
Desktop hijack


Bnaped


Ahhh. My desktop has gone crazy, it changed my background. Here's what it looks like: lala5qs.png. It says some stuff about me finding an adware/spyware remover. It's totally BS cheesy spyware. So I got Microsoft AntiSpyware and tried to remove it. Microsoft said it was removed, but it's still there, and I can't change my background. What do I do?

When survival is in question, anything goes.


Thanks, I really hate spyware. I think I should pk whoever invented it..


Wait....

I got this thing....

omgz9en.png

I'm not sure what to get rid of, 'cause I think some of that stuff is my anti-virus and firewall.


ROFL, I removed this EXACT same virus from my friend's computer last night. Had me completely stumped.

Go to Add/Remove Programs and uninstall a program called iSecurityGuard or something like that. It's not a real BSOD and is actually just a forced wallpaper at C:\WP.bmp

Post a HijackThis log please and I'll tell you what to remove, so you can then delete the files which are causing this.

The background is forced via the registry entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

You can safely remove this registry folder. But if you are not comfortable with modifying the registry yourself, either get a friend to do it or try the following.

Open Notepad and paste this:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-

Save as smitfraud.reg

Then right-click on this new file and merge with the registry. This will bring back IE and desktop control.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
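Before merging a .reg file copied from a forum, it helps to list exactly what it will delete and what it will write. The sketch below is an added example, not part of the original post: `preview_reg` is a hypothetical helper, and the three value names under the Run key are assumed to end in `.exe`.

```python
import re
# The .reg text from the post above (Run value names assumed to end in ".exe").
SMITFRAUD_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def preview_reg(text):
    """List (action, key, value_name, data) for each change a merge would make."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":        # the header this file uses
        raise ValueError("not a REGEDIT4 file")
    actions, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # section header names the key
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:               # continuation lines unsupported
            raise ValueError("unparsed line: " + line)
        name, data = m.group(1).strip('"'), m.group(2)
        action = "delete-value" if data == "-" else "set-value"  # "name"=- deletes
        actions.append((action, key, name, None if data == "-" else data))
    return actions
```

Run on this file, the preview shows a single write (the `Background` colour); every other line removes a value, three of them under HKEY_LOCAL_MACHINE.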


It looks like you're running XP. I had the same problem, and though I removed the browser and desktop hijacker, I still got popups. So, instead of removing it with HijackThis, I just reverted to a restore point. Go to Control Panel > revert to earlier restore point, and pick a date earlier than when you first got the virus.


Some people don't make restore points frequently enough. Restoring to a save point for something this trivial is useless. My suggestion is to do what Mercifull said and get Ad-Aware from lavasoft.com (free adware remover) if you don't already have it. Run a full system scan on that and you should be set.

Tip for other people: never use EarthLink, it sucks.


Logfile of HijackThis v1.99.1
Scan saved at 5:31:38 PM, on 5/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SMSSU.exe
C:\WINDOWS\System32\Tmntsrv32.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\SMSSU.exe
C:\WINDOWS\System32\Tmntsrv32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jack Patterson\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sMSSU] C:\WINDOWS\System32\SMSSU.exe
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

There's the log file...

My comp is freaking out. NEVER surf the web without a firewall is what I learned. I keep rebooting and running Ad-Aware and Spybot, then restarting, and it keeps coming back... Help pl0x


Have you uninstalled iGuird Security yet?

Go to the C:\ drive and try to delete WP.exe and WP.bmp if they are there. Then delete those registry entries like I said, or merge the one I posted.
