Bloodhound.W32.EP --- WININET.DLL [CLOSED]


  • This topic is locked

#1
LonstaDaMonsta

    New Member

  • Member
  • Pip
  • 5 posts
AHhh this is a crazy virus. My desktop changed, and I have minor spyware... but who knows what else this virus is doing besides getting annoying with Norton telling me I have it but can't fix it.

Norton pops up:

Norton AntiVirus has detected a virus on your computer.

Object name: C:\WINDOWS\SYSTEM32\WININET.DLL


I just got an internet explorer error, so I'm gonna hurry and post this before I lose it-- if anyone could help me I'd really appreciate it.

~ Lonnie
  • 0


#2
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and post your log here.
  • 0

#3
LonstaDaMonsta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:06:43 AM, on 6/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ntti.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\smscfg.ini:egnee
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\My Music\Fish Bowl\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC2B3.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntti.exe] C:\WINDOWS\system32\ntti.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32F36236-FD6C-4C8A-A0AD-42378BC3214C}: NameServer = 209.16.220.30 209.16.220.31
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\smscfg.ini:egnee.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
  • 0
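
Added example, not part of the original thread or any poster's advice: a small Python triage pass over a HijackThis log that flags entry patterns worth a manual look, run here on lines copied from the log in post #3. The four heuristics (a path that names an NTFS alternate data stream, extra programs on the F2 `Shell=` line, a BHO backed by a .tmp file, an ActiveX codebase loaded from a local file:// cab) are generic assumptions chosen for this example, not verdicts given by the helper in this thread.

```python
import re

# Excerpt copied from the HijackThis log in post #3 above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\smscfg.ini:egnee
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC2B3.tmp
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\smscfg.ini:egnee.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A drive path followed by a second colon and a name: an NTFS alternate data stream.
ADS = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^:\n]*:[^\\/:\s]+")

def triage(log_text):
    """Return (section, reason, line) tuples for entries that merit manual review."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if m:
            in_processes = False
        elif not (in_processes and line):
            continue  # header or blank line outside the process list
        section, body = (m.group(1), m.group(2)) if m else ("PROC", line)
        if ADS.search(body):
            findings.append((section, "path names an NTFS alternate data stream", line))
        if section == "F2" and "Shell=" in body:
            extra = [t for t in re.split(r"[,\s]+", body.split("Shell=", 1)[1])
                     if t and t.lower() != "explorer.exe"]
            if extra:
                findings.append((section, "shell launches extra programs: " + ", ".join(extra), line))
        if section == "O2" and body.lower().endswith(".tmp"):
            findings.append((section, "BHO module is a .tmp file", line))
        if section == "O16" and "file://" in body.lower():
            findings.append((section, "ActiveX codebase is a local file:// cab", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

A flagged line is only a prompt for review; the ordinary Run entry and the iPod service line in the excerpt pass through unflagged.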

#4
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log into this topic.

Do NOT download Service Pack 2, that will only make problems worse; just Service Pack 1.
  • 0

#5
LonstaDaMonsta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I can't successfully run the service pack...

When it is "Inspecting current configuration", about a minute later it pops up saying "Service Pack 1 Setup Error":
"The file c:\windows\system32\wininet.dll is open or in use by another application.
Close all applications and then click retry."
So I already have them all closed, so I clicked retry, and every time I do, it gives me the same message, and every time I click retry, Norton pops up with its error.

Ahh this virus is killing me... let me know what I should do next.

Lonnie

Edited by LonstaDaMonsta, 22 June 2005 - 12:36 PM.

  • 0

#6
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's OK, Lonnie! Try not to panic :tazz:

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.
  • 0

#7
LonstaDaMonsta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi, thanks-- trying not to panic :tazz:
I did what you said, here's what the files.txt says:

Volume in drive C is HP_PAVILION
Volume Serial Number is 9C2B-62E7

Directory of C:\WINDOWS\SYSTEM32

08/18/2001 12:36 AM 593,920 wininet.dll
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\SYSTEM32\dllcache

08/18/2001 12:36 AM 593,920 wininet.dll
1 File(s) 593,920 bytes



Thanks again,
Lonnie
  • 0

#8
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please locate this file:

C:\WINDOWS\System32\wininet.dll

Right-click on wininet.dll and go to "Send to > Compressed (Zipped) Folder"

It will create a zipped folder inside the system32 folder called "wininet.zip". I need you to right-click on the zipped folder and go to "Explore". When the window opens, go up to "File > Add A Password". Enter the password as wininet and confirm the password. Let me know when that's done and I will PM you the e-mail address I need the zipped folder sent to. As soon as I receive the folder, we will finish this infection off!
  • 0

#9
LonstaDaMonsta

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Arghh.. why can't this be easy? Heh.. I received an error when trying to compress to a zip folder.

First, when I right-clicked wininet.dll and pressed "Send To > Compressed (Zipped) Folder", a thing popped up that read:

"For Compressed (Zipped) folders to handle ZIP files correctly, the application associated with them must be compressed (zipped) folders. Currently this is not the case.
Do you want to designate Compressed (zipped) Folders as the application for handling ZIP files?"

So I clicked yes, and got an error: "File not found or no read permission"

I did the same thing, and this time I clicked No instead, and got the same error.

Sorry that I'm not making this easy on you.. I was so excited we're so close :tazz: Please let me know what to do next.

Thanks again,
Lonnie
  • 0

#10
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
That's OK! No worries, I was hoping I would be able to get that file, but it looks like it's being extra stubborn :tazz:

I will be back in a flash to tell you what to do with it!
  • 0

#11
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's important all steps be done exactly, otherwise you will lose Internet access. Please print them out!

If you do not understand something, please let me know before continuing!

*Important* Set your system to SHOW HIDDEN FILES

I need you to reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Once in Safe Mode:

Using Windows Explorer (you can get to Windows Explorer by going to Start > "My Computer", then double-clicking "C:\"), locate this file:

C:\WINDOWS\System32\wininet.dll

Right-click on it and select "Rename" and rename it to wininet.old

Then go into this folder (it will be hidden so make sure hidden files are showing!):

C:\WINDOWS\SYSTEM32\DLLCACHE

Inside the "DLLCACHE" folder, locate wininet.dll. Right-click on it and choose "copy" (NOT cut!).

Then go back into C:\WINDOWS\System32
Right-click an open space and choose "Paste".

Delete the following:
C:\WINDOWS\System32\wininet.old

Reboot your computer into normal mode and post a new HiJackThis log.
  • 0

#12
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
  • 0





