trojan.desktophijack and related [resolved]
#1 glennc007 (Member, 41 posts)
Hi,

I've read a bunch of posts to try and understand, and hopefully fix, some malware problems, but I have a major problem: all I get upon boot-up is the blue screen with the "smitfraud error message" and no icons, no start button, nothing. After running Spybot and Norton Antivirus in normal mode to clean the following:

Trojan.desktophijack.B
Trojan.byteverify
w32.desktophijack
trojan.desktophijack

upon the next reboot, all I got was the blue screen. I tried safe mode, and there I have a totally black screen; again, no icons, no start button, nothing. I have been able to run NAV and Spybot in safe mode through the Run command after opening the Task Manager window, and it seemed to clean out some things, but still

oleadm.dll
wininet.dll

are on the system and presumably a major reason for all this. I can't even download HijackThis to that machine (I'm at another terminal now) as I can't get any programs to run in normal mode. Can someone please guide me on the path to sanity?

Thanks,
-Glenn
#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome glennc007 to Geeks to Go!

Can you download it on this machine and transfer it to the infected one?

Then run it using Task Manager. The log can then be transferred to this computer and posted here.

#3 glennc007 (Topic Starter, Member, 41 posts)
OK. I was able to run HijackThis in safe mode with networking over my LAN through Task Manager. Please advise on next steps. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:06 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
\Glenn\glennshare\HijackThis.exe

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [imouovf] c:\windows\system32\imouovf.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejna32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrzanp.exe reg_run
O4 - HKLM\..\Run: [tF6Q3nX] imgrssk.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hswnfc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Kaqqsp.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\RunOnce: [LUSETUP-LT] C:\PROGRA~1\Symantec\LIVEUP~1\LUSETU~1.EXE -s -a -q -log
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ndac.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.globolook...m::/dropper.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lsdiorw - Logiciels & Services Duhem, Paris, France - C:\Program Files\mac disk\lsdiorw\lsdiorw2.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
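Added example, not part of the thread and not HijackThis code: a small Python script that parses the kinds of O-lines that appear in the log above and flags the entries a helper would look at first. The sample lines are copied from the posted log; the flagging rules are triage heuristics chosen for this write-up (an O2/O3 object with no backing file, an O4 entry started by a bare filename rather than a full path, an O16 download source that is not a plain http(s) URL or that points straight at an .exe, an O18 filter on text/html, an O23 service with no publisher), and names such as `triage` and `launch_target` are mine. A flag means "look at this", not "this is malware": `nwiz.exe` would trip the bare-filename rule too.

```python
"""Triage of HijackThis 1.99 log lines.

Added example; this is not HijackThis code and the rules below are
heuristics chosen for this write-up, not anything the tool itself applies.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tF6Q3nX] imgrssk.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - Global Startup: ndac.exe
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:default.mht!http://www.globolook...m::/dropper.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O2O3_RE = re.compile(r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>.*?)\))? - (?P<url>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # O2, O3, O4, O16, O18 or O23
    subject: str  # run-key name, CLSID, MIME type or service name
    reason: str


def launch_target(command: str) -> str:
    """Return the file an O4 command line really loads.

    Handles a quoted executable path and the ``rundll32 <dll>,<entry>`` form.
    An unquoted path with spaces is cut at the first space, which is enough
    for the only question asked here: does the target carry a directory?
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:]
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        dll = rest.strip().split(" ", 1)[0]
        return dll.split(",", 1)[0]
    return exe


def parse_o4(rest: str) -> tuple[str, str]:
    """Split an O4 payload into (display name, command)."""
    m = re.match(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.+)$", rest)
    if m:
        return m["name"], m["cmd"]
    # Global Startup entries: "shortcut.lnk = target" or just a bare filename.
    name, sep, target = rest.partition(" = ")
    return (name, target) if sep else (rest, rest)


def triage(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        line = line.rstrip()
        if m := O2O3_RE.match(line):
            if m["path"] == "(no file)" or m["path"].endswith("(file missing)"):
                findings.append(Finding(m["sec"], m["clsid"],
                    "registered object has no backing file (orphaned, or the file is hidden/removed)"))
        elif m := O4_RE.match(line):
            name, cmd = parse_o4(m["rest"])
            target = launch_target(cmd)
            if "\\" not in target:
                findings.append(Finding("O4", name,
                    f"bare filename {target!r} is resolved via PATH, so where it lives is unverified"))
        elif m := O16_RE.match(line):
            url = m["url"].lower()
            scheme = url.split(":", 1)[0]
            if scheme not in ("http", "https") or url.endswith(".exe"):
                findings.append(Finding("O16", m["clsid"],
                    f"ActiveX download source uses scheme {scheme!r} and/or points straight at an executable"))
        elif m := O18_RE.match(line):
            if m["mime"].lower() == "text/html":
                findings.append(Finding("O18", m["mime"],
                    "a MIME filter on text/html sees every page the browser renders"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", m["name"],
                    "service binary carries no publisher information"))
    return findings


def sample_lines() -> list[str]:
    return [l for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    for f in triage(sample_lines()):
        print(f"{f.section:>4} {f.subject}: {f.reason}")
```

Run it against a full log by feeding `triage()` the file's lines; anything it does not recognise (O1 hosts entries, O9 buttons, and so on) is simply skipped, so extend the regexes if you want those covered.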

#4 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Let's start with getting this infected computer accessible again.

There's a lot of junk there. We will take that on when we can access the computer.

On the working computer:
Download SmitRem to your desktop.
Unzip it to your desktop. Copy the folder to your transport disk (let's say that is called A:).

On the infected computer.

Click File>New Task (Run) and select Browse.
Navigate to A:\ and right click>copy the smitRem folder.
Now browse to C:\ and right click>paste.
Now double click the smitRem folder in C: and select the RunThis.bat file, then click Open and OK.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Copy that log to A: and post it here.

Reboot the infected computer and tell me what happens.

#5 glennc007 (Topic Starter, Member, 41 posts)
OK. I ran the smitRem program. It completed and went to disk cleanup. Upon reboot, there is just a blue screen now. The "smitfraud error message" is gone. Still no icons / no desktop / no start menu etc.

I searched for Smitfiles.txt everywhere on the drive, but it does not exist (???). I even shared the C drive and searched from another terminal, but no log file could I find.

Next steps?

Thank You!!!

-Glenn

#6 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Did you copy the entire folder to the infected machine?
Can you try to rerun the tool?

#7 glennc007 (Topic Starter, Member, 41 posts)
I did copy the entire folder, which included 4 files. I already reran the tool once, but again, no log file anywhere to be found. I will try one more time, but if there is something else we can try, please advise.

G

#8 glennc007 (Topic Starter, Member, 41 posts)
" A good copy of wininet.dll was not found. Pls talk to your advisor on other locations to look" came up during the tool.

-G

#9 glennc007 (Topic Starter, Member, 41 posts)
I'm going nuts looking for the smitRem log file. It really is nowhere to be found. When I run SmitRem in safe mode, I get the "no good copy could be found" message. In normal mode, it runs through fine, but still no log file to be found!

Glenn

#10 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
I'm consulting the expert on this infection. Please hold, I'll be back.
#11 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
advice removed

Edited by g2i2r4, 11 July 2005 - 04:52 PM.


#12 glennc007 (Topic Starter, Member, 41 posts)
Uh, already done. OK. This was all a bit weird. Here's what happened:

1. I tried to copy the wininet.dll file, but it was in use, so it wouldn't let me. Well, I used HijackThis to kill some processes that were using the dll and eventually it let me.

2. I go to another terminal on the network and try to copy that wininet.dll file to my desktop. After selecting the file, my McAfee woke up and said it was infected with the Alemod virus. It wouldn't let me copy the file anyway because it was apparently still in use.

3. I go back to the other machine, kill some more processes and I rename the original wininet.dll to wininet.old and copy it over to the working system. I run panda, and it says there's no virus. I put this supposedly 'clean' wininet.dll back on the other system and reboot.

4. Machine boots up and no change. However, when I go to delete the wininet.OLD file, it says it's in use and I can't delete it. I could move it though, so I moved it out of the system32 folder to a new folder on C.

In any event, no change in the infected system right now.

Your continued help is appreciated.

#13 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please make absolutely sure the infected file is no longer on your running machine!!!

Let's see if there are any other copies on the infected machine.


On your running machine:
Copy the lines below and paste them into Notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

rem /a lists files with any attribute (hidden and system too); /s recurses into subfolders
dir %SystemDrive%\wininet.dll /a /s > files.txt
start notepad files.txt


Copy that file to the infected machine.

Run wininet.bat using Task Manager. When it is ready it will open files.txt.
Copy the content of files.txt and paste it here.

#14 glennc007 (Topic Starter, Member, 41 posts)
Volume in drive C has no label.
Volume Serial Number is 4807-D18E

Directory of C:\Program Files\Common Files\Adaptec Shared\System

04/23/1999 10:22 PM 459,024 Wininet.dll
1 File(s) 459,024 bytes

Directory of C:\Program Files\Common Files\Adobe\Fonts\Reqrd\CMaps

12/13/2001 08:50 PM 3,960 H
1 File(s) 3,960 bytes

Directory of C:\WINDOWS\system32

07/11/2005 06:11 PM 599,040 wininet.dll
1 File(s) 599,040 bytes

Total Files Listed:
3 File(s) 1,062,024 bytes
0 Dir(s) 21,906,157,568 bytes free
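Added example, not code from the thread or from g2i2r4: a Python script that reads a files.txt produced by a `dir <file> /a /s` command like the one above and reports every copy of the requested DLL with its size, timestamp and location. The sample listing is the one posted above, laid out the way cmd.exe writes it. Two things it handles that a quick read of the listing can miss: the `H` entry is not a wininet.dll at all (the batch file's `/a h` made `h` a second filename pattern), so matching is by name; and a copy whose modification date is within a day or two of the scan is marked, since a system DLL that changed on the day of the infection is the one to treat as suspect. It assumes the US date/time format shown in the listing; `classify`, `find_copies` and the `wfp_cache` label are my names, and the dllcache and ServicePackFiles folders are the places Windows File Protection on XP keeps its own pristine copies.

```python
"""Triage of a ``dir <file> /a /s`` listing saved to a text file.

Added example, not from the thread. It parses the listing format cmd.exe
produces (US date/time format assumed, as in the listing above) and reports
every copy of a given DLL with its size, timestamp and where it sits.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the files.txt content posted above, in cmd.exe's layout.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 4807-D18E

 Directory of C:\Program Files\Common Files\Adaptec Shared\System

04/23/1999  10:22 PM           459,024 Wininet.dll
               1 File(s)        459,024 bytes

 Directory of C:\Program Files\Common Files\Adobe\Fonts\Reqrd\CMaps

12/13/2001  08:50 PM             3,960 H
               1 File(s)          3,960 bytes

 Directory of C:\WINDOWS\system32

07/11/2005  06:11 PM           599,040 wininet.dll
               1 File(s)        599,040 bytes

     Total Files Listed:
               3 File(s)      1,062,024 bytes
               0 Dir(s)  21,906,157,568 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
FILE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)
DATE_FMT = "%m/%d/%Y"  # US layout, as in the listing; change for other locales


@dataclass(frozen=True)
class DirEntry:
    directory: str
    name: str
    size: int
    mtime: datetime


@dataclass(frozen=True)
class Copy:
    path: str
    size: int
    mtime: datetime
    location: str  # "system32", "wfp_cache" or "other"
    recent: bool   # modified within `recent_days` of the scan date


def parse_dir_listing(text: str) -> list[DirEntry]:
    """Walk the listing, remembering the current 'Directory of' header."""
    entries: list[DirEntry] = []
    current = None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current = m["path"]
            continue
        m = FILE_RE.match(line)
        if not m or current is None or m["size"] == "<DIR>":
            continue  # volume header, per-directory totals, subdirectory rows
        mtime = datetime.strptime(f"{m['date']} {m['time']}", DATE_FMT + " %I:%M %p")
        entries.append(DirEntry(current, m["name"], int(m["size"].replace(",", "")), mtime))
    return entries


def classify(directory: str) -> str:
    """Where a copy sits; dllcache and ServicePackFiles hold WFP's pristine copies on XP."""
    d = directory.lower()
    if d.endswith(r"\system32"):
        return "system32"
    if d.endswith(r"\system32\dllcache") or r"\servicepackfiles\i386" in d:
        return "wfp_cache"
    return "other"


def find_copies(entries, filename: str, scan_date: str, recent_days: int = 2) -> list[Copy]:
    """Keep only entries actually named `filename` (a listing made with a
    mistyped switch such as `/a h` also lists any file called `h`) and mark
    those modified within `recent_days` of the scan."""
    scanned = datetime.strptime(scan_date, DATE_FMT).date()
    copies: list[Copy] = []
    for e in entries:
        if e.name.lower() != filename.lower():
            continue
        recent = abs((e.mtime.date() - scanned).days) <= recent_days
        copies.append(Copy(e.directory + "\\" + e.name, e.size, e.mtime, classify(e.directory), recent))
    return copies


if __name__ == "__main__":
    for c in find_copies(parse_dir_listing(SAMPLE_LISTING), "wininet.dll", "07/11/2005"):
        flag = "RECENTLY MODIFIED" if c.recent else ""
        print(f"{c.location:<10} {c.size:>9,} {c.mtime:%Y-%m-%d %H:%M} {c.path} {flag}")
```

The size and date alone do not tell you which copy is clean; they tell you which one to hash and which ones to compare against. A file version check on each copy (or a hash compared with a known-good installation of the same Windows and IE service-pack level) is the step that settles it.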

#15 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Miekemoes and Noadfear are the real experts on this infection. As I feel this to be 'a special case', I'm asking their advice on how to move on.

I'll get back as soon as possible.