Hello Guestolo,
I read your last post after performing the whole procedure. I'm sure the version of REMV3 is the same.. I went ahead and downloaded the one from this thread and installed it - after the fact. All the files were replaced with ones of equal size. The reason I could not download it the 1st time was because I was not in the "full version" of the forum.. I guess attachments don't show up unless you're in the "full version".
Enough on that.. This time everything went fairly smooth. A lot of the files in Hijack this were gone from yesterdays cleanup attempt. I seem to have regained control of my Internet Explorer (no pop-ups, no redirects, homepage is once again yahoo, etc). But my desktop is still hijacked.. A nasty black "Warning!! You're in danger!" message still appears. I right clicked on the desktop, went to properties and the address URL was //c:\\WINNT\\WEB\desktop.html. I proceeded to delete this file and refresh the desktop and now I have a plain white desktop (with the same URL address). I do not get the usual desktop configuration window when right clicking and going to properties (ie Wallpaper, screensaver, etc). However, I do see my original desktop picture for a short while when booting up... Dont know if this info helps out or not..
Maybe the following logs will:
_____________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:28:22 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5co...b?1114014142184O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
_________________________________________
C:\log.txt states:
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 9873-4FF9
Directory of C:\WINNT\system32
04/30/2005 06:14 PM 19,456 hdzjv.dll
1 File(s) 19,456 bytes
0 Dir(s) 110,273,032,192 bytes free
msi.dll
Finished
_______________________________________________________
SpSeHjfix.txt states:
(4/30/05 7:57:07 PM) SPSeHjFix started v1.1.2
(4/30/05 7:57:07 PM) OS: WinXP (5.1.2600)
(4/30/05 7:57:07 PM) Language: english
(4/30/05 7:57:07 PM) Win-Path: C:\WINNT
(4/30/05 7:57:07 PM) System-Path: C:\WINNT\System32
(4/30/05 7:57:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:57:17 PM) Disinfection started
(4/30/05 7:57:17 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:57:17 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:57:17 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\openwin.dll
(4/30/05 7:57:17 PM) Searchassistant Uninstaller - Keys Deleted
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/30/05 7:57:17 PM) Stealth-String not found
(4/30/05 7:57:17 PM) File added to delete: c:\winnt\openwin.dll
(4/30/05 7:57:17 PM) Reboot
(4/30/05 7:59:01 PM) SPSeHjFix started v1.1.2
(4/30/05 7:59:01 PM) OS: WinXP (5.1.2600)
(4/30/05 7:59:01 PM) Language: english
(4/30/05 7:59:01 PM) Win-Path: C:\WINNT
(4/30/05 7:59:01 PM) System-Path: C:\WINNT\System32
(4/30/05 7:59:01 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:59:43 PM) Disinfection started
(4/30/05 7:59:43 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:59:43 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) Bad IE-pages: (none)
(4/30/05 7:59:43 PM) Stealth-String not found
(4/30/05 7:59:43 PM) Not infected->END
(5/1/05 9:37:07 PM) SPSeHjFix started v1.1.2
(5/1/05 9:37:07 PM) OS: WinXP (5.1.2600)
(5/1/05 9:37:07 PM) Language: english
(5/1/05 9:37:07 PM) Win-Path: C:\WINNT
(5/1/05 9:37:07 PM) System-Path: C:\WINNT\System32
(5/1/05 9:37:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:37:08 PM) Disinfection started
(5/1/05 9:37:08 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:37:08 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) Bad IE-pages: (none)
(5/1/05 9:37:08 PM) Stealth-String not found
(5/1/05 9:37:08 PM) Not infected->END
(5/1/05 9:44:24 PM) SPSeHjFix started v1.1.2
(5/1/05 9:44:24 PM) OS: WinXP (5.1.2600)
(5/1/05 9:44:24 PM) Language: english
(5/1/05 9:44:24 PM) Win-Path: C:\WINNT
(5/1/05 9:44:24 PM) System-Path: C:\WINNT\System32
(5/1/05 9:44:24 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:44:34 PM) Disinfection started
(5/1/05 9:44:34 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:44:34 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) Bad IE-pages: (none)
(5/1/05 9:44:34 PM) Stealth-String not found
(5/1/05 9:44:34 PM) Not infected->END
________________________________________________________________
I think I'm close... Any ideas on the desktop?
Muchos Gracias,
Paul
Show Posts