
I can't change my desktop background. When I try to select a group from the list after right-clicking on the desktop and clicking 'Properties' > 'Desktop', the background area has 'None' at the top with a circle and line through it beside it. It won't let me change the background, which is just a plain blue screen. I can use my desktop icons. My Internet Explorer is starting to act up and I frequently have to Ctrl+Alt+Del. I downloaded the HijackThis thing and here is my log. Any assistance would be greatly appreciated as this is becoming a huge pain.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:03 PM, on 10/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Steve\Application Data\F?nts\m?config.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\Rar$EX00.463\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {2263A239-4FD9-5458-81DF-64349471B3CE} - C:\WINDOWS\System32\qifoext.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2263A239-4FD9-5458-81DF-64349471B3CE} - C:\WINDOWS\System32\qifoext.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6b962594-0e69-4ac4-b6f8-eae962809df4} - C:\WINDOWS\system32\egaapi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Szdla] C:\Documents and Settings\Steve\Application Data\F?nts\m?config.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Documents and Settings\Steve\My Documents\TYK\America Online 8.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: egaapi - C:\WINDOWS\SYSTEM32\egaapi.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Yeah, I can see you could well be having problems....

Is there any reason that you are not running SP2? It's a big download, but it is ALL about security... More on security, download the latest update for SUN Java - it is to fix security holes also. From Control Panel > Java, and click the Update tab. You're making it tough for yourself being this wide open. Okay, enough scolding.. :) .. on with the cleanup.

Not a bad collection, but nothing to boast about, really....:)

I put all my cleaners, scanners etc. in the same partition as my program files... if you only have a C: drive then open a new folder for this stuff.. however, HT deserves a folder unto itself. Please do not run it from the temp folder as you have done - it may miss a lot of stuff. A point, if you don't do all these steps some things may not get fixed...

You may wish to save this to Notepad for the time being.

-I would like you to download CCleaner from http://www.majorgeeks.com/download4191.html and put it in a new folder.
-Go here and get Ewido 4 [free]:- http://free.grisoft.com/doc/2/lng/us/tpl/v5
Install it alongside your other regular applications in Program Files, because you should keep it for scanning once a week or so - put an icon on your desktop.

So, Ewido:- start it; the main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Click on the Update tab and then Update Now. When it finishes click on the Scanner tab and then Settings:- How to act - click on recommended action and set Quarantine. For reports, set to generate after every scan and untick "only if threats found". Finally, down on the tray right-click the Ewido icon and untick Start with Windows, and then Exit it. Don't scan yet.

Ok, you're done with the net. Shut it down. Disconnect..... whatever...

Rclick your recycle bin and run CCleaner. [or go to its folder and dclick ccleaner.exe] You will lose a lot of handy stuff like histories etc... but there is a job to do...

Go into safe mode [Restart, key F8 immed after POST runs and select Safe Mode and Enter.... You'll get a dark desktop with icons etc...]

Start Ewido, do the full system scan. Click "Apply all actions" to place any infected files into Quarantine, and only then click on "Save Report" to view all completed scans; click on the scan you just performed and select "Save report."

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

And now, still in Safe Mode and with NOTHING else open, run HijackThis, check the items I list below and Fix them. [if they still exist] By nothing else open, I mean open the explorer folder of HT, start it by dclicking the .exe, then CLOSE the explorer folder, close ALL apps including browsers [you should be off the net anyway], and finally start the scan.

Checkmark the following for fixing [if they still exist] and FIX them.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {2263A239-4FD9-5458-81DF-64349471B3CE} - C:\WINDOWS\System32\qifoext.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {2263A239-4FD9-5458-81DF-64349471B3CE} - C:\WINDOWS\System32\qifoext.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {6b962594-0e69-4ac4-b6f8-eae962809df4} - C:\WINDOWS\system32\egaapi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Szdla] C:\Documents and Settings\Steve\Application Data\F?nts\m?config.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: egaapi - C:\WINDOWS\SYSTEM32\egaapi.dll

Finally go into this Windows folder and delete these three files if they still exist. You first will have to check "show hidden files and folders" via Tools > Folder Options > View...

C:\WINDOWS\System32\qifoext.dll
C:\WINDOWS\system32\durvil1.dll
C:\WINDOWS\system32\egaapi.dll

Done? Then back to normal Windows mode, run HT again and please post it.
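As an added example that is not part of the thread (nor of HijackThis itself), here is a small Python triage script that applies the kind of heuristics the reply above used to build its fix list: unnamed BHOs and URLSearchHooks loading a DLL from System32, autoruns started from the user profile or with non-ASCII names, third-party ActiveX downloads (O16) and non-stock Winlogon Notify packages (O20). The log excerpt is constructed from lines of the posted log, and KNOWN_NOTIFY is an assumed allow-list for a stock Windows XP install.

```python
import re
from typing import List, Optional, Tuple
# Constructed excerpt of the HijackThis log posted above; HijackThis shows non-ASCII path characters as "?".
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {2263A239-4FD9-5458-81DF-64349471B3CE} - C:\WINDOWS\System32\qifoext.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [Szdla] C:\Documents and Settings\Steve\Application Data\F?nts\m?config.exe
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O20 - Winlogon Notify: egaapi - C:\WINDOWS\SYSTEM32\egaapi.dll
"""

# Assumed allow-list of Winlogon Notify packages on a stock Windows XP install; extend it for your build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def triage_line(line: str) -> Optional[str]:
    """Return why a HijackThis line deserves a closer look, or None if it looks ordinary."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    # Unnamed IE hooks/BHOs are common; ones loading a DLL straight out of System32 are not.
    if section in ("R3", "O2") and "(no name)" in low and "\\windows\\system32\\" in low:
        return "unnamed browser hook/BHO loading a DLL from System32"
    if section == "O4":                       # autorun entries; the command line follows [ValueName]
        path = low.split("] ", 1)[-1]
        if "?" in path:
            return "autorun path contains non-ASCII characters (shown as ?)"
        if "\\application data\\" in path or "\\local settings\\temp\\" in path:
            return "autorun launched from the user profile instead of Program Files"
    if section == "O16":                      # ActiveX controls downloaded by IE
        host = re.search(r"https?://([^/]+)", low)
        if host and not host.group(1).endswith(("microsoft.com", "windowsupdate.com")):
            return f"ActiveX download from third-party host {host.group(1)}"
    if section == "O20":                      # DLLs loaded into winlogon.exe at every logon
        pkg = re.match(r"winlogon notify: (\S+)", low)
        if pkg and pkg.group(1) not in KNOWN_NOTIFY:
            return f"Winlogon Notify package '{pkg.group(1)}' is not a stock XP package"
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """(log line, reason) pairs for every line the heuristics flag, in log order."""
    pairs = [(ln.strip(), triage_line(ln)) for ln in log_text.splitlines()]
    return [(ln, why) for ln, why in pairs if why]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

A flag is a prompt to check the file's publisher and hash before fixing the entry, not a verdict; the Spybot SDHelper line shows a legitimate unnamed BHO that the System32 rule leaves alone.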


No, that's a Vundo infection, so a special tool is needed here. Checking with HJT won't solve the problem.

Download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
