[el bastardos]

hi a couple of days ago i became infected with spy sheriff.
I followed your instructions and ran all of the recomened downloads.
however i hav'nt been able to run the windows update as it does'nt support my
browsr anymore. anyway after running the downloads i was able to delete
spy sheriff from the control panel which i could not do before.
after i did this i was left with a white desktop background
which i cannot delete and wininet.dll has been deleted. As soon as
i logon now i get this message telling me that wininet.dll is not present and
i cannot use internet explorer either beacuse i have an invalid syntax error. at
the moment i am having to use this on line dating pop up link which connects me
to netscape.

here is my hjt scan;

Logfile of HijackThis v1.99.1
Scan saved at 14:20:57, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\ctfmon.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
F:\Program Files\Microsoft Office\Office10\msoffice.exe
F:\Program Files\Netscape\Communicator\Program\netscape.exe
F:\Documents and Settings\Pual\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.uk.netscape.com/uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.uk.netscape.com/uk/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\windows\googletoolbar_en_2.0.95-big.dll (file missing)
O4 - HKLM\..\Run: [PrinTray] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] F:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PSGuard spyware remover] F:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = F:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: Widgets.LNK = F:\Program Files\Starware\Products\Widgets\bin\Widgets.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O12 - Plugin for .mpeg: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://F:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://cw.netglearni...iles/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://F:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} (Starware) - http://files-pl.star...tarware_323.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://F:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10036.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1865.exe
O20 - Winlogon Notify: style2 - F:\WINDOWS\q17656528_disk.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE

[Advertisements]

Hi el [bleep]os, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

1. You have a lot of problems on your machine just by viewing your log.

2. Before trying to get you out of this mess, I need you to answer a few questions for me.

a. Do you have a Start button on your Desktop and if you do, can you click Start>>Search and the Windows Search function appears?

b. Can you rightclick on START, then left click on Explorer which would bring up Windows Explorer?


Regards,

Trevuren

[Trevuren]

Hi el [bleep]os, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

1. You have a lot of problems on your machine just by viewing your log.

2. Before trying to get you out of this mess, I need you to answer a few questions for me.

a. Do you have a Start button on your Desktop and if you do, can you click Start>>Search and the Windows Search function appears?

b. Can you rightclick on START, then left click on Explorer which would bring up Windows Explorer?


Regards,

Trevuren

[el bastardos]

when i click on explore after right clicking on start i get the start menu folder come up. the windows search function appears to be working fine.

[Trevuren]

Go to your search function and do a complete system search for "wininet.dll" and post the results back into this thread.

Trevuren

[el bastardos]

Wininet.dll F:/documents and settings/pual/M… 570 KB Application extension 8/17/2001
Wininet.dll C:/wininet 570 KB Application extension 8/17/2001
Wininet.dll C:/unzipped/wininet 570 KB Application extension 8/17/2001
Wininet.dll F:/documents and settings/pual/wi… 570 KB Application extension 8/17/2001
Wininet.dll F:/ documents and settings/pual/D… 570 KB Application extension 8/17/2001
Wininet.dll F:/ documents and settings/pual/M… 570 KB Application extension 8/17/2001

sorry but i had to copy it into word

[Trevuren]

OK. This is what we are going to do.

We can't be sure that those copies are not infected but at this point, the question is irrelevant because the important thing is to get on the net. Then we will worry about getting it clean.

1. Copy (Not CUT), copy the wininet.dll from here:

Wininet.dll C:/wininet 570 KB Application extension 8/17/2001

2. Paste into your F:\Windows\System32\ folder.

3. Then Reboot.

4. Try your internet and please get back to me.

5. Also please tell me what is on your different drives. Is your Operating System on one and Data on another. Are they partitions?

Trevuren

[el bastardos]

i can't find the folder that is "folder". this virus seems to of completely changed the settings and is preventing me from deleting it. am i wasting your time and will i have to
re-install windows.

[el bastardos]

sorry. yes i have those two partitions.

[Trevuren]

I am not asking you to delete it. I am asking you to make a copy of anyone you can find and paste it into your F:\Windows\System32\ Folder

Take your time, you can do it.

Trevuren

[el bastardos]

right,where you have put "folder" i clicked on wininet.dll and saved it on a word document. i rebooted but internet explorer is still a complete no go. i am currently using mozilla however many other programs are not working, ewido is the only program i can run. adaware and spybot atc are not working either and i cant download many programs of the net as they reguire internet explorer.

[Trevuren]

Can you find F:|windows\system32 ?

The system32 is the folder.


Trevuren

[el bastardos]

after i click on system 32 i get more folders come up. i then clicked on file and folder tasks and clicked on make a new folder.a blank white screen thencomes up and it will not let me paste.

[Trevuren]

1. Good, you now know where the system32 folder is.

2. When you click on it, you will see a lot of folders and other files in the righthand side of the window. That is noemal.

3. Just paste that copy of wininet.dll anywhere in the righthand pane of the window. Do not create a new folder. Just paste it to a blank area.

I will try and upload a picture of the right hand side pane of my system32 folder

Trevuren

[Trevuren]

1. Good, you now know where the system32 folder is.

2. When you click on it, you will see a lot of folders and other files in the righthand side of the window. That is noemal.

3. Just paste that copy of wininet.dll anywhere in the righthand pane of the window. Do not create a new folder. Just paste it to a blank area.

I will try and upload a picture of the right hand side pane of my system32 folder

Trevuren

[Trevuren]

1. Good, you now know where the system32 folder is.

2. When you click on it, you will see a lot of folders and other files in the righthand side of the window. That is noemal.

3. Just paste that copy of wininet.dll anywhere in the righthand pane of the window. Do not create a new folder. Just paste it to a blank area.

Picture didn't upload, sorry

Trevuren

Edited by Trevuren, 24 July 2005 - 04:15 PM.