recovery from desktop hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by psychogenic, Mar 29, 2005.

  1. psychogenic

    psychogenic Private E-2

    I'm approaching the end of a fierce battle with a desktop hijacker that removed all of my desktop icons and replaced them with obnoxious wallpaper with the title "DANGER:SPYWARE" along with links to rid oneself of the spyware. I ran Spybot, Ad-Aware, and Spy Sweeper, as well as HijackThis, but things haven't entirely returned to normal. I have 2 problems.

    1. I'm unable to open IE altogether. When I click the icon, the hourglass appears for about a second and then nothing.


    2. My former desktop has not returned. All that exists now is the Recycle Bin and some other icons of software I've just downloaded (i.e. Firefox). There is no 'My Computer' nor 'My Documents' nor anything else. Also strange is that there is a duplicate of everything on the desktop even though I made no copies. For example, when I downloaded Firefox, there were two installers, and after I installed it, there are two icons for it. Or when I saved the log for HijackThis, 2 copies of it appeared instead of just one. I'm wondering how to restore the original desktop with all of its icons. I know it still exists if I search for it through Explorer, but for whatever reason, Windows XP is looking at c:/desktop for the source instead of c:/documents and settings/...

    HijackThis log is attached.

    Any help is much appreciated.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Second:
    Please close ALL browsers while running Hijack This!
    • C:\Program Files\Mozilla Firefox\firefox.exe

    Third:
    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode.

    After doing the above post a fresh HJT log.
     
  3. psychogenic

    psychogenic Private E-2

    Re: "warning you are in danger" wallpaper

    bjgarrick, I hate to drag this thread on any further, but I've been following it closely and my desktop still hasn't reappeared. I followed the instructions listed here:

    and here

    and rebooted my computer hoping to discover some changes, but the values were reset back to c:\desktop again. Do you have any suggestions for me?

    Thank you for your time.
     
  4. psychogenic

    psychogenic Private E-2

    Re: "warning you are in danger" wallpaper

    Also, should one reboot the computer after each time changes are made to the registry, or is it simply a matter of closing the Registry Editor?
     
  5. psychogenic

    psychogenic Private E-2

    Re: "warning you are in danger" wallpaper

    Finally, I will attach my HijackThis log to this reply. Thank you.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: "warning you are in danger" wallpaper

    PLEASE STAY IN YOUR OWN THREAD! I merged your messages back here from the one you incorrectly posted in.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    FIRST:
    Please print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    Locate Trace network connections (ACCRA) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    Locate Provides three management service (FreeBSD) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply.

    NEXT:
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\System32\mocih.exe
    C:\Documents and Settings\jeff\Application Data\aoeo.exe
    C:\WINDOWS\System32\dmconfig.exe


    After killing all the above processes, click "Back".
    Then, please scan with HijackThis and check the boxes for the following entries. DO NOT CLICK FIX until you make sure you have exited all browser sessions including the one you are reading right now! (DO NOT OPEN ANOTHER BROWSER UNTIL DIRECTED TO DO SO):

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {38F6EAD3-A605-4E22-E382-1F90ADD04248} - C:\WINDOWS\msey.dll

    O4 - HKLM\..\Run: [rFsS32P] wh2pack.exe
    O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\jeff\LOCALS~1\Temp\keep.exe
    O4 - HKCU\..\Run: [Seei] C:\Documents and Settings\jeff\Application Data\aoeo.exe
    O4 - HKCU\..\Run: [dmconfig] C:\WINDOWS\System32\dmconfig.exe

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Support - {396CDAFC-B449-4F02-9EBB-287A751920BD} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {3AE930D1-4010-47D0-ACEE-A842D9463C42} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {7FA73B74-69EF-49B8-83C8-87EA8527A9EF} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)

    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addfk32.exe (file missing)
    O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
    O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)

    Click FIX and then Exit HijackThis.

    NEXT:

    Run Windows Explorer and look for and try to delete the following (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others):

    C:\WINDOWS\SYSTEM32\drct16.dll
    C:\WINDOWS\System32\mocih.exe
    C:\WINDOWS\System32\dev32.exe
    C:\WINDOWS\System32\dmconfig.exe
    C:\WINDOWS\msey.dll
    C:\Documents and Settings\jeff\Application Data\aoeo.exe
    wh2pack.exe ←–– Search for this file and delete it!

    If you get an error when deleting a file, RightClick on the file and check to see if the “read only” attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue with the instructions (tell me the results when you post back). We will be repeating an attempted deletion after booting in safe mode later in these steps.

    NOW:
    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that, wait a few minutes and then power up into Safe Mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Repeat the attempted file deletions given above while in safe mode. Note and tell me later which ones cannot be deleted or found (if already deleted earlier and not found now, that is okay).

    - Empty your Recycle Bin. In fact, as an additional measure do the following, run CCleaner that you installed while running the READ ME FIRST.

    Now, Reset your Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    NEXT:
    - Run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log.


    Let me know how things went and whether you ran into any trouble with the above instructions. I will try to check back when I get some free time - Very busy these days!


    *** It might also be a good idea to run this Online Scan after doing the above.
    http://www.pandasoftware.com/activescan -- Let me know the results!

    Good Luck!:)
     
  8. psychogenic

    psychogenic Private E-2

    OK, all instructions were followed correctly, but I did run into a few obstacles. First, among the files that were to be deleted, I was unable to delete drct16.dll - "access denied". Also, msey.dll, dev32.exe, and wh2pack.exe I could not find on my system. However, I did find a file named devldr32.exe but did not delete it. Also, a more significant obstacle was that I was unable to complete the 2nd scan of about:Buster in either normal or safe mode. It comes to a halt at around 91% or 92%. I also left the scan on overnight and nearly 8 or 9 hours after it began, the progress still had reached only 96%. Thus, I wasn't able to produce a 1st or 2nd log. So then, it makes perfect sense that my homepage was 'about:blank' after opening IE towards the end of the instructions, once I reset my web settings. Also, I had problems running the Panda ActiveScan, which may or may not be related to my situation with spyware. Once I arrived at the screen that prompts you to select what you'd like to scan, I clicked 'all my computer' and the scan did not start. Overall, though, there are several small improvements. For once, I am able to open IE and navigate the web. One other oddity has also been solved (at least so far) - my computer doesn't randomly restart when I open a favorite program (Soulseek).

    And so this is where I'm left for now. The major issues remain: my original desktop has not returned and I am also unable to change my desktop under the tab in 'Properties'. Like wizz, it's been greyed out.

    My new HijackThis log is attached. And again, thank you for your time.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The only thing that remains in this log is the Haxdoor infection.

    First:
    Click Start > Run > type in regedit and press OK.

    Now navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify

    In the right pane, select the key drct16, once located right click and delete it.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\drct16.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Second:
    After windows has loaded, Scan with HijackThis and attach the new log.

    Good Luck!:)
     
  10. psychogenic

    psychogenic Private E-2

    To be completely clear, there is no drct16.dll key in the path you mentioned, nor does it show up in the right pane. However, there is a folder named drct16 in the ...\Notify path. Shall I delete this and all of its subkeys?

    Also, which box am I cutting and pasting drct16.dll from the System32 folder into?
     
  11. JennDGeek

    JennDGeek Private E-2

    I'm having the same problem with my desktop, received an email from bluemountain. Unfortunately and unwisely I opened it. Now I'm hit with slimshield.com popup and the "danger spyware" as my desktop. As far as I know I'm completely functional. I just can't change my desktop and cannot right click my mouse. Can't go to the control panel directly or the computer shuts down. All of my desktop programs with the exception of the email, trash, IE have disappeared. Last night, I found the thread about slimshield.com. I think I may have knocked that out. We will see. Should I just follow your direction for the current thread, or is this user specific?
     
  12. tagged

    tagged Private E-2

    Hey psychogenic!

    Those cut and paste directions are for a PocketKillbox fix. They're the same as BJ gave in another thread for a Haxdoor fix, but he didn't copy the download PocketKillbox link and directions. If I were you, I'd wait until he gets back to you before you do anything else. It's better to get clear directions from the person that's been helping you than to try something you're not sure of!

    Good Luck!
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete anything that links to drct16.dll .

    Copy and paste the below into Killbox with the check next to Delete on Reboot:

    C:\WINDOWS\SYSTEM32\drct16.dll

    Reboot when prompted and attach a current HJT log.
     
  14. psychogenic

    psychogenic Private E-2

    Copy that. New HijackThis log is attached.
     


  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This came back, are you doing what I requested? You have to remove the registry key and paste the file into killbox.

    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
     
  16. psychogenic

    psychogenic Private E-2

    Yes, I followed the directions exactly. I'm not sure why it would have come back, because after rebooting with Killbox, I even browsed the System32 folder myself and drct16.dll was gone.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Search for: drct16

    Delete anything linking back to drct16.dll.

    Also, look and make sure the file is not there.
     
  18. psychogenic

    psychogenic Private E-2

    I searched the registry and deleted the same folder that I mentioned in the earlier post and all of its subkeys. There is something else that is regenerating the folder.

    Also, drct16.dll is no longer found in the System32 folder.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Do a search for the file and make sure it is nowhere to be found!

    Let me know!
     
  20. psychogenic

    psychogenic Private E-2

    Just when I began to think I was nearing the end of this, my computer has now entered a pattern of restarting over and over again. Before, it would only happen when I opened up a P2P program that would scan my external hard drive at startup. But now, my computer began restarting when I ran a search for drct16.dll on the entire system. I'll get past the welcome screen and hear the opening music, then my system restarts, and over and over again it happens. The only way I was able to enter Windows is through safe mode, which is what I'm in now.
     
  21. psychogenic

    psychogenic Private E-2

    Update...

    Windows appears to start normally again now, and I followed the directions below. drct16.dll is no longer in the System32 folder, but I can't rule out that it will appear again.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Now, since you're not having problems at the moment, go to Windows Updates and get updated!
     
  23. psychogenic

    psychogenic Private E-2

    Things are OK, but my desktop still has not returned to the original and about:blank remains the homepage. Are you still aware of this?
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, I wasn't!

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Reboot, see if it's still set at about:blank.

    If so, Attach a current HJT log.
     
  25. psychogenic

    psychogenic Private E-2

    about:blank is back and so is drct16.dll. Just so that we're on the same page, my current problems are:

    1. Original desktop is gone, replaced with duplicates of icons, and I am unable to change the desktop wallpaper
    2. System restarts randomly
    3. Unable to complete about:Buster 2nd scan

    New HijackThis log is attached.
     


  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and attach a current HJT log.
     
  27. psychogenic

    psychogenic Private E-2

    I downloaded and ran the MS AntiSpyware software and rebooted. about:blank has returned once again. My log is attached.
     


  28. psychogenic

    psychogenic Private E-2

    Also, I was finally able to run about:Buster without a problem. Immediately after I run it, I'm able to open an Explorer window with the correct homepage. about:blank seems to return only after I reboot.


    The log is attached to this reply.
     


  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must update your Reference List to #26. Click Update and download the updates. Run 2 more scans with the updated ref list.

    Be sure you're running Microsoft AntiSpyware Version 1.0.509 (Beta 1).
    Also, make sure you have spyware definitions 5703.

    Now, after updating both programs, reboot into Safe Mode and do a full scan with both.

    Reboot and post a new HJT log.
     
  30. psychogenic

    psychogenic Private E-2

    I clicked 'Check for updates' under the Misc Tools section in HJT and it confirmed that I had the latest software. Otherwise, I'm not sure how to update the reference list to #26. I also ran MS AntiSpyware.

    The new HJT log is attached.
     


  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ is talking about updating About:Buster's reference list to #26. You are running the download default version #19.

    Also, he wanted you to update MS Antispyware. Did you update it to the 5703 spyware definitions version?
     
  32. psychogenic

    psychogenic Private E-2

    Ah... my mistake. I updated and ran both scans over again. The logs are attached.
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you did not update! Your AB still says: Reference List : 19
    But your file date says 4/1/05 which was yesterday.

    Did you update MS Antispyware? What does it say for the Spyware References version?
     
  34. psychogenic

    psychogenic Private E-2

    No, I did update. About:Buster somehow combined the logs from my first and second scans. I'm not sure why. If you look at the bottom of the log, you'll see the results of my new scan with #26. And yes, I also ran MS AntiSpyware.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! AB appends to the end of the logs! Notice the new version picked up something.

    I did not ask if you ran MS Antispyware. I asked if you updated it. Run MS Antispyware and click Help and select About. What do you see for the below two items:
    Microsoft AntiSpyware Version:
    Spyware Definition Version:
     
  36. psychogenic

    psychogenic Private E-2

    Spyware Definition Version: 5703 (4/1/2005 3:42:43 PM)

    MS AntiSpyware is preventing my homepage from being changed back to about:blank, but apparently the bug still remains.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How do you connect to the internet? Dial-up, cable, or DSL?

    You are running without an antivirus application and without a firewall. This is very dangerous. We need to get that fixed by following the steps for those two items mentioned in How to Protect yourself from malware! (eventually you should run all of those steps - but for now just get an antivirus application and a firewall. Try Avast and Sygate).

    You still have a bunch of bad stuff in your log.
     
  38. psychogenic

    psychogenic Private E-2

    I connect via cable. I will look at the link you provided, as well.

    Yes, I still have a myriad of problems. My desktop remains hijacked, my computer restarts at random, and about:blank continues to return.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Get those two items installed and we can go from there. We need to get you better protected first to avoid having things keep coming in. I'll try to keep helping you here for a little while (gotta run soon) by then maybe BJ will be back.

    After getting the AV and firewall, do the below:

    Download HSFix from: http://www.atribune.org/downloads/HSFix.zip

    - Create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
    - Boot into safe mode
    - Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
    - This will produce a log file in c:\hslog.txt
    - while in safe mode run MS Antispyware and have it perform a full system scan
    - now while still in safe mode run HijackThis and have it fix the below items (if found):

    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\hdhdbgip.exe
    O4 - HKCU\..\Run: [Lwujoynf] C:\WINDOWS\System32\r?ndll.exe
    O4 - HKCU\..\Run: [Seei] C:\WINDOWS\System32\aoeo.exe
    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

    - while still in safe mode run Windows Explorer and locate and delete (if found):
    C:\WINDOWS\System32\paytime.exe
    C:\WINDOWS\System32\x3yy <-- the whole folder
    C:\WINDOWS\isrvs <-- the whole folder
    C:\WINDOWS\System32\aoeo.exe
    C:\WINDOWS\SYSTEM32\drct16.dll

    - Delete all files in c:\windows\Prefetch and then Empty your Recycle Bin

    - Now reboot to normal mode and post the hslog.txt file and a new HJT log too.
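    The HijackThis entries bjgarrick (post 7) and chaslang (post 39) asked to have fixed share a few patterns a defender can triage mechanically before touching anything: an O2 BHO with no name, O4 Run entries that launch a bare file name or something under Temp or Application Data, any O15 Trusted Zone or Trusted IP addition, an O20 Winlogon Notify DLL that is not one of the Windows XP defaults (the drct16 entry that kept coming back in this thread), and O23 services with an unknown owner or a missing binary. The script below is an added example, not code from this thread, from HijackThis or from MajorGeeks; it parses log lines of that form and reports why each one was flagged. The sample log is constructed from entries quoted in this thread plus two benign lines (a hypothetical "ExampleUpdater" Run entry and the XP-default crypt32chain Notify entry), and the Winlogon Notify allow-list is an assumption based on Windows XP defaults that should be checked against the build in front of you.

```python
"""Triage HijackThis-style log lines for the persistence patterns discussed in this thread."""
import re
from dataclasses import dataclass

# Assumed allow-list of Winlogon Notify subkeys that ship with Windows XP. Any other
# O20 entry deserves a look; confirm the list against the actual build before relying on it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Lower-cased path fragments from which a legitimate Run entry rarely launches.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\locals~1\\")

# Constructed sample: lines quoted in this thread plus two benign entries so the triage has
# something to leave alone (the ExampleUpdater path is hypothetical; crypt32chain is an XP default).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {38F6EAD3-A605-4E22-E382-1F90ADD04248} - C:\WINDOWS\msey.dll
O4 - HKLM\..\Run: [rFsS32P] wh2pack.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\jeff\LOCALS~1\Temp\keep.exe
O4 - HKCU\..\Run: [Seei] C:\Documents and Settings\jeff\Application Data\aoeo.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O20"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Every HJT entry starts with a section tag such as "O4 - " or "R3 - ".
_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# Run entries look like: HKCU\..\Run: [value name] command line
_RUN = re.compile(r".*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _o4_reason(body):
    """Return a reason string for a suspicious Run entry, or None if nothing stands out."""
    m = _RUN.match(body)
    if not m:
        return "unparseable Run entry"
    cmd = m.group("cmd").strip().strip('"')
    first_token = cmd.split(" ")[0]
    if "\\" not in first_token:
        # A bare file name relies on the PATH search order, which is how wh2pack.exe hid here.
        return "Run entry with a bare file name (no directory): " + first_token
    if any(d in cmd.lower() for d in SUSPECT_DIRS):
        return "Run entry launching from a temp or profile data directory"
    return None


def classify(line):
    """Classify one HJT log line; return a Finding or None."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return Finding(sec, "Browser Helper Object without a name", line)
    if sec == "O4":
        reason = _o4_reason(body)
        return Finding(sec, reason, line) if reason else None
    if sec == "O15":
        # Trusted-zone additions lower IE's security level for those hosts; users rarely add them.
        return Finding(sec, "site or IP range added to the Trusted zone", line)
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        name = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
        if name not in KNOWN_NOTIFY:
            return Finding(sec, "Winlogon Notify DLL not in the default set: " + name, line)
        return None
    if sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return Finding(sec, "service with unknown owner or missing binary", line)
    return None


def triage(log_text):
    """Run classify() over every line of a log and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def counts_by_section(findings):
    """Summarise findings as {section: count}."""
    out = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line.strip()}")
    print(counts_by_section(triage(SAMPLE_LOG)))
```

    Run against the sample it flags nine entries and leaves the two benign lines alone; on a real log, pipe the file contents into triage() and treat the output as a reading list rather than a fix list, since a flagged Run entry from a vendor's updater or a Notify DLL from a later Windows build will need a manual check before anything is removed.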
     
  40. psychogenic

    psychogenic Private E-2

    Directions followed. Logs are attached.
     


  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\ceohafdf.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\x3yy ←–– Delete this whole folder if it exists!

    NEXT:
    Run HSFix one last time and attach the log after finishing the below steps.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, scan with HijackThis and attach the new log along with a fresh HSFix log.
     
  42. psychogenic

    psychogenic Private E-2

    Things are looking better. For one, about:blank no longer returns.

    Fresh HJT log attached.
     


  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Please reboot into Safe Mode and run HSFix as requested in my last post, and attach the log when it's done.
     
  44. psychogenic

    psychogenic Private E-2

    Yes, I forgot to attach the log. Have a look.
     


  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be sure we got them, search for and delete these files if they still remain:

    p2.ini
    ps.a3d
    vdmt16.sys
    mszx23.exe

    After doing this, attach one last HJT log.
     
  46. psychogenic

    psychogenic Private E-2

    Using the search function in Windows, the files you listed were not found on my system. Now, all that I need is to restore my desktop and I believe all else is well.

    New HJT log is attached.
     


  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HJT log is clean! Looks like they are gone then.

    Now, the desktop problem, what was the exact problem again?
     
  48. psychogenic

    psychogenic Private E-2

    Well, Windows is reading the desktop as c:\desktop instead of c:\documents and settings\... and when I save something to my desktop, a duplicate of the icon is created. Also, I am unable to change the desktop wallpaper. 'Background' is greyed out.

    By the way, Avast detected drct16.dll this morning. I think it may have been trying to return.
     
  49. psychogenic

    psychogenic Private E-2

    Update...

    Avast has detected approximately 15+ trojan horses on my system this morning and the number continues to grow. There is literally a new detection of a virus every 10 seconds. What am I to make of this?
     
  50. psychogenic

    psychogenic Private E-2

    The final count stands at a whopping 35 new trojan horses detected! They were all quarantined, but I still can't help but feel alarmed.
     
