w32.Desktophijack [RESOLVED]


  • This topic is locked

#31
obnee

Here is the session log.



********
05:56 p.m.: |··· Start of Session, Martes, 04 de Octubre de 2005 ···|
05:56 p.m.: Spy Sweeper started
05:56 p.m.: Sweep initiated using definitions version 548
05:56 p.m.: Starting Memory Sweep
05:58 p.m.: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
05:58 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
05:59 p.m.: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK
05:59 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:00 p.m.: Warning: Failed to load image: C:\WINDOWS\PTSNOOP.EXE
06:00 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:01 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:01 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:02 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:02 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:04 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:05 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:05 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:06 p.m.: Warning: Failed to check file "C:\WINDOWS\SYSTEM\WININET.DLL". Cannot open file "C:\WINDOWS\SYSTEM\WININET.DLL". Acceso denegado
06:06 p.m.: Memory Sweep Complete, Elapsed Time: 00:10:20
06:06 p.m.: Starting Registry Sweep
06:07 p.m.: Found Adware: dialerplatform
06:07 p.m.: HKCR\bhomod.bhomodobj.1\ (3 subtraces) (ID = 125124)
06:07 p.m.: HKCR\bhomod.bhomodobj\ (5 subtraces) (ID = 125125)
06:07 p.m.: HKLM\software\classes\bhomod.bhomodobj.1\ (3 subtraces) (ID = 125136)
06:07 p.m.: HKLM\software\classes\bhomod.bhomodobj\ (5 subtraces) (ID = 125137)
06:07 p.m.: HKLM\software\classes\typelib\{09ca52b3-703c-4b17-9690-c13f736e3dcd}\ (9 subtraces) (ID = 125148)
06:07 p.m.: HKLM\software\ptssa\ (8 subtraces) (ID = 125166)
06:07 p.m.: HKCR\typelib\{09ca52b3-703c-4b17-9690-c13f736e3dcd}\ (9 subtraces) (ID = 125167)
06:09 p.m.: Found Adware: psguard
06:09 p.m.: HKCR\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 487711)
06:09 p.m.: Found Adware: psguard desktop hijacker
06:09 p.m.: HKLM\software\shudderltd\psguard\ || versioninfo (ID = 488001)
06:09 p.m.: HKLM\software\classes\clsid\{057e242f-2947-4e0a-8e61-a11345d97ea6}\ (ID = 488236)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || enablertmonitoring (ID = 514580)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || alwaysblockchanges (ID = 514581)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || alwaysblockwhennoav (ID = 514582)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || performupdate (ID = 514583)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || updateinterval (ID = 514584)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || installdir (ID = 514667)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || databasefile (ID = 514668)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || resourcedll (ID = 514669)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || scan_depth (ID = 514670)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || scan_priority (ID = 514671)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || quarantinelocation (ID = 514672)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || minonstartup (ID = 514673)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || scanonstartup (ID = 514674)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || startatwinstartup (ID = 514675)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || registrationurl (ID = 552239)
06:09 p.m.: HKLM\software\shudderltd\psguard\ || mguid (ID = 553569)
06:09 p.m.: HKLM\software\shudderltd\psguard\psguard\ || installationid (ID = 656376)
06:09 p.m.: Registry Sweep Complete, Elapsed Time:00:02:30
06:09 p.m.: Starting Cookie Sweep
06:09 p.m.: Found Spy Cookie: go.com cookie
06:09 p.m.: usurario@go[1].txt (ID = 2728)
06:09 p.m.: usurario@tv.disney.go[1].txt (ID = 2729)
06:09 p.m.: Found Spy Cookie: about cookie
06:09 p.m.: usurario@about[2].txt (ID = 2037)
06:09 p.m.: usurario@inventors.about[1].txt (ID = 2038)
06:09 p.m.: Cookie Sweep Complete, Elapsed Time: 00:00:02
06:09 p.m.: Starting File Sweep
06:09 p.m.: Warning: Failed to open file "c:\windows\win386.swp". El proceso no tiene acceso al archivo porque está siendo utilizado por otro proceso
06:11 p.m.: Warning: Failed to open file "c:\windows\system\wininet.dll". Acceso denegado
06:20 p.m.: Found Adware: winad
06:20 p.m.: c:\program files\media gateway (1 subtraces) (ID = -2147477127)
06:21 p.m.: File Sweep Complete, Elapsed Time: 00:11:41
06:21 p.m.: Full Sweep has completed. Elapsed time 00:24:35
06:21 p.m.: Traces Found: 75
06:29 p.m.: Removal process initiated
06:29 p.m.: Quarantining All Traces: dialerplatform
06:29 p.m.: Quarantining All Traces: psguard
06:29 p.m.: Quarantining All Traces: psguard desktop hijacker
06:29 p.m.: Quarantining All Traces: go.com cookie
06:29 p.m.: Quarantining All Traces: about cookie
06:29 p.m.: Quarantining All Traces: winad
06:29 p.m.: Removal process completed. Elapsed time 00:00:16
********
05:51 p.m.: |··· Start of Session, Martes, 04 de Octubre de 2005 ···|
05:51 p.m.: Spy Sweeper started
05:54 p.m.: Your spyware definitions have been updated.
05:56 p.m.: |··· End of Session, Martes, 04 de Octubre de 2005 ···|

Edited by obnee, 03 October 2005 - 05:29 PM.


#32
Buckeye_Sam
Let's see if we can get Windows to replace wininet.dll for us.

Click Start -> Programs -> Accessories -> System Tools -> System Information, and then click System File Checker on the Tools menu.
Select this option: Scan For Altered Files

Make sure you put in your Windows 98 disc.


Let me know how it goes.

#33
obnee
Well, there is a problem. You see, the disk I have is not the Windows 98 disk (or at least I don't think it is, as I bought my computer through a friend of mine).

What I have got is SystemBoard pc100, and I do not think this is it.

What should I do?

obnee

#34
Buckeye_Sam
Copy everything in the quote box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

#35
obnee
I did that (twice) and when the files.txt opened, it was empty! And the wininet said:
Too many parameters - h

#36
Buckeye_Sam
Hmmm...how about doing a manual search for wininet.dll
There is usually at least one other copy hiding somewhere. Let me know if you find one.



If, and only if, you don't find another copy, carefully follow this next step.

Go to this file.

C:\WINDOWS\System\wininet.dll

Right-click on it and select "Rename" and rename it to wininet.old

After renaming the file, Right-click an open space inside the system32 folder and choose "Refresh" - if another wininet.dll shows up in the system folder, let me know but do not reboot yet. You MUST make sure there is a wininet.dll inside the system32 folder before you reboot otherwise you will lose Internet Access, function of programs, and possible loss of Explorer!

If another wininet.dll does not show up in the system folder after refreshing please make sure that hidden files are showing and refresh again.

If it still doesn't show up, rename it back to wininet.dll and let me know.

#37
obnee
I found it in C:\WINDOWS\SYSTEM\wininet.dll
Now what should I do?

#38
Buckeye_Sam
That's the infected one. Can you find another copy anywhere else? You may have another one that is not infected.

If not, go ahead and proceed with the second part of my instructions.
Let me know how it goes.
  • 0
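
The search for a second copy of wininet.dll that posts #34 to #38 work toward, written out as an added example that is not part of the original thread. It assumes a machine with Python available; the helper names are hypothetical, and grouping copies by SHA-256 to tell differing copies apart is an assumption added here, not something the helpers in the thread used.

```python
# Added example: find every copy of a DLL under a root and group copies by content.
# Function names are illustrative; nothing here comes from the thread's tools.
import hashlib
import os
from collections import defaultdict


def sha256_of(path, chunk=65536):
    """Hash a file in chunks; return None if it cannot be read (locked or denied)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()


def find_copies(root, name="wininet.dll"):
    """Walk root and return {sha256 or None: [paths]} for files called name.

    os.walk also lists hidden and system files, and the name comparison is
    case-insensitive because Windows file names are.
    """
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for entry in files:
            if entry.lower() == name.lower():
                full = os.path.join(dirpath, entry)
                groups[sha256_of(full)].append(full)
    return dict(groups)


def candidates(groups, suspect_path):
    """Return readable copies whose content differs from the suspect copy."""
    suspect_hash = sha256_of(suspect_path)
    return sorted(
        path
        for digest, paths in groups.items()
        if digest is not None and digest != suspect_hash
        for path in paths
    )


if __name__ == "__main__":
    found = find_copies("C:\\")
    for digest, paths in found.items():
        print(digest or "unreadable", *paths, sep="\n  ")
```

A differing copy is only a candidate: it still has to be checked against a known-good source before it replaces the file in the system folder.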

#39
obnee

I followed the steps but the wininet.dll is already hidden so it didn't work.

#40
Buckeye_Sam
I'm not sure what you mean. Were you able to rename it?

#41
obnee
I went to System but wininet wasn't there. I opened System again with 'show all files' and there it was but when I tried to rename, it said it was being used by windows and couldn't be renamed.

#42
Buckeye_Sam
Let's try something new.

Please download the IE6 setup file and reinstall Internet Explorer.

http://www.microsoft...&displaylang=en


Then run smitrem again and post the log here in your next reply.

#43
obnee
Ok, I did that and a Wizard appeared on the desktop called: 'Connect to the Internet'.

This appears
Posted Image
But I'm afraid I might lose my Internet connection.


Plus on the tool bar another Internet appears.
Posted Image
Through which should I connect, or is it the same?

#44
Buckeye_Sam
You will need to be connected to the Internet when you run this setup file because it will download new files that you will need. Just make sure you are connected first and then click Cancel when you get to this screen.

#45
obnee
I'm really sorry for the delay. I've been very busy lately.


Anyways, here is the SmitRem log:




smitRem log file
version 2.5

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~






~~~~ wininet.dll ~~~~

wininet.dll Clean!! :tazz: