Member Avatar for pleasehelpme-7

I believe that this may be a relatively NEW bug/problem after checking several tech support forums and finding nothing related.

After surfing I picked up some sort of problem. This first started out by replacing my desktop screen with a warning that I may have been infected with spyware. After clicking on the link provided it brought me to a webpage that advertised "Smart Security Privacy Protection Tool" and provided additional info to attempt to frighten someone into purchasing the software to remove spyware. The web address was 213.159.117.130/?affid=NAT-5.

Desktop icons, browser and other software all function normally.

New desktop icon/shortcut was "! Smart Security"-I have since deleted

After deleting this and a couple associated files my desktop background changed from the warning to an alternating gray and white.

I have used Ad-aware, spybot, and norton (latest versions) with no additional success. However, abnormal files in c:\program files\internet explorer were dchxuqbd.exe, gcdmkhfu.exe, and gkwfryiw.exe which I could not delete or uninstall but are no longer found (after ad aware).

Hijack log does not appear abnormal.

Right clicking on my desktop background and selecting view source provides the following notepad document:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY
style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
bottomMargin=0 bgColor=#000000 leftMargin=0 background="" topMargin=0
rightMargin=0>
<DIV
style="LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 0px; HEIGHT: 1024px"><IMG
style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
src="file:///C:/WINDOWS/9600_1024.bmp"> </DIV><IFRAME id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 1px; HEIGHT: 993px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\desktop.html" resizeable=""> </IFRAME>
<OBJECT id=ActiveDesktopMover
style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
<OBJECT id=ActiveDesktopMoverW
style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1282px; POSITION: absolute; TOP: 0px; HEIGHT: 995px; container: positioned"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>&nbsp;
</BODY></HTML>

Right clicking on the desktop background and clicking properties provides
Type: HTML Document
Connection: Not Encrypted
Address: file://C:\Windows\desktop.html

Still the background of my desktop is alternating gray and white and may send me into a seizure before long.

I would appreciate any help.
Thanks in advance.

  • 7 Contributors
  • 14 Replies
  • 414 Views
  • 3 Weeks Discussion Span
  • Latest Post Latest Post by jdbaker82

Recommended Answers

All 14 Replies

Member Avatar for dlh6213

You should first try booting into Safe Mode and running the programs you mentioned. While in Safe Mode, delete the contents of all Temp and Temporary Internet folders for all users. Also, do a search for *.tmp and delete all those files as well.

Reboot normally and go to this thread and follow any of the recommendations you haven't already tried:
http://daniweb.com/techtalkforums/thread5690.html

After that, post a hijackthis log in the Security forum (even if it doesn't look 'normal').

Member Avatar for pleasehelpme-7

dlh6213

I have followed your advice but have not had any success.

The following is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:11:30 PM, on 11/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mr\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


I appreciate you taking an interest in my problem.
Thanks again

Member Avatar for crunchie

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Looks like that log was done in safe mode? If so, please do this; Hit Start\Run and type in *Msconfig* without the asterix and hit ok. Then go to the startups Tab and make sure that everything there is enabled to start.
Reboot your PC and rescan with hijackthis and post that log here please.

Member Avatar for pleasehelpme-7

Crunchie
I am know you are probably very busy so I really appreciate you taking the time to help me.

Here is my HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 3:20:27 PM, on 11/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Mr\My Documents\My Videos\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash
R3 - Default URLSearchHook is missing
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab


Thanks in advance

Member Avatar for DaveSW

Do you know what C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe is?

Member Avatar for pleasehelpme-7

DaveSW
This is an application that I believe came with a satellite ISP that I did not completely get rid of after discontinuing their service. The actual despcription is Webcast Proxy server.

Thanks for your interest.

Member Avatar for crunchie

The only thing in your log that requires fixing is;

R3 - Default URLSearchHook is missing

Could be the problem lies elsewhere :(.

Member Avatar for DaveSW

DaveSW
This is an application that I believe came with a satellite ISP that I did not completely get rid of after discontinuing their service. The actual despcription is Webcast Proxy server.

Thanks for your interest.

I see. there is a trojan of the same filename, but that usually resides in the system32 folder, so I thought this had to be legit.

You could try going to add/remove programs and see if there's any strange entries there, but as crunchie says, it should be under the 04 section if it's loading it.

Member Avatar for dlh6213

Try this; right-click on a blank area of your desktop (someplace where there are no icons), in the menu that pops up, click on Properties. In the next window, click on the Desktop tab; down near the bottom, click on the Customize Desktop box. Click on the Web tab and let us know what is in the box under 'Web pages:'

Member Avatar for pleasehelpme-7

DLH6213, DaveSW, and Crunchie
Thank you all for your help. I appreciate you taking the time to assist with my problem. If you are interested JC7 solved my problem with a simple adjustment I evidently had destroyed the original bug but had not got rid of its linking my desktop to a webpage. The thread is under internet explorer.
Thanks again for your help.

Member Avatar for fran0216

DLH6213, DaveSW, and Crunchie
Thank you all for your help. I appreciate you taking the time to assist with my problem. If you are interested JC7 solved my problem with a simple adjustment I evidently had destroyed the original bug but had not got rid of its linking my desktop to a webpage. The thread is under internet explorer.
Thanks again for your help.

Who is JC7 and can I get the Instructions?

Member Avatar for joesixpack

I am having exactly the same problem with eactly the same web page as my desktop background.

Member Avatar for jdbaker82

Try this; right-click on a blank area of your desktop (someplace where there are no icons), in the menu that pops up, click on Properties. In the next window, click on the Desktop tab; down near the bottom, click on the Customize Desktop box. Click on the Web tab and let us know what is in the box under 'Web pages:'

just to let you guys know I had the exact same problem and this fix's it. But I had to get to it a different way... Just go to control panels/Display/Desktop/Customize Desktop/ and then to the Web tab and then uncheck the security box there/ Apply now, and problem is solved

Thanks DLH for the info.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.