
I'm sorry, I feel really dumb, but I need some help

I recently had a strange thing happen. My IE shut down and a warning came up on my desktop saying that my PC was being tracked. Somehow an HTML document was put onto my desktop. I have deleted the picture that was put on, but I can't figure out how to get rid of the HTML thing that covers my desktop background. I've never even heard of this before; do I have a virus? I've run a scan and it's still there. Can someone tell me how to get rid of this, please?

Comments

  • Thrax, Austin, TX, Icrontian
    edited July 2004
    Go here first and follow the instructions.

    Then go here and download HiJackThis! and post the results of the log file from HJT back here in this thread. We'll get ya set, mate. :)

    Welcome to Short-Media, undoubtedly the most friendly forum on the whole internet. We ask that you don't feel stupid at all! Even the pros in the field get spyware they don't know what to do with. If you've got the problems, you've come to the right place! Stick around and enjoy yourself.
  • edited July 2004
    Thank you so much Thrax for the fast reply, I'll follow your instructions as soon as I get off work in a couple of hours. Thanks again.
  • edited July 2004
    OK, I ran Ad-Aware and Spybot, and this is what the HijackThis log says.

    Logfile of HijackThis v1.98.0
    Scan saved at 8:41:02 AM, on 7/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijack\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] MSlti32.exe
    O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microszoft Update Mach1nezs] svcohst.exe
    O4 - HKLM\..\RunServices: [442B2A2C] C:\WINDOWS\System32\itjdn.exe
    O4 - HKLM\..\RunServices: [Virtual System Monitor] jrubsd.exe
    O4 - HKLM\..\RunServices: [Video Multimedia Driver] ndrives32.exe
  • GHoosdum, Icrontian
    edited July 2004
    These are probably virus-related; remove them and virus scan:
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] MSlti32.exe
    O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microszoft Update Mach1nezs] svcohst.exe

    Remove these too:
    O4 - HKLM\..\RunServices: [442B2A2C] C:\WINDOWS\System32\itjdn.exe
    O4 - HKLM\..\RunServices: [Virtual System Monitor] jrubsd.exe
    O4 - HKLM\..\RunServices: [Video Multimedia Driver] ndrives32.exe

    When you remove the files using HijackThis, make sure you find them all on your hard drive and move them to a new folder, C:\Quarantine. Rename all the .exe files to .eee (just change the extensions).
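The seven RunServices entries above share a few traits a practitioner looks for before touching anything: they live under RunServices (a Windows 9x/Me autostart key that NT-family Windows such as XP does not process, which is consistent with none of those executables appearing in the running-process list, though the files and keys still need to go), they are bare filenames with no install path, and their display names imitate Microsoft or MSN update components or are random hex. The script below is an added example for this thread, not code from HijackThis or from anyone in the thread. It parses O4 lines from a HijackThis log and applies those heuristics; the thresholds and word lists are assumptions chosen to match the entries posted above, not a signature database, and the sample input is the eight O4 lines from the log posted earlier in the thread.

```python
"""Triage O4 autostart entries from a HijackThis log (added example, heuristic only)."""
import re
from difflib import SequenceMatcher

# Constructed sample: the eight O4 lines from the HijackThis log posted in the thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Update Machine] MSlti32.exe
O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microszoft Update Mach1nezs] svcohst.exe
O4 - HKLM\..\RunServices: [442B2A2C] C:\WINDOWS\System32\itjdn.exe
O4 - HKLM\..\RunServices: [Virtual System Monitor] jrubsd.exe
O4 - HKLM\..\RunServices: [Video Multimedia Driver] ndrives32.exe
""".strip().splitlines()

# HijackThis O4 format: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Autostart keys only Windows 9x/Me honour; XP (WinNT 5.1) never runs them.
NT_IGNORED_KEYS = {"RunServices", "RunServicesOnce"}
# Vendor words that malware autostart names commonly imitate (assumed list).
VENDOR_WORDS = {"microsoft", "msn", "windows"}


def parse_o4(line):
    """Return {hive, key, name, cmd} for an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_vendor(word, threshold=0.8):
    """Fuzzy match so a leet/misspelt 'Microszoft' scores like 'Microsoft'."""
    w = word.lower()
    return any(SequenceMatcher(None, w, v).ratio() >= threshold for v in VENDOR_WORDS)


def flags_for(entry):
    """Heuristic flags for one parsed O4 entry; an empty list means nothing odd."""
    flags = []
    if entry["key"] in NT_IGNORED_KEYS:
        flags.append("ignored_on_nt")
    parts = entry["cmd"].split()
    exe = parts[0] if parts else ""
    if exe and "\\" not in exe and "/" not in exe:
        flags.append("bare_filename")  # resolved via the search path, no install dir
    if any(looks_like_vendor(w) for w in entry["name"].split()):
        flags.append("impersonates_vendor")
    if re.fullmatch(r"[0-9A-Fa-f]{8}", entry["name"]):
        flags.append("random_name")
    return flags


def triage(lines):
    """Parse every O4 line and attach its flags; non-O4 lines are skipped."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["flags"] = flags_for(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        status = "SUSPECT" if e["flags"] else "ok"
        print(f"{status:7} {e['key']:15} [{e['name']}] {e['cmd']}  {e['flags']}")
```

Run against the posted log, only the KernelFaultCheck/dumprep entry (a stock XP error-reporting hook) comes back clean; the rest carry two or three flags each, matching what GHoosdum picked out by eye.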
  • edited July 2004
    I am getting this message when I run the HijackThis scan; I'm not sure what this means.
    **********************************************************
    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=C:\WINDOWS\control.ini, sSection=don't load, sValue=inetcpl.cpl)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2600.0000
    HijackThis version: 1.98.0

    This message has been copied to your clipboard.
    **********************************************************
    This is the newest log; that HTML thing is still on my desktop, though.

    Logfile of HijackThis v1.98.0
    Scan saved at 7:09:22 PM, on 7/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  • GHoosdum, Icrontian
    edited July 2004
    You might as well send what you just posted as an e-mail to that e-mail address.

    Are you still having the infection?
  • edited July 2004
    I did send that report to the email. Yes, there is still a screen covering my desktop that is an HTML doc, I think. When I right-click and go to View > View Source, a Notepad doc comes up with this in it. I followed it to the wallpaper and deleted the picture, but now it is just a blank screen.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <!----
    ***** This file is automatically generated by Microsoft Windows *****
    ><HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY
    style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
    bottomMargin=0 bgColor=#000042 leftMargin=0 background="" topMargin=0
    rightMargin=0>
    <DIV
    style="LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 0px; HEIGHT: 600px"><IMG
    style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
    src="file:///C:/Documents%20and%20Settings/Administrator/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
    </DIV><IFRAME id=0
    style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 1px; HEIGHT: 570px"
    name=DeskMovrW marginWidth=0 marginHeight=0
    src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
    subscribed_url="C:\WINDOWS\Web\desktop.html" resizeable=""> </IFRAME>
    <OBJECT id=ActiveDesktopMover
    style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
    classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
    <OBJECT id=ActiveDesktopMoverW
    style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 802px; POSITION: absolute; TOP: 0px; HEIGHT: 572px; container: positioned"
    classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT> 
    </BODY></HTML>
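The page above is, as its own comment says, a wrapper that Windows generates for Active Desktop; what actually shows on the desktop is whatever it loads. The script below is an added example for this thread, not code from the thread or from Windows. It parses that wrapper with Python's html.parser and lists every local file and COM class it references, converting file:/// URLs to Windows paths so each can be checked, which is the list a practitioner would work from rather than the wrapper itself. The sample input is the posted HTML trimmed to the elements that reference something (same tags and attribute values, without the leading comment and the duplicated second OBJECT); the attribute names treated as references are an assumption.

```python
"""List what a Windows Active Desktop wrapper page loads (added example)."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: the Active Desktop wrapper posted above, trimmed to the
# referencing elements (same tags and attribute values as in the post).
SAMPLE_HTML = r"""
<HTML><BODY bgColor=#000042 background="">
<DIV><IMG cache
src="file:///C:/Documents%20and%20Settings/Administrator/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
</DIV><IFRAME id=0 name=DeskMovrW
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html"></IFRAME>
<OBJECT id=ActiveDesktopMover classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
</BODY></HTML>
"""

# Attributes that can pull in another resource (assumed set for this wrapper format).
REF_ATTRS = {"src", "background", "subscribed_url", "classid", "data"}


def file_url_to_path(value):
    """file:///C:/Documents%20and%20Settings/... -> C:\\Documents and Settings\\...;
    anything that is not a file: URL is returned unchanged."""
    u = urlparse(value)
    if u.scheme != "file":
        return value
    path = unquote(u.path)  # "/C:/Documents and Settings/..."
    if len(path) >= 3 and path[0] == "/" and path[2] == ":":
        path = path[1:]  # drop the leading slash in front of the drive letter
    return path.replace("/", "\\")


class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every referencing attribute seen."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:  # html.parser lowercases tag and attribute names
            if attr in REF_ATTRS and value:
                self.refs.append((tag, attr, value))


def collect_refs(html):
    p = RefCollector()
    p.feed(html)
    p.close()
    return p.refs


def local_files(html):
    """Windows paths of every local file the page loads, in document order, deduplicated."""
    out = []
    for _tag, attr, value in collect_refs(html):
        if attr == "classid":
            continue
        path = file_url_to_path(value)
        if path not in out:
            out.append(path)
    return out


def clsids(html):
    """COM class identifiers instantiated via <OBJECT classid=clsid:...>."""
    return [v.split("clsid:", 1)[1] for _t, a, v in collect_refs(html)
            if a == "classid" and "clsid:" in v]


if __name__ == "__main__":
    for path in local_files(SAMPLE_HTML):
        print("loads:", path)
    for cid in clsids(SAMPLE_HTML):
        print("object:", cid)
```

On the posted wrapper this yields two files, the cached wallpaper bitmap under the Administrator profile (which also shows the machine is being used from the Administrator account) and C:\WINDOWS\Web\desktop.html, plus one CLSID; those are the things to open and inspect, since deleting only the bitmap, as the poster did, leaves the wrapper showing a blank frame.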