Author Topic: Danger Desktop Hijack  (Read 1476 times)

Offline Kane62

Danger Desktop Hijack
« on: May 16, 2005, 11:37:14 AM »
I am having a terrible time getting rid of this desktop hijack. I've been working on it for 6 hours and no joy. Here is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 6:31:44 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\owner\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.objectcube.com/dc5/aebn/files/o...CubeInstall.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095555940895
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://hot-spot.t-mobile.net/landing/TMD/d.../web/index.html
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} - http://dl.adshooter.com/code/SYSsfitb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F2F33E2-ED3A-475E-8761-78C302F080F0}: NameServer = 217.237.148.17 217.237.148.49
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Appreciate all your help. I have tried everything that I know!!!

Offline roofy

Danger Desktop Hijack
« Reply #1 on: May 16, 2005, 02:18:32 PM »
Kane62,
Just out of curiosity, does this desktop hijack look like the background has been replaced with an ad with its title saying "Warning you are in great danger!!!"? Also, what version of Norton's AV do you have? I ask this because I see that one of the virus startup files you have is the same file that I had. In addition, Norton's AV didn't detect this even in safe mode. Sorry I can't help you with your HijackThis log, though I can help some.

What I did was do an online scan through Trendmicro's website, and it found the trojan horse. While you are waiting for guestolo to help you, you can find Trendmicro's free online scan by going to www.trendmicro.com. After going to their homepage, click on free online scan. However, it is possible to get redirected. If this happens, this means that your browser has been hijacked as well. The only 2 solutions that you can do then are the following...

The first way is NOT RECOMMENDED if you do not know how to use MSCONFIG. However, if you do, then what you could do is disable some of your startup files. HOWEVER, you do not want to disable Norton's AV, and I also see that you are running ZoneAlarm, which you wouldn't want to disable either.

The second option is to wait for guestolo to help.


Also FYI,
This virus IS VERY DANGEROUS! It can crack usernames and passwords and access personal data. For example, if you do online banking, it's possible that you won't see that money in your account the next day or so, all because of this virus. If you wait for guestolo, then I really suggest reading future replies to this thread on another computer, considering it is such a dangerous virus and staying online only makes this worse.

Offline guestolo

Danger Desktop Hijack
« Reply #2 on: May 16, 2005, 08:14:53 PM »
Looks like the older infection

Can we try this and see how it goes

==Download and Install this small program to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} - http://dl.adshooter.com/code/SYSsfitb.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Back in Windows

Find and delete these files if they exist
C:\WINDOWS\System32\spoolsrv32.exe <-this file, DON'T delete anything else because it looks similar

C:\WINDOWS\Web\desktop.html <-file

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. ~I removed this step, go on to step 5~
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or make sure all checkboxes in this window are un-checked.
OK your way out

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Instead

Restart the computer

Back in Windows

Do another scan with Hijackthis and post a fresh log

Could you also
Download and UNZIP to desktop Get2.zip
so you now have Get2.bat extracted to the desktop
Double click on Get2.bat and a text file called Export2.txt will be produced
Copy and paste back Export2.txt also
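A defender-side triage of the log entries guestolo picked out, as an added example that is not part of this thread: it parses HijackThis O4 and O16 lines, flags executables whose names imitate core Windows binaries (spoolsrv32.exe against the real spoolsv.exe), RunOnce entries registered in both HKLM and HKCU, and ActiveX downloads from hosts outside an allowlist. The sample lines are copied from the log above; the core-binary set and trusted-domain list are assumptions, not anything HijackThis itself ships.

```python
import re
from difflib import get_close_matches
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis log posted in this thread,
# plus two benign entries (ZoneAlarm, Windows Update) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095555940895
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} - http://dl.adshooter.com/code/SYSsfitb.cab
"""

# Assumed reference lists (not from the page): core Windows binaries that malware
# likes to imitate, and domains from which ActiveX (O16) downloads are expected.
CORE_BINARIES = ["spoolsv", "svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"]
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "macromedia.com")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] \"?(.*?\.exe)\"?", re.I)
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}.*? - (https?://\S+)", re.I)

def lookalike_of(exe_path):
    """Return the core binary this file name imitates, or None if it is genuine or unrelated."""
    # Drop the directory, the .exe suffix and any trailing digits ("spoolsrv32" -> "spoolsrv").
    stem = re.sub(r"\d*\.exe$", "", exe_path.rsplit("\\", 1)[-1].lower())
    if stem in CORE_BINARIES:
        return None
    near = get_close_matches(stem, CORE_BINARIES, n=1, cutoff=0.85)
    return near[0] if near else None

def triage(log_text):
    findings = []
    runonce_seen = {}  # autorun name -> set of hives it is registered under
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, exe = m.groups()
            look = lookalike_of(exe)
            if look:
                findings.append((line, f"file name imitates {look}.exe"))
            if key.lower() == "runonce":
                runonce_seen.setdefault(name, set()).add(hive.upper())
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                findings.append((line, f"ActiveX download from untrusted host {host}"))
    for name, hives in runonce_seen.items():
        if hives == {"HKLM", "HKCU"}:  # RunOnce should fire once; re-registering in both hives is persistence
            findings.append((name, "RunOnce persistence registered in both HKLM and HKCU"))
    return findings
```

Run against the sample, the ZoneAlarm and Windows Update lines pass and the three entries guestolo told Kane62 to fix are the ones reported.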
