Geeks to Go forums
PSGuard, I could use a second opinion



#1
Kallale
New Member, 9 posts
I followed the instructions in the "You must read this before posting..." thread.

I let my painter use my computer and he managed to get PSGuard installed on it. After running adaware, spybot, etc., I had to rename the only file they could not fix because it was in use by the system, even on reboot in safe mode. It was called oleext.dll; I renamed it to oleext.bku via safe mode DOS. I didn't delete it because it was in the windows\system folder and I wasn't sure if it was crucial. PSGuard removed tabs in my display properties dialog box. I have those back now, and my system is completely free of spyware as far as I know.

However, when I select 32-bit color in my display properties it still displays the 16-bit color bar. My system displays 32-bit color; it's just the display properties dialog box that is funky. Even after restart the color bar on the display properties dialog box still only shows the 16-bit color spectrum. I've tried uninstalling my monitor, video card, and their drivers, but nothing seems to get the 32-bit color bar working again. The only thing I haven't tried is physically removing the card when I uninstall it, and/or reinstalling DirectX. I don't know that it would help any, so I just thought I would ask here. I'm running Win 98 SE, and I have an Asus V8460 GeForce 4 Ti with the latest Win 98 SE drivers. It may be no big deal, but I thought I would ask. After looking at the HJT file I realize maybe I'm not as clean as I hoped.

Thank you a bunch in advance for taking a look. :tazz:

Mike Yurich


Logfile of HijackThis v1.99.1
Scan saved at 9:50:00 PM, on 8/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ANVSHELL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [asustweakenable] C:\PROGRAM FILES\ASUS\TWEAKING UTILITIES\ATWEAK.EXE /start
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://netropolis.lineone.net
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.co...date/EARTPX.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.co...yScapeTeleX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
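The HijackThis log above is the kind of thing a helper reads by eye: which O4 autostart entries point at a bare filename rather than a full path (so the real binary has to be located before it can be checked), which sites were added to the IE Trusted Zone (O15), and which ActiveX controls (O16) were downloaded from where. The script below is an added example of doing that triage programmatically; it is not code from this thread, from HijackThis or from Geeks to Go. It assumes the line shapes seen in the posted log, uses a caller-supplied list of already-vetted hosts (the `pcpitstop.com` entry in the test is only an illustration), and treats forum-shortened URLs containing `...` as unverifiable rather than matching them. The sample lines are copied from the log in this post.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL",
    r"O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe",
    r"O4 - HKLM\..\Run: [anvshell] anvshell.exe",
    r"O4 - HKLM\..\Run: [LiveNote] livenote.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup",
    r"O15 - Trusted Zone: http://netropolis.lineone.net",
    r"O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204",
])

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis line type, e.g. "O4"
    reason: str  # short tag for the check that fired
    detail: str  # what the helper should look at


def split_command(cmd: str) -> list:
    """Split a Run-key command line into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def target_of(cmd: str) -> str:
    """File the entry really loads: the DLL argument for rundll32, else the first token."""
    tokens = split_command(cmd)
    if not tokens:
        return ""
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def is_bare(path: str) -> bool:
    """True when the path has no directory, so Windows resolves it via the search path."""
    return "\\" not in path and not re.match(r"^[A-Za-z]:", path)


def triage(log_text: str, vetted_hosts: frozenset = frozenset()) -> list:
    """Run the three checks over a log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4 and is_bare(target_of(o4.group("cmd"))):
                findings.append(Finding("O4", "bare-path-autostart",
                    f"[{o4.group('name')}] runs {target_of(o4.group('cmd'))!r} without a "
                    "directory; locate the file on disk and verify it before trusting it"))
        elif code == "O15" and body.startswith("Trusted Zone: "):
            findings.append(Finding("O15", "trusted-zone", body[len("Trusted Zone: "):]))
        elif code == "O16":
            o16 = O16_RE.match(body)
            if not o16:
                continue
            url = o16.group("url")
            host = urlsplit(url).hostname or ""
            if "..." in url:
                # Forum software shortened the URL; the host cannot be checked from this copy.
                findings.append(Finding("O16", "truncated-url",
                    f"{o16.group('desc')}: {url} (display-shortened; need the full log)"))
            elif not any(host == h or host.endswith("." + h) for h in vetted_hosts):
                findings.append(Finding("O16", "unvetted-activex-host",
                    f"{o16.group('desc')} from {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, frozenset({"pcpitstop.com"})):
        print(f"{f.code:4} {f.reason:24} {f.detail}")
```

Running it on the sample flags `anvshell.exe` and `livenote.exe` (bare names under HKLM\..\Run), the Trusted Zone entry, and the shortened Microsoft URL; `taskmon.exe` and the rundll32 entry pass because they carry full paths. A bare name is not evidence of malware, only a prompt to find the file and check it, which is why the finding says "verify" rather than "remove".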

#2
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

Reboot back into Windows and let us know if any problems persist.

Regards,

#3
Kallale (Topic Starter)
New Member, 9 posts
Ok, ran smitRem. Found that wininet.dll was infected. Instructed me to run Panda Active Scan, which I did. It found a few viruses and some spyware. The viruses are cleaned now, except that Panda has somehow perma-deleted my wininet.dll file. I used Mozilla to DL the file from a web site since IE explorer was not working anymore. I put wininet.dll in my system folder and everything seems to work fine. When I reboot, however, I get the message that Windows could not load a program, wininet.dll was not found. IE explorer and Real Rhapsody do not work at this point. But as soon as I put wininet.dll into my windows/system folder they both seem to work just fine. Upon reboot... wininet.dll is removed even after I check it as read only. Panda scan is coming up clean except for some spyware. I will post that report here as well. I apologize I didn't think to save the original Panda report.

*********************************************************
SmitRem Logfile
*********************************************************

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


msmsgs.exe
ole32vbs.exe
msole32.exe


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :tazz:



***************************************************
Panda Active Scan Logfile
***************************************************


Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIH.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF

#4
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
Paste these instructions into notepad for use in safe mode

Reboot into Safe Mode.

Once in Safe Mode, go to Start > Run and type:

command

Click OK.

Please copy the following line and paste it into the black window:

CD C:\Windows\system

Hit enter.

It will go to the next line, then copy this line and paste it in:

rename wininet.dll wininet.old

Hit enter.

Type exit and hit enter.

Now try copying the one you downloaded into the system folder - once it's been copied into the system folder reboot into normal mode.

Regards,

#5
Kallale (Topic Starter)
New Member, 9 posts
I rebooted into safe mode (at this point I had wininet.dll in my system folder) and typed the commands. It said that the file was in use. I rebooted and, of course, wininet.dll was deleted. So I did not copy it back into my system folder. I rebooted back into safe mode and tried the commands again. File not found.

Every time I copy wininet.dll into my windows\system folder it gets deleted upon reboot into normal mode, but not on reboot into safe mode. I'm using the wininet.dll file that I got from this site: http://www.dll-files...s.shtml?wininet

I found the wininet.dll file that is on my win98se CD but it appears to be a much older version and I hesitate to use it.

#6
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
Use the one from your CD. You can better have an old one than one that gets deleted all the time. :tazz:
It will not affect the functionality of your computer and we can update it to the latest version later on.

Let me know.

#7
Kallale (Topic Starter)
New Member, 9 posts
I used the old wininet.dll file from the win98se installation CD. Even it gets deleted upon rebooting. Before posting here I ran all the proggies from the "read this before posting your HJT file" thread. One or two of them had options to immunize my PC against some spyware/virus infections and I ran them. Any chance that the "immunization" is deleting the file? Or did the smitRem proggy do something to cause wininet.dll to be deleted every time I restart? It has to be happening as the computer starts up again because it does not get deleted when I reboot into safe mode. But it is definitely in use in safe mode.

#8
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
Let me ask the person that wrote the smitREM program.
Maybe he has an idea what's going on.

Regards,

#9
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
I got an answer from noahdfear :tazz:

Apparently Panda made some changes to autoexec.bat that need to be undone.

Can you find your autoexec.bat, right-click it and open it in Notepad.
Then post the content of the file.

Regards,

#10
Kallale (Topic Starter)
New Member, 9 posts
My Autoexec.bat file:

attrib -s -h -r C:\WINDOWS\SYSTEM\WININET.DLL
del C:\WINDOWS\SYSTEM\WININET.DLL
attrib -s -h -r C:\WINDOWS\SYSTEM\WININET.DLL
del C:\WINDOWS\SYSTEM\WININET.DLL


Well, I'll just go ahead and delete it since it's obviously the problem and there are no other commands in there. Let me know if I shouldn't for some reason.
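The autoexec.bat posted above explains the whole symptom: Windows 9x processes autoexec.bat on a normal boot but skips it in Safe Mode, so a `del` placed there removes wininet.dll on every normal start and leaves it alone in Safe Mode, and the preceding `attrib -s -h -r` is what makes the `del` succeed, since DOS refuses to delete a read-only file. The script below is an added example of auditing such a startup script for leftover destructive commands; it is not code from this thread, from smitRem, from Panda, or from any other tool named here. It assumes plain DOS batch syntax (`del`/`erase`/`deltree`/`ren`, `attrib`, `rem` comments), uses `C:\WINDOWS` as the only protected root unless told otherwise, and pairs each deletion with the most recent `attrib` line that cleared bits on the same path. `SAMPLE_AUTOEXEC` is the script the poster found; `CLEAN_AUTOEXEC` is a constructed benign one for comparison.

```python
"""Audit a DOS-era autoexec.bat for commands that alter files on every boot
(added example; not code from the thread or from any tool it names)."""
import re
from dataclasses import dataclass
from typing import Optional

# The autoexec.bat the poster found (copied from the thread).
SAMPLE_AUTOEXEC = "\n".join([
    r"attrib -s -h -r C:\WINDOWS\SYSTEM\WININET.DLL",
    r"del C:\WINDOWS\SYSTEM\WININET.DLL",
    r"attrib -s -h -r C:\WINDOWS\SYSTEM\WININET.DLL",
    r"del C:\WINDOWS\SYSTEM\WININET.DLL",
])

# Constructed benign script (not from the thread) to show a clean result.
CLEAN_AUTOEXEC = "\n".join([
    "@ECHO OFF",
    r"PATH C:\WINDOWS;C:\WINDOWS\COMMAND",
    r"SET TEMP=C:\WINDOWS\TEMP",
    "REM nothing destructive here",
])

# Batch verbs that remove or rename files, with a human description.
VERBS = {
    "del": "deletes", "erase": "deletes", "deltree": "recursively deletes",
    "ren": "renames", "rename": "renames",
}


@dataclass(frozen=True)
class BootAction:
    line_no: int                 # 1-based line in the script
    verb: str                    # lower-cased batch verb
    path: str                    # first non-switch argument, upper-cased (FAT is case-insensitive)
    in_system_dir: bool          # target lies under one of the protected roots
    attrib_line: Optional[int]   # earlier attrib line that cleared S/H/R bits on this path


def tokens(args: str) -> list:
    """Tokenize arguments, keeping quoted paths whole."""
    return re.findall(r'"[^"]*"|\S+', args)


def first_path(args: str) -> str:
    """First argument that is not a /switch, unquoted and upper-cased."""
    for tok in tokens(args):
        if not tok.startswith("/"):
            return tok.strip('"').upper()
    return ""


def attrib_target(args: str) -> str:
    """For 'attrib -s -h -r PATH' return PATH when at least one bit is cleared, else ''."""
    clearing, path = False, ""
    for tok in tokens(args):
        if re.fullmatch(r"[+-][shra]", tok, re.I):
            clearing = clearing or tok.startswith("-")
        elif not tok.startswith("/") and not path:
            path = tok.strip('"').upper()
    return path if clearing else ""


def audit_autoexec(text: str, system_roots=(r"C:\WINDOWS",)) -> list:
    """Return every file-altering command in script order, with its attrib pairing."""
    stripped = {}   # upper-cased path -> line number of the attrib that cleared its bits
    actions = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@").strip()
        if not line or line.lower().startswith("rem") or line.startswith("::"):
            continue
        verb, _, args = line.partition(" ")
        verb = verb.lower()
        if verb == "attrib":
            target = attrib_target(args)
            if target:
                stripped[target] = n
        elif verb in VERBS:
            path = first_path(args)
            in_sys = any(path == r.upper() or path.startswith(r.upper() + "\\")
                         for r in system_roots)
            actions.append(BootAction(n, verb, path, in_sys, stripped.get(path)))
    return actions


def describe(action: BootAction) -> str:
    """One-line human summary of a finding."""
    where = "inside a protected directory" if action.in_system_dir else "outside protected directories"
    prep = (f"; attributes cleared on line {action.attrib_line} first"
            if action.attrib_line else "")
    return f"line {action.line_no}: {VERBS[action.verb]} {action.path} {where}{prep}"


if __name__ == "__main__":
    for a in audit_autoexec(SAMPLE_AUTOEXEC):
        print(describe(a))
    print("clean script findings:", audit_autoexec(CLEAN_AUTOEXEC))
```

On the posted script this reports two deletions of `C:\WINDOWS\SYSTEM\WININET.DLL` inside the protected tree, each prepared by the `attrib` line just before it; the constructed clean script yields nothing. The same check is worth running on any boot-time script a cleanup tool touched, since a one-shot removal that was meant to run once keeps running until the line is removed.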

#11
Kallale (Topic Starter)
New Member, 9 posts
I deleted the file and my wininet.dll file no longer gets deleted upon reboot. Where can I find the latest version?

The only kink is that my color bar and icons in the display properties dialog box are still displaying in 256 color. Everything else seems to run fine so far. I'll run adaware, etc. again to be sure I'm clean.

#12
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
The latest version of wininet.dll is the one that comes with IE SP2.
You can't get that package since it won't work for you. (The wininet.dll by itself is no problem by the way, so if you have a friend with XP SP2, you can copy his.)
I'd send you mine, but it's in the wrong language. :tazz:

But the one you got from dll-files.com should be fine.

Regards,

#13
Kallale (Topic Starter)
New Member, 9 posts
Ok so adaware and spybot aren't finding these files that Panda says are spyware. Do they need to be removed?

Incident Status Location
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIH.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF

#14
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts
There is no loss (or gain) in removing those .ini files.

You don't need them anymore so it's good riddance, but they are harmless by themselves, which is probably why the other scanners don't warn you about them.

Regards,

#15
Kallale (Topic Starter)
New Member, 9 posts
Ok thanks a bunch you guys are the [bleep]. :tazz: