Press F1 forum, thread 59639: W32.Desktophijack virus
Started 2005-07-08 08:47:00 by bk T (215)
Post 370508 | 2005-07-08 08:47:00 | bk T (215)

Scanned this machine with AVG, Avast and the Housecall online scan and found nothing. However, went to Symantec's online security check, it detected this W32.Desktophijack virus but unfortunately, it does not help to remove it. Ran Hijackthis and came out with this log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:22:26 p.m., on 8/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\PurgeIE\PurgPro_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\P3 NOTEBOOK\Local Settings\Temp\Temporary Directory 2 for hijackthisJul05.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.updatesearches.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.updatesearches.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.updatesearches.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp17AC.tmp (file missing)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {30654E88-86F7-4169-8162-3121A10F4001} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30654E88-86F7-4169-8162-3121A10F4001} - (no file) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://xtra.co.nz
O16 - DPF: ConferenceRoom Java Client - mail.igl.net:8000
O16 - DPF: Yahoo! Backgammon - download.games.yahoo.com
O16 - DPF: Yahoo! Blackjack - download.games.yahoo.com
O16 - DPF: Yahoo! Canasta - download.games.yahoo.com
O16 - DPF: Yahoo! Chat - us.chat1.yimg.com
O16 - DPF: Yahoo! Checkers - download.games.yahoo.com
O16 - DPF: Yahoo! Chess - download.games.yahoo.com
O16 - DPF: Yahoo! Dice - download.games.yahoo.com
O16 - DPF: Yahoo! Dots - download.games.yahoo.com
O16 - DPF: Yahoo! Euchre - download.games.yahoo.com
O16 - DPF: Yahoo! Fleet - download.games.yahoo.com
O16 - DPF: Yahoo! Go - download.games.yahoo.com
O16 - DPF: Yahoo! Go Fish - download.games.yahoo.com
O16 - DPF: Yahoo! GoStop - download.games.yahoo.com
O16 - DPF: Yahoo! Literati - download.games.yahoo.com
O16 - DPF: Yahoo! Pinochle - download.games.yahoo.com
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} - www.movie-browser.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - sc.groups.msn.com
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - www.worldwinner.com
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - www.zuvio.com
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - us.dl1.yimg.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE637AF2-5260-4B7F-9B37-907A19AAA145}: NameServer = 202.27.158.40,202.27.156.72
O20 - Winlogon Notify: tapiexec - tapiexec.dll (file missing)
O21 - SSODL: MSSQLMonitor - {7D20D1A1-BF35-4FC4-AC3B-151EF1BCC28E} - C:\WINDOWS\System32\biosntfs.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please advise. Cheers
Post 370509 | 2005-07-08 08:53:00 | Jen (38)

Hi bk T, your log shows a few problems. Your best bet is to paste your log into this (www.hijackthis.de) online analyser. Post back here with any questions you have over the results. :)
Post 370510 | 2005-07-08 08:55:00 | johnboy (217)

Try these removal instructions: securityresponse.symantec.com

And here: forums.techguy.org

hth
Post 370511 | 2005-07-08 09:49:00 | pctek (84)

Especially:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

My favorite about:blank. NOT.
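A first-pass triage of the kind the hijackthis.de analyser does for you, as an added example that is not part of this thread and not the logic of HijackThis or hijackthis.de: a Python script that parses HijackThis 1.99.x entry lines and flags the sort of entries pctek singled out. The sample lines are copied from bk T's log above; the allowlist of expected domains (xtra.co.nz, xtramsn.co.nz) and the three flag rules (orphaned file references, IE default pages outside the allowlist, O20/O21 autostart entries) are this example's own assumptions, chosen to illustrate triage rather than to declare any particular entry malicious.

```python
"""Triage pass over a HijackThis 1.99.x log.

Added example, not code from the Press F1 thread, from HijackThis or from
hijackthis.de. The three flag rules and the allowlist of expected domains are
this example's own assumptions; a flag means "look at this", not "malicious".
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# HijackThis entry lines look like "<Type> - <body>", e.g. "O2 - BHO: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")

# HijackThis itself appends these when the referenced file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Persistence locations always worth a look (assumption: few legitimate
# consumer programs register here): Winlogon Notify and SSODL.
AUTOSTART_KINDS = {"O20", "O21"}

# Assumed allowlist: the ISP pages the poster evidently uses.
EXPECTED_DOMAINS = {"xtra.co.nz", "xtramsn.co.nz"}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.updatesearches.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xtra.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xtra
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp17AC.tmp (file missing)
O20 - Winlogon Notify: tapiexec - tapiexec.dll (file missing)
O21 - SSODL: MSSQLMonitor - {7D20D1A1-BF35-4FC4-AC3B-151EF1BCC28E} - C:\WINDOWS\System32\biosntfs.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str                 # HijackThis entry type, e.g. "R1" or "O20"
    reasons: Tuple[str, ...]  # one or more triage reasons for this line
    line: str                 # the original log line


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (kind, body) for an entry line, None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def ie_host(value: str) -> str:
    """Reduce an IE setting value (full URL or bare host) to a lower-cased host."""
    v = re.sub(r"^[a-z]+://", "", value.strip().lower())  # drop scheme if present
    host = v.split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host


def ie_default_reason(body: str, expected: Set[str]) -> Optional[str]:
    """For R0/R1 entries: flag a start/search/default page outside the allowlist."""
    if " = " not in body:
        return None
    key, value = body.split(" = ", 1)
    setting = key.rsplit(",", 1)[-1]      # e.g. "Default_Page_URL"
    if "Title" in setting:                # Window Title is text, not a URL
        return None
    host = ie_host(value)
    if host in expected:
        return None
    return f"ie-default: {setting} points at {host!r}, not an expected domain"


def triage_entry(kind: str, body: str, expected: Set[str]) -> List[str]:
    """Apply the three heuristics to one parsed entry; empty list means no flag."""
    reasons = []
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphan: registry references a file that is not on disk")
    if kind in ("R0", "R1"):
        r = ie_default_reason(body, expected)
        if r:
            reasons.append(r)
    if kind in AUTOSTART_KINDS:
        reasons.append("autostart: Winlogon Notify / SSODL entry, verify the DLL")
    return reasons


def triage(lines: Iterable[str], expected: Set[str]) -> List[Finding]:
    """Walk a log and return one Finding per flagged entry, in log order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        kind, body = parsed
        reasons = triage_entry(kind, body, expected)
        if reasons:
            findings.append(Finding(kind, tuple(reasons), line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), EXPECTED_DOMAINS):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

On the sample above the script lists six entries: both updatesearches/about:blank R1 lines, the URLSearchHook with no file, the BHO whose .tmp is missing, the O20 entry (flagged twice, as orphan and as autostart) and the O21 entry; the Google BHO, the ISP start pages and the avast service pass untouched. Swap SAMPLE_LOG for the contents of a real log file and adjust EXPECTED_DOMAINS to the machine's own ISP to reuse it.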
Post 370512 | 2005-07-08 13:34:00 | bk T (215)

Posted the hijackthis log file to the link as suggested by Jen for analysis. Ticked all those items for Hijackthis to fix the problem. Everything seems to be OK, but when I went online to Symantec for another scan, it still detects the W32.Desktophijack virus. Followed Symantec's instructions to look for the registry keys but could not find any. Is this a false alarm? Or, is there any other way to remove this virus other than installing Norton Antivirus? Will NAV be able to remove this virus? But why did all the other programs like AVG, AVAST and Housecall not detect any? There isn't any unusual activity detected in this computer, everything seems to be working OK. Cheers
Post 370513 | 2005-07-09 00:33:00 | bk T (215)

Is there any way to remove this virus at all? Tried manually deleting registry keys, hijackthis, etc, etc. Or, do I have to reformat my HDD to get rid of it? Please advise.
Post 370514 | 2005-07-09 00:54:00 | FoxyMX (5)

Try yet another of the online virus scans as listed in the FAQ. If they do not detect anything then I would ignore what Norton says.
Post 370515 | 2005-07-09 10:53:00 | bk T (215)

Got a copy of NAV (for another machine), installed and it removed successfully the w32.desktophijack virus. Have then uninstalled it and put back my AVG. Have I breached the copyright issue by doing that? Cheers
Post 370516 | 2005-07-09 12:20:00 | tweak'e (69)

i won't tell if you don't ;)
Post 370517 | 2005-07-09 14:43:00 | Rob99 (151)

> Got a copy of NAV (for another machine), installed and it removed successfully the w32.desktophijack virus. Have then uninstalled it and put back my AVG. Have I breached the copyright issue by doing that? Cheers

See here (www.symantec.com/sabu/eula/pdf/06.12.03%20CPD.GLBLEULA.SAVHandheld.AE.pdf), it is the download to a pdf. It looks like a grey area, but looks like you are OK only if it was on one machine at a time.