Hijack.desktop - Help I can't get rid of this malware


kristant

So I inherited a work computer that had a BUNCH of trojans, spyware, malware, etc. I have deleted most of it and have resolved 99% of my issues. I know that I am still infected by at least one piece of malware, though, as my desktop is still all messed up!

I ran Malwarebytes and this is the log... even though I selected Remove This, it didn't help!

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 2

10/22/2008 12:56:01 PM
mbam-log-2008-10-22 (12-56-01).txt

Scan type: Full Scan (C:\|D:\|X:\|Y:\|)
Objects scanned: 72697
Time elapsed: 10 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SO I ran HijackThis and this is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:54 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\TEMP\BEBCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\OfficeScan NT\pccntupd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sodexhousa.com/defaulthome/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [CACSBackup] C:\Windows\System32\Backup\backcacs.bat
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SDXverifyBackups] C:\WINDOWS\system32\NTBackup\VerifyBackups.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
O4 - Startup: CACS Data Backup.lnk = C:\WINDOWS\system32\Backup\Backcacs.bat
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
O4 - Global Startup: CACS Data Backup.lnk = C:\WINDOWS\system32\Backup\Backcacs.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mysodexhoapps.com
O15 - Trusted Zone: .smdev[/url]
O15 - Trusted Zone: http://www.sodexhoinfo-usa.com
O15 - Trusted Zone: http://www.sodexhomail.com
O15 - Trusted Zone: http://www.sodexhousa.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099930646363
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132330243968
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = METRO-PARK.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

--
End of file - 6734 bytes


Please help! I have to get rid of this and get my Desktop squared away. I have been here for over a month and my computer still isn't up and running correctly!

Thanks for any help!
K
 
Please follow the directions here: https://www.techspot.com/vb/post645589-1.html

You will notice that it begins with Temporarily Disabling Real Time Programs. This will include all of the OfficeScanNT Monitor processes.

You have numerous backup processes running that should be stopped until the system is clean:
CACSBackup
SDXverifyBackups

The Java program is out of date: the following are loading
(Java Runtime Environment 1.4.1_07) -
C:\Program Files\Java\jre1.5.0_06\
Current version is v6u10. Update here: http://java.com/en/download/manual.jsp

The Adobe Reader is out of date. Current version is v9. Update here:
https://www.techspot.com/downloads/2083-adobe-reader-dc.html

I am unable to find a Domain called METRO-PARK.LOCAL
I cannot identify O15 - Trusted Zone: .smdev[/url]
I cannot identify C:\TEMP\BEBCE.EXE
There is a process loading for RemoteWare but I don't see the program listed.

So, please clear these things up. Handle the processes and run the programs. You will run HijackThis again AFTER Malwarebytes and SuperAntispyware. Follow the cleaning sequence and ATTACH the logs:
How to post your Hijackthis log-file as an ATTACHMENT: https://www.techspot.com/vb/topic19133.html

We will review all of the logs when posted.
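The reply above walks the HijackThis log by hand: it pulls out the process in C:\TEMP, the Trusted Zone entries it cannot place, the orphaned O16 entry and the old Java components. Below is an added Python example (my code, not HijackThis, Trend Micro or TechSpot code) that makes that first pass repeatable by parsing a HijackThis-style log and listing the entries a reviewer should look at first. The sample log is constructed from a handful of lines in the shape of the one posted above; the heuristics (processes launched from a temp folder, autoruns that start scripts, every Trusted Zone entry, O16 entries with no download URL, pre-1.6 Java) are my own assumptions and not HijackThis's own classification.

```python
"""Triage a HijackThis log: list the entry types a reviewer checks first.

Added example, not HijackThis code. The rules are assumptions that mirror the
manual review in the thread; a hit means "look at this", not "malicious".
"""
import re

# Constructed sample in the shape of the thread's HijackThis log (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\TEMP\BEBCE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sodexhousa.com/defaulthome/
O4 - HKLM\..\Run: [CACSBackup] C:\Windows\System32\Backup\backcacs.bat
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O15 - Trusted Zone: http://www.sodexhousa.com
O15 - Trusted Zone: .smdev[/url]
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

--
End of file - 1234 bytes
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)          # anything run out of a temp folder
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|wsf)\b", re.IGNORECASE)  # autorun that launches a script
OLD_JAVA = re.compile(r"jre1\.[0-5]\.|Java Runtime Environment 1\.[0-5]", re.IGNORECASE)
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")                         # "O4 - ..." style lines
MS_DEFAULT = "http://go.microsoft.com/fwlink/"                     # IE's stock start/search pages


def parse_hjt(text):
    """Split a HijackThis log into running processes and typed entries (code, body)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (reason, item) pairs for everything that deserves a manual look."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        if TEMP_DIR.search(proc):
            findings.append(("process running from a temp directory", proc))
    for code, body in entries:
        if code in ("R0", "R1") and "Start Page" in body and MS_DEFAULT not in body:
            findings.append(("non-default IE start page, confirm with user", body))
        if code == "O4" and SCRIPT_EXT.search(body):
            findings.append(("autorun launches a script", body))
        if code == "O15":
            # Trusted Zone entries relax IE security for that site, so each one is listed.
            zone = body.partition("Trusted Zone:")[2].strip()
            if re.fullmatch(r"(https?://)?[\w.-]+", zone):
                findings.append(("Trusted Zone entry (lowers IE security for this site)", zone))
            else:
                findings.append(("malformed Trusted Zone entry", zone))
        if code == "O16" and body.rstrip().endswith("-"):
            findings.append(("ActiveX (DPF) entry with no source URL", body))
        if OLD_JAVA.search(body):
            findings.append(("outdated Java component (pre-1.6)", body))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"[{reason}] {item}")
```

Every hit is a prompt for the questions the reply asks the poster ("is this a program you are familiar with?"), not a verdict: in this thread the Trusted Zone sites turned out to be the company intranet, while the C:\TEMP process and the ".smdev[/url]" entry are the ones that need an answer.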
 
OK

OK, so I tried to stop the backup processes that you mentioned and I don't know how. I asked our HelpDesk people, and even when they remote-logged into my computer they couldn't figure it out.

Metro.Park is the name of our server and the websites are part of our intranet.

The logs are attached. The only one that found anything was the Malware.

Thanks again!
K
 
CCleaner and avast antivirus, both free (download.com)

If you can get online, download CCleaner and clean your computer well.
Download avast antivirus and schedule the boot scan and installation,
and choose "move to vault" for all the viruses, and this should help you.
Be sure to uninstall your other antivirus right before you install avast.
This should help,
as avast will scan your computer before Windows loads after install and reboot.
Later download Windows Care from IObit and immunize your computer from about 40,000 known trojans and viruses.
All of these are free.
 
jnjgoss, since we are in the midst of the malware cleaning, it would be best to finish that before using other programs.

kristant, can you please tell me what is happening when you say "my desktop is still messed up"? There are a few entries in HijackThis to remove, but not enough to mess up the system, as far as I can see.

I'd like you to handle this:
C:\WINDOWS\system32\cidaemon.exe
cidaemon.exe is an indexing service which catalogues files on your computer to enable faster file searches. High resource user. Advise turning it off:
My Computer> right click on Local Drive (usually C)> UNCHECK BOTH 'Allow Indexing Service' AND 'Compress drive'> Apply> OK.

Download and install the latest Java:
Current version is v6u10. Update here: http://java.com/en/download/manual.jsp

Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below:
C:\TEMP\JM27B1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
I'm on the fence about this because I can't get enough information about it:
O4 - Global Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
I have searched with each part of the string and am not satisfied. Is this a program you are familiar with? If not, have HijackThis remove it.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> enter> Selective startup> Startup tab> UNCHECK all but the AV program> Apply> OK
Start> Run> type in services.msc> right click on Java Quick Starter> Properties> Change the Startup type to Disabled.
Control Panel> Add/Remove Programs> Uninstall any Java EXCEPT v6u10.
IF there are other programs listed that you do not use, uninstall them.

Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. Stay in Selective Startup.

Please advise on status. If speed is an issue, you have numerous processes loading at start that can be stopped, then started manually if needed.
 
Just thought you might want to learn an easier way.

This is how I get my computer clean and keep it clean.
Very seldom do I have to go through all that above to get cleaned.
If you put the right tools at your hand then you can stay in good shape.
But by all means try that first.
I also do this for a living; every single day I am helping people get cleaned up and helping them to stay clean.
Good Luck
 
When I say it's messed up I mean that the file names for the icons on the desktop still have a colored background. Normally, for example, Microsoft Word will not have a background color; it will be transparent. Well, on my desktop it's black, which is the background color for my desktop but also for the name of the icon. I've attached a picture so you can see it, because that was sort of a rambling explanation.
 
The file names for the icons on the desktop still have a colored background.

This is a display setting. To remove the colored labels under desktop icons (I'm including the way to change the Control Panel view since I don't know which one you use):

1. Put the Start Menu in Classic View:
Right click on Taskbar>Properties> Start menu> Check Classic View> Apply> OK.

2. Put Control Panel in Category View:
Start> Settings> Control Panel> on left, click on Category view> Apply> OK

3. Choose Performance & Maintenance
'Pick a Task'> Adjust Visual Effects> Check Custom> CHECK 'Use drop shadows for icon labels on the desktop'> Apply> OK.

4. Choose Appearance & Themes
'Pick a Control Panel icon'> Display> Desktop> Customize Desktop> Web tab> UNCHECK 'Lock desktop items'> Apply> OK.

This should restore the transparent background.
 