1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Wheres my wallpaper

Discussion in 'Windows XP' started by rahzip, May 14, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. rahzip

    rahzip Thread Starter

    Joined:
    May 14, 2005
    Messages:
    7
    I lost my walllpaper to a hijack i quess quite awhile ago. I got everything working but my wallpaper. What do I do ? :eek:
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    110,606
    Hi and welcome to TSG,

    Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
    to download HijackThis.

    Close all open windows and open HijackThis. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to Notepad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
     
  3. Tushman

    Tushman Banned

    Joined:
    Nov 10, 2002
    Messages:
    633
    When you R-click on a picture and select "Set As Wallpaper" - the default location is C:\Windows\Web\Wallpaper. Look for your wallpaper there. It will probably say Internet Explorer background or something similar.
     
  4. rahzip

    rahzip Thread Starter

    Joined:
    May 14, 2005
    Messages:
    7
    Logfile of HijackThis v1.99.1
    Scan saved at 11:58:39 AM, on 5/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Quicken\qw.exe
    C:\Program Files\Outlook Express\wab.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
    O3 - Toolbar: CouponsBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
    O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://ftp.coupons.com/CouponBar/CouponBar.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20040728.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponsBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.133.209.133/activex/AxisCamControl.cab
    O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} - https://secure3.trueswitch.com/SBCYahoo/TrueConfig.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7418AE5-713A-4B33-8E8B-570D5CBEE1A0}: NameServer = 151.164.14.201 151.164.1.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC70DB78-84C8-4468-A8AE-194E3E2EFC03}: NameServer = 151.164.1.8,206.13.28.12
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    110,606
    These are all listed as pending or open for debate, or not listed at all and I recommend removing them:

    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click “fix checked.”

    O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL

    O3 - Toolbar: CouponsBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll

    O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll

    O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://ftp.coupons.com/CouponBar/CouponBar.cab

    O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponsBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/do...bin/actxcab.cab


    Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

    It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

    If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to.

    If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

    If you get a message when you first run it "Can not find script file "blah blah blah" then don't worry just double click the cleandesktop.vbs script again as you sometimes get that message when a script blocker blocks the script.

    It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

    It will restart Explorer.

    Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

    I have included another vbs to do this. It is named Other Profiles Regfix.vbs

    Have each User sign in and run Other Profiles Regfix.vbs
    Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

    Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

    To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your preferred picture press apply & then ok to exit and then press F5.

    You will need to do this step for every user account
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/362229

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice