Hijack.desktop - Help I can't get rid of this malware

By kristant
Oct 22, 2008
Topic Status:
Not open for further replies.
  1. So I inherited a work computer that had a BUNCH of trojans, spyware, malware, etc. I have deleted most of it and have resolved 99% of my issues. I know that I am still infected by at least one piece of malware, though, as my desktop is still all messed up!

    I ran MalwareBytes and this is the log... even though I selected Remove This it didn't help!

    Malwarebytes' Anti-Malware 1.29
    Database version: 1276
    Windows 5.1.2600 Service Pack 2

    10/22/2008 12:56:01 PM
    mbam-log-2008-10-22 (12-56-01).txt

    Scan type: Full Scan (C:\|D:\|X:\|Y:\|)
    Objects scanned: 72697
    Time elapsed: 10 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    SO I ran HijackThis and this is the log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:11:54 PM, on 10/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\OfficeScan NT\OfcPfwSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\TEMP\BEBCE.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sodexhousa.com/defaulthome/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [CACSBackup] C:\Windows\System32\Backup\backcacs.bat
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SDXverifyBackups] C:\WINDOWS\system32\NTBackup\VerifyBackups.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
    O4 - Startup: CACS Data Backup.lnk = C:\WINDOWS\system32\Backup\Backcacs.bat
    O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
    O4 - Global Startup: CACS Data Backup.lnk = C:\WINDOWS\system32\Backup\Backcacs.bat
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.mysodexhoapps.com
    O15 - Trusted Zone: http://*.smdev
    O15 - Trusted Zone: http://www.sodexhoinfo-usa.com
    O15 - Trusted Zone: http://www.sodexhomail.com
    O15 - Trusted Zone: http://www.sodexhousa.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099930646363
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132330243968
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
    O17 - HKLM\Software\..\Telephony: DomainName = METRO-PARK.LOCAL
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

    --
    End of file - 6734 bytes


    Please help! I have to get rid of this and get my Desktop squared away. I have been here for over a month and my computer still isn't up and running correctly!

    Thanks for any help!
    K
  2. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please follow the directions here: http://www.techspot.com/vb/post645589-1.html

    You will notice that it begins with Temporarily Disabling Real Time Programs. This will include all of the OfficeScanNT Monitor processes.

    You have numerous backup processes running that should be stopped until the system is clean:
    CACSBackup
    SDXverifyBackups

    The Java program is out of date: the following are loading
    (Java Runtime Environment 1.4.1_07) -
    C:\Program Files\Java\jre1.5.0_06\
    Current version is v6u10. Update here: http://java.com/en/download/manual.jsp

    The Adobe Reader is out of date. Current version is v9. Update here:
    http://www.adobe.com/products/acrobat/readstep2.html

    I am unable to find a Domain called METRO-PARK.LOCAL
    I cannot identify O15 - Trusted Zone: http://*.smdev
    I cannot identify C:\TEMP\BEBCE.EXE
    There is a process loading for RemoteWare but I don't see the program listed.

    So, please clear these things up. Handle the processes and run the programs. You will run HijackThis again AFTER Malwarebytes and SuperAntispyware. Follow the cleaning sequence and ATTACH the logs:
    How to post your Hijackthis log-file as an ATTACHMENT: http://www.techspot.com/vb/topic19133.html

    We will review all of the logs when posted.
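    The review above works through the HijackThis log by hand: unidentified processes in temporary folders, a wildcard Trusted Zone entry, startup batch jobs, a stale O16 entry and an unrecognised domain. The script below is an added example for readers who want to repeat that first-pass triage on their own logs; it is not part of the thread and is not a Trend Micro or TechSpot tool. It parses the "Running processes" list and the `Rn`/`On` entry lines of a HijackThis v2 log and applies a few conservative, assumed heuristics (the `TEMP_DIRS` list and the per-section rules are my own choices). `SAMPLE_LOG` is a constructed excerpt modelled on kristant's log, kept short so the example runs offline.

```python
"""First-pass triage of a HijackThis v2.x log (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted in the thread (a few lines only).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\OfficeScan NT\ntrtscan.exe
C:\TEMP\BEBCE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sodexhousa.com/defaulthome/
O4 - HKLM\..\Run: [CACSBackup] C:\Windows\System32\Backup\backcacs.bat
O4 - Startup: rwcupd.lnk = C:\Program Files\RemoteWare\Nodesys\rwcupd.exe
O15 - Trusted Zone: http://*.smdev
O15 - Trusted Zone: http://www.sodexhousa.com
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = METRO-PARK.LOCAL
--
End of file - 6734 bytes
"""

# Entry lines look like "O15 - Trusted Zone: ..."; the letter/number prefix is the section code.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")

# Assumed list of folders from which a legitimate service or startup program rarely runs.
TEMP_DIRS = ("c:\\temp\\", "\\windows\\temp\\", "\\local settings\\temp\\", "\\appdata\\local\\temp\\")

SEVERITY_ORDER = {"review": 0, "info": 1}


@dataclass
class Finding:
    severity: str  # "review" = needs identification; "info" = confirm it is intended
    line: str
    reason: str


def parse_log(text):
    """Return (processes, entries): process paths and (code, body) tuples."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list in HijackThis output
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def triage(text):
    """Apply the assumed heuristics and return findings, most urgent first."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if any(d in proc.lower() for d in TEMP_DIRS):
            findings.append(Finding("review", proc, "process running from a temporary folder"))
    for code, body in entries:
        shown, low = f"{code} - {body}", body.lower()
        if code == "O15":
            if "*" in body:
                findings.append(Finding("review", shown, "wildcard Trusted Zone entry"))
            else:
                findings.append(Finding("info", shown, "Trusted Zone entry; confirm it is an intended intranet site"))
        elif code == "O4" and low.endswith(".bat"):
            findings.append(Finding("info", shown, "batch file launched at startup; confirm it is a sanctioned job"))
        elif code == "O16" and body.endswith("-"):
            findings.append(Finding("info", shown, "DPF entry with no download source; usually a stale control"))
        elif code == "O17":
            findings.append(Finding("info", shown, "domain setting; confirm it matches your organisation's domain"))
        elif code in ("R0", "R1") and "microsoft.com" not in low:
            findings.append(Finding("info", shown, "non-default IE page; confirm it is a corporate setting"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings):
    """Count findings per severity, e.g. Counter({'info': 5, 'review': 2})."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

    The output only separates "needs identifying" from "confirm it is intended"; it does not decide that anything is malicious. A process in `C:\TEMP` or a wildcard Trusted Zone is exactly the kind of line a helper asks about, while a corporate start page or an intranet domain is usually explained by the owner, as kristant does in the next post.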
  4. kristant

    kristant Newcomer, in training Topic Starter

    OK

    OK, so I tried to stop the backup processes that you mentioned and I don't know how. I asked our HelpDesk people and even when they remote logged into my computer they couldn't figure it out.

    Metro.Park is the name of our server and the websites are part of our intranet.

    The logs are attached. The only one that found anything was the Malware.

    Thanks again!
    K
  5. jnjgoss

    jnjgoss Newcomer, in training Posts: 16

    CCleaner and Avast antivirus, both free (download.com)

    If you can get online, download CCleaner and clean your computer well.
    Download Avast antivirus and schedule the boot scan and installation
    and choose "move to vault" for all the viruses, and this should help you.
    Be sure to uninstall your other antivirus right before you install Avast.
    This should help,
    as Avast will scan your computer before Windows loads after install and reboot.
    Later download Windows Care from IObit and immunize your computer from about 40,000 known trojans and viruses.
    All of these are free.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    jnjgoss, since we are in the midst of the malware cleaning, it would be best to finish that before using other programs.

    kristant, can you please tell me what is happening when you say "my desktop is still messed up"? There are a few entries in HijackThis to remove, but not enough to mess up the system, as far as I can see.

    I'd like you to handle this:
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Start> Run> type in 'msconfig' without quotes> enter> Selective startup> Startup tab> UNCHECK all but the AV program> Apply> OK
    Start> Run> type in services.msc> right click on Java Quick Starter> Properties> Change the Startup type to Disabled.
    Control Panel> Add/Remove Programs> Uninstall any Java EXCEPT v6u10.
    IF there are other programs listed that you do not use, uninstall them.

    Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. Stay in Selective Startup.

    Please advise on status. If speed is an issue, you have numerous processes loading at start that can be stopped, then started manually if needed.
  7. jnjgoss

    jnjgoss Newcomer, in training Posts: 16

    Just thought you might want to learn an easier way.

    This is how I get my computer clean and keep it clean.
    Very seldom do I have to go through all that above to get cleaned.
    If you put the right tools at hand then you can stay in good shape.
    But by all means try that first.
    I also do this for a living every single day I am helping people get cleaned up and help them to stay clean.
    Good Luck
  8. kristant

    kristant Newcomer, in training Topic Starter

    When I say it's messed up I mean that the file names for the icons on the desktop still have a colored background. Normally, for example, Microsoft Word will not have a background color; it will be transparent. Well, on my desktop it's black, which is the background color for my desktop but also for the name of the icon. I've attached a picture so you can see it, because that was sort of a rambling explanation.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    This is a display setting: To remove colored labels under desktop icons: I'm including the way to change Control Panel since I don't know your view:

    1. Put the Start Menu in Classic View:
    Right click on Taskbar>Properties> Start menu> Check Classic View> Apply> OK.

    2. Put Control Panel in Category View:
    Start> Settings> Control Panel> on left, click on Category view> Apply> OK

    3. Choose Performance & Maintenance
    'Pick a Task'> Adjust Visual Effects> Check Custom> CHECK 'use drop shadows for icon labels'> Apply> OK.

    4. Choose Appearance & Themes
    'Pick icon' for Display> Desktop> Customize Desktop> Web tab> UNCHECK 'Lock desktop items'> Apply> OK.

    This should restore the transparent background.