[ryomatic]

Hi everyone. I'm having all sorts of trouble ridding my system running Windows 98SE of the w32.desktophijack virus. McAfee's site said that Norton could clean the wininet.dll... it cannot. I've run through all the steps suggested on this site. I've ran adawareSE, TrojanHunter, SpyBotS&D, the online virusscan, Norton Antivirus, the WCD Shredder, and on and on. Also I have followed the directions posted by greyknight to try to rid my system of this virus (using SmiteREM)... but it has not worked.

A few things to note are that panda scan can identify some things that most cannot...but it has no option to remove them or fix them. Also, I've noticed that my norton real time scan always detects the wininet.dll infection whenever I run adaware... maybe something is going on here? Anyways... I will post my HJT log and see what you guys can come up with... I'm seriously thinking of throwing up the white flag and reformatting!

Thanks for any help.

-Ryan

[Advertisements]

Logfile of HijackThis v1.99.1
Scan saved at 12:13:50 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - D:\PROGRA~1\WINDOW~1\WINDOW~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServicesOnce: [CleanIEDAT] \xen\clean9xdat.bat
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: xenclean 9x.bat
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://learn.sdstate...12A/ScriptX.cab
O16 - DPF: {BD346F41-52BB-11D6-873F-0004AC28D799} (WebpHMeter.TechnologyBasedLabs) - http://learn.sdstate...abs/phmeter.cab
O16 - DPF: {D5277CD5-A7F1-11D6-8743-9162B7216474} (VSG1.TechnologyBasedLabs) - http://learn.sdstate...tr/cabs/VSG.CAB
O16 - DPF: {BD346EA1-52BB-11D6-873F-0004AC28D799} (MolecularGeometry.TechnologyBasedLabs) - http://learn.sdstate...cabs/molgeo.cab
O16 - DPF: {BD346E3F-52BB-11D6-873F-0004AC28D799} (LabTechniques.TechnologyBasedLabs) - http://learn.sdstate.../techniques.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BD34716B-52BB-11D6-873F-0004AC28D799} (SpecLab.TechnologyBasedLabs) - http://learn.sdstate...pectroscopy.cab
O16 - DPF: {9FD82800-52A6-11D6-873F-825E3BF38072} (GasLab.TechnologyBasedLabs) - http://learn.sdstate.../cabs/gases.cab
O16 - DPF: {C4712F16-5263-11D6-873F-995E98353173} (ThermChem.TechnologyBasedLabs) - http://learn.sdstate...mochemistry.cab
O16 - DPF: {C47130A4-5263-11D6-873F-995E98353173} (Chromat.TechnologyBasedLabs) - http://learn.sdstate...abs/chromat.cab
O16 - DPF: {C47131A2-5263-11D6-873F-995E98353173} (ColligProp.TechnologyBasedLabs) - http://learn.sdstate...eproperties.cab
O16 - DPF: {54D0BF3A-FA81-11D6-874A-F9F469F1D476} (EquilCon.TechnologyBasedLabs) - http://learn.sdstate...iumconstant.cab
O16 - DPF: {F49EEA0A-6E84-11D6-8740-98249CA57959} (Borax.TechnologyBasedLabs) - http://learn.sdstate.../cabs/borax.cab
O16 - DPF: {EA4E41D4-52BA-11D6-873F-0004AC28D799} (JobsLaw.TechnologyBasedLabs) - http://learn.sdstate...r/cabs/jobs.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {687589B8-1501-11D7-8685-E0D0A4FE9926} (ScientificObs.TechnologyBasedLabs) - http://learn.sdstate...bservations.CAB
O16 - DPF: {83420F81-0005-11D7-874A-AF75C5156375} (WeakAcid.TechnologyBasedLabs) - http://learn.sdstate...idTitration.CAB
O16 - DPF: {EA4E42EE-52BA-11D6-873F-0004AC28D799} (KspProject.TechnologyBasedLabs) - http://learn.sdstate...tr/cabs/Ksp.CAB
O16 - DPF: {C4712FE4-5263-11D6-873F-995E98353173} (Bromothymol.TechnologyBasedLabs) - http://learn.sdstate...Bromothymol.CAB
O16 - DPF: {77F2F812-0004-11D7-874A-AF75C5156375} (CopperLab.TechnologyBasedLabs) - http://learn.sdstate...erChemistry.CAB
O16 - DPF: {C471329D-5263-11D6-873F-995E98353173} (Electrochem.TechnologyBasedLabs) - http://learn.sdstate...rochemistry.CAB
O16 - DPF: {EA4E4258-52BA-11D6-873F-0004AC28D799} (KineticsLab.TechnologyBasedLabs) - http://learn.sdstate...bs/Kinetics.CAB
O16 - DPF: {74DA02DF-0005-11D7-874A-AF75C5156375} (Water.TechnologyBasedLabs) - http://learn.sdstate...ontaminants.CAB
O16 - DPF: {BD346F15-52BB-11D6-873F-0004AC28D799} (OrganicCompds.TechnologyBasedLabs) - http://learn.sdstate...abs/Organic.CAB
O16 - DPF: {261D269B-0005-11D7-874A-AF75C5156375} (RedoxTitrationLab.TechnologyBasedLabs) - http://learn.sdstate...oxTitration.CAB
O16 - DPF: {BD346FB4-52BB-11D6-873F-0004AC28D799} (Photosyn.TechnologyBasedLabs) - http://learn.sdstate...bs/Photosyn.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

[ryomatic]

Logfile of HijackThis v1.99.1
Scan saved at 12:13:50 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - D:\PROGRA~1\WINDOW~1\WINDOW~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "D:\PROGRAM FILES\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServicesOnce: [CleanIEDAT] \xen\clean9xdat.bat
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: xenclean 9x.bat
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://learn.sdstate...12A/ScriptX.cab
O16 - DPF: {BD346F41-52BB-11D6-873F-0004AC28D799} (WebpHMeter.TechnologyBasedLabs) - http://learn.sdstate...abs/phmeter.cab
O16 - DPF: {D5277CD5-A7F1-11D6-8743-9162B7216474} (VSG1.TechnologyBasedLabs) - http://learn.sdstate...tr/cabs/VSG.CAB
O16 - DPF: {BD346EA1-52BB-11D6-873F-0004AC28D799} (MolecularGeometry.TechnologyBasedLabs) - http://learn.sdstate...cabs/molgeo.cab
O16 - DPF: {BD346E3F-52BB-11D6-873F-0004AC28D799} (LabTechniques.TechnologyBasedLabs) - http://learn.sdstate.../techniques.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BD34716B-52BB-11D6-873F-0004AC28D799} (SpecLab.TechnologyBasedLabs) - http://learn.sdstate...pectroscopy.cab
O16 - DPF: {9FD82800-52A6-11D6-873F-825E3BF38072} (GasLab.TechnologyBasedLabs) - http://learn.sdstate.../cabs/gases.cab
O16 - DPF: {C4712F16-5263-11D6-873F-995E98353173} (ThermChem.TechnologyBasedLabs) - http://learn.sdstate...mochemistry.cab
O16 - DPF: {C47130A4-5263-11D6-873F-995E98353173} (Chromat.TechnologyBasedLabs) - http://learn.sdstate...abs/chromat.cab
O16 - DPF: {C47131A2-5263-11D6-873F-995E98353173} (ColligProp.TechnologyBasedLabs) - http://learn.sdstate...eproperties.cab
O16 - DPF: {54D0BF3A-FA81-11D6-874A-F9F469F1D476} (EquilCon.TechnologyBasedLabs) - http://learn.sdstate...iumconstant.cab
O16 - DPF: {F49EEA0A-6E84-11D6-8740-98249CA57959} (Borax.TechnologyBasedLabs) - http://learn.sdstate.../cabs/borax.cab
O16 - DPF: {EA4E41D4-52BA-11D6-873F-0004AC28D799} (JobsLaw.TechnologyBasedLabs) - http://learn.sdstate...r/cabs/jobs.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {687589B8-1501-11D7-8685-E0D0A4FE9926} (ScientificObs.TechnologyBasedLabs) - http://learn.sdstate...bservations.CAB
O16 - DPF: {83420F81-0005-11D7-874A-AF75C5156375} (WeakAcid.TechnologyBasedLabs) - http://learn.sdstate...idTitration.CAB
O16 - DPF: {EA4E42EE-52BA-11D6-873F-0004AC28D799} (KspProject.TechnologyBasedLabs) - http://learn.sdstate...tr/cabs/Ksp.CAB
O16 - DPF: {C4712FE4-5263-11D6-873F-995E98353173} (Bromothymol.TechnologyBasedLabs) - http://learn.sdstate...Bromothymol.CAB
O16 - DPF: {77F2F812-0004-11D7-874A-AF75C5156375} (CopperLab.TechnologyBasedLabs) - http://learn.sdstate...erChemistry.CAB
O16 - DPF: {C471329D-5263-11D6-873F-995E98353173} (Electrochem.TechnologyBasedLabs) - http://learn.sdstate...rochemistry.CAB
O16 - DPF: {EA4E4258-52BA-11D6-873F-0004AC28D799} (KineticsLab.TechnologyBasedLabs) - http://learn.sdstate...bs/Kinetics.CAB
O16 - DPF: {74DA02DF-0005-11D7-874A-AF75C5156375} (Water.TechnologyBasedLabs) - http://learn.sdstate...ontaminants.CAB
O16 - DPF: {BD346F15-52BB-11D6-873F-0004AC28D799} (OrganicCompds.TechnologyBasedLabs) - http://learn.sdstate...abs/Organic.CAB
O16 - DPF: {261D269B-0005-11D7-874A-AF75C5156375} (RedoxTitrationLab.TechnologyBasedLabs) - http://learn.sdstate...oxTitration.CAB
O16 - DPF: {BD346FB4-52BB-11D6-873F-0004AC28D799} (Photosyn.TechnologyBasedLabs) - http://learn.sdstate...bs/Photosyn.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

[ryomatic]

Take a look at this event logged in my internet history... do you think this has something to do with the virus? I noticed this right after I had rebooted and checked my e-mail.

http://64.4.61.250/c...d990bf6548fab1e

[ryomatic]

Well either the virus or myself ruined my computers chances of being fixed... I tried to replace my wininet.dll in dos and somehow managed to delete some important start up files... I'm getting a new computer anyways... so don't worry about this anymore! Thanks if anyone spent any time to try to help me, I appreciate it... If anyone would suggest to me some nice hardware for a new computer I'd appreciate it... I'm kind of behind on all the new equipment and such...but I have like 1500$ to spend and I want to build my own... I know I want a 64-bit processor (AMD) and a nice video card... already have a moniter and speakers. So any suggestions would be nice... thanks!

-Ryan

[ryomatic]

ok... since noone has replied to any of my posts... I feel lonely and sad. But that's ok cuz I got help purchasing my computer. I'm going to have a dual core 3400 AMD processor with a nvidia 6800 video card. Everything looks good I'm going to order it today!