OK, a virus is on my computer; it will not allow me to pull up Internet Explorer. My computer is mentioning the wininet.dll file is corrupt. I have a Windows XP original CD. If I upgrade, will it repair the problem? Also, if I upgrade, will it ERASE all info on my hard drive? I don't want that to happen. I just want to replace the bad file. For some reason when I pop the disk in the computer, the Windows XP prompt is not finding the boot disk on the CD. However, it is there. So I don't have the repair option.
Make sure that your BIOS is set to boot from CD. Once you get into the recovery console, type the following command:
expand d:\i386\wininet.dl_ c:\windows\system32\wininet.dll
(assuming d: is your CD drive). This will expand the wininet.dll file and replace your corrupt one. ~Rich
I made sure the CD is the first to boot. It still won't bring up the Windows XP installation disk allowing me to select repair/recovery. This is a working CD. On my desktop, once I select Windows XP through My Computer, I can go to set up Windows XP, or I can upgrade. Should I upgrade? I don't want to erase files on my hard drive.
Download SmitfraudFix (by S!Ri): http://www.geekstogo.com/modules.php?modid=5&action=download&id=80
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Here is my log from the siri. However, it could not remove the file because it said "it is being used by another person". I am still not able to access internet.
SmitFraudFix v2.81
Scan done at 18:37:11.31, Fri 08/11/2006
Run from C:\Documents and Settings\terea stewart\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Here's the infected log. From siri, I pressed 1 this time.
SmitFraudFix v2.81
Scan done at 23:39:18.04, Fri 08/11/2006
Run from C:\Documents and Settings\terea stewart\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\terea stewart\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TEREAS~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
I did try to place the wininet.dll file in the system 32 file. Actually I extracted it from winrar into that destination. The file shows up, but my computer still acts the same when it was restarted. I am assuming the virus is still on the computer. Here is my hijack log
I don't see any files in the system 32 folder that are close or similar to wininet.dll. I don't know which file to replace.
Run ActiveScan online virus scan: http://www.pandasoftware.com/products/activescan.htm When the scan is finished, save the results from the scan! Come back here and post a new Hijack This log along with the log from the Panda scan.
Here is my active scan log, I hooked my hard drive up to my sister's computer. My hard drive that had the missing wininet.dll is drive D. When I ran AVG Free on the hard drive, it had detected 1 virus, but it said it deleted it. Do you think my drive will work on its own now?
************************************ AVG LOG FILE
<history>
<!-- 01c6c0d924ea7820 -->
<rec time="2006/08/15 23:18:03" user="Administrator" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/08/16 02:10:12" user="Administrator" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">D:\WINDOWS\??crosoft\lsass.exe</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Downloader.Generic.YMY</attr>
</rec>
<rec time="2006/08/16 02:10:28" user="Administrator" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2006/08/16 02:10:32" user="Administrator" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">D:\WINDOWS\??crosoft\lsass.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>
Here is the ACTIVE SCAN LOG
Whatever drive you did these scans on, do this: rescan and check these, click fix checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Click here to download ATF Cleaner by Atribune and save it to your desktop. http://majorgeeks.com/ATF_Cleaner_d4949.html
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.
Download http://www.downloads.subratam.org/KillBox.zip
You may want to copy these instructions as you'll be going into safe mode soon.
Restart your computer into safe mode now. (Tapping F8 at the first black screen)
Perform the following steps in safe mode:
Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTBUninstaller.exe
C:\Program Files\Zango Programs
C:\WINDOWS\MediaGateway.exe
Post another HJT log from normal mode.
New hijack log
I did everything you said. I ran the at cleaner, and also ran the other program; however, it wouldn't let me run it in safe mode. I did run it in normal mode though, and deleted the Zango program files. I did not see the Windows/mediagateway folder. I saw a folder that said media, but it was "windows xp battery low, critical stop, recycle, ringout." Is that the folder? My hijack log is below:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:32 PM, on 8/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AS00_Gear311T] "C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
** I decided to go hook my hard drive up to my computer. I am receiving the same error message. Should I just wipe my computer clean?
** I keep getting this error message: "The procedure entry point SHRegGetValueW could not be located in the dynamic link library SHLWPI.dll". Then I believe my startup programs give error messages saying the "entry point could not be found"; these are hpqtr08.exe, dwwin.exe, juschjed.exe, apdproxy.exe, tmas.exe, swdoctor.exe, wzqkpick.exe.
** I still get the error message "cannot find import; DLL may be missing corrupt or wrong version file wininet.dll".
** I did download wininet.dll and extract it in systems 32. When you asked me to remove it, what file? I don't see any resemblance to a wininet.dll, except what I just dropped in a couple of days ago. A couple of files that resemble wininet.dll in the systems 32 folder were: winnt, winnt32 (text), winnt256.
** Why doesn't the XP boot CD/operating system work when I boot up my computer? All settings are correct. I normally would just access the Windows XP repair capability; since this virus I am not able to do so. Can I access it through command prompt?
** Should I reload Internet Explorer on my computer?
** Do I need to just wipe my computer clean?