w32\desktophijack

#31 noahdfear (Malware Expert, MVP, 1,316 posts)
Hi ydnar522000,

Hope you don't mind me jumping in here. :tazz:

Please open the smitRem folder, right click and copy the replace.cmd file, then open My Computer>Local Disk C:, right click a blank space and select paste. Now copy the delfiles.cmd file and paste it in C: also. Reboot to safe mode and log onto your username. Open C: and double click replace.cmd to start it. When it completes (may happen very quickly), reboot back into normal mode. Open C:\smitfiles.txt, copy its contents and post it here.

Out of curiosity, when you previously ran the RunThis.bat file, did your desktop icons and taskbar disappear at any time while it was running? Did disk cleanup run when the tool completed? Does the user account you're using have administrative privileges, and when in safe mode, did you log on to your account or the administrator account?
  • 0


#32 POADB (Visiting Staff, 46 posts)
Hi ydnar522000

Understand please that smitRem has never failed for me before - so replacing an infected wininet.dll file is new to me too. I didn't think you would be able to replace the infected with the backup - but it was worth a shot, for my curiosity at least.

I've contacted noahdfear, the creator of smitRem, to see if he can understand what's failing. Please follow his above suggestions. I'm confident we can now turn this around.

Thanks.
  • 0

#33 ydnar522000 (Topic Starter, Member, 33 posts)
Hi Dave & POADB

Yes to all your questions. As far as the administrative privileges, I'm not sure what you mean. When I start up in safe mode, I always log on to my account, but there is a box for administrator. Also, for the first time in 6 or 8 weeks I'm NOT getting the Norton alert. I think you guys did it. I'll have to let it run for a while and see what happens.



smitRem log file
version 2.7

by noahdfear

The current date is: Sun 10/23/2005
The current time is: 12:59:51.17

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files
  • 0

#34 POADB (Visiting Staff, 46 posts)
Time to make sure:

Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\Windows\system32\wininet.dll

Can you log on to Administrator in Safe Mode?
  • 0

#35 ydnar522000 (Topic Starter, Member, 33 posts)
Well, I guess I spoke too soon. I'm no longer getting the Norton alert, but the PC's still running the same. As soon as I added the last reply, it wouldn't let me type anymore. Also, desktop icons stopped working again. It shows me the properties menu, but doesn't open. I can open them if I click on find target, but still can't type. As far as logging on to administrator in safe mode, I believe I can. If I check now it could take me hours to get back online again. I have to keep rebooting at server till Windows checks and fixes files. It's a long process and hit or miss. I did another Norton scan yesterday and had 1 infection that it claims to have fixed. Also did an Ad-aware scan that showed 11 infected cookies, which I deleted.


Jotti's malware scan 2.99-TRANSITION_TO_3.00

File: wininet.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4f64d1df989e3aa2fad91a2f1167b9c7
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

  • 0


#37 POADB (Visiting Staff, 46 posts)
More sniffing to do then...

Download rkfiles.zip - Unzip to a new folder

Download remv3.zip (look for the attachment) - Unzip to a new folder on the root drive C:

From the folder where you unzipped rkfiles to, double click rkfiles.bat
It will scan for awhile, so please be patient.
Wait until the DOS window closes.
Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved the remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.
  • 0
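The thread checks wininet.dll by uploading it to a multi-engine scanner and quoting its MD5, and post #37 warns that rkfiles.bat and rem.bat both write to C:\log.txt, so the first log is lost unless it is renamed first. The Python below is an added example written for this page, not a tool from the thread and not noahdfear's or POADB's code. It shows both habits on constructed data: hash a file with MD5 and SHA-256 and classify it against a known-good reference (treating an MD5-only match as unverified rather than clean), and rename each tool's fixed-path log before the next tool can overwrite it. All file names, reference hashes and tool outputs in it are constructed placeholders; no real wininet.dll hash appears beyond the one the thread quotes.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of the file at `path`, read in chunks
    so a large DLL is not loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify_hashes(md5, sha256, reference):
    """Compare computed digests with a reference dict {"md5": ..., "sha256": ...}
    taken from a known-good copy.  Returns 'match', 'md5-only' or 'mismatch'.
    'md5-only' flags a case where only the collision-prone MD5 agrees; treat
    that as unverified, not as clean."""
    md5_ok = md5.lower() == reference["md5"].lower()
    sha_ok = sha256.lower() == reference["sha256"].lower()
    if md5_ok and sha_ok:
        return "match"
    if md5_ok:
        return "md5-only"
    return "mismatch"


def check_against_reference(path, reference):
    """Hash the file at `path` and classify it against `reference`."""
    md5, sha256 = hash_file(path)
    return classify_hashes(md5, sha256, reference)


def preserve_log(log_path, tag):
    """Rename a tool's log.txt to log_<tag>.txt so the next tool, which writes
    to the same fixed path, cannot overwrite it.  Never clobbers an earlier
    saved copy either.  Returns the new path, or None if no log existed."""
    if not os.path.exists(log_path):
        return None
    base, ext = os.path.splitext(log_path)
    dest = f"{base}_{tag}{ext}"
    n = 1
    while os.path.exists(dest):
        dest = f"{base}_{tag}_{n}{ext}"
        n += 1
    shutil.move(log_path, dest)
    return dest


def run_tools_keeping_logs(workdir, tools):
    """Simulate running several tools that all write <workdir>/log.txt.
    `tools` maps a tool name to the text it would write (a constructed
    stand-in for rkfiles.bat and rem.bat).  Each log is saved under the
    tool's name before the next tool runs.  Returns {tool_name: saved_path}."""
    log_path = os.path.join(workdir, "log.txt")
    saved = {}
    for name, output in tools.items():
        with open(log_path, "w") as fh:  # the tool overwrites the fixed path
            fh.write(output)
        saved[name] = preserve_log(log_path, name)
    return saved


def demo():
    """Walk through both checks on constructed data in a temporary directory
    and return the observed results."""
    workdir = tempfile.mkdtemp(prefix="logdemo_")
    sample = os.path.join(workdir, "sample.dll")  # constructed stand-in file
    with open(sample, "wb") as fh:
        fh.write(b"constructed stand-in for a system DLL\n")
    good_md5, good_sha = hash_file(sample)
    reference = {"md5": good_md5, "sha256": good_sha}  # constructed reference
    clean = check_against_reference(sample, reference)
    with open(sample, "ab") as fh:  # simulate a modified DLL: one byte appended
        fh.write(b"\x00")
    tampered = check_against_reference(sample, reference)
    saved = run_tools_keeping_logs(workdir, {
        "rkfiles": "Files Found in system Folder............\n",
        "rem": "Files Found.................\n",
    })
    contents = {}
    for name, path in saved.items():
        with open(path) as fh:
            contents[name] = fh.read()
    shutil.rmtree(workdir)
    return {
        "clean": clean,
        "tampered": tampered,
        "saved": {name: os.path.basename(p) for name, p in saved.items()},
        "contents": contents,
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the clean copy report `match`, the modified copy report `mismatch`, and both tool logs survive as log_rkfiles.txt and log_rem.txt. With a real DLL, the reference hashes would come from a clean machine at the same service-pack level; a single MD5 from a web scanner is a starting point, not proof.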

#38 ydnar522000 (Topic Starter, Member, 33 posts)
OK, here's the results

Log1.txt

C:\Documents and Settings\randy\My Documents

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Log.txt

The batch is run from -- C:\Documents and Settings\randy

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is GATEWAY
Volume Serial Number is 1172-19D6

Directory of C:\WINDOWS\SYSTEM32

msi.dll
Finished
  • 0

#39 ydnar522000 (Topic Starter, Member, 33 posts)
OOPS!!! Did you guys forget about me?? Still problems with the desktop and can't type.
  • 0





