#1 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
Desktop Problem!! URGENT!!!!
My sis was browsing the web on Internet Explorer. She didn't know of all the security holes and spyware there. So we ended up getting something I can't get rid of. There is a black desktop that says spyware detected. Click here to remove or whatnot. I need help getting my desktop back!!!!!
Last edited by JayIBM; 05-02-2005 at 08:38 PM. |
#2 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.
Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.
Then download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log HERE. We do not need the original hijackthis.log (unless we ask for it).
Do not fix anything in HijackThis since they may be harmless.
__________________
If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again.
#3 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
Well, thanks, but this thing is serious.... I can't open anything that has a spyware detector, can't open my Ad-aware, spyware s&d. I did however open HiJackthis. It took out my internet and I just got it back ( for some reason it thought that my linksys was a threat ).... Please tell me some other way. Tell me how to find it in the registry. Because it's come up every time I start my computer. It starts out normal then applies the HTML spyware pop-up background. HELP!!!!!!!!!!!
#4 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
HiJackThis Analyze Report
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11 42 PM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\??oolsv.exe
C:\windows\wjbpino.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JAMAHR~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {33EE6839-8A21-4F20-96F1-04A6530F4DF8} - C:\WINDOWS\system32\klcob.dll (file missing)
O2 - BHO: (no name) - {34AEDEED-4355-6388-2974-3CB67D6EF3E3} - C:\WINDOWS\system32\yatziv.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Fmd2oK.exe
O4 - HKLM\..\Run: [HomeKeyLogger] C:\Program Files\HomeKeylogger\KeyLogger.exe
O4 - HKLM\..\Run: [FKS v2.0] C:\WINDOWS\system32\fks2.0_server.exe
O4 - HKLM\..\Run: [Zxtarqe] C:\Program Files\Oooju\Jvetye.exe
O4 - HKLM\..\Run: [yrsbgzwx] C:\WINDOWS\yrsbgzwx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Dialup Ripper] "C:\Jamahrae's Stuff\New Folder\Download2\dripper\DRipper.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Vki] C:\WINDOWS\system32\??oolsv.exe
O4 - HKCU\..\Run: [ofjqoap] c:\windows\wjbpino.exe
O4 - HKCU\..\Run: [rvixkfl] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [nijesfw] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [uveuodn] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [gwlsjyh] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [jbbyfyu] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [uhvhhdx] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [ydcfvum] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [lnxtovl] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [gdxibpd] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [ktwrwpk] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [vufhaif] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [obreufq] c:\windows\wbptrwb.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: @C:\Program Files\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - C:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra button: Microsoft AntiSpyware helper - {E81578F7-12DF-43F6-9FCB-A69F102951EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E81578F7-12DF-43F6-9FCB-A69F102951EE} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {2CEC3DF6-2061-4436-82BF-5CD32364E04F} - http://69.50.182.94/1/rdgUS1882.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14dcb292...p/RdxIE601.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{370E5F05-0D35-449C-9683-B3EB8BF75E9F}: NameServer = 209.47.15.118,64.157.143.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2B029B-257E-4D84-A255-6BC8D318FF76}: NameServer = 64.238.96.12,66.180.96.12
O20 - AppInit_DLLs: c:\windows\system32\wdmpkc.dll
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: RemotePC Host (remotepc) - Unknown owner - C:\Program Files\Remote Access Host\RemotePCHost.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================
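The log in post #4 shows a dozen randomly named Run values that all launch c:\windows\wbptrwb.exe, plus several entries whose file is gone. As an added example (not part of the thread, and not HijackThis or KRC HijackThis Analyzer code), this Python script parses HijackThis-style entry lines and reports both patterns; the function names and the threshold of three value names are assumptions, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Entries copied from the log posted in this thread, one per line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Dialup Ripper] "C:\Jamahrae's Stuff\New Folder\Download2\dripper\DRipper.exe"
O4 - HKCU\..\Run: [ofjqoap] c:\windows\wjbpino.exe
O4 - HKCU\..\Run: [rvixkfl] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [nijesfw] c:\windows\wbptrwb.exe
O4 - HKCU\..\Run: [uveuodn] c:\windows\wbptrwb.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O23 - Service: RemotePC Host (remotepc) - Unknown owner - C:\Program Files\Remote Access Host\RemotePCHost.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                 r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd))\b", re.I)

def parse(log):
    """Yield (section_code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def target_of(cmd):
    """Reduce an autorun command line to its lower-cased binary path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, arguments may follow
        return cmd[1:].split('"', 1)[0].lower()
    m = EXE.match(cmd)                      # unquoted: cut after the extension
    return (m.group(1) if m else cmd).lower()

def run_targets(log):
    """Map each autorun binary to the (hive, key, value name) entries using it."""
    targets = defaultdict(set)
    for code, body in parse(log):
        m = RUN.match(body) if code == "O4" else None
        if m:
            targets[target_of(m["cmd"])].add((m["hive"], m["key"], m["name"]))
    return targets

def triage(log, min_names=3):
    """Return (binaries started by >= min_names value names, orphaned entries)."""
    shared = {}
    for target, refs in run_targets(log).items():
        names = sorted({name for _, _, name in refs})
        if len(names) >= min_names:         # assumed threshold, tune as needed
            shared[target] = names
    orphans = [f"{c} - {b}" for c, b in parse(log)
               if "(no file)" in b or "(file missing)" in b]
    return shared, orphans

if __name__ == "__main__":
    shared, orphans = triage(SAMPLE_LOG)
    for target, names in shared.items():
        print(f"{len(names)} Run values -> {target}: {', '.join(names)}")
    for entry in orphans:
        print("missing file:", entry)
```
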
#5 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
Start it up in safe-mode with networking, by tapping F8 as the computer boots up. This will prevent the computer from loading anything other than what is required to run.
Run an online virus scan at TrendMicro making sure to select the "autoclean" option. Then do what I said in my first post, and they will help clear your computer through hijackthis. Just FYI, hijackthis scans your computer for everything that starts up and that is currently running. It can be used as a virus removal, but is generally just a last resort type of option. If it is on there, chances are hijack this will catch it and one of the members of our security team will catch it for you.
#6 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
Oh wow you have some nasties. I highly recommend you do what I just said, and instead of posting the log here post it over in our HijackThis Log Help. We have about 10 people who 'camp' over there to fix your logs up.
#8 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
The system is very riddled. I noticed there is no anti-virus installed; I strongly suggest you install one.
AVG Free Edition is a very good anti-virus program. After you get cleaned up over in the HJT log help forum, get the program.
__________________
Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!! The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!
#9 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
I would love to GeekGirl but the spyware/hiJacker won't let me set it up. Dude, I restarted in safe mode. Downloaded the VX2 thing, ran Ad-Aware, I ran Spyware S&D. I did a lot of things. But my desktop is still set to a black HTML screen that says "Im in danger or spyware" and I can't get rid of it!!!
#10 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
OK, I went and found the desktop.html file and deleted it to get rid of the spyware sign.... but now all I have is a white HTML desktop and I still can't run any of my spyware detectors under normal mode....
Little bit of progress. Just need to know how to get rid of the stupid white HTML desktop screen.
#11 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
heh well they should give you a nice long list of stuff to fix with hijack this...
#12 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Go to the display settings in your control panel.
Click on Desktop > Customize Desktop.
Click on the Web tab.
Uncheck whatever you see there.
This should bring your desktop back. If you're unable to post in the HJT forum I will give you instructions in here. Otherwise someone will get you fixed up over in that forum.
#14 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Wow, I think someone is very happy.
Can you post your log in the HJT forum now? They will get you all straightened out over there.
#15 (permalink) | |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
(he posted his log there a while back)
#16 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
My bad
sorry didn't look
#17 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Georgia
Posts: 188
OS: WinXP SP2-Desktop + WinXP PRO- IBM Laptop
|
I sure am, and with the web desktop off I installed AVG and it's pretty cool and better than Norton... Thanks again for all of your help. You two were the only ones that cared about my problem... and I say thanks a lot to you 2.
#18 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
..awwww shucks
#19 (permalink) |
|
Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 7,037
OS: WinXP Pro SP3 and Windows 7
|
I feel loved