Hijack/ Virus help needed- HijackThis log [RESOLVED]


#46 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Shoot...knew I forgot something there. I edited my reply along with another minor thing which is corrected now.
  • 0

#47 tlcfromtn (Topic Starter, Member, 69 posts)
I am having a problem getting this http://www3.ca.com/s...sinfo/scan.aspx to download. Here is what it shows:

Starting signature update. Please wait ...
Connecting to FTP server: connected.
Updating vet.dat (2514k): failed to create file.
Updating vet.da1 (1539k): succeeded.
Updating arclib.dll (198k): succeeded.

It just does nothing after that. I waited well over 1/2 hour. I even tried it again and nothing happens.
  • 0

#48 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I see one more that doesn't seem to be removed by SpySweeper. You may delete the Quarantines if you wish...but run the scan again to make sure nothing else is found now.

Then I want you to run the fix I gave you recently above. Saw something else so let's see if this program can weed it out :tazz:
  • 0

#49 tlcfromtn (Topic Starter, Member, 69 posts)
I hope I did this right. I ran Spysweeper and deleted the quarantined files (Trojan Horse: trojan-downloader-ruin, psguard and psguard desktop hijacker). I downloaded http://www3.ca.com/s...sinfo/scan.aspx again and it worked. I have that folder on my desktop but I couldn't find it in the dropdown list, so I ran the scan on My Computer and it said no viruses found. What do I do next?
  • 0

#50 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Back up the wininet.dll file to a floppy or CD...I don't want it to be deleted by mistake (Panda might find it and eradicate the file...). So back it up to a floppy/CD now.

Then continue on with the rest of the instructions and post back the logs when done.
  • 0

#51 tlcfromtn (Topic Starter, Member, 69 posts)
AdAware scan: I quarantined and deleted everything.
ArchiveData(auto-quarantine- 2005-11-17 12-42-30.bckp)
Referencefile : SE1R74 09.11.2005
======================================================

MALWARE.PSGUARD
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : interface\{0baca3c1-f734-4a5f-970a-15dbf7d3c09c}
obj[1]=RegValue : interface\{0baca3c1-f734-4a5f-970a-15dbf7d3c09c} ""
obj[2]=Regkey : interface\{0d4385df-f78a-4264-a32c-7dd4a72de539}
obj[3]=RegValue : interface\{0d4385df-f78a-4264-a32c-7dd4a72de539} ""
obj[4]=Regkey : interface\{19a0b5c9-65fe-4d3b-8bdd-efb7fe553c58}
obj[5]=RegValue : interface\{19a0b5c9-65fe-4d3b-8bdd-efb7fe553c58} ""
obj[6]=Regkey : interface\{19c99256-d011-47e2-bc64-6322096e20a5}
obj[7]=RegValue : interface\{19c99256-d011-47e2-bc64-6322096e20a5} ""
obj[8]=Regkey : interface\{2871b7af-2d4c-478f-be89-881881c272ab}
obj[9]=RegValue : interface\{2871b7af-2d4c-478f-be89-881881c272ab} ""
obj[10]=Regkey : interface\{2b94cdfd-4a45-4b08-b105-54c709d07b28}
obj[11]=RegValue : interface\{2b94cdfd-4a45-4b08-b105-54c709d07b28} ""
obj[12]=Regkey : interface\{2c354a9b-a5df-41a3-bf40-2d72feac14d3}
obj[13]=RegValue : interface\{2c354a9b-a5df-41a3-bf40-2d72feac14d3} ""
obj[14]=Regkey : interface\{2c797aa0-978c-4ac2-bbb4-f89d410b614e}
obj[15]=RegValue : interface\{2c797aa0-978c-4ac2-bbb4-f89d410b614e} ""
obj[16]=Regkey : interface\{54007809-0689-4a40-9d8f-94c79d87d931}
obj[17]=RegValue : interface\{54007809-0689-4a40-9d8f-94c79d87d931} ""
obj[18]=Regkey : interface\{557c3787-d066-496e-8caf-ba47da7365c1}
obj[19]=RegValue : interface\{557c3787-d066-496e-8caf-ba47da7365c1} ""
obj[20]=Regkey : interface\{5c083b7e-a083-4b20-a7ad-7c8e29085494}
obj[21]=RegValue : interface\{5c083b7e-a083-4b20-a7ad-7c8e29085494} ""
obj[22]=Regkey : interface\{649d371e-d3e3-4fc0-ac82-e91f73d8e79e}
obj[23]=RegValue : interface\{649d371e-d3e3-4fc0-ac82-e91f73d8e79e} ""
obj[24]=Regkey : interface\{655980f1-13d5-4da2-9e80-aa56c36876cb}
obj[25]=RegValue : interface\{655980f1-13d5-4da2-9e80-aa56c36876cb} ""
obj[26]=Regkey : interface\{6af126a9-b07a-4de4-883e-28d3eccd75d8}
obj[27]=RegValue : interface\{6af126a9-b07a-4de4-883e-28d3eccd75d8} ""
obj[28]=Regkey : interface\{6b436bdd-8b8b-4a1f-add5-e67b30c8f7dd}
obj[29]=RegValue : interface\{6b436bdd-8b8b-4a1f-add5-e67b30c8f7dd} ""
obj[30]=Regkey : interface\{71bf80fd-7e91-4730-b6e8-8f3e81f5c38b}
obj[31]=RegValue : interface\{71bf80fd-7e91-4730-b6e8-8f3e81f5c38b} ""
obj[32]=Regkey : interface\{81723c8c-918f-4456-b7e8-a68cf7a10c6d}
obj[33]=RegValue : interface\{81723c8c-918f-4456-b7e8-a68cf7a10c6d} ""
obj[34]=Regkey : interface\{82a10659-a1e5-4732-a839-c910d955c88b}
obj[35]=RegValue : interface\{82a10659-a1e5-4732-a839-c910d955c88b} ""
obj[36]=Regkey : interface\{84844b27-0d53-4c71-ab24-0151b33ab02f}
obj[37]=RegValue : interface\{84844b27-0d53-4c71-ab24-0151b33ab02f} ""
obj[38]=Regkey : interface\{a8bcf2b9-ed19-4637-ac77-bf59f131fa1f}
obj[39]=RegValue : interface\{a8bcf2b9-ed19-4637-ac77-bf59f131fa1f} ""
obj[40]=Regkey : interface\{a9a73a66-b0e0-4ffb-828f-3a55e1fa4271}
obj[41]=RegValue : interface\{a9a73a66-b0e0-4ffb-828f-3a55e1fa4271} ""
obj[42]=Regkey : interface\{b6049d5d-718f-44c0-b965-06840d27e206}
obj[43]=RegValue : interface\{b6049d5d-718f-44c0-b965-06840d27e206} ""
obj[44]=Regkey : interface\{b817d284-1b82-4793-b1f3-58a06dab03a1}
obj[45]=RegValue : interface\{b817d284-1b82-4793-b1f3-58a06dab03a1} ""
obj[46]=Regkey : interface\{bc077dd0-42b5-451c-b78c-4ac97e4b116b}
obj[47]=RegValue : interface\{bc077dd0-42b5-451c-b78c-4ac97e4b116b} ""
obj[48]=Regkey : interface\{c123dba0-52df-4272-bbaa-bfd092d07c2e}
obj[49]=RegValue : interface\{c123dba0-52df-4272-bbaa-bfd092d07c2e} ""
obj[50]=Regkey : interface\{cb9dd914-68b6-4710-a04e-4745470706ce}
obj[51]=RegValue : interface\{cb9dd914-68b6-4710-a04e-4745470706ce} ""
obj[52]=Regkey : interface\{de1e317f-716a-4784-ba90-fda6d6a8fad5}
obj[53]=RegValue : interface\{de1e317f-716a-4784-ba90-fda6d6a8fad5} ""
obj[54]=Regkey : interface\{e36dcdbc-57ad-4a1c-b9c6-1161441b51ca}
obj[55]=RegValue : interface\{e36dcdbc-57ad-4a1c-b9c6-1161441b51ca} ""
obj[56]=Regkey : interface\{e51ac62c-e82e-4e60-97ab-c66c4969af39}
obj[57]=RegValue : interface\{e51ac62c-e82e-4e60-97ab-c66c4969af39} ""
obj[58]=Regkey : interface\{ef5750b1-0aba-45c5-bf12-fb4d1d1150d2}
obj[59]=RegValue : interface\{ef5750b1-0aba-45c5-bf12-fb4d1d1150d2} ""
obj[60]=Regkey : interface\{f1d9585e-20a6-4689-84c7-c19fe21c9a71}
obj[61]=RegValue : interface\{f1d9585e-20a6-4689-84c7-c19fe21c9a71} ""
obj[62]=Regkey : interface\{f1e1a6b0-6cac-471b-99c4-4dbada883be8}
obj[63]=RegValue : interface\{f1e1a6b0-6cac-471b-99c4-4dbada883be8} ""
obj[64]=Regkey : interface\{f8c9d1a9-b7b7-47ca-8b93-27c5b64d3a47}
obj[65]=RegValue : interface\{f8c9d1a9-b7b7-47ca-8b93-27c5b64d3a47} ""
obj[66]=Regkey : software\psguard.com
obj[82]=File : C:\_RESTORE\TEMP\A0030607.CPY
obj[83]=File : C:\_RESTORE\TEMP\A0030615.CPY

Panda Activescan:
Incident Status Location

Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware program No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\on.exe
Adware:adware/sbsoft No disinfected Windows Registry
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\Desktop\WININET.DLL
Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csdms.exe
Virus:Trj/Full.A Disinfected C:\WINDOWS\SYSTEM\dmmpq.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csgqr.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008759.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008760.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008877.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008878.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0008886.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0008887.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0009885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0009887.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0010885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0010886.CPY
Virus:W32/Smitfraud.D Disinfected C:\_RESTORE\TEMP\A0011070.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0011885.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0011890.CPY
Virus:Bck/Galapoper.CW Disinfected C:\_RESTORE\TEMP\A0030683.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0030885.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0030886.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0030901.0
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0030902.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0031088.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0031089.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0031103.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0031104.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0000675.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0000676.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0000498.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0000499.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000003.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0001047.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0001048.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002046.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002047.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002171.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002172.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0003169.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0003171.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS29.CAB[A0004171.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS29.CAB[A0004172.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002099.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002100.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0005171.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0005172.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0005277.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0005278.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0005526.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0005527.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0005546.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0005547.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS39.CAB[A0005577.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS39.CAB[A0005578.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0005246.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0005247.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS31.CAB[A0005180.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS31.CAB[A0005181.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0005512.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0005513.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0005402.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0005403.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0005732.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0005734.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0008739.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0008740.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS48.CAB[A0008750.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS48.CAB[A0008751.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS43.CAB[A0006731.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS43.CAB[A0006732.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0008731.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0008732.CPY]
Adware:Adware/Megatds No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0007733.CPY]
Virus:Trj/Full.A No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0007734.CPY]

smitRem © log file
version 2.7

by noahdfear

Windows Millennium [Version 4.90.3000]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files
~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files
~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :(
  • 0
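A worked example added here (not from the thread, and not Panda's or any helper's own tooling): a small Python parser for ActiveScan incident lines in the format posted above. It splits the report into entries that were disinfected and entries that were not, and marks those sitting in the C:\_RESTORE System Restore cache, which is the protected store the usual advice (and the next reply) flushes by disabling and re-enabling System Restore. The sample lines are a constructed subset shaped like the log above; `remaining_live_files` lists what is left outside that cache as candidates for manual review, not as a deletion list.

```python
"""Parse a Panda ActiveScan incident report and summarize what still needs attention.

Added example; SAMPLE_REPORT is a constructed subset in the format of the
report posted in the thread, not a complete log.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, shaped like the ActiveScan report in the thread.
SAMPLE_REPORT = """\
Incident Status Location

Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware program No disinfected C:\\WINDOWS\\DOWNLOADED PROGRAM FILES\\on.exe
Adware:adware/sbsoft No disinfected Windows Registry
Virus:W32/Smitfraud.D Disinfected C:\\WINDOWS\\SYSTEM\\WININET.DLL
Adware:Adware/Megatds No disinfected C:\\WINDOWS\\SYSTEM\\csdms.exe
Virus:Trj/Full.A Disinfected C:\\WINDOWS\\SYSTEM\\dmmpq.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\\HP\\bin\\ProcessLogger.exe
Adware:Adware/Megatds No disinfected C:\\_RESTORE\\TEMP\\A0008759.CPY
Virus:Trj/Full.A Disinfected C:\\_RESTORE\\TEMP\\A0008760.CPY
Virus:Trj/Full.A No disinfected C:\\_RESTORE\\ARCHIVE\\FS20.CAB[A0000676.CPY]
Adware:Adware/Megatds No disinfected C:\\_RESTORE\\ARCHIVE\\FS20.CAB[A0000675.CPY]
"""

# "Category:Name Status Location"; the name may contain spaces ("adware program")
# and the status is either "Disinfected" or the two-word "No disinfected".
LINE_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>.+?)\s+"
    r"(?P<status>Disinfected|No disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class Incident:
    category: str
    name: str
    disinfected: bool
    location: str

    @property
    def in_restore_cache(self) -> bool:
        # System Restore keeps its copies under C:\_RESTORE; detections there
        # are what disabling/re-enabling System Restore is meant to flush.
        return self.location.upper().startswith("C:\\_RESTORE\\")


def parse_report(text: str) -> list[Incident]:
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or otherwise non-incident line
        incidents.append(Incident(
            category=m["category"],
            name=m["name"],
            disinfected=(m["status"] == "Disinfected"),
            location=m["location"],
        ))
    return incidents


def remaining_live_files(incidents: list[Incident]) -> list[str]:
    """Files still flagged that are real paths outside the System Restore cache."""
    return sorted({
        i.location for i in incidents
        if not i.disinfected
        and not i.in_restore_cache
        and i.location.upper().startswith("C:\\")
    })


def summarize(incidents: list[Incident]) -> dict:
    return {
        "total": len(incidents),
        "disinfected": sum(i.disinfected for i in incidents),
        "not_disinfected": sum(not i.disinfected for i in incidents),
        "in_restore_cache": sum(i.in_restore_cache for i in incidents),
        "families": dict(Counter(i.name for i in incidents)),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for path in remaining_live_files(found):
        print("review:", path)
```

Running the block on the sample gives 11 incidents, 4 disinfected and 7 not, 4 of them inside C:\_RESTORE, leaving three live paths for review; on the full report above the same split explains why the helper's next steps are a System Restore flush plus a short per-file list rather than one or the other.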

#52 tlcfromtn (Topic Starter, Member, 69 posts)
Logfile of HijackThis v1.99.1
Scan saved at 2:34:10 PM, on 11/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.peoplestel.net"); (C:\PROGRAM FILES\NETSCAPE\Users\Default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 41898
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - HKCU\..\RunServicesOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...592/mcfscan.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
  • 0
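Added example, not part of the thread and not HijackThis code: a Python parser for the line formats in the HijackThis log above (R0/R1 Internet Explorer settings, O4 autostart entries from the Run/RunServices/RunOnce keys and Startup folders, O16 DPF downloads), plus a helper that cross-references a file name reported by a scanner against the autostart entries that launch it. The sample lines are constructed from the log's format; the truncated URLs are left as they appear on the page.

```python
"""Structured parsing of HijackThis-style log lines.

Added example with constructed sample lines in the log's format; not the
HijackThis tool's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, shaped like the HijackThis log in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:81
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\PROGRAM FILES\\WEBROOT\\SPY SWEEPER\\SPYSWEEPER.EXE" /startintray
O4 - HKLM\\..\\RunServices: [TrueVector] C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service
O4 - HKLM\\..\\RunOnce: [Panda_cleaner_41898] C:\\WINDOWS\\SYSTEM\\ACTIVESCAN\\pavdr.exe 41898
O4 - HKCU\\..\\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: naviscope.lnk = C:\\Program Files\\Naviscope\\naviscope.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
"""

# One pattern per line shape; each yields a dict of named fields.
O4_REG = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
O4_FOLDER = re.compile(
    r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$')
O16_DPF = re.compile(
    r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
R_ENTRY = re.compile(
    r'^R[013] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$')
SECTION = re.compile(r'^(?P<section>[A-Z]\d+) - ')


@dataclass
class HjtEntry:
    section: str                      # "R1", "O4", "O16", ...
    raw: str
    fields: dict = field(default_factory=dict)

    def image(self) -> Optional[str]:
        """Path an O4 entry launches: the quoted string, or the text up to the
        first .exe/.dll/.tsk (handles unquoted paths containing spaces)."""
        cmd = self.fields.get("command")
        if cmd is None:
            return None
        m = (re.match(r'\s*"([^"]+)"', cmd)
             or re.match(r'(.+?\.(?:exe|dll|tsk))(?:\W|$)', cmd, re.I))
        return m.group(1) if m else cmd.strip()


def parse_hjt(text: str) -> list[HjtEntry]:
    entries = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = SECTION.match(raw)
        if not m:
            continue  # header, running-process list, blank line
        fields = {}
        for pat in (O4_REG, O4_FOLDER, O16_DPF, R_ENTRY):
            d = pat.match(raw)
            if d:
                fields = d.groupdict()
                break
        entries.append(HjtEntry(m["section"], raw, fields))
    return entries


def by_section(entries: list[HjtEntry]) -> dict[str, list[HjtEntry]]:
    out: dict[str, list[HjtEntry]] = {}
    for e in entries:
        out.setdefault(e.section, []).append(e)
    return out


def entries_referencing(entries: list[HjtEntry], filename: str) -> list[HjtEntry]:
    """O4 autostart entries whose launched image has the given file name,
    e.g. to see how a file a scanner reported gets started at boot."""
    wanted = filename.lower()
    hits = []
    for e in entries:
        img = e.image() if e.section == "O4" else None
        if img and img.lower().rsplit("\\", 1)[-1] == wanted:
            hits.append(e)
    return hits


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for sec, items in sorted(by_section(parsed).items()):
        print(sec, len(items))
    for hit in entries_referencing(parsed, "pavdr.exe"):
        print(hit.fields["hive"], hit.fields["key"], hit.image())
```

On the sample this yields one R1 entry, six O4 entries and two O16 entries, and `entries_referencing` resolves `pavdr.exe` to the HKLM RunOnce key; the same lookup is what a helper does by eye when matching a scanner's file list against the O4 section of a posted log.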

#53 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
wininet.dll was deleted. :tazz: You backed up that file already, right? OK, copy that file to your Desktop. Go to that www3.ca.com site again and see if you can CURE the wininet.dll file now. If you can, copy the clean file back to your system folder.

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and UNcheck that Disable System Restore option so it's enabled back.

Check and fix this in HijackThis:

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\on.exe
C:\WINDOWS\SYSTEM\csdms.exe
C:\WINDOWS\SYSTEM\dmmpq.exe


If you get a PendingOperations message, just close it and restart your computer manually.

Restart and boot into Safe Mode to run smitRem again. Save the log.

Restart to get back to normal mode. Run a new Panda scan. Post the log here along with a new HijackThis log and the smitfiles.txt log.
  • 0

#54 tlcfromtn (Topic Starter, Member, 69 posts)
I did save that file on a floppy. But Internet Explorer won't work and http://www3.ca.com/s...sinfo/scan.aspx won't work on Netscape.
  • 0

#55 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Copy that file from the floppy back to the system folder. See if you can do that. If not, do you know your way around DOS? If so, try copying it in DOS if you can't do it in Windows.
  • 0

#56 tlcfromtn (Topic Starter, Member, 69 posts)
I tried to copy it to the system folder and got this Error: cannot copy WININET: The system cannot read from the specific device. I think I did it right. And I have no idea what DOS even is. I really don't know much about computers but the very basic things.
  • 0

#57 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem, we'll try to walk you through it.

Did you try booting into Safe Mode to see if you can copy that wininet.dll file over?

If Safe Mode fails, then download this file. Insert a blank floppy disk into your floppy drive. Double click on that boot98se.exe file and install the files to the floppy disk.

Now leave the floppy in there and restart your computer. See if your computer will boot from the floppy disk. If it doesn't (and you'll know when it goes straight to Windows instead), then you will have to do some manual changes. Restart the computer again and look at your screen to see what key/keys to press to enter Setup or the BIOS. Hit the key it mentioned and that should bring you to the BIOS screen. Be careful in here now. I want you to look for something called Boot Sequence or Boot Order (that's usually what they call it). Once found, make sure the floppy drive is listed before the hard drive. Save and exit the BIOS...don't change anything else. That should boot from the floppy.

Once that floppy boots up, choose to boot without cdrom support. Let it load. When it's finished loading, it should have something like the following:

A:\>

Now, take out the floppy disk and insert the one with the wininet.dll file. Assuming you have that wininet.dll file in the main/top folder of that floppy disk, type in the following:

copy wininet.dll c:\windows\system\

and hit ENTER key. That should copy over the file. Now hit ctrl+alt+del to restart and take out the floppy. Let it load Windows and go to that www3.ca.com site again to see if you can cure that wininet.dll file again.
  • 0

#58 tlcfromtn (Topic Starter, Member, 69 posts)
It didn't work in safe mode either so I went to the next step. I downloaded that file and copied it to a disk. My computer booted from the floppy. I chose to boot without cdrom support and when it was done loading, I typed in what you told me and got an Invalid directory message. I even typed it in again to be sure I had it right and still got the same message.
  • 0

#59 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, after the Windows 98 floppy finished loading, are you in this prompt:

A:\>

If so, take out the Windows 98 floppy disk and insert the disk with the wininet.dll file you backed up. Is that wininet.dll file in the main/top directory on the floppy? Make sure it is, since the instructions I'm giving are for that only. Then try typing this instead:

copy a:\wininet.dll c:\windows\system\

and hit ENTER. Ctrl+alt+del to restart...try going online to cure that wininet.dll file.
  • 0

#60 tlcfromtn (Topic Starter, Member, 69 posts)
Yes I am getting the prompt A:\>. It keeps saying Invalid directory even after trying again with your last instructions. What do you mean by the wininet.dll file being in the main/top directory on the floppy?
  • 0