
virus desktophijacker -W32 wininet and oleext - HELP!

Anonymous
September 15, 2005 7:27:02 PM

Archived from groups: microsoft.public.windowsxp.help_and_support

Well, I have two viruses that I cannot get rid of. wininet.dll is infected
with W32.Desktophijack, and oleext.dll with Trojan.Desktophijack. I have and
ran Norton Antivirus and it is up to date. When I ran a full system scan it
wasn't able to repair or delete the infected files. Well, I followed the
directions on how to correct the registry editor but none of the keys and
values showed up. All of this while having System Restore turned off. The
message I got was click yes or no. Then on the desktop the message Warning
your computer may be infected with spyware... I then downloaded Ad-Aware, ran
a full system scan and deleted over 140 registry keys and values. Restarted
computer and the message on desktop was clear. But when running Norton again
it still came up with the same two desktophijack viruses and I am not able to
repair or delete. Also I have SP2. The icon(s) on the startup programs
taskbar show PSGUARD. When clicking the icon it shows IE. spyware removal, which
I know is spyware. I have disabled Automatic Updates and turned off System
Restore if this is any help.
Anonymous
September 16, 2005 2:51:12 AM


Download, install, update and run all of the following.

Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe

Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/details.aspx?FamilyI...

If none of the above fixes the issue then download HijackThis, run it, save
a copy of the log file and cut and paste it back here to this group so that
I can analyze it. Ignore anyone, especially the troll Leythos, who will tag
along a nonsense post to this message, who tells you to post it elsewhere. I
need to see it, not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip


The authors of the above programs, with the exception of Microsoft, have given
the owner of pcbutts1.com express written permission to redistribute their
software.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
Anonymous
September 16, 2005 2:51:13 AM


Logfile of HijackThis v1.99.1
Scan saved at 7:12:52 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.security2k.net/
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\system32\hp609E.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program
Files\America Online 8.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{DB18D8D5-FADD-4A3F-9237-22563347CD60}:
NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Anonymous
September 16, 2005 3:32:11 AM


In article <50F494E8-B8F7-4197-AB23-4F0276480C34@microsoft.com>,
Bartsimpson@discussions.microsoft.com says...

Posting of HijackThis log files is a violation of the group's Charter -
please don't do it, even if asked by lamers.


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
September 16, 2005 5:39:13 AM


You have a lot of junk running. First, ignore Leythos; there is no charter
stating no HJT logs. Have HijackThis fix the following lines by placing a
check next to each line and then clicking on the Fix checked button at the
bottom.

Kill these running processes in the task manager:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmon.exe

Have HJT fix these lines

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.security2k.net/
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\system32\hp609E.tmp


Reboot in safe mode, search for these files in these exact locations and
delete them
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmon.exe

Update your Antivirus software as 3 of those are viruses.



"Bartsimpson" <Bartsimpson@discussions.microsoft.com> wrote in message
news:50F494E8-B8F7-4197-AB23-4F0276480C34@microsoft.com...
> Logfile of HijackThis v1.99.1
> Scan saved at 7:12:52 PM, on 9/15/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
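
The log review in this thread works from HijackThis entry codes (R0/R1 for Internet Explorer start and search pages, O2 for browser helper objects). As an added example that is not part of the thread or of HijackThis, the code below re-joins a log that a news client has wrapped and groups the IE settings by the host they point to; `parse_hjt` and `ie_settings_by_host` are hypothetical names, and the sample is an excerpt of the log posted above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Excerpt of the log posted in this thread, keeping its Usenet line wrapping.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\intmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.security2k.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.security2k.net/
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
C:\WINDOWS\system32\hp609E.tmp
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) -(?: (.*))?$")  # "R1 - ...", "O23 - ..."
DRIVE = re.compile(r"^[A-Za-z]:\\")                   # start of a new process path

def parse_hjt(text):  # returns (processes, [(code, detail), ...])
    processes, entries, section = [], [], "header"
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            section = "procs"
        elif m:
            section = "entries"
            entries.append([m.group(1), m.group(2) or ""])
        elif section == "procs" and line:
            if DRIVE.match(line) or not processes:
                processes.append(line)
            else:                       # wrapped path: glue to the previous one
                processes[-1] += " " + line
        elif section == "entries" and line:  # wrapped entry: glue to previous
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return processes, [tuple(e) for e in entries]

def ie_settings_by_host(entries):  # R0/R1 values grouped by the host they name
    hosts = defaultdict(list)
    for code, detail in entries:
        if code in ("R0", "R1") and " = " in detail:
            key, value = detail.rsplit(" = ", 1)
            host = urlparse(value).hostname
            if host:                    # about:blank has no host and is skipped
                hosts[host].append(key.rsplit(",", 1)[-1])
    return dict(hosts)
```

Wrapped lines are re-joined with a single space, which matches a client that breaks at whitespace; a log saved directly from HijackThis needs no re-joining and parses the same way.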
Anonymous
September 16, 2005 9:37:26 PM


In article <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>,
mvp@dumb.com says...

Usenet abuse reported to your ISP.

If you really think that posting my throw-away email address is going to
impact anything I do, you've got no idea. I change the throw-away
account any time I need to stop spam.


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
September 16, 2005 9:40:26 PM


In article <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>,
mvp@dumb.com says...
> X-RFC2646: Format=Flowed; Original
> Message-ID: <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>
> NNTP-Posting-Host: 69.224.66.92
> X-Complaints-To: abuse@prodigy.net
> X-Trace: newssvr13.news.prodigy.com 1126889575 ST000 69.224.66.92 (Fri, 16 Sep 2005 12:52:55 EDT)
> NNTP-Posting-Date: Fri, 16 Sep 2005 12:52:55 EDT
> Organization: SBC http://yahoo.sbc.com

It won't be hard for your ISP - Prodigy.net to find you, as you've been
posting from the same IP for a long time.


--

spam999free@rrohio.com
remove 999 in order to email me