file://C:\WINDOWS\Web\desktop.html



#1 rigelsaint


Posted 14 March 2005 - 10:36 AM

Hello, I have 3 problems: 1) my desktop has this "file://C:\WINDOWS\Web\desktop.html" as default wallpaper; it is a blank page (nothing more). Trying to delete this spyware started the 2nd problem: http://www.hotoffers.info/250/adult/index.html is my default start page in my Internet Explorer (I delete it, but it reinstalls every time I restart my PC). And 3rd (and last), Security iGuard is auto-installed on my PC every time that I restart WinXP. WHAT CAN I DO??? PLEASE!!! HELP ME!!! THANKS!!!
Here is my log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:04 a.m., on 14/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\ARCHIV~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Archivos de programa\NavNT\rtvscan.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\NavNT\vptray.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Archivos de programa\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
X:\Documents and Settings\msim\Mis documentos\Projects\Asistonto\Asistonto.exe
C:\DOCUME~1\msim\CONFIG~1\Temp\tmp18.tmp
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\msim\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/250/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0C0A/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Digicel C.A
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = svbut06:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\System32\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [vptray] C:\Archivos de programa\NavNT\vptray.exe
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Archivos de programa\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Archivos de programa\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: Acceso directo a Asistonto.exe.lnk = Documents and Settings\msim\Mis documentos\Projects\Asistonto\Asistonto.exe
O4 - Startup: winupdate15418709[1].exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Puerto Symantec Fax Starter Edition.lnk = C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
O4 - Global Startup: Service Manager.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102369524283
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://svbut03/tsweb/msrdp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = digicel.com.ve
O17 - HKLM\Software\..\Telephony: DomainName = digicel.com.ve
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = digicel.com.ve
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = digicel.com.ve
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Archivos de programa\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Archivos de programa\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\Pointdev\VNC\WinVNC.exe" -service (file missing)


#2 miekiemoes

  • Malware Response Team

Posted 16 March 2005 - 03:20 AM

Hi there,

It's better to print out these instructions or save them into Notepad, because you have a lot of different steps to take and it is really important that you don't miss any of them. We are trying to get rid of your 3 problems at once if possible.

Open NOTEPAD and copy and paste the following (the text in the white field) into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

Save this as fix.reg, choose to save as *all files*, and place it on your desktop.
Don't use it yet.

Now,

* Download and unzip Killbox to your desktop.
Click killbox.exe.
Select the option "Delete on reboot".
In the field labeled "Full Path of File to Delete", copy and paste the following:

C:\WINDOWS\System32\systr.dll

Select: "Unregister DLL Before Deletion".
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on the next reboot. Click YES.
When it asks if you would like to reboot now, click YES.

Your system will reboot now.

* Doubleclick on fix.reg that is on your desktop and answer yes when asked if you want to add the contents to the registry.

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download HSFix.zip
Make a new folder on your desktop and name it HSFix
UNZIP the contents of HSFix.zip to that HSFix-folder. !!Important!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/250/
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\System32\SEARCH~1.DLL
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate15418709[1].exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
° To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\SEARCHDLL.DLL
C:\Archivos de programa\Security iGuard <== this folder (this is a so-called spyware remover, but has a dubious reputation)
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\Web\desktop.html

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there.

* Open the HSFix folder located on your desktop and double-click hsfix.bat. !!Do not forget this step!!
Notepad will open afterwards with some text in it (hslog.txt).
Just close this again.

* Start CCleaner and click Run Cleaner.

* Reboot your system back to normal mode

* Perform an online scan with HouseCall and eTrust.

* Reboot again and post a new HijackThis log together with that log from hsfix (hslog.txt, which is on your C:\).
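As an added example (not code from the thread or from HijackThis, Killbox or HSFix), the Python below parses the log lines the responder told the poster to fix and applies the triage heuristics her instructions imply: a start page on an untrusted host, any URLSearchHook, RunOnce entries that reappear every boot, a Run entry naming a program she treats as rogue, and a Startup item named like a browser-cache download. The trusted-host allowlist and the rogue-name list are assumptions, and the embedded log excerpt is constructed from the lines quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: the HijackThis lines the responder asked to fix, plus two
# benign entries from the same log for contrast. Not the full posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/250/
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\System32\SEARCH~1.DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate15418709[1].exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
"""

# Assumptions, not from the thread: an allowlist of acceptable start-page hosts
# and a list of Run-entry names an analyst treats as rogue software.
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}
ROGUE_RUN_NAMES = {"security iguard"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CACHE_NAME_RE = re.compile(r"\[\d+\]\.exe$", re.IGNORECASE)  # e.g. name[1].exe

def classify(line):
    """Return a reason string if this HijackThis entry warrants review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and "Start Page" in body:
        url = body.split("=", 1)[1].strip()
        host = urlparse(url).netloc.lower() or url.lower()
        if host not in TRUSTED_START_HOSTS:
            return f"start page hijacked to {host}"
    if code == "R3" and body.startswith("URLSearchHook"):
        return "URLSearchHook: third-party hook in IE address-bar lookups"
    if code == "O4":
        run = RUN_RE.match(body)
        if run and run.group("key") == "RunOnce":
            return f"RunOnce entry in {run.group('hive')} that reappears every boot"
        if run and run.group("name").lower() in ROGUE_RUN_NAMES:
            return f"known rogue program: {run.group('name')}"
        if body.startswith("Startup:") and CACHE_NAME_RE.search(body):
            return "Startup item with browser-cache style name ([n].exe)"
    return None

def flag_entries(log_text):
    """Return [(line, reason)] for every entry in the log that classify() flags."""
    scored = ((l, classify(l)) for l in log_text.splitlines())
    return [(l, r) for l, r in scored if r]
```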



