Explicit model on my desktop

By nocirpac
Jul 15, 2009
  1. This computer is at my place of work since i provide internet services. Someone changed my background into a picture of this naked lady. I thought it was a simple matter of setting a new background since my customers do this all the time. But this time whenever i changed the background the lady just appears over my new background, when i refresh my computer she disappears for a few milliseconds then she pops up back again.

    I found your 8-step instructions and i followed them and here i am. I have tried as best i can to upload the requested log-files.

    NOTE: I couldn't find the log files of super anti spyware and malware bytes since my computer somehow didn't save them so i run the tests again after i had already run hijackthis. I hope it doesn't make too much difference but advice me incase it does.

    Thank you.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Joke or no joke, the IT person at work is the one who should be addressing this.

    I had to chase this one around! From ArinWhIs to the RIPE Network to Afrnic:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D2A4C6B6-FB37-4A3F-96D6-5A6C103E9363}: NameServer =,
    This IP belongs to:
    netname: KE-TKLJAMBONETNOC-07
    country: KE

    Is this IP for either your ISP or that of your company?

    You have some orphan files for McAfee and AVG, plus you're running Avast. So we need to clean up the system:

    McAfee Removal:

    AVG Removal: You may have to install AVG in order to uninstall it:

    Your HijackThis log does not look like a full log- some of the 'normal' entries are missing. You don't have any homepage set up either.

    I'd like you to take Malwarebytes and Superantispyware off of Startup: This does not remove them- I'll have you do that later. They don't need to be running in the background.

    Start> Run> type in msconfig> enter> Selective Startup> Startup tab> uncheck all entries for:

    Malwarebytes: you might see these> mbamgui.exe, mbam.exe, runcleanupscript

    Superantispyware: SUPERAntiSpyware.exe

    This may be your new "graphic":
    O4 - HKUS\S-1-5-21-1957994488-436374069-1060284298-1004\..\Run: [bce43d40] rundll32.exe "C:\DOCUME~1\Client\LOCALS~1\Temp\ntqjohly.dll",b (User 'Client')[/]

    Since it's a temp file, you may be able to delete it using this:

    TFC (Temp File Cleaner)

    Download TFC HERE and save to your desktop. (the link should be good- my colors aren't working)
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    After removing the orphan AV entries and after running the TFC:

    Please download VundoFix.exe HERE] and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Also, please run a full system scan with Avast. Save the log and attach to next reply.

    1. Answer question about IP
    2. Run TFC
    3. Run Vundofix. Attach log
    4. Rescan with HijackThis. Attach new log.
    5. Run AV scan. Attach log.
  3. nocirpac

    nocirpac TS Rookie Topic Starter

    Hey Bobbye, thanks for taking an interest in this, i really appreciate the effort you are putting in.

    Anyway i did what you ask, what i could anyway, and here are the results.

    The IP address is for my ISP.

    I run the TFC, amazing how large a space is taken by these files.

    I run Vundofix and it came up clean so no log.

    Rescanned with HijackThis and the results are attached.

    Run the AV scan and for some reason i can't be able to attached the full detailed report. So i am attaching the one under the name of 'aswboot'. Hope it helps.

    About the orphan files, AVG removal tool gave me the log named 'avgremover, i hope you can make more sense of it.

    The McAfee removal tool said that it can detect McAfee Enterprise but that i woud have to contact their technical staff.

    Anyway thanks again Bobbye for your help.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    • 1. Is the dancing 'lady' gone from the desktop since this was removed?
      O4 - HKUS\S-1-5-21-1957994488-436374069-1060284298-1004\..\Run: [bce43d40] rundll32.exe "C:\DOCUME~1\Client\LOCALS~1\Temp\ntqjohly.dll",b (User 'Client')[/]

      2.Please disable this Services for McAfee:
      Click on Start> Run> type in services.msc> find this Service:
      McAfeeFramework or FrameworkService> double-click on it> Change Startup type to Disabled> Stop the Service> Close.

      3. Regarding AVG: did you note my comment that you might have to install AVG again in order to get the uninstaller to work?

      4.Your HijackThis log is still not 'normal.' I see no home pages set up and the only Services that show running are 4 for Avast and 1 for McAfee> not a normal configuration. There are also some of the 'normal' starting processes missing.

      So we look further:

      Before you run this online scanner, open the Avast quarantine section and delete anything in it. There is only one entry and I find it confusing:
      File C:\Documents and Settings\Skynet\Local Settings\Temp\ISSCAN\pskavs.dll is infected by Win32:CTX, Deleted

      [o]The Skynet Win32 malware is a Rootkit
      [o]pskavs.dll is a process belonging to the Panda Anti-malware program .
      [o]W32.Dengue(CTX) is a complex, slow-infecting, polymorphic Win32 virus that uses Explorer.exe as its main host.

      The big problem with the polymorphs is that they change into another variant when you remove one variant and it can be hard to find and remove all
      Run Eset NOD32 Online AntiVirus Scanner HERE

      Note: You will need to use Internet Explorer for this scan.
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start
      • When asked, allow the Active X control to install
      • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
      • Click Start
      • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
      • Click Scan
      • Wait for the scan to finish
      • Re-enable your Antivirus software.
      • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

      Please download ComboFix HERE:
      • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
      • Run Combo-Fix.exe and follow the prompts.
        (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
      • Wait for the scan to be completed.
      • If it requires a reboot, please do it.
      • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

      Do not click on the ComoboFix window, as it may cause it to stall.

      CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      Follow with new HJ scan and log. Attach Combofix report and Eset log also.

      Please tell me specifically if the offending image is gone and if so, what current problems are.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...