Hijacked desktop, please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by jester2886, Nov 9, 2005.

  1. jester2886

    jester2886 Private E-2

    I will be very grateful if you could help diagnose and solve my hijacking problem. My desktop was replaced with a red screen advertising RazeSpyware, and could not remove it. I have tried a number of solutions both from this site and others, and now I have a gray desktop that slightly blinks occasionally. I cannot obtain context sensitive menus upon right clicking.

    I have followed your instructions, and done the following. Disable system restore, show hidden files, installed and ran CCleaner, ran Spybot and set immunization, ran McAfee, ran AdAware, ran Trojan Scan, installed and ran a-Squared, installed and ran Kaspersky On-Line Scanner and scanned critical areas. Somewhere along the line I booted in safe mode and deleted desktop.html.

    Below is a HijackThis log. Can you help? Thank you so much for anything you can suggest.

    • Edit by bjgarrick: Unrequested, Inline, Out dated HJT log removed!
     
    Last edited by a moderator: Nov 10, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido; there should be an icon on your desktop, double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  3. jester2886

    jester2886 Private E-2

    I ran Ewido Security Suite in safe mode and HijackThis again. Attached are the log files from both.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Command Service (cmdService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    cmdService

    You may be told to reboot at this point. Do not reboot just exit HijackThis as we will be restarting it with different options in a moment.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.


    After you complete the above, reboot and let me know things are running.
     
  5. jester2886

    jester2886 Private E-2

    I got stopped at the first step below. When I open Properties for Command Service, "Stop, Pause, and Resume" are grayed out, so I cannot select Stop. I did not proceed further without your instruction.
     
  6. jester2886

    jester2886 Private E-2

    Hi, I think we have another problem. I am the Mom, trying to help my son to fix his computer (with your help!). I was the one to post the reply this morning that I could not disable the cmdService because blocks were grayed out (but maybe this means it was already stopped?). At any rate, when he came home from work this morning he apparently tried to follow your instructions, and I suspect he may have misinterpreted.

    I removed Ewido via Add/Remove Programs. Just now I looked again at services.msc, and could not locate a Command Service any longer. When I went to your next step with HJT and when clicked on Delete an NT Service and typed in cmdService, it tells me "Service 'cmdService' was not found in the Registry. Make sure you entered the short name of the service, vb Exclamation". (Although there is a Command entry in Add/Remove Programs that I don't remember seeing before.) I suspect he misunderstood your instruction and removed the Command Service from services.msc... Now what?
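
The service steps discussed in posts 4 to 6, as an added example that is not part of the original thread: a PowerShell script that first reports whether the service is registered and whether it can be stopped, and only changes anything when asked to. It assumes a current Windows with PowerShell 3 or later and an elevated prompt; `cmdService` is the short name given in the thread, and the `-Remove` switch is a name chosen for this example.

```powershell
# Added example: inspect, then optionally stop, disable and delete a service
# by its short name. 'cmdService' is the short name given in the thread.
param(
    [string]$Name = 'cmdService',
    [switch]$Remove   # hypothetical switch: without it the script only reports
)

$svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
if (-not $svc) {
    # Corresponds to HijackThis saying the service was not found in the Registry
    Write-Output "Service '$Name' is not registered; nothing to stop or delete."
    return
}

# Win32_Service adds the startup type and the binary path to what Get-Service shows
$wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
[pscustomobject]@{
    Name      = $svc.Name
    Display   = $svc.DisplayName
    Status    = $svc.Status
    CanStop   = $svc.CanStop      # False means the Stop button is greyed out
    StartMode = $wmi.StartMode
    Binary    = $wmi.PathName     # note this path before the entry is deleted
}

if (-not $Remove) { return }

# Stop only if the service is running and accepts the stop control
if ($svc.Status -ne 'Stopped' -and $svc.CanStop) {
    Stop-Service -Name $Name -Force
}
Set-Service -Name $Name -StartupType Disabled

# sc.exe delete removes the service registration, not the file on disk
& sc.exe delete $Name
if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe delete returned $LASTEXITCODE" }
```
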
     
  7. jester2886

    jester2886 Private E-2

    11/12/05
    Hi again,
    We followed down through all of your instructions, and completed all except for what we detailed below (unable to find cmdService). After rebooting, the problem remains.

    You did not ask for a new HijackThis log but we have attached one. If you have any further ideas for us we would be very grateful.


     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any current problems?
     
  9. jester2886

    jester2886 Private E-2

    Yes, the desktop remains hidden (hijacked?), as when we started. Would be grateful if you have any further ideas!
    Thank you.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download smitRem.exe and save the file to your desktop.

    Double click on the file to extract it to its own folder on the desktop.

    Reboot into safe mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach this log to your next reply.
     
  11. jester2886

    jester2886 Private E-2

    I followed your last instructions. The problem still exists. I can actually see the background when I drag my taskbar to the bottom of the screen but as soon as I let go of the mouse the white screen that blinks to tan covers the whole screen again. The smitRem program also changed the way the taskbar looks and the color of the background like the program said it would.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right click on the Desktop to open the Display Properties, select the Desktop Tab. Click the customize button and select the WEB tab.

    Uncheck anything here and click ok. Also do a search for the file desktop.html and delete any that are found.
     
  13. jester2886

    jester2886 Private E-2

    Wow. All that work for such a simple answer. That fixed my problem. Thank you very much for all of your help. I know my computer is definitely clean now. Thanks.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

