Have really tried to fix this but all efforts have failed - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Camilla, Mar 10, 2005.

  1. Camilla

    Camilla Private E-2

    Hi,

    My computer has the following symptoms:
    - repeated messages saying the homepage has been changed (they seem to come in threes and it seems to be hijacked to lots of different pages in turn)
    - flashing grey/white desktop
    - "Win Min" error message on shutdown
    - lots of warnings from Windows about spyware being present on the machine

    I'm new to all this (therefore I need to have things very carefully explained), but have done my best to follow the tutorial on this site to the letter. I had to do the online scans in normal mode though, as booting in safe mode left me unable to log on to the internet for some reason. Anyway, none of the programs/scans picked anything up.

    I then ran Hijack This & deleted a few things, but the site I was using for analysis said I should also go in & delete a certain file (in the system 32 folder) after rebooting... but I can't, because I get an "access denied" message. Tried to take possession of the folder & file by following some instructions I found online, but that didn't work, & now I am really at wits' end. Can anyone help?

    Many thanks
    Camilla
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Camilla,

    If you have exhausted the options in the Cleanup Tutorial, please attach a fresh HijackThis log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP :)
     
  3. Camilla

    Camilla Private E-2

    Hi,

    OK, I will do this when I get home tonight.

    Thank you!
    Camilla
     
  4. Camilla

    Camilla Private E-2

    Hi,

    Here is my fresh Hijack This log.

    Thanks,
    Camilla
     


  5. PhilliePhan

    PhilliePhan Guest

    Hi Camilla,

    Before we start, I suggest you Uninstall / Remove Spyhunter and Security iGuard as they are of ill repute. See the following link: Rogue Product List


    And off we go . . . . :cool:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Spy Hunter
    Security iGuard


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    gmbhjhc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [klckrgq] c:\windows\cnaquay.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    O9 - Extra button: Microsoft AntiSpyware helper - {10A6D7BB-3145-4EFD-BD66-67973AA57CF7} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {10A6D7BB-3145-4EFD-BD66-67973AA57CF7} - (no file) (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\spoolsrv32.exe ---> NOT to be confused with the legitimate spoolsv.exe!!
    C:\windows\gmbhjhc.exe
    C:\Program Files\Enigma Software Group\SpyHunter ---> The Folder. I would also suggest removing Enigma Software Group Folder unless it includes items you wish to keep!
    c:\windows\cnaquay.exe
    C:\Program Files\Security iGuard ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
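    As an added example (not from this thread and not part of HijackThis itself): a small Python triage pass over lines in the HJT log format, fed with the entries PP lists above plus one constructed benign entry. The allowlist of search-provider domains, the list of system binary names and the flagging rules are my own assumptions; they illustrate what an analyst looks for in R0/R1, O4 and O9 entries and do not catch everything (the Security iGuard entry, for instance, is not flagged).

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample in HijackThis log format: the entries quoted in the thread
    # plus one constructed benign autostart (SynTPEnh) as a control.
    SAMPLE_LOG = r"""
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [klckrgq] c:\windows\cnaquay.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {10A6D7BB-3145-4EFD-BD66-67973AA57CF7} - (no file) (HKCU)
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    """

    # Assumed allowlist of search/start-page providers and of system binary names
    # that malware likes to imitate (spoolsrv32.exe vs. the real spoolsv.exe).
    TRUSTED_SEARCH_HOSTS = ("yahoo.com", "microsoft.com", "msn.com", "google.com")
    KNOWN_SYSTEM_BINARIES = ("spoolsv.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe")

    R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
    O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
    O9_LINE = re.compile(r"^O9 - (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+) \((HK\w+)\)$")


    def levenshtein(a, b):
        """Edit distance, used to spot names that mimic a legitimate system binary."""
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
            prev = cur
        return prev[-1]


    def triage_line(line):
        """Return the list of reasons a single HJT log line looks suspicious (empty if none)."""
        findings = []
        m = R_LINE.match(line)
        if m:  # R0/R1: IE start/search settings; flag hosts outside the allowlist
            host = urlparse(m.group(4)).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH_HOSTS):
                findings.append("search/start URL points at untrusted host " + host)
            return findings
        m = O4_LINE.match(line)
        if m:  # O4: registry autostarts
            key, path = m.group(2), m.group(4)
            folder, _, exe = path.lower().rpartition("\\")
            if key.lower() == "runonce":
                findings.append("RunOnce autostart (rarely legitimate for a persistent program)")
            if folder in ("c:\\windows", "c:\\winnt"):
                findings.append("executable placed directly in the Windows directory")
            for known in KNOWN_SYSTEM_BINARIES:
                if exe != known and levenshtein(exe, known) <= 3:
                    findings.append("name mimics system binary " + known)
            return findings
        m = O9_LINE.match(line)
        if m and m.group(3) == "(no file)":  # O9: IE button/menu item whose target is gone
            findings.append("IE toolbar/menu entry whose target file is missing")
        return findings


    def triage_log(text):
        """Map each flagged log line to its reasons."""
        return {ln.strip(): triage_line(ln.strip()) for ln in text.splitlines() if triage_line(ln.strip())}


    if __name__ == "__main__":
        for entry, reasons in triage_log(SAMPLE_LOG).items():
            print(entry)
            for reason in reasons:
                print("   ->", reason)
    ```
    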
     
  6. Camilla

    Camilla Private E-2

    Hi PP,

    Thanks a lot for your instructions. I've done as you suggested & it all seemed to work fine apart from the following possible hiccups:

    1) Just for background: I do remember trying (apparently unsuccessfully) to uninstall Security iGuard a few days ago because I didn't know what it was & it seemed to have just appeared... Anyway, just now when I looked in "Add & Remove Programs" as you instructed, I couldn't find it. I then did a search of all files & folders for that name, and found one thing (I think it was a .exe file) which I deleted; hope that is ok.

    2) In safe mode, I managed to find & delete all of the files & folders you listed apart from the last one, C:\Program Files\Security iGuard (the folder). It wasn't there.

    3) When I rebooted in normal mode, after logging in & before the desktop came up, I got an error message from Windows saying it "could not find" C:\Windows\system32\spoolsrv32.exe. It told me to "make sure I had typed it correctly, & try again" – as if I had been searching for it. But I hadn't done anything except boot up the machine.

    4) I haven't had one of those hijack warning messages for several minutes, which is great. Also, the yellow triangle/exclamation point symbol has gone. But I still have a flashing grey & white desktop, if that means anything...

    Here is my new Hijack This log. thank you!

    Camilla
     


  7. PhilliePhan

    PhilliePhan Guest

    Let me know if this message keeps returning after a few boots. Not a big deal - It is trying to call the bad file that you deleted. I don't see it in your HJT Log (which looks OK).
    Try this:

    RightClick your Desktop and select Properties > Desktop Tab > Customize Desktop > Web and make sure nothing is selected in the box labeled "Web Pages." Namely, make sure that the My Current Home Page Box is unchecked.
    Let me know if there are other entries in the Web Pages box and if these instructions help.

    If still no joy, run a search of your machine for desktop.html and let me know what you find.

    Also, reboot a couple times and run a few IE sessions and then get me a fresh HJT Log. Tell me how things are running and if any problems or error messages remain.

    Will try to check back tonight (EST)

    PP :)
     
  8. Camilla

    Camilla Private E-2

    Hello,

    It hasn't appeared again.
    Actually, when I right-click on the desktop and click Properties, there's only one tab (General) and it mostly says everything is Not Available. There's nothing to play around with at all, it's just sort of a dead end...
    I tried this, but nothing turned up.
    No problems remain, except the desktop. I'm attaching a new log. It's great to be rid of all those dire warning messages.
    OK, cool. Meanwhile, I am going to try to educate myself about stopping this from ever happening again.

    Camilla :)
     


  9. Camilla

    Camilla Private E-2

    I just tried right-clicking the desktop & clicking View Source. In the window that came up was some code. I won't paste it here unless you want to see it, but it does have "desktop.html" within it a couple of times.

    :(

    Camilla
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Camilla,

    It's odd that you cannot RightClick on your Desktop and get those options I mentioned before. When you select "Properties" you don't get the "Display Properties" window with a number of tabs to choose from?


    Well . . . . Let's try this. Please download Pocket KillBox

    Now:
    Run Pocket KillBox and select the Delete on Reboot option.

    Then, where it says Full Path of File to Delete, copy and paste C:\WINDOWS\desktop.html into the box and Click the Delete Button (Red X).

    A message should say C:\WINDOWS\desktop.html will be Deleted on Next Reboot YES / NO

    Click YES.

    A message will say: File will be Removed on Reboot, Do you want to reboot now?

    Click YES and allow Killbox to reboot your computer.


    Let me know if that does the job. Also, while you're here, have a peek at Chaslang's Recommendations!! to help keep you safe from malware.

    PP :)

    EDIT PP: Missed your last post, but I figured it was that! The above instructions may do the job - let me know.......
     
    Last edited by a moderator: Mar 11, 2005
  11. Camilla

    Camilla Private E-2

    Hi PP,

    No, really. I even had someone else come and have a look to make sure I wasn't just somehow misunderstanding. I get a window just called "Properties" with just the one tab. Actually, one of the things it says is "Type: HTML Document" so maybe it is a symptom of this desktop.html problem.

    After I click Yes, I get a message to say it is checking something or other, and then this error message comes up:

    "PendingFileRenameOperations Registry Data has been removed by External Process!"

    (exactly like that, with the words all run together and the exclamation point). Once I click OK, it just leaves me looking at the Killbox window but doesn't reboot.

    I should really go to bed now (it's nearly 2 AM), but thanks again for all this help; I get the impression that this is pretty close to being resolved. Thanks for that link as well. I'll have a look at it in the morning.

    Have a nice Friday night!

    Camilla :)
     
  12. PhilliePhan

    PhilliePhan Guest

    Go ahead and run through that process again (perhaps in Safe Mode), reboot your machine after, and get back to me Saturday evening with the results.

    G'Night!

    PP :)
     
  13. Camilla

    Camilla Private E-2

    Good morning PP,

    OK, I've now tried that process several times, in both safe and normal mode. Each time, though, it just shows a window saying "Verifying Registry Entries... Plz wait", followed by the error message I mentioned in my last post.

    I Googled "PendingFileRenameOperations" and learned little bits of information about it, such as where on the computer it is supposed to be located, so I had a look but it doesn't seem to be there. Didn't want to try & mess with anything, though, so I just left it at that.

    What do you suggest?

    Camilla
     
  14. PhilliePhan

    PhilliePhan Guest

    It is odd that this thing is proving to be so stubborn! What happens when you try to set your own wallpaper/background?

    Three things to try:

    1 - Let's try to get at the settings once more:

    Go Start > Control Panel > Display Properties > Desktop Tab > Customize Desktop button > Web tab.
    Now, Uncheck ALL boxes.
    Click OK and exit out and try to set your own background.

    2 - If the above fails, please download and Run Microsoft® Windows AntiSpyware and let it fix what it finds. Maybe it will catch this guy.

    3 - If that should fail, make sure that the viewing of hidden files is enabled and navigate to C:\Windows\Desktop.html and RightClick it and see if you can change its protections and delete it.

    Let me know how you fare!

    PP :)
     
  15. Camilla

    Camilla Private E-2

    Hi PP,

    Your patience with this is very much appreciated! I think things are fine now, but I'm not sure I understand why. Let me describe what has happened.

    The only box there was called "Security" and it was checked, so I unchecked it. After that, I was able to reset the wallpaper. Also, you remember that when I tried to right-click my desktop before, I just got a kind of dead end? That seems to be OK now. Right-clicking on the newly reset desktop brings up the correct "Display Properties" window with all its tabs.

    I'm really pleased about this, but still not sure if it is safe to consider the whole thing solved, because if I go back in and check that "Security" box again, the desktop reverts to its flashing grey & white appearance & can't be right-clicked anymore. I mean, I now realize that I can fix it easily by going in via Control Panel and unchecking that box, but I'm just concerned that this means there is still something present on my machine that shouldn't be there, even though you have shown me how to get around it. Should I be bothered about this, or is it OK to just leave that "Security" box unchecked & forget about it? Sorry if that's a dumb question but I am kind of niggled by it for some reason, mainly just because I don't really understand it.

    Just to make sure I mention everything:

    - I tried navigating to desktop.html, but it wasn't there and a search of my machine still doesn't show it up, although it is still mentioned in the code when I right-click the "bad" desktop and click View Source.

    - Microsoft AntiSpyWare found something called Melkosoft spyware and deleted it. I was surprised that there was still something lurking there after all the work of the past few days, but I guess that's what I'm learning here...not to get complacent!

    All the best,
    Camilla
     
  16. PhilliePhan

    PhilliePhan Guest

    It dawned on me (little slow in my old age ;)) that it might be blocking you from getting to the setting options - that's why I suggested an alternate route.
    You can probably leave it - doubt it will cause problems. But, I understand the desire to clean it from your machine! This may be something you will have to research and track down on your own. However, if you copy the code you get when you click view source, I'll be happy to take a peek and try to help you pinpoint this baddie.
    Indeed! Lots of times, remnants will be buried and often will not show up in HJT logs. Further, you'll often find that one anti-spyware tool will remove stuff missed by another and vice versa. That's why we suggest multiple scans, etc . . . in the Cleanup Tutorial! Even they don't get ALL the baddies all of the time.

    You should be sure to put Chaslang's recommendations into place. Especially, make sure you are running a good Firewall and AV. Also note that an updated version of Spyware Blaster has been released - It is another "Must Have!" Also, it is probably about time to update XP to SP2.

    Best :)
    PP
     
  17. Camilla

    Camilla Private E-2

    Dear PP,

    Here is that code (attached) if you have time to take a look, but don't worry if you have to move on to some other people now.

    I've been following Chaslang's recommendations, & updated XP to SP2. It's been annoying to have this problem, but actually pretty interesting to work on solving it. It always feels better to be informed. Thanks again for all of your help; I'm really glad this site is here. :D

    Actually, how does it work, can I donate to the site or something? I would have been lost without your advice...

    Camilla
     


  18. PhilliePhan

    PhilliePhan Guest

    Thanks for attaching that . . . It shows that I made a mistake going from memory on the files to delete. I forgot the WEB. Try deleting the following: C:/WINDOWS/Web/desktop.html
    If you need to use Pocket KillBox to delete it, then do so. If you need to do it in Safe Mode (doubtful), then try that as well.
    Also check out C:/DocumentsandSettings/NicholasAldridge/LocalSettings/ApplicationData/Microsoft/Wallpaper1.bmp - You may want to remove it as well!
    You're welcome! We enjoy helping people with malware problems. I always tell people that killing malware is my type of online game! And, you're right. . . . Many people come away from a battle with malware better informed as to the type of things lurking the Interweb trying to get them and how to safeguard against these threats!
    We will be happy if you visit us often and keep up to date with all the preventive measures we offer! However, if the mood strikes you, you could purchase a MajorGeeks T-Shirt! I'm not sure how well-represented we are in Scotland ;) - - - > Trendy Geek-Wear!!

    Anyhoo, let me know how you fare with the desktop and whether we need to try something else . . .

    Best :)
    PP
     
  19. Camilla

    Camilla Private E-2

    Huh, it's odd, but when I went to C:/WINDOWS/Web, I couldn't see the desktop.html file there either. Kind of mysterious...it doesn't seem to be anywhere. I did delete the other file, though (Wallpaper1.bmp).

    Oh well ... I'm sure one of these days I'll find it.
    Definitely, I'll do that. And I'll spread the word around Scotland!

    Best
    Camilla
     
  20. PhilliePhan

    PhilliePhan Guest

    Cool!

    Did you try Copy & Pasting C:/WINDOWS/Web/desktop.html into Pocket Killbox and Deleting on Reboot? You should try that and see if KillBox can find desktop.html . . . .

    PP :)
     
  21. Camilla

    Camilla Private E-2

    I tried it, but I had the same problem as before – first the window saying "Verifying Registry Entries... Plz wait" came up, and then the error message, "PendingFileRenameOperations Registry Data has been removed by External Process!" I haven't actually been able to use Killbox at all because that just happens every time. :confused:

    My impression is that it's looking for some essential bit of information & failing to find it; so maybe I can do something about that. But when I tried to look into it before, I read something which basically said that I shouldn't mess with the registry keys (or whatever they are called) because it's very easy to screw things up that way. So I just backed off for the moment.

    Goodnight!

    C
     
  22. PhilliePhan

    PhilliePhan Guest

    Something must be protecting it . . . Which is odd because we removed most of the related baddies (I think) during the initial cleanup. Try looking for this one and see if somehow it remains: C:\WINDOWS\System32\spoolsrv32.exe - I think it is related to the Desktop mess . . . .

    I'm surprised you can't find desktop.html. Is the viewing of hidden files still enabled? Darn! This is frustrating! When I find some time, I'll try to dig up some more info.

    G'Night!

    PP :)
     
  23. Camilla

    Camilla Private E-2

    Dear PP,

    We have been moving furniture around over the past couple of weeks and have just set up the PC again, so I am back.

    To answer your questions: no, I couldn't find that file you mentioned in the system 32 folder (it sounds familiar, though – I think perhaps it is one we already got rid of); and yes, the viewing of hidden files etc. is enabled. Weird, eh?

    Hope all is well with you! Our computer seems otherwise healthy just now, so don't worry about this unless you are in the mood for puzzle-solving! :)

    All the best,

    Camilla
     
  24. PhilliePhan

    PhilliePhan Guest

    Hi Camilla,

    Always in the mood for puzzle solving! (though time is scarce these days) I'll reread this thread tonight when I have a chance and see if anything jumps out at me. In the meantime, have a peek at this thread and a similar battle:

    "warning you are in danger" wallpaper


    Best :)
    PP
     
  25. PhilliePhan

    PhilliePhan Guest

    I have done a little looking around and have not really found any avenues of pursuit other than the things we have already tried - Sorry!

    If having the remnants on your machine still bothers you, all I can suggest is to check back now and then to see if a new removal procedure has been discovered, or any more info on the baddie, etc . . .

    Keep all of your anti-spyware tools updated and run them often as well - A subsequent definitions update may clean this as well!

    Best:)
    PP

    BTW - Happy Birthday! :)
     
  26. Camilla

    Camilla Private E-2

    OK, thanks for having another look. I think that whatever may be left is really minimal in terms of the problems it is likely to cause, so I won't worry about it. And I've been checking for updates & keeping to the rules for avoiding malware, & have explained it all to my boyfriend as well...

    Thank you! :D

    Best,
    Camilla
     
  27. PhilliePhan

    PhilliePhan Guest

    I think we removed most of the really evil components of the baddie! I imagine the Anti-spyware companies will catch up to it eventually and one day a routine scan with updated spyware definitions will remove the remnants!
    As long as you both have an awareness of what is out there and surf accordingly + use the right preventive measures, I think you'll be OK!

    PP :)
     