My main desktop picture has been changed to a publicity for a site to remove program, I guess it's hijacked, how can I fix that?? Each time I try to change my desktop picture it comes back to that site publicity.

download and run hijack this
Hijack This
And copy and paste it here
Hijack Log
" IF IT AINT BROKE - LEAVE IT ALONE "
May I suggest that you might find it easier "initially" to paste the log in here:
HJT DETECTIVE
My reasoning is that "HJT Detective" tends to focus straight in on some known "nasties" that can be removed immediately (the red list).
You then get HJT to remove the nasties, run it again and then paste your "new" log into the website given in post #2. This lists everything that is running (good or bad) and with a now shorter log it will be much easier to sift through.
Google can be useful to check the questionable items (look in Google Groups too).
Derek.W
... my #3. Ooops sorry, in my penultimate para I meant the second link given in response #1. The revised link in post #2 is the HJT program download itself, which is obviously your very first step. Derek.W
BOB, I am not an expert in IT to be able to differ between good and bad ones, so HijackThis can't help me, I got a list of programs
Here is the log file i got:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:56 PM, on 3/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\glbgkeyh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\chatClient\chatcli.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\SPAMfighter\Clients\Outlook\SFOLMoni.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\unzipped\uptimer4[1]\Uptimer4.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [glbgkeyh] C:\WINDOWS\system32\glbgkeyh.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Disspy] C:\Program Files\Disspy\Disspy.exe - silent
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I think you ought to "try", after all it is only you who can actually act, we can only advise. First paste that log in HJT DETECTIVE (see my link as advised). It shows just one entry under "Malicious", quite good really. You should let HijackThis delete this one. Shout if you cannot see how to do it (you just tick the right entry).
Next produce a "new" (cleaner) log.
Now post this new log into the second link given in post #1 (Hijack Log). I appreciate that there will be a lot of entries, good and bad, and this part might be a bit much for you. See what you make of it.
If it is too greek then post it back on here instead. I am in UK and it is already 3.50am so I can't do any more tonight. I will definitely be back again tomorrow sometime. Someone else might be prepared to pick it up before then.
Derek.W
Something I put together from what I know,
research taken from below.
Answers to any questions are there.
http://www.sophos.com/virusinfo/analyses/trojadclickai.html
http://www.hijackthis.de/forum/showthread.php?p=9606
http://www.google.com/search?q=se.dll,DllInstall+&hl=en&lr=&start=0&sa=N
your bad files
Put a check mark next to these and "fix checked" then shut down and restart
your pc.
O4 - HKLM\..\Run: [glbgkeyh] C:\WINDOWS\system32\glbgkeyh.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
Delete these files in safe mode.
glbgkeyh.exe
se.dll,DllInstall
Download Crap Cleaner, and checkmark the settings below.
Under Internet Explorer:
Temporary Internet Files
History
Recently Typed URLs
Delete Index.dat files
Under System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data
Run cleaner
Do an online virus scan set to auto clean
http://windowsxp.mvps.org/Scanners.htm
Good luck
Found another up to no good whatever, thanks.
O4 - HKCU\..\Run: [Disspy] C:\Program Files\Disspy\Disspy.exe - silent
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
I did all, and my main desktop image is still hijacked
Put your latest log on here and I'll see if there is anything still lurking. It may just be that the background image file is still present. Right click desktop and let me know what wallpaper is highlighted. You could try setting it as "none" (although best remove the file sometime).
Derek.W
Did you do all in the Safe Mode? Larry
Larry, what do you mean by safe mode??
DEREK W. here is the LOG FILE:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adjvfuebjaushfz.com/hhJQeyqE7z/8UhFoHGkFyxlv2yyurLTU3OdcF819C1ExvKzKxI93uf6Q40QC7q_t.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.adjvfuebjaushfz.com/hhJQeyqE7z/8UhFoHGkFyxlv2yyurLTU3OdcF819C1ExvKzKxI93uf6Q40QC7q_t.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
First get HijackThis to remove this entry: O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
Once this has been done, search your system for the file named se.dll and delete it. You should be able to deduce its location from the path given above in 8 character format. The main folder is DOCUMENTS AND SETTINGS, I expect you will decipher what LOCALS~1 is (probably LOCAL SETTINGS).
Now get HJT to remove the following entry too (not a problem but as the file PXAgent.exe is missing it serves no purpose):
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing).
Reboot.
Two things concern me. Firstly this might be a virus/trojan called "about:blank" which is a pig to remove (keeps changing file name). Secondly I "now" know that you are using W2000 but I know little about that operating system and would have probably not jumped in if I had realised that.
If you are still in trouble after my suggestions it might be best to repost giving your OS as Win2000 this time, rather than just putting X in the boxes. This post is getting old so I doubt anyone else will pop by.
Derek.W
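The triage applied to the log in the post above, as an added example that is not part of the original thread or of HijackThis itself: it parses O4 (Run key) and O23 (service) lines and flags the two patterns the reply acts on. The function name `triage`, the regular expressions and the "Temp directory" heuristic are assumptions made for this example; the sample lines are constructed from entries quoted in the thread.

```python
import re

# Constructed sample: a few lines in HijackThis 1.99 format, copied from the
# entry types discussed in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\gsioufi\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\PREVX\Prevx Home\PXAgent.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Temp directory in long form or 8.3 short form (LOCALS~1 = Local Settings).
TEMP_RE = re.compile(r'\\(local settings|locals~\d)\\temp\\', re.I)
# rundll32 followed by "<dll path>,<exported function>".
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+),', re.I)


def triage(log_text):
    """Return a list of (line, reasons) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if TEMP_RE.search(cmd):
                reasons.append("autorun from Temp directory")
            r = RUNDLL_RE.match(cmd)
            if r:
                # Report the exact file name, not a substring of it.
                reasons.append("rundll32 loads " + r.group("dll").rsplit("\\", 1)[-1])
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            reasons.append("service points at a missing file")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", line)
```

A flagged line is a prompt to check the file by hand, not a verdict; legitimate installers also register Run entries and leave orphaned services.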
Derek: do you mean I have to delete all files ending with se.dll?? I did a search on my computer by typing se.dll and I got lots of files, as:
pscparse.dll (6 of them)
xmlparse.dll
database.dll
ccgse.dll
iffmouse.dll
sqlparse.dll
probegse.dll
pebase.dll
u32base.dll
xmlparse.dll
dssbase.dll
psbase.dll
rsabase.dll
admparse.dll
ase.dll
dssbase.dll
dssbase.dll
mmutilise.dll
psbase.dll
rsabase.dll
pscparse.dll
admparse.dll
dssbase.dll
mmutilise.dll
psbase.dll
rsabase.dll
Do I have to delete them all?? Is it safe?
Can't stop now but I'd hold off on deleting that lot, even at a quick glance some are genuine - they are probably fine. Is there no file which is just se.dll ? That's all I meant. Maybe HJT deleted it.
Have you still got problem?
I'll be back in a few hours.
Derek.W
Yes, I still have the same desktop problem, I can't put any pic on my desktop as a background on screen. :(
Post your log again, we'd better make sure it's now clear. It's a crazy time here in the UK (getting light LOL) so I can't stop now. I'll pick it up again tomorrow. Otherwise by all means repost the problem (but not the log, unless someone asks for it).
One other thing. Go to Display Properties and see if this background is showing in the list of backgrounds. I'll leave you to try and guess what it might be called. I'm assuming Win2k is similar to W98 so if this bit makes no sense then forget it for now.
Derek.W
Go to Control Panel, Display, Desktop, Customise Desktop, click the web tab and you'll probably find it in here. Hope that's a bit of help
