
About black, No desktop background just error pag [RESOLVED]



#16
Guest_thatman_*

Hi Broken__x

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\RECYCLER\NPROTECT\00115486.exe
C:\WINDOWS\system32\wininet.dll
C:\RECYCLER\NPROTECT\00115487.EXE
C:\RECYCLER\NPROTECT\00116075.EXE
C:\RECYCLER\NPROTECT\00116076.EXE
C:\WINDOWS\system32\hhk.dll
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the close button.
When prompted, the system will log off to let it clean out the remaining files. When the log screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0



#17
Broken__x

Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll


Logfile of HijackThis v1.99.1
Scan saved at 13:05:58, on 15/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis sp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#18
Guest_thatman_*

Hi Broken__x

Important Step
Now I need you to check each of the files below to see if we can find a wininet.dll that is not infected
http://virusscan.jotti.org/

C:\WINDOWS\ServicePackFiles\i386
29/08/2002 04:41 599,040 wininet.dll
1 File(s) 599,040 bytes

C:\WINDOWS\SoftwareDistribution\Download\64a79cf0f12e33eb879c32f446d6e441\rtmgdr
07/12/2004 17:37 590,336 wininet.dll
1 File(s) 590,336 bytes

C:\WINDOWS\SoftwareDistribution\Download\64a79cf0f12e33eb879c32f446d6e441\RTMQFE
08/12/2004 02:23 581,120 wininet.dll
1 File(s) 581,120 bytes

C:\WINDOWS\SoftwareDistribution\Download\833ef6e935eca488f438dbe2c5b37e03\rtmgdr
18/02/2005 16:19 592,384 wininet.dll
1 File(s) 592,384 bytes

C:\WINDOWS\SoftwareDistribution\Download\833ef6e935eca488f438dbe2c5b37e03\RTMQFE
18/02/2005 21:45 581,632 wininet.dll
1 File(s) 581,632 bytes

Directory of C:\WINDOWS\system32
29/08/2002 04:41 599,040 wininet.dll <-- Malware bad file; this one we don't need to check
1 File(s) 599,040 bytes

Please post the results from the file check. Thank you

Kc :tazz:
  • 0
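An added example, not part of the original thread, for the file check in the post above: the listing gives only date, time and size, and the system32 copy the post marks as bad has the same values as the ServicePackFiles copy, so the copies have to be told apart by content hash. The listing is trimmed from the post; `a.dll`/`b.dll` and all function names are constructed for the example.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

# Three entries trimmed from the listing in the post (folder line, then file line).
LISTING = r"""
C:\WINDOWS\ServicePackFiles\i386
29/08/2002 04:41 599,040 wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\833ef6e935eca488f438dbe2c5b37e03\rtmgdr
18/02/2005 16:19 592,384 wininet.dll
Directory of C:\WINDOWS\system32
29/08/2002 04:41 599,040 wininet.dll
"""
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) ([\d,]+) (\S+)$")

def same_metadata(listing):
    """Return folders whose copy shares an identical (timestamp, size) pair."""
    groups, folder = defaultdict(list), None
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = ENTRY.match(line)
        if m:
            groups[(m.group(1), int(m.group(2).replace(",", "")))].append(folder)
        else:
            folder = re.sub(r"^Directory of ", "", line)
    return {k: v for k, v in groups.items() if len(v) > 1}

def sha256_of(path):
    """Digest of the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def group_by_content(paths):
    """Map SHA-256 digest -> paths holding exactly those bytes."""
    out = defaultdict(list)
    for p in paths:
        out[sha256_of(p)].append(p)
    return dict(out)

def demo():
    """Constructed stand-ins: equal size and mtime, different bytes."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.dll"), os.path.join(d, "b.dll")
        for path, fill in ((a, b"\x00"), (b, b"\x01")):
            with open(path, "wb") as f:
                f.write(fill * 4096)
            os.utime(path, (1030596060, 1030596060))
        meta = lambda p: (os.path.getsize(p), os.path.getmtime(p))
        return meta(a) == meta(b), len(group_by_content([a, b]))
```

`demo()` returns `(True, 2)`: the two stand-in files agree on size and timestamp yet fall into two separate hash groups.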

#19
Broken__x

On all of the files it came up with this same message

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
  • 0

#20
Guest_thatman_*

Hi Broken__x

Please download the wininet.dll
http://www.dll-files...s.shtml?wininet

Download the file to your desktop and unzip the file to C:\WINDOWS\system32\

A window will pop up and ask if you want to replace the wininet.dll with the one you have downloaded; answer yes. When done, reboot your system.

Then run the panda scan

And post the results back here

Kc :tazz:
  • 0

#21
Broken__x

When I answer yes to the popup it says it cannot be replaced as it's being used by another program. Shall I go into safe mode to extract the file?
  • 0

#22
Guest_thatman_*

Hi Broken__x

Yes please. If that doesn't work, the only thing left is to update to XP_SP2.

This is a very bad infection; you have had most of the experts on the forum involved.
Try this in safe mode: rename the infected wininet.dll to wininet.old, then try to replace it with the new wininet.dll.

But before you try to update, back up all your important files.

Kc :tazz:
  • 0

#23
Broken__x

That worked in safe mode, so I'll just do the Panda scan and will post the results as soon as it's done. Thanks for all this help! =)
  • 0

#24
Guest_thatman_*

Hi Broken__x

That is great news, fingers crossed.

Kc :tazz:
  • 0

#25
Broken__x

If I was to update, is it certain that I would lose older files? So say the music I have on the computer, would all of that be lost?

Here's the Panda scan results



Incident Status Location

Spyware:Spyware/Dyfuca No disinfected Windows Registry
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.old
  • 0



#26
Guest_thatman_*

Hi Broken__x

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\system32\wininet.old
Let the system reboot.

Run panda one more time

Kc :tazz:
  • 0

#27
Broken__x

Incident Status Location

Spyware:Spyware/Dyfuca No disinfected Windows Registry
  • 0

#28
Guest_thatman_*

Hi Broken__x

You have done a great job in repairing your system well done. ;)

Check the other wininet.dll files from your list; if any are infected you know what to do.
http://virusscan.jotti.org/


REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\180ax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ixizgfcp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\saie]



Please save the content of the box above (in red) to a new file in Notepad.
Save as Dyfuca.reg
to your desktop
save type: all files
Close Notepad.
Double-click the file click.reg and grant permission to merge the registry entries.

Reboot your system

The item that is left is a useless registry key that has no software to operate with.
If you feel up to one more scan with Panda

Kc :tazz:
  • 0
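A read-only parser for the .reg format used in the post above, added here as an example and not part of the original thread: it lists what a merge would do, separating `[-KEY]` lines (delete a key and everything under it) from `"name"=-` lines (delete one value). `plan_reg_merge`, `review` and `CONSTRUCTED_REG` are names and sample data made up for this example.

```python
import re

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# The file exactly as posted in the thread.
POSTED_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\180ax]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ixizgfcp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\saie]
"""

# Constructed for comparison: one value deletion, then deletion of the whole Run key.
CONSTRUCTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"example_entry"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"""

def plan_reg_merge(text):
    """List (action, key, value_name) for each change a merge would make; reads only."""
    lines = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: header line missing")
    ops, current = [], None
    for line in lines[1:]:  # multi-line hex continuations are out of scope here
        key = KEY_LINE.match(line)
        value = VALUE_LINE.match(line)
        if key and key.group(1):        # [-KEY] removes the key with all subkeys and values
            ops.append(("delete-key", key.group(2), None))
            current = None
        elif key:                       # [KEY] only selects where the following values go
            current = key.group(2)
        elif value and current:         # "name"=- removes one value, anything else sets it
            action = "delete-value" if value.group(2).strip() == "-" else "set-value"
            ops.append((action, current, value.group(1).strip('"')))
        else:
            raise ValueError(f"unrecognised or misplaced line: {line!r}")
    return ops

def review(ops):
    """Flag deletions aimed at a whole autostart key instead of a single entry in it."""
    risky = ("run", "runonce")
    return [key for action, key, _ in ops
            if action == "delete-key" and key.rsplit("\\", 1)[-1].lower() in risky]
```

For the posted file, `plan_reg_merge` yields four `delete-key` operations on keys named 180ax, ixizgfcp, msbb and saie beneath `run`, and `review` flags none of them; the constructed file shows the value-level form and the one deletion that would be flagged.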

#29
Broken__x

I'm just doing the Panda scan. My mum was wondering, is there a way of sending a donation kinda...thing..?
  • 0

#30
Broken__x

Incident Status Location

Spyware:Spyware/Dyfuca No disinfected Windows Registry
  • 0





