i've been attacked! [CLOSED]


This topic is locked

#16 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Everything is in a specific order for a reason. Yes, it would have been preferable to run Cleanup first.

1. Deactivate or UNINSTALL the Watch Dog program because it may interfere with our fixes.

2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please RUN HijackThis. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System.

If you see that those 2 items are still there, go into your Internet Options and manually change both to what you want. Then click apply. REBOOT your system and check your log.

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren



#17 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...how do I deactivate or uninstall Watchdog? I can't simply delete it since it says it is being run by Windows. I can't find it in my control panel under Add/Remove programs. And I don't have it in my Startup taskbar so there's no option to uninstall the application.

#18 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Attempt the fix without uninstalling Watchdog.

Trevuren

#19 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...hope this works...I fixed the 2 entries in HJT as instructed. I rebooted and saw that the items were no longer there, but when I launched IE about:blank was there and I changed my default home page. I rebooted once again and my home page was changed to the setting I designated. Here's my HJT log currently...


Logfile of HijackThis v1.99.1
Scan saved at 11:24:51 PM, on 7/12/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MLT1100L\Wswpd.exe
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
F1 - win.ini: run=C:\MLT1100L\WSWPD.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Minolta PageWorks/Pro 1100L] C:\MLT1100L\WSWPD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Tools_95\IMGSTART.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Tools_95\IMGICON.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Tools_95\IOWATCH.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://www.cookiecen...ex/ikcntrls.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://rpma02ln.rush.edu/iNotes.cab



Looks OK right? I'm worried that the virus is still hiding somewhere though...looking forward to your suggestions.
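The entries Trevuren singled out in #16 (an R1 home page pointing at an unknown host, an R0 search setting set to about:blank) and the O4/O16 lines in the log above are what a helper scans for first. The Python below is an added example, not HijackThis code or anything posted in the thread: it parses HJT-format lines and flags those patterns; the sample log, the TRUSTED_IE_HOSTS allowlist and the [Updater] line are constructed assumptions, not the poster's actual entries.

```python
"""Triage a HijackThis log: flag the R0/R1 and O4 entries a helper fixes first.

Added example for this thread; not HijackThis code or the helper's tooling.
The sample log is constructed from line shapes seen in the thread; the
[Updater] line is a constructed entry, not one the poster had.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/access/allinone.asp
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\TEMP\3jzeQj4A.exe
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
"""

# Every HJT line is "<section> - <body>", e.g. "R1 - ...", "O4 - ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed allowlist of Internet Explorer default hosts; a real helper keeps a
# longer, maintained list.  Any other host in an R0/R1 setting gets flagged.
TRUSTED_IE_HOSTS = {"home.microsoft.com", "www.microsoft.com", "search.msn.com"}

# Executables started from temp or browser-cache directories are a classic
# downloader footprint (compare the TEMP hit in the MWav list later on).
TEMP_DIR_MARKERS = ("\\TEMP\\", "\\TEMPOR~1\\", "\\TEMPORARY INTERNET FILES\\")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "fix" = tick in HJT and Fix checked; "review" = look at it
    reason: str
    line: str


def host_of(value: str) -> str:
    """Lower-cased host of a URL, or '' for about:blank and other non-URLs."""
    try:
        return (urlsplit(value.strip()).hostname or "").lower()
    except ValueError:
        return ""


def check_r(body: str):
    # R0/R1 body: "<registry key>,<value name> = <setting>"
    key, sep, setting = body.partition(" = ")
    if not sep:
        return None
    if setting.strip().lower() == "about:blank":
        return ("fix", "IE setting blanked (hijack residue): " + key)
    host = host_of(setting)
    if host and host not in TRUSTED_IE_HOSTS:
        return ("fix", f"IE setting points at untrusted host {host}")
    return None


def check_o4(body: str):
    # O4 body: "<hive>\..\Run: [<entry name>] <command line>"
    _, sep, command = body.partition("] ")
    if sep and any(m in command.upper() for m in TEMP_DIR_MARKERS):
        return ("fix", "autostart runs an executable from a temp directory")
    return None


def check_o16(body: str):
    # O16 body: "DPF: {CLSID} (Name) - <download URL>"; always worth a look.
    _, sep, url = body.rpartition(" - ")
    return ("review", f"downloaded ActiveX control from {host_of(url)}") if sep else None


CHECKS = {"R0": check_r, "R1": check_r, "O4": check_o4, "O16": check_o16}


def triage(log_text: str) -> list:
    """Return a Finding for every recognised, suspicious line in the log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m["section"])
        verdict = check(m["body"]) if check else None
        if verdict:
            findings.append(Finding(m["section"], verdict[0], verdict[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n          {f.line}")
```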

#20 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Looks good from here. Try this final test.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

***NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items"; please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Regards,

Trevuren


#21 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...I ran the MWav program and here is the list of infected items...


File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\Desktop\cuteftp.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\Desktop\Ad Aware.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\IE32DSW.TXT". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\ASIPORT.RSR". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\ASIFONT.MAP". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\M5DRVR32.RSR". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\XOBGLU16.DLL". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\XOBGLU32.DLL". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\SWASTRM.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\GIFIMPOR.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\JPEGIMPO.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\MIX32.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\NETFILE.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\NETLINGO.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\SOUNDIMP.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\SWADCMPR.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Macromed\Director\xtras\BRWSSERV.X32". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\isdnm.vxd". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\logo.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\scribble.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\dot.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\mnature.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\hoverbot.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\will.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\powerpup.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "E:\Office\Actors\genius.act". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime.cpl". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime.qts". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTimeCheck.OCX". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\Indeo4.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeStreaming.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeInternetExtras.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeStreamingExtras.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeWebHelper.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTimeVR.qtx". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Canon\RAW Image Task\ZbTaskRIC.dll". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\pxwma.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "c:\windows\SYSTEM\disktool.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{E05592E4-C0B5-11D0-A439-00A0C9223196}" refers to invalid object "ksqmf.ax". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{E9975030-D326-11D0-BDE6-00AA001A1953}" refers to invalid object "C:\WINDOWS\SYSTEM\MSAAHTML.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{3585b601-4773-11CF-BBF2-0020AFEF3E57}" refers to invalid object "C:\PROGRA~1\CARBON~1\iccwker.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{C306851C-EEF8-49DB-9FA0-758AA1FCC220}" refers to invalid object "C:\Program Files\Canon\RAW Image Task\ZbTaskRIC.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{790E4EBE-13DD-485E-99DB-A7C95D1B0A54}" refers to invalid object "C:\Program Files\Canon\RAW Image Task\ZbTaskRIC.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{14CF1665-9FA2-4D3F-BB16-DA40FD978745}" refers to invalid object "C:\PROGRAM FILES\CANON\REMOTECAPTURE TASK\ZBTASKREMOTECAPTURE.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBCONTROLWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{0dabacb1-1a16-4082-a610-3d0b3a2a94fc}" refers to invalid object "C:\PROGRAM FILES\WINAMP\PLUGINS\CDDBUIWINAMP.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{C5FC17C0-EDB0-11D9-9D6A-D95032558ED4}" refers to invalid object "C:\WINDOWS\SYSTEM\CPBN.DLL". Action Taken: No Action Taken.

Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.

Entry "HKCR\Netscape Starting" refers to invalid object "{EBBFE288-BDF0-11D2-BBE5-00609419F467}". Action Taken: No Action Taken.

Entry "HKCR\Zb.ZbCmdProcessRawImages" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.

Entry "HKCR\Zb.ZbCmdProcessRawImages.1" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.

Entry "HKCR\Zb.ZbCmdRemoteCapture" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.

Entry "HKCR\Zb.ZbCmdRemoteCapture.1" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.

File C:\WINDOWS\home.reg infected by "Trojan.JS.Seeker.e" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.

File c:\windows\TEMP\3jzeQj4A.exe infected by "Trojan-Downloader.Win32.Agent.jw" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\TH8XCPHF\aawsepersonal[1].exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\TEMPOR~1\Content.IE5\TH8XCPHF\aawsepersonal[1].exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\WIN98_59.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\CONTENT\DISNEY\IE4CACHE.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40US.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\Desktop\cuteftp.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\Desktop\Ad Aware.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\temp\3jzeQj4A.exe infected by "Trojan-Downloader.Win32.Agent.jw" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\Temporary Internet Files\Content.IE5\TH8XCPHF\aawsepersonal[1].exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\home.reg infected by "Trojan.JS.Seeker.e" Virus! Action Taken: No Action Taken.

File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Introreg\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Introreg\UNWISE32.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Go!Zilla\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\GlobalSCAPE\CuteFTP\unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\AIM95\unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\DivXCodec\DivXPro502GAINBundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\WIN98_59.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\CONTENT\DISNEY\IE4CACHE.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\OPTIONS\CABS\OLS\AOL\AOL40US.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\Desktop\cuteftp.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\Desktop\Ad Aware.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\temp\3jzeQj4A.exe infected by "Trojan-Downloader.Win32.Agent.jw" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\Temporary Internet Files\Content.IE5\TH8XCPHF\aawsepersonal[1].exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\home.reg infected by "Trojan.JS.Seeker.e" Virus! Action Taken: No Action Taken.

File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Introreg\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Introreg\UNWISE32.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Go!Zilla\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\GlobalSCAPE\CuteFTP\unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\AIM95\unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\DivXCodec\DivXPro502GAINBundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


Thanks for your help and looking forward to your suggestions...
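Trevuren's reading of this list in the reply that follows (most of it is easily dealt with, WININET.DLL is the one file that must be cleaned rather than removed) can be mechanised. The Python below is an added example, not MWav or forum tooling: it parses the four line shapes above, de-duplicates the repeated hits, and marks any hit on an assumed CRITICAL_SYSTEM_FILES set as disinfect-only; the sample lines are taken from the post, the set is a constructed assumption.

```python
"""Sort an MWav "infected items" list into what to remove, what to disinfect
in place, and what is noise.

Added example for this thread, not MWav or the helper's own code.  The sample
is constructed from lines in the post above; CRITICAL_SYSTEM_FILES is an
assumed set expressing the helper's point that WININET.DLL must be cleaned,
never deleted.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\cuteftp.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\isdnm.vxd". Action Taken: No Action Taken.
File C:\WINDOWS\home.reg infected by "Trojan.JS.Seeker.e" Virus! Action Taken: No Action Taken.
File c:\windows\TEMP\3jzeQj4A.exe infected by "Trojan-Downloader.Win32.Agent.jw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WININET.DLL infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\temp\3jzeQj4A.exe infected by "Trojan-Downloader.Win32.Agent.jw" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\cuteftp.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""

# The four line shapes MWav prints in its "infected items" panel.
INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as not-a-virus:(?P<name>\S+?)\. No Action')
ORPHAN_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]+)"')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')

# Assumption: Windows components a scanner must never delete; an infected copy
# is disinfected (or replaced from a clean source), as the helper insists.
CRITICAL_SYSTEM_FILES = {"wininet.dll", "kernel32.dll", "user32.dll", "explorer.exe"}


@dataclass
class Triage:
    infected: dict = field(default_factory=dict)  # norm path -> (path, detection)
    tagged: dict = field(default_factory=dict)    # norm path -> (path, tag)
    orphans: list = field(default_factory=list)   # (registry key, missing target)
    objects: list = field(default_factory=list)   # adware/spyware object names
    unparsed: list = field(default_factory=list)  # anything the regexes missed


def norm(path: str) -> str:
    """Case-insensitive key so the TEMP and temp copies of one file count once."""
    return path.strip().lower()


def parse_report(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            t.infected.setdefault(norm(m["path"]), (m["path"], m["name"]))
        elif m := TAGGED_RE.match(line):
            t.tagged.setdefault(norm(m["path"]), (m["path"], m["name"]))
        elif m := ORPHAN_RE.match(line):
            t.orphans.append((m["key"], m["target"]))
        elif m := OBJECT_RE.match(line):
            t.objects.append(m["name"])
        else:
            t.unparsed.append(line)
    return t


def plan(t: Triage) -> dict:
    """Map each unique infected path to 'disinfect-only' or 'remove'."""
    actions = {}
    for key in t.infected:
        basename = key.rsplit("\\", 1)[-1]
        actions[key] = "disinfect-only" if basename in CRITICAL_SYSTEM_FILES else "remove"
    return actions


if __name__ == "__main__":
    t = parse_report(SAMPLE_REPORT)
    actions = plan(t)
    for key, (path, name) in t.infected.items():
        print(f"{actions[key]:15} {path}  ({name})")
    print(f"{len(t.tagged)} not-a-virus tool(s), {len(t.orphans)} orphaned registry "
          f"reference(s), {len(t.objects)} adware object(s), {len(t.unparsed)} unparsed")
```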

#22 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...I see that you've been really busy...have you had a chance to review the MWav log I sent you in my previous reply? I see there are a couple of viruses present...how should I proceed? Thanks for your help and looking forward to your advice.

#23 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Sorry about not responding but I wasn't advised of your reply. We have been having some minor glitches with the system of late and this is one of them, I presume.

You do have some stuff in there; that is why I often use this scan as a last check.

Most of this can be taken care of quite easily but there is one area of major concern. It is with the following file:

C:\WINDOWS\SYSTEM\WININET.DLL

***We cannot afford to let anything remove this file yet as it is crucial to your system.*** So don't run any removal programs yet.

Please do the following:

A. I would like you to submit the file to Jotti's for proper analysis

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\SYSTEM\WININET.DLL

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

B. Before posting the results, I need you, and this is very important, to do a search through Windows Search Engine module for all instances of this file: WININET.DLL on your system and add (Copy/Paste) all the results into your reply along with the results from Jotti.

Regards,

Trevuren


#24 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...I ran the scan from Jotti and here are the results...



File: Wininet.dll
Status: INFECTED/MALWARE
MD5 1e2054b8ceab2846411ef030214971e6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Oleadm.Callgate
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.A
Fortinet Found W32/Nsag.A
Kaspersky Anti-Virus Found Virus.Win32.Nsag.a
NOD32 Found Win32/Oleloa.A
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Virus.Win32.Nsag.a


In performing my search for all files named: WININET.DLL, the only file present is in C:\WINDOWS\SYSTEM, size 449 kB, type application extension, and last modified 7/5/2005 11:59 PM.

Thanks for the time and looking forward to the next step...

#25 Trevuren (Old Dog, Retired Staff, 18,699 posts)

This is important:

1. Please use the search function in Windows again and search for all instances of "wininet.dll" throughout all of drive C.

2. Copy and Paste the results here.

Thanks,

Trevuren


#26 antiviral2005 (Member, Topic Starter, 26 posts)

Trevuren, I'm not sure if I'm searching correctly, but I am going to the "Start" menu, selecting "Find", going to the "Files or Folders" option, and searching for both "WININET.DLL" and "wininet.dll", and the only result is in the C:\WINDOWS\SYSTEM folder. Should I try another way to search, since this is the only file I can find?

#27 Trevuren (Old Dog, Retired Staff, 18,699 posts)

No, that appears to be the correct method. I will have to consult with higher-ups as to how to get you a new file. Sorry for the wait, but this has never happened to me before.


Trevuren

#28 Trevuren (Old Dog, Retired Staff, 18,699 posts)

I will give you the answer directly from the expert. If you do not understand anything, please ask me for clarification before starting. I will provide you with the link for the trial version of Kaspersky at the bottom of the post. Note: I enhanced some of the comments in bold, which are not from the original text.

On 9X and ME there are no other wininet.dlls on the systems. Unless you have a 98 system, your wininet.dll won't work. Scanners will properly clean the file when it isn't in use. Have him locate wininet.dll in his system folder and right-click to copy it (make sure he doesn't cut it!), then paste it on the desktop. This way the file won't be in use, then he has to download a trial version anti-virus that will clean the file such as Kaspersky (not the online scan, but the full download trial). AVG won't work, unfortunately, because it doesn't even notice it's infected! Once it's on the desktop have him run a full system scan with the anti-virus program, then when it gets to the wininet.dll on the desktop make sure it doesn't get deleted, but that it gets cleaned. Then once it's cleaned, have him rename wininet.dll in the system folder to wininet.old, then copy the clean one off the desktop and paste it into the system folder.


  • Please download the 30-day free trial of Kaspersky anti virus.
  • Install the program.
  • Run the definition update module.
  • Scan your whole system and let the program remove anything it wants.
  • When finished, REBOOT your system.

Trevuren

#29 antiviral2005 (Member, Topic Starter, 26 posts)

Hey Trevuren...so I went ahead and copied wininet.dll to my desktop. Then, I downloaded the Kaspersky anti virus application and installed it. I ran the program and after the scan, I cleaned or deleted any infected files or viruses as instructed. When I was prompted to take action on the wininet.dll file in the C:\WINDOWS\SYSTEM folder I chose to disinfect the file and I also chose to disinfect the wininet.dll file copied on my desktop. I was then instructed to reboot, but did not immediately reboot. I went into my WINDOWS\SYSTEM folder and got a prompt stating that I could not rename the wininet.dll file since it was in use. I rebooted the computer and again tried to rename the file in the windows\system folder but could not since it was in use. I rebooted into safe mode but still could not rename the file to wininet.old as instructed. What should I do to rename the file and what should I do with the disinfected wininet.dll file on my desktop?

#30 Trevuren (Old Dog, Retired Staff, 18,699 posts)

1. Run the procedure again and REBOOT when requested to do so.

2. Reboot into safe mode and check the properties of C:\Windows\system\wininet.dll by right-clicking on the DLL file, then choose Properties and make sure that nothing is checkmarked under Attributes.

3. While still in Safe mode, attempt to rename wininet.dll to wininet.old

4. Reboot your system and confirm the action taken as well as the results achieved in your next reply.

Regards,

Trevuren
