDOWS\system32\d3fs32.dll

    O4 - HKLM\..\Run: [syspf.exe] C:\WINDOWS\system32\syspf.exe

    Again, make sure All Browser Windows are Closed when you Click FIX or this will be IMPOSSIBLE to remove!

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\d3fs32.dll

    C:\WINDOWS\system32\hmwll.dll

    C:\WINDOWS\system32\syspf.exe

    C:\WINDOWS\systy.exe

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above, post a fresh HJT log from NORMAL MODE.
     
  7. Styx_oz

    Styx_oz Private E-2

    bjgarrick

    My apologies if I missed something in the initial step by step instructions, I did try to be thorough.

    I have followed every step in your instructions.

    Spybot S&D found URL Searchhool.atlpz and fixed it (again)

    When I rebooted to normal mode, there was a Windows message that Windows could not find file c:\windows\systy.exe (which, as I removed it as per instructions, I guess is okay)

    After resetting web settings and security settings I ran HJT again, logfile attached. I notice that many of the things I fixed the first time have reappeared. I swear everything except HJT was closed when I ran it the first time. I did consider removing them again, but await any further suggestions from you.

    Thank you so much for your time
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on " Desinfecton starten" (the other button means close) then it will reboot and finish the cleaning.

    Run SpSeHjfix one more time.

    Reboot in Normal mode.

    Run HijackThis again and post a new log. Also post the log from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  9. Styx_oz

    Styx_oz Private E-2

    BJGarrick

    I ran SpSeHjfix from safe mode as instructed. I got the impression from your post that it would reboot the PC automatically, but it didn't, so I restarted and rebooted to safe mode again and ran it the second time, log attached.

    Log also attached from HijackThis after running SpSeHjfix.

    Thanks again
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Follow this fix EXACTLY as it appears. Do not skip anything! Also, do this with ALL browsers CLOSED; if you don't, this will be IMPOSSIBLE to remove!

    Download Pocket KillBox
    (Don't run it yet though)

    Please boot into Safe Mode with the viewing of Hidden Files & Folders enabled per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {6D379624-072D-7176-5E58-A0C19A7072FA} - C:\WINDOWS\system32\iemu.dll

    O4 - HKLM\..\Run: [iemu.exe] C:\WINDOWS\system32\iemu.exe
    O4 - HKLM\..\RunOnce: [d3cm.exe] C:\WINDOWS\d3cm.exe

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systy.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\system32\jfhuw.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\iemu.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\iemu.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\d3cm.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now, let Killbox reboot your system. After you reboot, boot into normal mode and proceed with the following.


    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    After doing ALL of the above, Run CCleaner

    Then, Scan with HijackThis and attach the new log.
     
  11. Styx_oz

    Styx_oz Private E-2

    Yay, that seems to have cleaned up the HJT log somewhat, thanks so much.

    This is what happens now:

    My desktop still has the plain background, that flashes between white and off-white occasionally;

    My browser now opens to something useful like www.majorgeeks.com instead of the nasty websearch page it was opening before.

    Copy of HJT log attached.

    Thanks again for all your time.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're still not clean and you need to post logs from normal boot mode.
     
  13. Styx_oz

    Styx_oz Private E-2

    Hi Chaslang

    I thought I did post the log from normal boot mode, that was how I ran HJT, but have done it again just in case, attached.

    Regards

    Styx
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I thought it was from safe mode because I did not see all the typical processes running that should be there related to your antivirus program. Are you sure your antivirus application is working properly? What version are you using? And is it up to date with definitions? There seems to be a lot of stuff missing.

    And as I said, the hijacker is still present. I'll leave that for BJ when he returns. I was just popping in and noticed your log did not look right.
     
  15. Styx_oz

    Styx_oz Private E-2

    Now that is a funny thing..... you are quite correct, I am running Norton SystemWorks 2003, but when I try to run AV, Auto-Protect is off and won't allow me to enable it, and there is an error in the email scanning. It was working fine last week, but did have a few issues when downloading the last lot of updates. I never noticed that it wasn't running properly, thanks for pointing it out. I guess I will need to uninstall and reinstall it, unless you have any other suggestions?

    Should I do the uninstall / reinstall before or after getting the hijacker sorted?

    Thanks

    Styx
     
  16. Styx_oz

    Styx_oz Private E-2

    Okay, tried to sort out Nortons, but gave it up as a bad joke.

    I uninstalled it, and now I've installed AVG and run it (it cleaned 49 items)

    Have run HJT again, log attached.

    Regards

    Styx
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like BJ is not around right now so to keep things moving I will just tell you that you must not use msconfig to disable items from loading at startup. We need to see everything to determine all potential problem areas. Run msconfig and select Normal Startup then reboot and post a new HJT log.

    Your current HJT log shows the below signs from the HSA hijack. You can have HijackThis fix those lines and see what happens:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systy.exe (file missing)
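
    The three lines above, together with the longer lists in bjgarrick's earlier fixes, are the indicators a helper looks for in a HijackThis log. As an added example (not code from this thread, from MajorGeeks or from HijackThis itself), here is a small Python scanner that parses HijackThis lines and flags exactly those patterns: R0/R1 entries whose value is a res:// resource inside a DLL under system32, a missing default URLSearchHook, a BHO named only "Class" or loaded from the Windows directory, Run/RunOnce entries named after an executable dropped straight into C:\WINDOWS or system32, and O23 services with an unknown owner, a missing binary or a garbled name. The sample log is constructed from lines posted in this thread plus one made-up benign autorun entry; the heuristics and the C:\WINDOWS layout are assumptions of this example, not HijackThis's own rules.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the first eight lines are copied from the HijackThis fixes
# posted in this thread; the last line is a made-up benign autorun entry that the
# scanner should NOT flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jfhuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6D379624-072D-7176-5E58-A0C19A7072FA} - C:\WINDOWS\system32\iemu.dll
O4 - HKLM\..\Run: [iemu.exe] C:\WINDOWS\system32\iemu.exe
O4 - HKLM\..\RunOnce: [d3cm.exe] C:\WINDOWS\d3cm.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systy.exe (file missing)
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\avtray.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "R1" or "O23"
    reason: str   # why the line was flagged
    line: str     # the original log line


LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# IE start/search page pointing at a resource inside a DLL under system32
RES_DLL_RE = re.compile(r"res://[^\s]*\\system32\\[^\\/\s]+\.dll/", re.IGNORECASE)
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Splits "C:\dir\sub\file.exe ..." into its directory and the first .exe/.dll file name
PATH_RE = re.compile(r"^(?P<dir>[A-Za-z]:\\(?:[^\\]+\\)*)(?P<file>[^\\]+?\.(?:exe|dll))", re.IGNORECASE)


def _in_windows_root(path: str) -> bool:
    # Assumption: the C:\WINDOWS layout shown in this thread's logs. True only when
    # the target sits directly in the Windows dir or system32, not in a deeper folder.
    m = PATH_RE.match(path)
    if not m:
        return False
    directory = m.group("dir").lower().rstrip("\\")
    return directory in ("c:\\windows", "c:\\windows\\system32")


def _file_name(path: str) -> str:
    m = PATH_RE.match(path)
    return m.group("file").lower() if m else ""


def _check(section: str, body: str, line: str) -> list:
    out = []
    if section in ("R0", "R1"):
        if RES_DLL_RE.search(body):
            out.append(Finding(section, "IE start/search page redirected into a DLL resource (res://...sp.html)", line))
        elif body.rstrip().endswith("= about:blank"):
            out.append(Finding(section, "start page forced to about:blank; review together with any res:// entries", line))
    elif section == "R3" and body.startswith("Default URLSearchHook is missing"):
        out.append(Finding(section, "default URLSearchHook removed (typical after a search hijack)", line))
    elif section == "O2":
        m = O2_RE.match(body)
        if m and (m.group("name").strip().lower() == "class" or _in_windows_root(m.group("path"))):
            out.append(Finding(section, "BHO with a generic name or a DLL dropped straight into the Windows directory", line))
    elif section == "O4":
        m = O4_RE.match(body)
        # Heuristic: autorun value named after an executable sitting directly in the Windows dir
        if m and _in_windows_root(m.group("path")) and m.group("name").lower() == _file_name(m.group("path")):
            out.append(Finding(section, f"{m.group('key')} entry named after an executable dropped into the Windows directory", line))
    elif section == "O23":
        m = O23_RE.match(body)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown owner")
            if "(file missing)" in m.group("path"):
                reasons.append("binary missing on disk")
            if any(ord(c) > 127 for c in m.group("name")):
                reasons.append("garbled service name")
            if reasons:
                out.append(Finding(section, "suspicious service: " + ", ".join(reasons), line))
    return out


def scan_log(text: str) -> list:
    """Parse every 'Rn - ...' / 'On - ...' line and return the flagged ones."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            findings.extend(_check(m.group("section"), m.group("body"), line))
    return findings


def summarize(findings: list) -> dict:
    """Count of flagged lines per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Run as a script it prints the seven flagged lines from the sample and leaves the ExampleAV entry alone. Treat the output as a triage aid, not a verdict: about:blank can be a deliberately chosen home page and a legitimate service can also show "Unknown owner", so each hit still needs the file on disk and the registry entry checked, which is what the helpers did in this thread.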
     
  18. Styx_oz

    Styx_oz Private E-2

    Hi again Chaslang

    Thanks for that, sorted my msconfig as requested, ran HJT and fixed those three items, new log attached.

    Thank you all so much for your help....

    Styx
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be safe, let's make sure this Service has been stopped, disabled and removed.

    Click Start > Run > type services.msc and Click OK

    Locate Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and right-click on it to bring up the Service Properties window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Now, let's remove the service.
    Run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)

    or possibly use the short name: 11Fßä#·ºÄÖ`I
    (Copy and paste, as those characters are difficult to type)


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [syspf.exe] C:\WINDOWS\system32\syspf.exe

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\systy.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\syspf.exe

    C:\WINDOWS\system32\jfhuw.dll
    (Just to be sure it's gone!)

    NEXT:
    Run CCleaner

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  20. Styx_oz

    Styx_oz Private E-2

    No problems following those steps; the two files that you asked me to delete in system32 were not there (I hope that's a good sign).

    Everything seems to be running better - my browser is opening where it's supposed to be.

    The desktop, however, still has the white / off white flashing background.

    New log attached.

    Cheers

    Styx
     


  21. Styx_oz

    Styx_oz Private E-2

    I guess I should mention that the background problem only happened under one user login, which is the one I have been posting these hjt logs from, that particular user does have admin privileges (which I will be revoking as soon as this is sorted out).

    All steps that you have given me to run have been done under each user log in as I go, but all logs have come from the one that had the initial problem. I hope this is correct.

    Styx
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Now, let's get the desktop problem fixed.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    After doing the above, reboot and see if problem remains.
     
  23. Styx_oz

    Styx_oz Private E-2

    So glad my HJT log is clean now, thought for a while there it was going to be a reformat job! Thanks for all your help.

    I followed the last step, unfortunately it didn't help the desktop problem.

    Regards

    Styx
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located right click and delete it!


    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located right click and delete it!



    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove This Value NoComponents
    Remove This Value NoAddingComponents
    Remove This Value NoDeletingComponents
    Remove This Value NoEditingComponents
    Remove This Value NoHTMLWallpaper
     
  25. Styx_oz

    Styx_oz Private E-2

    Okay, well that all looked easy enough until I started looking for them....... unfortunately NONE of the things I was asked to remove existed:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Under Policies there are only the files NonEnum, Ratings and system

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    The only DWORDS in there are NoBandCustomize and NoDriveTypeAutoRun

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    The only folder under policies in here is Explorer

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    See above, do I remove NoBandCustomize?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    Only folder under Policies in Explorer.

    Regards

    Styx
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right Click and delete the value NoBandCustomize.

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Should only have "NoDriveTypeAutoRun"

    Remove This Value "NoActiveDesktop"
    Remove This Value "ForceActiveDesktopOn"

    After doing the above, download and run Ad-Aware SE Personal 1.05
    (Be sure you get the updated ref file by clicking "Check For Updates")

    Let me know the results!
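
    Posts 24 and 26 above amount to a small registry policy audit: Policies\Explorer under HKCU should hold only NoDriveTypeAutoRun, Policies\ActiveDesktop should hold only its (default) string, and NoViewContextMenu should not exist under either hive. As an added example (not from this thread or from MajorGeeks), the Python script below encodes those rules, audits a snapshot of those keys, and renders a .reg file that deletes only the offending values, which is the same mechanism the fixwp.reg step relied on. The sample snapshot is constructed to match what Styx_oz reported (NoBandCustomize sitting alongside NoDriveTypeAutoRun); read_live_snapshot() uses the standard-library winreg module and only reads anything on Windows.

```python
import sys
from dataclasses import dataclass

# The three policy keys named in posts 24 and 26 of this thread.
HKLM_EXPLORER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_ACTIVEDESKTOP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"

# Rules taken from the thread's instructions. "allow" lists the only value names that
# belong in the key; "deny" lists names that must not be present, used where the
# thread named a specific value but gave no complete allow-list.
RULES = {
    HKLM_EXPLORER: {"deny": {"NoViewContextMenu"}},
    HKCU_EXPLORER: {"allow": {"NoDriveTypeAutoRun"}},
    HKCU_ACTIVEDESKTOP: {"allow": set()},  # only the (default) string should be here
}

# Constructed sample matching what Styx_oz reported in this thread: the HKCU Explorer
# key holds NoBandCustomize next to NoDriveTypeAutoRun, while the HKLM Explorer and
# HKCU ActiveDesktop keys do not exist at all (the DWORD data values are made up).
SAMPLE_SNAPSHOT = {
    HKCU_EXPLORER: {"NoBandCustomize": 1, "NoDriveTypeAutoRun": 145},
}


@dataclass(frozen=True)
class Violation:
    key: str    # full registry key path
    name: str   # offending value name
    data: object


def audit(snapshot):
    """snapshot maps key path -> {value name: data}; keys that do not exist are absent.
    Returns the values that the thread's rules say should be removed."""
    found = []
    for key, rule in RULES.items():
        for name, data in snapshot.get(key, {}).items():
            if name == "":  # the (default) value is always permitted
                continue
            denied = name in rule.get("deny", set())
            not_allowed = "allow" in rule and name not in rule["allow"]
            if denied or not_allowed:
                found.append(Violation(key, name, data))
    return found


def removal_reg(violations):
    """Render regedit-importable text that deletes each offending value;
    "name"=- is the .reg syntax for deleting a value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for v in violations:
        by_key.setdefault(v.key, []).append(v.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


def read_live_snapshot():
    """Read the three keys from the local registry with the standard winreg module.
    Returns an empty snapshot on non-Windows hosts so the audit can still run on the sample."""
    if sys.platform != "win32":
        return {}
    import winreg
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in RULES:
        root_name, subkey = key.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root_name], subkey) as handle:
                values = {}
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(handle, index)
                    except OSError:  # raised once the values are exhausted
                        break
                    values[name] = data
                    index += 1
                snapshot[key] = values
        except FileNotFoundError:
            continue  # key absent: nothing to audit, exactly as Styx_oz found
    return snapshot


if __name__ == "__main__":
    hits = audit(read_live_snapshot() or SAMPLE_SNAPSHOT)
    for h in hits:
        print(f"remove {h.name} from {h.key} (data={h.data!r})")
    if hits:
        print(removal_reg(hits))
```

    The caveat a practitioner would add: on a domain-joined or otherwise managed PC these same Explorer and ActiveDesktop values are set on purpose by Group Policy, so the audit is only meaningful where nothing should have set them, as on the home machine in this thread. Review the generated .reg text before importing it, and keep a registry backup as the HijackThis instructions above already require.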
     
  27. Styx_oz

    Styx_oz Private E-2

    Thanks BJGarrick

    Removed the registry key as instructed, ran Ad-Aware (in safe mode) and it found CoolWebSearch (ARGH!)

    Desktop is still flashing between white and off-white.

    Have attached HJT log again

    Regards

    Styx
     


  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If possible post the log from Ad-Aware.


    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates.

    Please make sure ALL Browser Windows are Closed.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode.
     
  29. Styx_oz

    Styx_oz Private E-2

    Ummmmm .... does Adaware not save logs when run in safe mode? I can find copies of logs for every scan ever done in normal mode, but none under safe. (Settings definitely say to save logfiles) I did, however, find the quarantine file for the scan run yesterday.

    Not sure if that will help, so haven't attached it, let me know if you need it. From the instructions below, I gather that after downloading and updating MS Windows Antispyware that I run it in safe mode, so that is what I shall do.

    Regards

    Styx
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you advise what Ad-Aware found as in file, registry key and the exact location?

    Also, let me know the results of the MSAS scan.
     
  31. Styx_oz

    Styx_oz Private E-2

    I managed to save the quarantine log as a txt file, hope this gives you the information you need (attached).

    MSAS found nothing, running in safe mode.

    Regards

    Styx
     


  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Were you able to successfully remove those entries with Ad-Aware?
     
  33. Styx_oz

    Styx_oz Private E-2

    Yes, adaware successfully removed them on that run.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try this one more time!

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    Locate PocketKillbox

    Now, Copy and Paste C:\wp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\wp.bmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\WEB\desktop.html into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now, allow Killbox to reboot your computer. See if problem remains.
     
  35. Styx_oz

    Styx_oz Private E-2

    I added the registry key as per instructions, and got a message saying registry had been changed. When I look through regedit, there is still not a systems folder under policies.

    I ran Killbox as per instructions; none of the filenames seemed to turn blue, but I red X'd them anyway. On the final one, when I clicked Yes for reboot, I got a window saying changes were being made, then a Windows pop-up came up that said

    "pending FileRenameOperations Registry Data has been removed by external process!"

    The system did not reboot, I did this manually .... desktop is still white / offwhite flashing.
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Now everything should be cleaned up as far as the files go.

    Right Click on your Desktop and select properties. Click on the DESKTOP TAB and then click the button "CUSTOMIZE DESKTOP".

    After you do this and another window comes up, click on the WEB TAB.

    Now UNCHECK everything in here and delete it.

    Click OK and see if background is still messed up.
     
  37. Styx_oz

    Styx_oz Private E-2

    BJGarrick, you are without a doubt a legend.

    Thank you, and thanks Chaslang for all your help, the desktop appears fine now. I am now off to remove any and all privileges to this computer from both the hubby and kids, and to follow the instructions in the "how to protect your computer........" thread.

    Cheers

    Styx
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    Glad to hear things are back to normal.
     
