picture of desktop hijacked

March 5, 2005 at 10:50:34
Specs: x, x

My main desktop picture has been changed to an advertisement for a program-removal site; I guess it's hijacked. How can I fix that?

Each time I try to change my desktop picture it comes back to that site's advertisement.




#1
March 5, 2005 at 13:13:28

Download and run HijackThis:
HijackThis
and copy and paste the log here:
Hijack Log

" IF IT AINT BROKE - LEAVE IT ALONE "



#2
March 5, 2005 at 13:35:22

Sorry bout that link.
HIJACK THIS

" IF IT AINT BROKE - LEAVE IT ALONE "



#3
March 5, 2005 at 14:57:31

May I suggest that you might find it easier "initially" to paste the log in here:
HJT DETECTIVE

My reasoning is that "HJT Detective" tends to focus straight in on some known "nasties" that can be removed immediately (the red list).

You then get HJT to remove the nasties, run it again and then paste your "new" log into the website given in post #2. This lists everything that is running (good or bad) and with a now shorter log it will be much easier to sift through.

Google can be useful to check the questionable items (look in Google Groups too).

Derek.W



#4
March 5, 2005 at 15:03:34

... my #3. Ooops sorry, in my penultimate para I meant the second link given in response #1. The revised link in post #2 is the HJT program download itself, which is obviously your very first step.

Derek.W



#5
March 5, 2005 at 19:04:19

Bob, I am not enough of an IT expert to be able to tell the good ones from the bad, so HijackThis can't help me; I got a list of programs.


#6
March 5, 2005 at 19:08:08

Here is the log file I got:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:56 PM, on 3/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\glbgkeyh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\chatClient\chatcli.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\SPAMfighter\Clients\Outlook\SFOLMoni.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\unzipped\uptimer4[1]\Uptimer4.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [glbgkeyh] C:\WINDOWS\system32\glbgkeyh.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Disspy] C:\Program Files\Disspy\Disspy.exe - silent
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




#7
March 5, 2005 at 19:50:46

I think you ought to "try"; after all, it is only you who can actually act, we can only advise.

First paste that log in HJT DETECTIVE (see my link as advised). It shows just one entry under "Malicious", quite good really. You should let HijackThis delete this one. Shout if you cannot see how to do it (you just tick the right entry).

Next produce a "new" (cleaner) log.

Now post this new log into the second link given in post #1 (Hijack Log). I appreciate that there will be a lot of entries, good and bad, and this part might be a bit much for you. See what you make of it.

If it is too Greek then post it back on here instead. I am in the UK and it is already 3.50am so I can't do any more tonight. I will definitely be back again tomorrow sometime. Someone else might be prepared to pick it up before then.

Derek.W



#8
March 5, 2005 at 20:08:54

Something I put together from what I know;
research taken from the links below.
Answers to any questions are there.

http://www.sophos.com/virusinfo/analyses/trojadclickai.html

http://www.hijackthis.de/forum/showthread.php?p=9606

http://www.google.com/search?q=se.dll,DllInstall+&hl=en&lr=&start=0&sa=N

Your bad files:
Put a check mark next to these and "Fix checked", then shut down and restart
your PC.

O4 - HKLM\..\Run: [glbgkeyh] C:\WINDOWS\system32\glbgkeyh.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall

Delete these files in safe mode.

glbgkeyh.exe
se.dll,DllInstall

Download Crap Cleaner, and checkmark the settings below.

http://www.ccleaner.com/

Under Internet Explorer:
Temporary Internet Files
History
Recently Typed URLs
Delete Index.dat files

Under System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Run cleaner

Do an online virus scan set to auto clean

http://windowsxp.mvps.org/Scanners.htm

Good luck



#9
March 5, 2005 at 20:36:40

On the bright side - at least we finally get to know what OS 'x' means.


Spyware Begone?



#10
March 5, 2005 at 21:10:38

Found another up to no good whatever, thanks.

O4 - HKCU\..\Run: [Disspy] C:\Program Files\Disspy\Disspy.exe - silent
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan



#11
March 6, 2005 at 10:30:44

I did it all, and my main desktop image is still hijacked.


#12
March 6, 2005 at 11:42:11

Put your latest log on here and I'll see if there is anything still lurking.

It may just be that the background image file is still present. Right click the desktop and let me know what wallpaper is highlighted. You could try setting it as "none" (although best remove the file sometime).

Derek.W



#13
March 6, 2005 at 11:52:17

Did you do all in the Safe Mode?

Larry



#14
March 8, 2005 at 23:15:50

Larry, what do you mean by safe mode?




#15
March 8, 2005 at 23:22:02

Derek W., here is the log file:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adjvfuebjaushfz.com/hhJQeyqE7z/8UhFoHGkFyxlv2yyurLTU3OdcF819C1ExvKzKxI93uf6Q40QC7q_t.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adjvfuebjaushfz.com/hhJQeyqE7z/8UhFoHGkFyxlv2yyurLTU3OdcF819C1ExvKzKxI93uf6Q40QC7q_t.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




#16
March 9, 2005 at 11:56:12

First get HijackThis to remove this entry:

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall

Once this has been done, search your system for the file named se.dll and delete it. You should be able to deduce its location from the path given above in 8-character format. The main folder is DOCUMENTS AND SETTINGS; I expect you will decipher what LOCALS~1 is (probably LOCAL SETTINGS).

Now get HJT to remove the following entry too (not a problem but as the file PXAgent.exe is missing it serves no purpose):

O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing).

Reboot.

Two things concern me. Firstly this might be a virus/trojan called "about:blank" which is a pig to remove (keeps changing file name). Secondly I "now" know that you are using W2000 but I know little about that operating system and would have probably not jumped in if I had realised that.

If you are still in trouble after my suggestions it might be best to repost giving your OS as Win2000 this time, rather than just putting X in the boxes. This post is getting old so I doubt anyone else will pop by.

Derek.W



#17
March 9, 2005 at 23:41:13

Derek: do you mean I have to delete all files ending with se.dll?

I did a search on my computer by typing se.dll and I got lots of files, such as:

pscparse.dll (6 of them)
xmlparse.dll
database.dll
ccgse.dll
iffmouse.dll
sqlparse.dll
probegse.dll
pebase.dll
u32base.dll
xmlparse.dll
dssbase.dll
psbase.dll
rsabase.dll
admparse.dll
ase.dll
dssbase.dll
dssbase.dll
mmutilise.dll
psbase.dll
rsabase.dll
pscparse.dll
admparse.dll
dssbase.dll
mmutilise.dll
psbase.dll
rsabase.dll

Do I have to delete them all? Is it safe?



#18
March 10, 2005 at 10:32:59

Can't stop now but I'd hold off on deleting that lot, even at a quick glance some are genuine - they are probably fine. Is there no file which is just se.dll ? That's all I meant.

Maybe HJT deleted it.

Have you still got the problem?

I'll be back in a few hours.

Derek.W
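An added example (my own, not code from anyone in this thread) that automates the checks made by hand in posts #8, #16 and #17: it parses HijackThis-style lines, flags Run entries launched from a Temp folder, services marked "(file missing)" and IE search/start pages on hosts outside an assumed allowlist, and matches the exact file name so that a search for se.dll does not sweep up psbase.dll. The sample lines are constructed from the log posted above (the long search-bar URL is shortened); KNOWN_GOOD_HOSTS is an assumption.

```python
import re
import ntpath
from urllib.parse import urlparse

# Constructed sample: a handful of lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adjvfuebjaushfz.com/hhJQeyqE7z/x.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumed allowlist of hosts the user expects to see as IE start/search page.
KNOWN_GOOD_HOSTS = {"mail.yahoo.com"}
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\LOCALS~1\Temp\... etc.

def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into ('O4', 'HKLM\\..\\Run: ...'); None if not HJT."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return (reason, line) pairs for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        if section == "O4" and TEMP_RE.search(body):
            findings.append(("run-entry-from-temp", line))        # autorun out of %Temp%
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(("service-binary-missing", line))     # dead service, remove
        elif section in ("R0", "R1"):
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in KNOWN_GOOD_HOSTS:
                findings.append(("unexpected-ie-page", line))     # hijacked start/search page
    return findings

def is_exact_filename(path, wanted):
    """True only when the file name itself is `wanted`; a ',DllInstall' export suffix is ignored.
    A Windows search for 'se.dll' also lists psbase.dll; this check does not."""
    name = ntpath.basename(path.split(",", 1)[0])
    return name.lower() == wanted.lower()

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```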



#19
March 10, 2005 at 20:48:07

Yes, I still have the same desktop problem; I can't put any picture on my desktop as a background on screen. :(


#20
March 10, 2005 at 21:34:18

Post your log again, we'd better make sure it's now clear. It's a crazy time here in the UK (getting light LOL) so I can't stop now. I'll pick it up again tomorrow.

Otherwise by all means repost the problem (but not the log, unless someone asks for it).

One other thing. Go to Display Properties and see if this background is showing in the list of backgrounds. I'll leave you to try and guess what it might be called. I'm assuming Win2k is similar to W98 so if this bit makes no sense then forget it for now.

Derek.W



#21
April 4, 2005 at 09:15:14

Go to Control Panel, Display, Desktop, Customise Desktop, click the Web tab and you'll probably find it in there.

Hope that's a bit of help.

