PS Guard Virus/Trojan
#16
Posted 05 August 2005 - 03:19 AM
#17
Posted 05 August 2005 - 03:41 PM
"Process module EXPLORER.EXE\WININET.DLL is infected with a virus
Virus.Win32.Nsag.b
You are advised to delete the object."
Now, I cannot access the Windows folder from 'My Computer.'
I also had no desktop for a while there until I went to Start>Settings>Active Desktop>View as Webpage and unchecked this option. Now I at least have a somewhat normal looking desktop.
I thought that AVG and Kaspersky might be working against each other. So, I uninstalled one, then the other. Both are currently uninstalled. If Kaspersky is running, I can't even get a proper Windows start up because I get ILLEGAL OPERATION (Page Fault) messages for just about every start-up process.
What's going on?!
I've just realized that I can't paste emoticons in here either, even though the ENABLE EMOTICONS option is checked.
Here is my latest HijackThis log file, if this helps at all:
Logfile of HijackThis v1.99.1
Scan saved at 11:27:30 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [KASP] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\OESpamTest.exe"
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab
#18
Posted 05 August 2005 - 04:01 PM
You are advised to delete the object."
Did you delete it?
#19
Posted 05 August 2005 - 04:07 PM
1. Reboot into Safe Mode.
2. Once in Safe Mode, go to Start > Run, type: command, and click OK.
3. Please do the following in sequence:
* Please copy the following line and paste it into the black window:
CD C:\Windows\system
* Hit enter.
* It will go to the next line, then copy this line and paste it in:
rename wininet.dll wininet.old
* Hit enter.
* Type exit, then hit enter.
4. Now try copying the one from the desktop into the system folder.
5. Once it's been copied into the system folder reboot into normal mode.
I also want you to do the following:
Make absolutely sure there is a wininet.dll in the system folder before you reboot!
1. Click HERE to get to Jotti's site.
2. At the top of the Jotti window, use the Browse button to locate the following file on your system:
c:\Windows\System\wininet.dll
3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.
4. Please provide me with the results of the analysis.
#20
Posted 05 August 2005 - 04:23 PM
#21
Posted 05 August 2005 - 04:30 PM
Once it's on the desktop run a full system scan with Kaspersky, then when it gets to the wininet.dll on the desktop make sure it doesn't get deleted, but that it gets cleaned.
#22
Posted 05 August 2005 - 04:41 PM
#23
Posted 05 August 2005 - 04:42 PM
Why can't I put emoticons in the message?
I don't know, but that is the least of our problems right now. Submit it to Jotti's and get back to posting the results. I will be gone most of the evening but will try to check in later tonight.
Don't sweat it, we'll get it done.
#24
Posted 05 August 2005 - 05:02 PM
ArcaVir Found - Trojan.Callgate.Oleadm.3
Dr.Web Found - Trojan.DownLoader.2636
Kaspersky Found - Virus.Win32.Nsag.b
NOD32 Found - Win32/Oleloa.gen
The other scanners didn't find anything.
#25
Posted 05 August 2005 - 05:29 PM
I just tried re-installing Kaspersky. As soon as I rebooted the system, I got all those start-up process errors again - Kernel32 fault, SysTray fault, Explorer fault etc. So, now it seems that my system will not run Kaspersky. Pity, 'cause it looked like a good program while it worked ;-) As soon as I uninstalled from Safe Mode, it was kind of good to go again. I don't know if this has anything to do with our friend wininet.dll?
On the brighter side, PS guard seems to be gone, touch wood, yeah! Good riddance! I still cannot view my desktop as a web page, though. When I select this option from Start>Settings>Active Desktop, I just get the 'Desktop Recovery' screen. I also cannot view documents in My Computer from a web page view. It would seem logical that this must be because of the infected wininet.dll. I know nothing about dll's, but the name seems to allude to the fact that it has something to do with Internet Explorer?
#26
Posted 05 August 2005 - 11:33 PM
#27
Posted 06 August 2005 - 12:42 PM
#28
Posted 06 August 2005 - 12:44 PM
Do not do the following in safe mode.
Boot to command prompt:
(Press “F8” on boot to get the start menu and select “Command Prompt Only”.)
Let's rename, rather than delete the infected file.
Type in:
ren C:\windows\system\wininet.dll wininet.old
copy c:\windows\desktop\wininet.dll c:\windows\system
del c:\windows\system\oleext.dll
Hit enter. Reboot and tell me how it is going.
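The rename-rather-than-delete procedure the helper gives in posts #19 and #28 (quarantine the suspect wininet.dll as wininet.old, copy the clean one in from the desktop, and make sure a wininet.dll is actually present before rebooting) is written out below as an added example. It is not code from the original thread, and it is a Python script rather than something typed into the Windows 98 command prompt: it exercises the same steps in a throwaway directory standing in for C:\WINDOWS\SYSTEM and the desktop, so it runs on any OS. The file contents and the hash check are constructed for the demo; real work would use a hash from a known-good copy of the DLL.

```python
"""Quarantine a suspect system DLL by renaming it, then install a clean copy.

Added example, not part of the original thread. Mirrors the helper's steps:
rename (don't delete) the suspect file, copy the clean copy in, refuse to
finish in a state where the DLL is missing or does not match the clean copy.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def replace_with_clean_copy(system_dir: Path, clean_copy: Path,
                            name: str = "wininet.dll",
                            expected_sha256: Optional[str] = None) -> dict:
    """Rename system_dir/name to .old, copy clean_copy in, verify the result.

    Renaming keeps the sample for analysis (the Jotti upload step) and allows a
    rollback. If expected_sha256 is given, the clean copy must match it before
    anything on the system is touched.
    """
    suspect = system_dir / name
    quarantined = suspect.with_suffix(".old")   # wininet.dll -> wininet.old
    if not clean_copy.is_file():
        raise FileNotFoundError(f"clean copy not found: {clean_copy}")
    clean_hash = sha256_of(clean_copy)
    if expected_sha256 is not None and clean_hash != expected_sha256:
        raise ValueError("clean copy does not match the expected hash; not installing it")
    if quarantined.exists():
        raise FileExistsError(f"refusing to overwrite earlier quarantine {quarantined}")
    if suspect.exists():
        suspect.rename(quarantined)
    shutil.copy2(clean_copy, suspect)
    # The "make absolutely sure there is a wininet.dll before you reboot" rule.
    if not suspect.is_file() or sha256_of(suspect) != clean_hash:
        raise RuntimeError("installed file missing or does not match clean copy; do not reboot")
    return {"quarantined": str(quarantined) if quarantined.exists() else None,
            "installed": str(suspect), "sha256": clean_hash}


def run_demo() -> dict:
    """Run the procedure against a constructed WINDOWS\\SYSTEM and DESKTOP layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "WINDOWS" / "SYSTEM"
        desktop = root / "WINDOWS" / "DESKTOP"
        system_dir.mkdir(parents=True)
        desktop.mkdir(parents=True)
        # Constructed stand-ins; the real files are PE binaries.
        (system_dir / "wininet.dll").write_bytes(b"SUSPECT-WININET")
        (desktop / "wininet.dll").write_bytes(b"CLEAN-WININET")
        good_hash = sha256_of(desktop / "wininet.dll")

        # A clean copy with the wrong hash must be refused before anything is touched.
        refused = False
        try:
            replace_with_clean_copy(system_dir, desktop / "wininet.dll",
                                    expected_sha256="0" * 64)
        except ValueError:
            refused = True
        untouched = (system_dir / "wininet.dll").read_bytes() == b"SUSPECT-WININET"

        result = replace_with_clean_copy(system_dir, desktop / "wininet.dll",
                                         expected_sha256=good_hash)
        return {
            "refused_bad_hash": refused,
            "untouched_after_refusal": untouched,
            "quarantined_kept_suspect":
                (system_dir / "wininet.old").read_bytes() == b"SUSPECT-WININET",
            "installed_is_clean":
                (system_dir / "wininet.dll").read_bytes() == b"CLEAN-WININET",
            "installed_hash_matches": result["sha256"] == good_hash,
        }


if __name__ == "__main__":
    print(run_demo())
```

The two points the thread keeps coming back to are built in as hard failures: a clean copy that does not match its expected hash is rejected before the suspect file is moved, and the function will not return normally unless the installed DLL is present and byte-identical to the clean copy.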
#29
Posted 07 August 2005 - 07:23 AM
Thanks so much for your time and effort. I could go on and on about what an honorable service you guys provide to your fellow man
#30
Posted 07 August 2005 - 12:21 PM
http://www.onecomput...hell_icon_cache
I thought Kelly's Korner would work, but I think that's just for XP. Let me do some more searching and see.