w32\desktophijack

#16 POADB (Visiting Staff)

OK - here we go, further scans to dig deeper..

Download StartDreck http://www.greyknigh.../StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Can you also get a screen shot of what Norton reports?

#17 ydnar522000 (Topic Starter)

One other thing, I also have an icon in most of my files that is named Thumbs.db. It doesn't look the same as the rest. More like a shadow, and when I delete it, it comes right back.

The Norton alert reads:

VIRUS ALERT
HIGH RISK
OBJECT NAME  C:\WINDOWS\SYSTEM32\WINNET.DLL
VIRUS NAME   W32.DESKTOPHIJACK
ACTION TAKEN UNABLE TO REPAIR FILE

StartDreck (build 2.1.7 public stable) - 2005-10-12 @ 15:47:10 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as randy at RANDY-WT5GMX510

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\mnyexpr.exe"
*Yahoo! Pager=C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
*LDM=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
*LogitechSoftwareUpdate="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
*IncrediMail=C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
»RunOnce
»Default User
»Run
»RunOnce
*RunNarrator=Narrator.exe
»Local Machine
»Run
*USBDetector=C:\USBStorage\USBDetector.exe
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
*LogitechVideoRepair=C:\Program Files\Logitech\Video\ISStart.exe
*LogitechVideoTray=C:\Program Files\Logitech\Video\LogiTray.exe
*IntelliType="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /s
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*YUber.UberButton.1/{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
`InprocServer32=C:\Program Files\Yahoo!\Common\yiesrvc.dll
*YIeTagBm.YahooTaggedBM.1/{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
`InprocServer32=C:\Program Files\Yahoo!\Common\YIeTagBm.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\randy\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\Documents and Settings\LocalService\Start Menu\Programs\Startup\updtpcps.bat
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\System32\drivers\etc\hosts
»System/Drivers
»Application specific

Edited by ydnar522000, 12 October 2005 - 02:30 PM.

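Added example, not from the thread: a small Python triage script for the StartDreck log format posted above. It parses the » section headings, + subkeys and the * / ` value lines, then flags two things a helper would check first in such a log: file-association handlers that differ from the stock "%1" %* form, and autostart items launched from user-writable profile or temp folders. The sample log inside it is constructed, not the one posted here.

```python
# Triage helper for the StartDreck log format posted in this thread (»heading,
# +subkey, *name=value, `name= [missing]).  Added example, not from the original
# post; the sample log at the bottom is constructed, not the user's data.
import re
# Stock XP handlers for the risky extensions, as they appear in the posted log.
EXPECTED_ASSOC = {
    "batfile": '"%1" %*', "comfile": '"%1" %*', "exefile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /s', "regfile": 'regedit.exe "%1"',
}
# Autostart items living in user-writable profile/temp folders get a second look.
REVIEW_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\")
PATH_RE = re.compile(
    r'"?([a-z]:\\.*?\.(?:exe|bat|cmd|com|pif|scr|vbs|vbe|js|jse|wsf|dll))\b', re.I)

def parse_startdreck(log):
    """Flatten the log into (heading, subkey, name, value) tuples."""
    heading, subkey, entries = "", "", []
    for line in filter(None, map(str.strip, log.splitlines())):
        mark, body = line[0], line[1:]
        if mark == "»":            # section heading, e.g. »Run, »Autostart Folders
            heading, subkey = body, ""
        elif mark == "+":          # subkey, e.g. +.exe under File Associations
            subkey = body
        elif mark in "*`":         # value line; ` marks an absent key or value
            name, _, value = body.partition("=")
            entries.append((heading, subkey, name, value.strip()))
    return entries

def review(entries):
    """Flag changed file-association handlers and autostarts from writable paths."""
    findings = []
    for heading, subkey, name, value in entries:
        if heading.startswith("File Associations"):
            expected = EXPECTED_ASSOC.get(name)
            if expected is not None and value != expected:
                findings.append(f"{subkey} handler changed: {name}={value}")
            continue
        m = PATH_RE.match(value or name)   # startup-folder lines carry the path as name
        if m and m.group(1).lower().startswith(REVIEW_PREFIXES):
            findings.append(f"autostart from user-writable path ({heading}): {m.group(1)}")
    return findings

# Constructed sample in the posted log's layout: a hijacked .exe handler and two
# autostarts from profile folders alongside normal entries.
SAMPLE_LOG = r"""
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*updater=C:\Documents and Settings\user\Local Settings\Temp\svc.exe
»File Associations (CR)
+.exe
*exefile="C:\WINDOWS\System32\helper.exe" "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Default User
*C:\Documents and Settings\LocalService\Start Menu\Programs\Startup\run.bat
"""
```

Running `review(parse_startdreck(SAMPLE_LOG))` on the constructed sample returns three findings; the real log above has to be pasted in with its » markers intact for the parser to see the section headings.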

#18 POADB (Visiting Staff)

One other thing, I also have an icon in most of my files that is named Thumbs.db. It doesn't look the same as the rest. More like a shadow, and when I delete it, it comes right back.

The Norton alert reads:

VIRUS ALERT
HIGH RISK
OBJECT NAME  C:\WINDOWS\SYSTEM32\WINNET.DLL
VIRUS NAME   W32.DESKTOPHIJACK
ACTION TAKEN UNABLE TO REPAIR FILE

If you remember, I had to unhide hidden files. Those 'ghost' files you're referring to are normally hidden. You can't delete them.

It's time to run smitrem again. I assume you still have the file??

Refer back to my previous instructions on how and where to run it. The Norton virus alert suggests it's still active.

So - I'll need the log created by smitrem in your next post.

#19 ydnar522000 (Topic Starter)

Went back to previous file instructions. This is what I did.




REBOOT TO SAFE MODE
Restart the computer. The computer begins processing a set of instructions known as BIOS.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
Continue to do so until the 'Windows Advanced Options' menu appears.
Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options>View tab.
Enable the option for `Show hidden files and folder
Disable the option for `Hide file extensions for known types
Disable the option for `Hide protected operating system files
Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate and delete the following file(s), if present:
C:\Documents and Settings\randy\Start Menu\Programs\Hardware Seek.lnk
C:\WINDOWS\SYSTEM32\ptainfo2.ico
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.




This is the only text file I saw in the folder


Testing presence of HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD ---------


Deleting ShudderLTD ----------


Checking if HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD is still present ------

Deleting leftovers in registry ------

leftovers deleted!

#20 POADB (Visiting Staff)

You know - i think it may be this simple:

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Use Killbox with the settings we had before and paste in this file:

C:\WINDOWS\SYSTEM32\WINNET.DLL

In fact - are you sure you spelt the file found by Norton correctly?
Norton calls it DesktopHijack - but CastleCops calls it a CWS variant..

Try the above and reboot - tell me what happens.

Edited by POADB, 13 October 2005 - 02:23 PM.


#21 ydnar522000 (Topic Starter)

Back to the drawing board I guess.

CWShredder found no infections.

Pasted C:\WINDOWS\SYSTEM32\WINNET.DLL in killbox file path.
changed setup per instructions
but when asked to reboot and clicked yes got a reply:
Pending file Rename operations Registry Data has been Removed by External Process

As far as The Norton Alert:

It calls the object Name: C:\WINDOWS\SYSTEM32\WINNET.DLL
It calls the Virus Name: W32\DESKTOPHIJACK


What a pain :tazz: and thanks for stickin' with me. I'm a long way from a PC whiz.

Edited by ydnar522000, 13 October 2005 - 10:04 PM.


#22 POADB (Visiting Staff)

Hi > Sorry I was busy the beginning of the weekend. Let's try the above again.

  • C:\WINDOWS\SYSTEM32\WINNET.DLL
Select/Highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe
  • Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versions of Killbox
    Click the dropdown-arrow next to the "Full Path of File to Delete" field.
    Verify that the filenames you pasted are found in there.
  • Select/tick the following:
    • Replace on Reboot
    • Use Dummy
    • End Explorer Shell While Killing File
    • Unregister.dll Before Deleting * if it's not grayed out
  • Click the RED X button.
  • Click Yes at the 'Delete on Reboot' prompt.
  • Click Yes at the 'Pending Operations prompt'.
* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.


When you reboot - does Norton still give the message? Have you cleared Norton's Quarantine folder?

#23 POADB (Visiting Staff)

New Plan.

As I'm still convinced this is a smitfraud infection - I'm sure you mean Norton is detecting wininet as being infected. To make sure, please do the following.

(for some reason I think smitrem has somehow failed - a first for me)

Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\Windows\system32\wininet.dll

I also want you to upload:

C:\Windows\system32\winnet.dll

You can simply type in the full path (copy paste) - you don't have to browse your computer for the file.

I anticipate your results - this one's had both of us running circles for weeks now.

#24 ydnar522000 (Topic Starter)

You were right. Sorry!!!!
the object name is: C:\WINDOWS\SYSTEM32\WININET.DLL
But now the Virus name has Changed to: Trojan.Alemod
For weeks Norton has called it Desktophijack

Tried to run the Jotti's scan but got this reply:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

Don't know what to do about it??? I tried a few times.

#25 POADB (Visiting Staff)

Then we need to try one last time - as this is definitely smitfraud.

Download smitRem.exe and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

I know you've downloaded it already but I need you to download it again from this link.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  • Continue to do so until the 'Windows Advanced Options' menu appears.
  • Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

(C:\smitfiles.txt)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reboot back to Normal mode. Run Panda Online ActiveScan and in your next post please provide:

1. The Smitfiles.txt from the location specified.
2. The results from Panda.

Edited by POADB, 17 October 2005 - 01:15 AM.


#26 ydnar522000 (Topic Starter)

Had some problems with the smitRem download. Kept telling me incorrect file size and to download again. I think I got it. Had a text file. Also ran the Trojan killer and bloodhound fix. Panda scan found no infections.


smitRem log file
version 2.7

by noahdfear

The current date is: Mon 10/17/2005
The current time is: 18:47:58.96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


Panda ActiveScan report: No viruses or other malicious software have been found! Scan finished.

                  Detected  Disinfected
Virus                 0          0
Spyware               0          0
Hacking Tools         0          0
Dialers               0          0
Security Risks        0          0
Suspicious files      0          0

#27 POADB (Visiting Staff)

OK - so with all these clean results - your computer still performs badly? And your desktop is unchanged?

#28 ydnar522000 (Topic Starter)

Yep, still runs like crap. It takes a while to start up. Still get the Norton alert. Then after a short period of time it refreshes, at least I think that's what you would call it. Then once it does that I can't type, or if I click on a desktop icon it just shows me the properties but doesn't open. I can open it if I go to find target. Once it comes up, if I click File on the tool bar and hold down the mouse and drag to open, then it will open, but I still can't type. After it reaches that point I can't do much of anything. Not even Start. If I click on Start, it's just a quick flash on the screen and that's it. Then the PC has to be turned off at the server. When it reboots, it checks the files and restarts. Then it's right back to the same crap. Sometimes I can stay on for an hour before it does that and other times a few minutes. :tazz:

Edited by ydnar522000, 18 October 2005 - 07:18 PM.


#29 POADB (Visiting Staff)

New Tactic.

Go to C:\Windows\System32\dllcache (make sure you still have show hidden files enabled).

Can you see wininet.dll in there?

Go to C:\Windows\System32\wininet.dll and rename it to wininet.old

Go back to dllcache and copy wininet.dll from there in to C:\Windows\System32.

Does this make sense?

What we are doing is replacing the infected wininet.dll.

Delete wininet.old and reboot.

Let me know if this goes to plan.

#30 ydnar522000 (Topic Starter)

Understand what you're trying to do, but had some problems. Like I said before, I'm not a whiz at this. I'll explain what I did. Made sure show hidden files was enabled, went to C:\Windows\System32\dllcache, saw the Wininet.dll file, went to search and found the C:\Windows\System32\wininet.dll file, renamed it to wininet.old, that's when the problems started. Got an error that read:

Error Renaming File or Folder
Cannot Rename WININET. Access is Denied
Make sure the disk is not full or write-protected and that the file is not currently in use

Not sure what that means. Didn't have a disk in or other programs running.
LOST AGAIN. :tazz:

Edited by ydnar522000, 20 October 2005 - 10:34 AM.
