W32.Desktophijack [resolved]


  • This topic is locked

#16
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Sorry for not getting back to you. Have been trying to dig out my XP CD.

Here is the smitRem Log:



Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!

And here is the PANDA scan:


Incident Status Location

Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM32\thn.dll
Adware:adware/tubby No disinfected HKEY_CURRENT_USER\SOFTWARE\MTC MTC
Adware:Adware/E-eliminator No disinfected C:\WINDOWS\system32\shdocsv.dll
Looks like it's not all cleared up. Please let me know what I need to do next.

Many thanks
  • 0


#17
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
No problem, I'm here anyway :tazz:
We're getting there.

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\SYSTEM32\thn.dll
C:\WINDOWS\system32\shdocsv.dll

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Open Notepad.
Copy the purple text to an empty file.
Save it as ‘panda.reg’ to your desktop.
Choose ‘save as all types *.*’

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\MTC]


Close Notepad.

Find ‘export.bat’ on your desktop.
Double-click the file.
Grant permission to add this to the Registry. Wait for the 'merge successful' message.

***

Reboot and see if you can rerun panda for me.
  • 0

#18
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Just a couple of things on the Panda Report. Please see below.


Incident Status Location

Adware:adware/tubby No disinfected HKEY_CURRENT_USER\SOFTWARE\MTC MTC
Adware:Adware/E-eliminator No disinfected C:\!Submit\shdocsv.dll
  • 0

#19
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You may remove the entire C:\!Submit\ folder.

I've been looking into that find of tubby. Looks like we can leave this entry for it will not harm you. That means your computer is cleaned now.

Is it running okay now?
  • 0

#20
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Thanks for all the help so far.

I am still getting messages from Norton that my system is infected with W32.desktophijack in c:windows\system32\wininet.dll.

I have it quarantined so it isn't doing very much. I just can't stand the alerts every time I open up any software.

Is there anything I can do further?
  • 0

#21
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
      • Enter Drive, e.g. C:\
  • In the box labeled "Enter the file to search"
      • Enter wininet.* to search for the file(s)
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post
  • 0

#22
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Here is the export.

C:\WINDOWS\system32\wininet.dll - 593920 Bytes
C:\WINDOWS\system32\dllcache\wininet.dll - 593920 Bytes

Look forward to hearing from you.
  • 0

#23
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\System32\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.

Do the same for this file:
C:\WINDOWS\system32\dllcache\wininet.dll
  • 0

#24
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Slight problem. When I try to upload the first file I get:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Have tried again with Firewall Temporarily disabled and I still get the same message.

As for the other file I can't find it. It isn't where it says it is. I have searched my whole computer and it can't find it.

Where could it be?

Any suggestions?
  • 0

#25
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
First do this:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
See if you can get it scanned then.

Otherwise:
apply Service Pack 1a for Windows XP
Click here
Apply the update, reboot, and let me know how things are now.
  • 0


#26
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Here goes. Was able to upload the second one. This was the result. It says it's ok.

The first file still won't upload. Due to "malware prohibiting upload"

Any suggestions?

Service load: 0% 100%

File: wininet.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 cf9f1eef71f42ede71b6f4aa05d5ca1a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
  • 0
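
Added example, not part of the original thread or of any tool used in it: the FileFind export above lists both wininet.dll copies at 593920 bytes, yet equal size says nothing about equal content. This Python script compares an active file with its cached copy by hash and reports an unreadable file as its own result; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def digests(path, chunk=1 << 16):
    """Return (size, md5, sha256) for path, or None if it cannot be read."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                size += len(block)
                md5.update(block)
                sha.update(block)
    except OSError:  # missing, locked by another process, or access denied
        return None
    return size, md5.hexdigest(), sha.hexdigest()

def compare_copies(active, cached):
    """Compare an in-use system file with its cached copy by content."""
    a, c = digests(active), digests(cached)
    if a is None or c is None:
        verdict = "unreadable"  # could not be verified; not the same as clean
    elif a[2] == c[2]:
        verdict = "identical"
    elif a[0] == c[0]:
        verdict = "same-size-different-content"
    else:
        verdict = "different"
    return {"verdict": verdict, "active": a, "cached": c}

def demo():
    """Constructed sample: two 593920-byte files that differ in four bytes."""
    d = tempfile.mkdtemp()
    cached = os.path.join(d, "cached_copy.dll")   # hypothetical file names
    active = os.path.join(d, "active_copy.dll")
    clean = bytes(593920)
    altered = bytearray(clean)
    altered[4096:4100] = b"\x01\x02\x03\x04"
    for path, data in ((cached, clean), (active, altered)):
        with open(path, "wb") as f:
            f.write(data)
    missing = os.path.join(d, "missing.dll")
    return (compare_copies(active, cached), compare_copies(cached, cached),
            compare_copies(missing, cached))

if __name__ == "__main__":
    for result in demo():
        print(result["verdict"])
```
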

#27
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Go to your C:\Windows\system32-folder and rename the bad wininet.dll to wininet.old
Then on top in the menu, choose tab 'view' > 'refresh'
Look if there is a new wininet.dll created in your system32-folder.

If not...

Go to your C:\Windows\system32\system32\dllcache-folder and right-click on the good wininet.dll and choose copy.
Go back to your C:\Windows\system32-folder, right-click anywhere in that folder and choose paste.
  • 0

#28
A Bishop

  • Topic Starter
  • Member
  • 28 posts
No joy with either method. I get the following message.

Error Copying File or Folder

Cannot copy wininet: Access is denied

Make sure the disk is not full or write-protected and that the file is not currently in use.

Do you think it might be worth trying this in safe mode?
  • 0

#29
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please do
  • 0

#30
A Bishop

  • Topic Starter
  • Member
  • 28 posts
Now that seems to have done the trick.

I have run all the scans I have and can't find anything.

Is there anything else I might need to do?
  • 0





