PS Guard Virus/Trojan


#16 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Please follow the instructions I provided for right now. It has worked on another machine that was a 98 after much trial and error. :tazz:

#17 sevicat (Member, Topic Starter, 19 posts)
I did as you said -- downloaded and ran Kaspersky with the latest definition update module. It cleaned up the WININET.DLL file on the desktop. However, Windows would not allow me to rename the file in the System folder because it said the file was in use. Once the Kaspersky scan had finished, other weird stuff started happening. On rebooting the system, I received a Kaspersky message saying:
"Process module EXPLORER.EXE\WININET.DLL is infected with a virus
Virus.Win32.Nsag.b
You are advised to delete the object."

Now, I cannot access the Windows folder from 'My Computer.'
I also had no desktop for a while there until I went to Start>Settings>Active Desktop>View as Webpage and unchecked this option. Now I at least have a somewhat normal looking desktop.
I thought that AVG and Kaspersky might be working against each other. So, I uninstalled one, then the other. Both are currently uninstalled. If Kaspersky is running, I can't even get a proper Windows start up because I get ILLEGAL OPERATION (Page Fault) messages for just about every start-up process.
What's going on?!
I've just realized that I can't paste emoticons in here either, even though the ENABLE EMOTICONS option is checked.

Here is my latest HijackThis log file, if this helps at all:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:30 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [KASP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\OESpamTest.exe"
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab
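A log like the one above is mostly read by eye, comparing each O1 and O4 line against what a stock machine should carry. The following is an added example, not something from this thread or from HijackThis itself: it parses lines in that O1/O4 format and flags hosts entries that point anywhere but loopback and autostart names that are not on an assumed known-good list for a Win98 SE box (the sample lines are constructed, modelled on the log above).

```python
import re

# Constructed sample: a handful of lines in HijackThis v1.99 format, modelled
# on (but not copied in full from) the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
""".strip()

# Autostart names a stock Win98 SE install plus the tools used in this thread
# would register (assumption for this example; extend it per machine).
KNOWN_RUN = {"scanregistry", "taskmonitor", "systemtray", "soundman",
             "loadpowerprofile", "thguard", "kasp", "mdm7", "ctfmon.exe"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")


def review_hijackthis(log_text):
    """Return (kind, name, detail) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts entry that sends a name anywhere but loopback is a
            # classic redirect; legitimate blocklists map to 127.0.0.1.
            if ip not in ("127.0.0.1", "0.0.0.0", "::1"):
                findings.append(("hosts-redirect", host, ip))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            if name.lower() not in KNOWN_RUN:
                findings.append(("unknown-autostart", name,
                                 f"{hive}\\..\\{key} -> {command}"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in review_hijackthis(SAMPLE_LOG):
        print(f"{kind:18} {name:14} {detail}")
```

On the sample lines this flags the O1 hosts redirect and the one autostart name not on the list, `intell32.exe`, which is exactly the kind of entry a helper would ask about before anything else.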

#18 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

"You are advised to delete the object."

Did you delete it?

#19 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Paste these instructions into notepad for use in safe mode

1. Reboot into Safe Mode.

2. Once in Safe Mode, go to Start > Run, type: command, and click OK.

3. Please do the following in sequence:

* Please copy the following line and paste it into the black window:

CD C:\Windows\system

* Hit enter.
* It will go to the next line, then copy this line and paste it in:

rename wininet.dll wininet.old

* Hit enter.
* Type exit, hit enter.

4. Now try copying the one from the desktop into the system folder.

5. Once it's been copied into the system folder reboot into normal mode.

I also want you to do the following:

Make absolutely sure there is a wininet.dll in the system folder before you reboot!

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\Windows\System\wininet.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

#20 sevicat (Member, Topic Starter, 19 posts)
Yes, I did delete it. Was that the wrong thing to do? It appears that the PS Guard thingy is gone from my computer now. It seems that the remaining problems are the infected wininet.dll file and the fact that I can't access the Windows folder from My Computer. If I re-installed Kaspersky, I'm also pretty sure that it would tell me the EXPLORER\WININET.DLL is still infected. I will do what you have just suggested and will send you the analysis results. Thank you, thank you and thanks again for trying

#21 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Once it's on the desktop run a full system scan with Kaspersky, then when it gets to the wininet.dll on the desktop make sure it doesn't get deleted, but that it gets cleaned.

#22 sevicat (Member, Topic Starter, 19 posts)
I still have the 'clean' wininet.dll on my desktop. Rebooting in Safe Mode and trying to rename the dll through the DOS prompt still doesn't work. It says "Duplicate file or file in use." I will now submit the C:\Windows\System\wininet.dll to Jotti's site and let you have the analysis ASAP. Why can't I put emoticons in the message?

#23 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

"Why can't I put emoticons in the message?"

I don't know, but that is the least of our problems right now. ;) Submit it to Jotti's and get back to posting the results. I will be gone most of the evening but will try to check in later tonight.

Don't sweat it, we'll get it done. :tazz:

#24 sevicat (Member, Topic Starter, 19 posts)
Here we go...it doesn't look pretty!

ArcaVir Found - Trojan.Callgate.Oleadm.3
Dr.Web Found - Trojan.DownLoader.2636
Kaspersky Found - Virus.Win32.Nsag.b
NOD32 Found - Win32/Oleloa.gen

The other scanners didn't find anything.

#25 sevicat (Member, Topic Starter, 19 posts)
To add:

I just tried re-installing Kaspersky. As soon as I rebooted the system, I got all those start-up process errors again - Kernel32 fault, SysTray fault, Explorer fault etc. So, now it seems that my system will not run Kaspersky. Pity, 'cause it looked like a good program while it worked ;-) As soon as I uninstalled from Safe Mode, it was kind of good to go again. I don't know if this has anything to do with our friend wininet.dll?

On the brighter side, PS Guard seems to be gone, touch wood, yeah! Good riddance! I still cannot view my desktop as a web page, though. When I select this option from Start>Settings>Active Desktop, I just get the 'Desktop Recovery' screen. I also cannot view documents in My Computer from a web page view. It would seem logical that this must be because of the infected wininet.dll. I know nothing about DLLs, but the name seems to allude to the fact that it has something to do with Internet Explorer?

#26 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
I'm checking something out with one of our experts who has worked on this fix. I will get back with you. Enjoy your day. :tazz:

#27 sevicat (Member, Topic Starter, 19 posts)
A friend of mine just suggested copying the 'clean' wininet.dll from my desktop into the root directory, booting up into Command Prompt only, and then copying the 'clean' file from the root directory into the c:\windows\system directory and confirming the file replacement when prompted. Would this work? My friend knows a lot about this kind of stuff (through lots and lots of trial and error) but I prefer to run the procedure by you first :tazz:

#28 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
That's close to what our expert proposed to me. I was working on the instructions and sent them to him to proof, but here is what I came up with:

Do not do the following in safe mode.

Boot to command prompt:
(Press "F8" on boot to get the start menu and select "Command Prompt Only".)

Let's rename, rather than delete the infected file.

Type in:

ren C:\windows\system\wininet.dll wininet.old

copy c:\windows\desktop c:\windows\system

del c:\windows\system\oleext.dll

Hit enter. Reboot and tell me how it is going.

#29 sevicat (Member, Topic Starter, 19 posts)
Okay, I have copied the uninfected .dll via the Command Prompt screen. Everything seems to be just peachy now ;) The only remaining little thing is that the area around the text names of my desktop icons is surrounded by color and I cannot seem to change the settings for this pattern to 'none.' In other words, where there would be no color and the text would just be sitting right on top of my desktop wallpaper. Do you have any idea why this would be the case?

Thanks so much for your time and effort. I could go on and on about what an honorable service you guys provide to your fellow man :tazz:

#30 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Check out this link:

http://www.onecomput...hell_icon_cache

I thought Kelly's Korner would work, but I think that's just for XP. Let me do some more searching and see.