# Help needed to remove Desktop Hijacker from my PC....



## Yoda (Jan 17, 2005)

Hi,

Last week I visited a bad website and immediately a desktop hijacker sat on my desktop.

Then I used..

Ad-Aware SE Professional 1.05 (With latest definitions)

and

Webroot SpySweeper (Latest Version) (with Latest Definitions)

and

Spybot Search & Destroy 1.3 (with Latest Definitions)


After using these 3 programs I was able to remove that "AD" that appeared on the desktop, but I couldn't remove the blank screen of that hijacker.

The blank screen changes between 2 colors, "white" and "cement" color, every 20 seconds on the desktop automatically.

And I couldn't right-click the desktop. I even tried changing the wallpaper, but no way. The hijacker blank screen remains.


You can see the images of my desktop. The BG of the desktop is the "background" of the hijacker.


*img21.exs.cx/img21/9017/pic15lp.jpg

*img116.exs.cx/img116/9312/pic28ss.jpg


Where is the file of this desktop hijacker stored on the PC, so that I can delete it myself and remove that irritating BG of the hijacker?

How to get rid of this problem...

Thanx in Advance
Arsenal.


----------



## indrajit (Jan 17, 2005)

Post your HijackThis log file here.


----------



## digen (Jan 17, 2005)

Maybe you can try this:

Right-click on your desktop > Properties > Desktop > Customize Desktop > Web > Uncheck entries which have not been set by you [mostly malicious].
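The step above works because an Active Desktop hijack is just an HTML "component" registered under the current user's registry hive, usually paired with policy values that block the Display Properties dialog and wallpaper changes. As an added example (not code from anyone in this thread), here is a Python script that reads a `reg export` of those keys and lists the components and lockdown policies a clean-up should look at. The sample export is constructed for illustration; the component `Source`/`FriendlyName`/`Flags` value names and the policy value names are the standard ones, but treat any machine's real export as the authority.

```python
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Numbered subkeys under ...\Internet Explorer\Desktop\Components are the Active Desktop items.
COMPONENT_RE = re.compile(r"\\Internet Explorer\\Desktop\\Components\\(\d+)$", re.IGNORECASE)

# Policy values whose presence (=1) explains the symptoms in the thread: wallpaper cannot be
# changed, Display Properties is blocked, Active Desktop cannot be altered.
LOCKDOWN_POLICIES = {
    r"\Policies\ActiveDesktop": ("NoChangingWallPaper", "NoComponents", "NoAddingComponents"),
    r"\Policies\System": ("NoDispCPL", "NoDispBackgroundPage"),
    r"\Policies\Explorer": ("NoActiveDesktop", "NoActiveDesktopChanges"),
}

# Constructed sample: two HKCU exports concatenated (the IE Desktop key and the Policies keys).
# Values are invented to mimic a hijacked desktop; nothing here is taken from the poster's PC.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINNT/desktop.html"
"SubscribedURL"="file:///C:/WINNT/desktop.html"
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
"""


@dataclass
class Finding:
    kind: str    # "component" or "policy"
    key: str     # registry key the finding lives under
    detail: str  # human-readable value summary


def parse_reg(text):
    """Minimal .reg (REGEDIT5) parser: returns {key: {value_name: value}}."""
    tree, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                val = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                val = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                val = raw  # hex(...) and other types are kept verbatim
            tree[current][name] = val
    return tree


def audit(text, approved_sources=("about:home",)):
    """List Active Desktop components not on the approved list and lockdown policies set to 1."""
    tree = parse_reg(text)
    approved = {s.lower() for s in approved_sources}
    findings = []
    for key, values in tree.items():
        if COMPONENT_RE.search(key):
            source = str(values.get("Source", ""))
            if source.lower() not in approved:
                findings.append(Finding("component", key,
                                        f"Source={source!r} FriendlyName={values.get('FriendlyName', '')!r}"))
            continue
        for suffix, names in LOCKDOWN_POLICIES.items():
            if key.lower().endswith(suffix.lower()):
                for n in names:
                    if values.get(n) == 1:
                        findings.append(Finding("policy", key, f"{n}=1"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f.kind}] {f.key}\n    {f.detail}")
```

Run it against a real export with `reg export "HKCU\Software\Microsoft\Internet Explorer\Desktop" ie.reg` plus the `Policies` keys, and feed the concatenated text to `audit()`. Anything it reports as a `component` with a `file:///` or foreign URL source is what the Customize Desktop > Web list is showing; the `policy` findings are what stops Properties and wallpaper changes from working, and they have to be cleared before the GUI route above will succeed.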


----------



## Yoda (Jan 17, 2005)

> Right-click on your desktop > Properties > Desktop > Customize Desktop > Web > Uncheck entries which have not been set by you [mostly malicious]




I'm unable to do this either. In right-click > Properties

I get this window:

*img35.exs.cx/img35/219/pic39cn.jpg


I even searched for the "desktop.html" file in the WINNT directory and with the search tool, but no use. There is no such file, but the Properties button shows it.


I will send the log file soon.

Thanx
Arsenal.


----------



## Yoda (Jan 17, 2005)

*Log file, "indrajit"*

Here's the log file, "indrajit":




> Logfile of HijackThis v1.99.0
> Scan saved at 4:57:15 PM, on 1/17/2005
> Platform: Windows 2000 SP3 (WinNT 5.00.2195)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> ...





Thanx in Advance
Arsenal


----------



## digen (Jan 17, 2005)

As I suggested earlier, your desktop has been hijacked by replacing it with a web page.
Try scanning under Safe Mode and see if the anti-spyware software detects anything, until someone goes through the log file and posts back.


----------



## theraven (Jan 17, 2005)

Win 98, eh?
First go to Control Panel, then Display Properties,
and from one of those tabs disable your Active Desktop and remove the "Active Desktop item" from the list.

As for the HijackThis log file,
this is my first attempt since bats away (raven will play):


```
C:\WINNT\SYSTEM32\DWRCS.EXE   <-- unknown
C:\WINNT\SYSTEM32\DWRCST.exe <-- unknown
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe <-- unknown
C:\Program Files\Lotus\Sametime Client\Connect.exe <-- unknown
C:\Program Files\ABK\abk.exe <-- unknown

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080 <-- This page could possibly be nasty.   If you do not know the entry '3.174.26.70:8080', delete it. 

O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)   
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([C2260B66-CCA5-E059-DB8C-90ABA1040794] - Result: ) has been checked. Hit rate: -1 %   Unknown application.
Unnecessary (deactivated) entry that can be fixed. 

O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" <--unknown

O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe   <--Unknown application. 
  O4 - HKLM\..\Run: [BITzop9] c:\documents and settings\opac\local settings\temp\BITzop9.exe   <-- Unknown application. 
  O4 - HKLM\..\Run: [6vG9AP702] c:\documents and settings\opac\local settings\temp\6vG9AP702.exe   <--  Unknown application. 
  O4 - HKLM\..\Run: [gB2LV] c:\documents and settings\opac\local settings\temp\gB2LV.exe <--  Unknown application. 

  O9 - Extra button: Instant Messenger - {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} - *cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?*cn.messenger.yahoo.c om/ (file missing)   
Unnecessarily   The entry Instant Messenger has been identified as safe.   If the entry 'Instant Messenger ' is not needed anymore, it should be fixed.
Unnecessary (deactivated) entry that can be fixed. 
  O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)   
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed. 
  O9 - Extra 'Tools' menuitem: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)   
Unnecessarily   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry 'Gexus ' is unknown.
Unnecessary (deactivated) entry that can be fixed. 

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE   
Nasty      This entry should be fixed by HijackThis! 

O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll   
Possibly nasty   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown. 
  O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\WINNT\System32\shdocvw.dll   
Possibly nasty   Unknown buttons or entries in the 'Extras'-menu should be fixed.   To be fixed if the entry '@C:\Program Files\Failsafe\GuardIE\PnIE.dll,' is unknown. 

O14 - IERESET.INF: START_PAGE_URL=*crd.home.ge.com/   
Possibly nasty   This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.   This entry should be fixed if '*crd.home.ge.com/' is not your PC-manufacturer or your 'Internet-Service-Provider (ISP)'. 
  O15 - Trusted Zone: *.skoobidoo.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.slotchbar.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.windupdates.com   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.skoobidoo.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.slotchbar.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted Zone: *.windupdates.com (HKLM)   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted IP range: 67.19.185.246   
Nasty   If you did not add these pages to your trusted pages, they should be fixed.    
  O15 - Trusted IP range: (HKLM)   
Possibly nasty   If you did not add these pages to your trusted pages, they should be fixed.   If you didn't add '(HKLM)' to your trusted pages, it should be fixed. 
  O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - *naupoint.com/toolbar/installer/iEBINST5.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - *crdquickplace02.ge.com/qp2.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 

O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - *advnt01.com/dialer/russia.CAB   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {426F81A5-0B8C-4948-8115-11606FD3F389} - *www.serialspot.com/serials/serials.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} - *216.195.35.10/pdfmgr_s.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - *www.odysseusmarketing.com/actsetup.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - *pacioli.crd.ge.com/oa/US/jinit11816.exe   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {9BBC1154-218D-453C-97F6-A06582224D81} - *www.shifen.com/update/moon/install.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - *hkmeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - *bar.baidu.com/update/IESearch.cab   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - *deposito.hostance.net/dialer/1014061.exe   
Nasty   This entry is possibly nasty.   Should be fixed. 
  O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - *www.35mb.com/downloadapplet.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not. 
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crd.ge.com,ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'crd.ge.com,ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com   
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'grmsasia.grms.ge.com'? If not, fix this entry. 
  O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)   
Nasty   Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.   Should be fixed. 
  O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (autocomp.exe) 

O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (DWRCS.EXE) 

  O23 - Service: OracleOraHome81ClientCache - Unknown - c:\oracle\ora81\BIN\ONRSD.EXE   
Unknown   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.   Unknown service. (ONRSD.EXE)
```

Check all these and click on "Fix selected".
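The annotated log above applies a handful of repeatable rules: a proxy server you never set, autostart entries living in a temp directory, BHOs and buttons whose file is missing, trusted zones and ActiveX downloads from sites you do not recognise, and DNS domains that are not your company's. As an added example (not from anyone in this thread, and not HijackThis code), here is a Python triage script that reads raw HijackThis entries and applies those rules, with an allowlist for the zones and domains the owner does know. The sample log is constructed from the shapes of entries seen above; the `SpySweeper` Run line is invented as a benign control.

```python
import re
from dataclasses import dataclass

# HijackThis lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - ... ProxyServer = host:port".
ENTRY = re.compile(r"^\s*(R\d|O\d+) - (.*\S)\s*$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\winnt\\temp\\")
SUSPECT_WORDS = ("dialer", "casino", "free plugin")

# Constructed sample log modelled on the thread's entries; paths/CLSIDs are illustrative only.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 3.174.26.70:8080
O2 - BHO: (no name) - {C2260B66-CCA5-E059-DB8C-90ABA1040794} - C:\WINNT\system32\peksvrb.dll (file missing)
O4 - HKLM\..\Run: [Z1DSPW5] c:\documents and settings\opac\local settings\temp\Z1DSPW5.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O9 - Extra button: Gexus - {426F81A5-0B8C-4948-8115-11606FD3F389} - (no file)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://advnt01.com/dialer/russia.CAB
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} - http://hkmeeting01c.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grmsasia.grms.ge.com
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
"""


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O15"
    reason: str  # why the entry was flagged
    line: str    # the entry text after "Oxx - "


def _trusted(host, allow):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower().strip()
    return any(host == d or host.endswith("." + d) for d in (a.lower() for a in allow))


def triage(log_text, known_zones=(), known_domains=()):
    """Return the entries a user should review, following the rules used in the thread."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        code, rest = m.groups()
        low = rest.lower()
        reason = None
        if code == "R1" and "proxyserver = " in low:
            reason = "proxy server configured; remove unless you set it"
        elif code == "O2" and "(file missing)" in low:
            reason = "orphaned BHO registration"
        elif code == "O4" and any(t in low for t in TEMP_DIRS):
            reason = "autostart from a temp directory"
        elif code in ("O9", "O18") and "(no file)" in low:
            reason = "orphaned button / protocol handler"
        elif code == "O15":
            target = rest.split(":", 1)[1].replace("(HKLM)", "").strip()
            if not _trusted(target.lstrip("*."), known_zones):
                reason = f"trusted zone/IP not on allowlist: {target or '(empty)'}"
        elif code == "O16":
            host = URL_HOST.search(rest)
            if any(w in low for w in SUSPECT_WORDS):
                reason = "ActiveX download with suspicious keyword"
            elif host and not _trusted(host.group(1), known_domains):
                reason = f"ActiveX from unknown host: {host.group(1)}"
        elif code == "O17" and " = " in rest:
            names = [n.strip() for n in rest.split(" = ", 1)[1].split(",")]
            bad = [n for n in names if not _trusted(n, known_domains)]
            if bad:
                reason = f"unknown DNS domain/search list: {', '.join(bad)}"
        if reason:
            findings.append(Finding(code, reason, rest))
    return findings


if __name__ == "__main__":
    # The poster's machine is on a corporate network, so its own domain is allowlisted.
    for f in triage(SAMPLE_LOG, known_domains=("ge.com",)):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

The allowlists are the important part: on the sample, `known_domains=("ge.com",)` keeps the corporate Sametime download and DNS suffix out of the report, while everything the thread marked "Nasty" is still listed. Run the output past someone before fixing entries, exactly as the thread does, because an O23 service or O4 entry with an unfamiliar name can be legitimate software.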


----------



## Yoda (Jan 18, 2005)

*Very many thanks to you guys.*

Thank you very much "The Raven" and "Digen Verma".

I disabled the Active Desktop item and it worked.


I fixed some of them using HijackThis as suggested by "Raven".

I will also do a TEST in "Safe Mode" and see whether there are any leftovers of the hijacker.

Thanks once again "Raven".


Arsenal.


----------

