Psguard Malware, Browser Hijacker problems [RESOLVED]


#16 Derek182 (Member, Topic Starter, 43 posts)
Well, Trend Micro's scan didn't find anything, but here are the results of smitRem and Mwav.


smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


intell32.exe
oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!


Mwav results

Wed Aug 03 16:15:20 2005 => ***** Scanning complete. *****
Wed Aug 03 16:15:20 2005 => Total Objects Scanned: 5789
Wed Aug 03 16:15:20 2005 => Total Virus(es) Found: 4
Wed Aug 03 16:15:20 2005 => Total Disinfected Files: 0
Wed Aug 03 16:15:20 2005 => Total Files Renamed: 0
Wed Aug 03 16:15:20 2005 => Total Deleted Objects: 0
Wed Aug 03 16:15:20 2005 => Total Errors: 84
Wed Aug 03 16:15:20 2005 => Time Elapsed: 00:15:38
Wed Aug 03 16:15:20 2005 => Virus Database Date: 2005/07/29
Wed Aug 03 16:15:20 2005 => Virus Database Count: 140525
Wed Aug 03 16:15:20 2005 => Scan Completed.

File C:\WINDOWS\SYSTEM\intell32.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
Object "DyFuCA Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\jao.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\jao.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E05592E4-C0B5-11D0-A439-00A0C9223196}" refers to invalid object "ksqmf.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CD9-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CDB-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CDC-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CDD-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CDE-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CDF-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE0-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE1-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CED-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE2-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE3-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{35461E30-C488-11d1-960E-00C04FBD7C09}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE6-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE7-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE8-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CE9-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CEA-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD853CEB-7F86-11d0-8252-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A580C11-E5EB-11d1-A86E-0000F8084F96}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB847B8A-054A-11d2-A894-0000F8084F96}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EA678830-235D-11d2-A8B6-0000F8084F96}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{64577982-86D7-11d1-BDFC-00C04FA31009}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1C82EAD9-508E-11D1-8DCF-00C04FB951F9}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0D17FC2-7BC4-11d1-BDFA-00C04FA31009}" refers to invalid object "C:\WINDOWS\SYSTEM\INETCOMM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3E9BAF2D-7A79-11d2-9334-0000F875AE17}" refers to invalid object "C:\WINDOWS\SYSTEM\MSCONF.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{068B0700-718C-11d0-8B1A-00A0C91BC90E}" refers to invalid object "C:\WINDOWS\SYSTEM\MSCONF.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{07970B30-A4DA-11D2-B724-00104BC51339}" refers to invalid object "C:\PROGRAM FILES\NETMEETING\CONFMRSL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{507708CC-A74A-11d2-9351-0000F875AE17}" refers to invalid object "C:\WINDOWS\SYSTEM\MSCONF.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06CE0C3A-8917-11D1-AA78-00C04FC9B202}" refers to invalid object "C:\PROGRA~1\NETMEE~1\RRCM.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C71566F2-561E-11D1-AD87-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{49353C99-516B-11D1-AEA6-00C04FB68820}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A0227F6-7108-11D1-AD90-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6C19BE35-7500-11D1-AD94-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\FASTPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WMIPROV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0725C3CB-FEFB-11D0-99F9-00C04FC2F8EC}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WMIPROV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FE9AF5C0-D3B6-11CE-A5B6-00AA00680C3F}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\STDPROV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{72967901-68EC-11D0-B729-00AA0062CBB7}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\STDPROV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA77A74E-E109-11D0-AD6E-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\STDPROV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMCORE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CD184336-9128-11D1-AD9B-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMCORE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMCORE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9AED384E-CE8B-11D1-8B05-00600806D9B6}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5791BC26-CE9C-11D1-97BF-0000F81E849C}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMDISP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5D08B586-343A-11D0-AD46-00C04FD8FDFF}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMESS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F7CE2E13-8C90-11D1-9E7B-00C04FC324A8}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A1044801-8F7E-11D1-9E7C-00C04FC324A8}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMSVC.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DDBABFC0-2648-11D2-BC64-00104B2CF71C}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\CIMW32EX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9A653086-174F-11D2-B5F9-00104B703EFD}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMCOMN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\WBEMCOMN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6DAF9757-2E37-11D2-AEC9-00C04FB68820}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\MOFD.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C10B4771-4DA0-11D2-A2F5-00C04F86FB7D}" refers to invalid object "C:\WINDOWS\SYSTEM\WBEM\MOFD.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{53DEFDE0-9222-11CF-9ED3-00AA004C120C}" refers to invalid object "C:\WINDOWS\SYSTEM\WEBPOST.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{33675000-9B48-11D0-AD53-00AA00A219AA}" refers to invalid object "C:\WINDOWS\SYSTEM\WEBPOST.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{96E31637-59F3-11D0-AD1F-00AA00A219AA}" refers to invalid object "C:\WINDOWS\SYSTEM\WPWIZDLL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8B14B770-748C-11D0-A309-00C04FD7CFC5}" refers to invalid object "C:\WINDOWS\SYSTEM\POSTWPP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FFCF1E40-7978-11D0-B1C9-00AA006DCDF4}" refers to invalid object "C:\WINDOWS\SYSTEM\CRSWPP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02B5E1D1-8B7C-11D0-AD45-00AA00A219AA}" refers to invalid object "C:\WINDOWS\SYSTEM\FTPWPP.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{886e7bf0-c867-11cf-b1ae-00aa00a3f2c3}" refers to invalid object "C:\PROGRAM FILES\WEB PUBLISH\FLUPL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" refers to invalid object "C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMGETALL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" refers to invalid object "C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\cnkf9.e4vh02" refers to invalid object "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}". Action Taken: No Action Taken.
Entry "HKCR\cnkf9.e4vh02.857" refers to invalid object "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}". Action Taken: No Action Taken.
Entry "HKCR\1f80k2.8g3b" refers to invalid object "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}". Action Taken: No Action Taken.
Entry "HKCR\1f80k2.8g3b.55" refers to invalid object "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}". Action Taken: No Action Taken.



During the mwav scan, I saw this in what was scanned.

Wed Aug 03 16:13:08 2005 => Result: ERROR!!! File C:\WINDOWS\TEMP\PSGuardInstall.exe is Not Scanned

Just thought I'd point that out, not sure if it means much.


#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
*Download RegSeeker http://www.hoverdesk.net/freeware.htm and install it.
*Click on 'Clean The Registry' in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click 'Select All' on the bottom. Then right-click on any selected item in the window and select 'Delete Selected Items'.
*Click 'Quit RegSeeker'.

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run RegSeeker again. Do the same thing again if anything is found. You may have to run RegSeeker 5 - 6 times, but you want it showing none to very few items.

*Make sure to reboot between each use of the program.


Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

It doesn't look like the smitRem file completed correctly. OK, delete the smitRem folder you have there. Download it again here:

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Now boot into Safe Mode and run smitRem.exe - let it do its job again like last time.

Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart and post a new log for HijackThis and also for smitfiles.txt.
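A small parser for the smitRem log format posted above, added here as an example and not part of the thread or of smitRem itself. It compares the Pre-run and Post-run sections and reports which files were removed, which survived the run, and whether wininet.dll is still flagged, which is the check greyknight17 makes by eye when he says the run did not complete correctly. The sample log embedded in the block is a constructed, abridged copy of the first log in this thread.

```python
"""Parse a smitRem log of the kind posted in this thread and report what
survived the run.  Added example: not smitRem's own code, nor from the thread."""
import re

# Constructed sample: an abridged copy of the first smitRem log in the thread.
SAMPLE_LOG = """\
smitRem log file
by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ system folder ~~~

intell32.exe
oleext.dll

~~~~ wininet.dll ~~~~

wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ system folder ~~~

oleext.dll

~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!
"""

PHASE_RE = re.compile(r"^(Pre|Post)-run Files Present$")
SECTION_RE = re.compile(r"^~{3,4} (.+?) ~{3,4}$")   # "~~~ system folder ~~~"
WININET_RE = re.compile(r"^wininet\.dll (\w+)!!")   # "wininet.dll INFECTED!!"


def parse_smitrem(text):
    """Return ({phase: {section: [files]}}, {phase: wininet.dll verdict})."""
    phases = {"Pre": {}, "Post": {}}
    verdicts = {}
    phase = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"~"}:      # blank line or separator rule
            continue
        m = PHASE_RE.match(line)
        if m:
            phase, section = m.group(1), None
            continue
        if phase is None:                       # banner lines before Pre-run
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            phases[phase].setdefault(section, [])
            continue
        m = WININET_RE.match(line)
        if m and section == "wininet.dll":
            verdicts[phase] = m.group(1).upper()  # PRESENT / INFECTED / CLEAN
            continue
        if section is not None:                 # a file listed under a section
            phases[phase][section].append(line)
    return phases, verdicts


def assess(phases, verdicts):
    """Diff Pre-run against Post-run.  run_complete mirrors the helper's check:
    nothing left behind in any section and wininet.dll not flagged INFECTED."""
    removed, survivors = {}, {}
    for section, before in phases["Pre"].items():
        after = set(phases["Post"].get(section, []))
        gone = sorted(set(before) - after)
        if gone:
            removed[section] = gone
    for section, after in phases["Post"].items():
        if after:
            survivors[section] = sorted(after)
    infected = verdicts.get("Post") == "INFECTED"
    return {"removed": removed, "survivors": survivors,
            "wininet_infected": infected,
            "run_complete": not survivors and not infected}


if __name__ == "__main__":
    for key, value in assess(*parse_smitrem(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the first log in the thread it reports intell32.exe removed, oleext.dll surviving and wininet.dll still infected, so run_complete is False; against the log in post #26 it would flag the two PSGuard .lnk shortcuts as survivors, which is exactly what the helper asks to be deleted by hand afterwards.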

#18 Derek182 (Member, Topic Starter, 43 posts)
Well, not sure if that helped. It always gets rid of Intell32, but then I think it comes back when I go online. I've also gotten the same message from smitRem as before about a sharing violation reading drive C. But anyways, here are the logs.

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


intell32.exe
oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 8:32:12 PM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET CALL MANAGER\ICM.EXE
C:\WINDOWS\IRXFER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Restart your computer. Scan the desktop folder with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Restart and go online. Surf for a while and then run a new HijackThis scan. Post the log here.

#20 Derek182 (Member, Topic Starter, 43 posts)
I just did the delete.bat part, and I don't think it worked. Here's what it says:

C:\WINDOWS\Desktop>del c:\windows\system\wininet.dll
Access denied

C:\WINDOWS\Desktop>del c:\windows\system\oleadm.dll
File not found

C:\WINDOWS\Desktop>del c:\windows\system\oleext.dll

C:\WINDOWS\Desktop>copy c:\windows\desktop\wininet.dll c:\windows\system
Sharing violation - c:\windows\system\WININET.DLL
0 file(s) copied

C:\WINDOWS\Desktop>del delete.bat

Am I supposed to do this step in safe mode, or something?

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I was wondering if that would be a problem. OK, we'll do it this way then and see if that works:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del /f c:\windows\system\wininet.dll
del /f c:\windows\system\oleadm.dll
del /f c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Yes, try it in Safe Mode if Normal Mode still won't work. Tell me when you are done so we can continue on.

#22 Derek182 (Member, Topic Starter, 43 posts)
Well, that didn't work either... here's what it said:

C:\WINDOWS\Desktop>del / c:\windows\system\wininet.dll
Invalid switch - /F

C:\WINDOWS\Desktop>del / c:\windows\system\oleadm.dll
Invalid switch - /F

C:\WINDOWS\Desktop>del / c:\windows\system\oleext.dll
Invalid switch - /F

C:\WINDOWS\Desktop>copy c:\windows\desktop\wininet.dll c:windows\system
Sharing violation - c:\windows\system\WININET.DLL
0 file(s) copied

C:\WINDOWS\Desktop>del delete.bat

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
:tazz: Just my luck ;)

Print this out since you will need it (or write it down somewhere).

OK, we'll have to do this in the command prompt then. Restart your computer and hit the F8 key repeatedly (or the F5 key if that works instead) until a menu shows up. Choose Command Prompt or DOS Prompt. Let it load.

When it gets to the prompt, there will be a black screen with white letters and a blinking underscore cursor. I want you to type in each of the following lines manually (hit Enter after each line):

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system


Restart now by hitting ctrl+alt+del and you should go straight back to Windows 98.

Tell me if that worked or not, so we can continue on with the fix.

#24 Derek182 (Member, Topic Starter, 43 posts)
Finally, it seems like things are working out! Except when I tried to delete oleadm.dll it said file not found. Not sure about that; I could always just try it again, but I'll let you decide! :tazz:

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
We're not clear yet ;)

I just wanted to cure that infected file because the scans we make may delete that file by mistake :tazz:

Since you just completed that step, we may now proceed:

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish. If smitRem looks like it's stuck at any point (probably when deleting that oleadm.dll file), just hit the F key on your keyboard and it should continue.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log.


#26 Derek182 (Member, Topic Starter, 43 posts)
I think my system is pretty clean now, except the 2 things Panda Active Scan found. And can I delete the extra wininet.dll off of my desktop now? Anyways, here are the logs.

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! :tazz:

Panda Activescan

Incident Status Location


Adware:adware/superspider No disinfected C:\WINDOWS\SYSTEM32\bridge.dll
Adware:adware/gator No disinfected Windows Registry

Logfile of HijackThis v1.99.1
Scan saved at 12:57:19 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET CALL MANAGER\ICM.EXE
C:\WINDOWS\IRXFER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Internet Call Manager.LNK = C:\Program Files\Internet Call Manager\ICM.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

#27 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, it's pretty much clean now :tazz:

Just delete these two files:

C:\WINDOWS\SYSTEM32\bridge.dll
PSGuard spyware remover.lnk - should be one in your favorites and one in your quick launch toolbar - so search for it and delete the two instances


Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#28 Derek182 (Member, Topic Starter, 43 posts)
No problems at all, thank you very much greyknight17! You rock! :tazz: ;)

#29 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.