
Desktop Hijack - Please help


3 replies to this topic

#1 Juiceloose


Posted 16 June 2004 - 05:04 AM

Hi,

Have had CWS previously and with help of these forums have successfully removed it. Have now got a version I have never seen before.

It redirects my explorer page to various porn sites and has taken over my desktop with a black screen and the following words on it:


"ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!"

I have run CWShredder and it detected a version of CWS that was attempting to close down Shredder. Shredder bypassed the attempt to close it, and after running it, it reset 6 explorer pages and advised me to reboot and run Shredder again.

I did as instructed and on running Shredder again it reset a further five explorer values.

This appears to have worked and my explorer page is back to about blank every time I open it.

I cannot however get rid of the black page and warning (see wording above) from my desktop screen.

I have attached a copy of my log file which from my very limited knowledge looks ok.

Any advice on how to get rid of the warning screen from my desktop would be very much appreciated.

Thank you in advance.

Juice.

Logfile of HijackThis v1.97.7
Scan saved at 11:01:52, on 16/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\My Documents\My Installers\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: GetWebPics (HKCU)
O9 - Extra 'Tools' menuitem: Download pictires with GetWebPics (HKCU)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38112.622337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#2 DIGIWIBBS


Posted 16 June 2004 - 08:10 AM

I have the same problem. I deleted some of the files but I still can't get rid of it.

#3 Juiceloose


Posted 16 June 2004 - 11:39 AM

Hi folks,

Have been playing around for most of the day now trying to recover my desktop from the black screen with the warning words from my post above.

Unfortunately it has me beat!!!!

Does anybody out there have any ideas how I can get rid of this damn thing?

Many thanks,

Juice.

#4 DIGIWIBBS


Posted 16 June 2004 - 07:19 PM

Yeah, I fixed it for about two seconds, then it was back. I'm going to work on it more tonight.



