
Got "desktop highjack" I Do

Discussion in 'Malware and Virus Removal Archive' started by autoholic, 2005/09/06.

  1. 2005/09/06
    autoholic

    autoholic Inactive Thread Starter

    Joined:
    2005/06/08
    Messages:
    32
    Likes Received:
    0
    Hello again, 1st I gotta say this site ROCKS, You've been very helpful on every post I've done. :cool: This might be tougher! After posting the other morning [fried mo-bo on 1 of my 'puters] I started searching sites on how to build your own 'puter, my screen turned red and said YOUR COMPUTER IS INFECTED! then Symantec/Norton popped up and could not stop or do anything to Object NAME: "C:\WINDOWS\SYSTEM32\WININET.DLL "
    VIRUS NAME: "W32.DESKTOP HIGHJACK" [ unable to repair file ].
    The next screen said all the same except, [access to this file denied]
    The next screen said OBJECT NAME: "C:\WINDOWS\SYSTEM32\OLEEXT.DLL" VIRUS NAME: "TROJAN .DESKTOP HIGHJACK .C "
    unable to repair, next screen said all the same except, access denied
    ADAWARE & Microsoft were running but did not do anything! The virus also added 10 or more internet shortcuts that all go to "HTTP://26.TOPNSSEARCH.COM/SEARCH.PHP?...
    I went offline. [freaked out] Went back online to download updates. Then I found out what this bugger does, Symantec tried to scan and stop @500 or more e-mails being sent to and from my 'puter :eek: during the 1 1/2 hr download and slowed my XP to 1/2 speed or slower. [freaked out again]. Later that day getting the fried 'puter's mo-bo replaced at Best Buy [warranty] they told me the only way to get rid of it is to wipe the HD and start new, only problem is I don't have a startup/reboot disc, but I do have over 40 GIG of music on it. Don't wanna lose it, HELP, THANX,
    AUTOHOLIC
     
  2. 2005/09/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Get SmitRem.Exe, and save it to the Desktop. It is a self extracting file, let it extract itself, creating a folder in the process.
    Reboot into Safe Mode, and double click RunThis.Bat. Your screen will do some strange things.
    After this, please post a HijackThis log.
     


  4. 2005/09/07
    autoholic

    autoholic Inactive Thread Starter

    Joined:
    2005/06/08
    Messages:
    32
    Likes Received:
    0
    desktop highjack

    Sounds good I'll try it! Don't know how long it will take, the virus messes with the internet, try to do it before work, if not I'll post later today. THANX :)
     
  5. 2005/09/07
    autoholic

    autoholic Inactive Thread Starter

    Joined:
    2005/06/08
    Messages:
    32
    Likes Received:
    0
    HijackThis file - Here it is

    Logfile of HijackThis v1.99.1
    Scan saved at 5:56:08 PM, on 9/7/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    C:\WINDOWS\system32\msCMTSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Easy SETI CLI\SETI Driver.exe
    C:\Program Files\Easy SETI CLI\setiathome-3.08.i386-winnt-cmdline.exe
    C:\Program Files\Easy SETI CLI\SetiSpy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\vern\My Documents\C hijack this . ewe\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Fast Search] C:\WINDOWS\system32\svcnv.exe home
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - Startup: SETI Driver.exe.lnk = C:\Program Files\Easy SETI CLI\SETI Driver.exe
    O4 - Startup: SetiSpy.exe.lnk = C:\Program Files\Easy SETI CLI\SetiSpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120414491342
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120415009217
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: RealJukebox 1.0 - {E7FFB2AD-EC2D-15C4-792D-A5D05B634890} - c:\program files\common files\real\update_ob\winxfradf1.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    WoW :D I just learned how to copy & paste :cool: So I hope this helps! Quick downloads this time, I had my server stop all e-mails for me. Look forward to the next step! THANX
     
  6. 2005/09/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Open HJT, and click on 'Open misc tools section', then click on 'Delete a file on reboot'; a File Open window will appear. Copy/paste the following into it.

    C:\WINDOWS\system32\svcnv.exe

    Then click on Open, and you will be prompted to reboot, select No at this time. Rescan with HJT, and remove this item.

    O4 - HKLM\..\Run: [Fast Search] C:\WINDOWS\system32\svcnv.exe home

    Reboot into Safe Mode.
    Delete all files and folders located in these folders.
    C:\Windows\Prefetch
    C:\Windows\Temp
    C:\Documents and Settings\vern\Local Settings\Temp
     
  7. 2005/09/08
    autoholic

    autoholic Inactive Thread Starter

    Joined:
    2005/06/08
    Messages:
    32
    Likes Received:
    0
    Thanx, but when I tried it I could not find anything in my c:\ named svcnv.exe ?, Gotta go to work now :( , I'll check it out later! Thank you!
     
  8. 2005/09/08
    autoholic

    autoholic Inactive Thread Starter

    Joined:
    2005/06/08
    Messages:
    32
    Likes Received:
    0
    I'm back, I still could not find the svcnv file so I went to step 2. E-mail back to norm, SETI running full speed :D , desktop still flashing white then grey when I move the mouse. Ran Norton, said I still had 1 infection, no info, later it popped up c\programfiles\commonfiles\real\update_ob\winxfrad1.dll , not sure about the 1 after winxfrad my son was writing it down. RECENT HJT
    Logfile of HijackThis v1.99.1
    Scan saved at 7:24:03 PM, on 9/8/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    C:\WINDOWS\system32\msCMTSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\vern\My Documents\C hijack this . ewe\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - Startup: SETI Driver.exe.lnk = C:\Program Files\Easy SETI CLI\SETI Driver.exe
    O4 - Startup: SetiSpy.exe.lnk = C:\Program Files\Easy SETI CLI\SetiSpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120414491342
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120415009217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED9496E-D2DB-4578-B7E6-23EFF6E1EE29}: NameServer = 216.250.190.144 216.250.190.145
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: RealJukebox 1.0 - {E7FFB2AD-EC2D-15C4-792D-A5D05B634890} - c:\program files\common files\real\update_ob\winxfradf1.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    Once again thanx for all your help :cool:
    I hope to get this wrapped up before the weekend's over as I will be giving assistance for a week or so in Mississippi :confused: Please help the small towns in both states. GOD BLESS AMERICA
     
  9. 2005/09/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I had missed that one, other than this your log is clean.

    Remove this.
    O21 - SSODL: RealJukebox 1.0 - {E7FFB2AD-EC2D-15C4-792D-A5D05B634890} - c:\program files\common files\real\update_ob\winxfradf1.dll

    Then delete the file.

    Thanx, but when I tried it I could not find anything in my c:\ named svcnv.exe ?, Gotta go to work now , I'll check it out later! Thank you!
    You're welcome. The file has Hidden attributes on it; if you did the 'delete a file on reboot' by pasting "C:\WINDOWS\system32\svcnv.exe" in the File Open window, and did not look for it, then rebooted, it was deleted when you rebooted.

    You may want to try repairing Internet Explorer, as it seems some of its files may be corrupt. You do this by going to Start\Run, typing in "SFC /SCANNOW", and pressing Enter. You will be prompted for your XP CD.
    It wouldn't be a bad idea to install Service Pack 2 for XP at this point.
     
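The triage done by hand across posts 6 and 9 above (spot the odd O4 autostart in system32, notice the O17 NameServer entry that appeared in the second log, question the O21 SSODL hook) can be automated. The following is an added example, not code from this thread or from HijackThis: it parses HJT entry lines, diffs two logs so newly added and removed entries stand out, and flags entry types worth a second look. The sample logs are constructed from the entry lines posted in the thread, and `KNOWN_SYSTEM_AUTOSTARTS` is a hypothetical allowlist, not any vendor's list.

```python
import re
from dataclasses import dataclass

# Constructed sample logs: the entry lines are modelled on the two HijackThis
# logs posted in this thread, trimmed to the lines the example needs.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Fast Search] C:\WINDOWS\system32\svcnv.exe home
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O21 - SSODL: RealJukebox 1.0 - {E7FFB2AD-EC2D-15C4-792D-A5D05B634890} - c:\program files\common files\real\update_ob\winxfradf1.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ED9496E-D2DB-4578-B7E6-23EFF6E1EE29}: NameServer = 216.250.190.144 216.250.190.145
O21 - SSODL: RealJukebox 1.0 - {E7FFB2AD-EC2D-15C4-792D-A5D05B634890} - c:\program files\common files\real\update_ob\winxfradf1.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O4", "O17", ...
    detail: str   # everything after the "O4 - " prefix


LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<detail>.+?)\s*$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed allowlist (hypothetical): autostart binaries under %SystemRoot%
# that the helper in this thread left alone. Anything else launching from
# there is worth a second look.
KNOWN_SYSTEM_AUTOSTARTS = {"hpsysdrv.exe", "igfxtray.exe", "tfswctrl.exe", "recguard.exe"}


def parse_log(text: str) -> list[Entry]:
    """Keep the R*/O* entry lines; the header and 'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that appeared in, and disappeared from, the later log."""
    old, new = parse_log(before), parse_log(after)
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, section, reason) tuples for entries that merit review."""
    findings = []
    for e in entries:
        if e.section == "O17":
            # A per-interface NameServer override redirects every lookup; it must
            # match the resolvers the ISP or router actually hands out.
            ips = IP_RE.findall(e.detail)
            findings.append(("review", e.section, "DNS servers set to " + " ".join(ips)))
        elif e.section == "O4":
            m = PATH_RE.search(e.detail)
            if m:
                path = m.group(0).lower()
                name = path.rsplit("\\", 1)[-1]
                if "\\windows\\" in path and name not in KNOWN_SYSTEM_AUTOSTARTS:
                    findings.append(("suspicious", e.section, "unknown autostart " + path))
        elif e.section == "O21":
            # ShellServiceObjectDelayLoad DLLs are loaded by Explorer at logon;
            # legitimate software rarely registers one, so each gets a look.
            findings.append(("review", e.section, "shell load hook " + e.detail))
    return findings


if __name__ == "__main__":
    for sev, sec, why in triage(parse_log(LOG_BEFORE)):
        print(f"[{sev}] {sec}: {why}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("new since last log:", [e.detail for e in added])
    print("gone since last log:", [e.detail for e in removed])
```

Run against the two constructed logs, the first pass flags the `svcnv.exe` Run entry and the SSODL hook, and the diff shows the Run entry gone and the O17 NameServer entry new, which is the same progression the thread walks through by hand. The allowlist approach is deliberately conservative: it only suppresses names you have already vetted, so an unfamiliar binary under the Windows directory is always surfaced rather than silently accepted.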
