virus desktophijacker -W32 wininet and oleext - HELP!

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Well, I have two viruses that I cannot get rid of: wininet.dll is infected
with W32.Desktophijack, and oleext.dll with Trojan.Desktophijack. I have and
ran Norton AntiVirus and it is up to date. When I ran a full system scan it
wasn't able to repair or delete the infected files. Well, I followed the
directions on how to correct the registry editor, but none of the keys and
values showed up. All of this while having System Restore turned off. The
message I got was click yes or no. Then on the desktop the message "Warning
your computer may be infected with spyware..." I then downloaded Ad-Aware, ran
a full system scan and deleted over 140 registry keys and values. Restarted
the computer and the message on the desktop was clear. But when running Norton
again it still came up with the same two Desktophijack viruses and I am not
able to repair or delete them. Also I have SP2. The icon(s) on the startup
programs taskbar show PSGUARD. When clicking the icon it shows IE spyware
removal, which I know is spyware. I have disabled Automatic Updates and turned
off System Restore if this is any help.
  1.

    Download, install, update and run all of the following.

    Ad-Aware
    http://www.pcbutts1.com/downloads/aawsepersonal.exe

    Spybot search and destroy
    http://www.pcbutts1.com/downloads/spybotsd14.exe

    Ewido Security Suite Trial version
    http://www.pcbutts1.com/downloads/ewidosetup.exe

    Microsoft Windows AntiSpyware (Beta1)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

    If none of the above fixes the issue then download HijackThis, run it, save
    a copy of the log file and cut and paste it back here to this group so that
    I can analyze it. Ignore anyone, especially the troll Leythos, who will tag
    along a nonsense post to this message, who tells you to post it elsewhere. I
    need to see it, not them.


    HijackThis
    http://www.pcbutts1.com/downloads/HijackThis.zip


    The authors of the above programs, with the exception of Microsoft, have
    given the owner of pcbutts1.com express written permission to redistribute
    their software.



  2.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:12:52 PM, on 9/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\America Online 8.0\aoltray.exe
    C:\WINDOWS\system32\intmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\shellmon.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
    HijackThis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.security2k.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://www.security2k.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    http://www.security2k.net/
    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
    C:\WINDOWS\system32\hp609E.tmp
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe
    SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
    Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program
    Files\America Online 8.0\aoltray.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{DB18D8D5-FADD-4A3F-9237-22563347CD60}:
    NameServer = 205.188.146.145
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
    Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
    Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
    Online, Inc. - C:\WINDOWS\wanmpsvc.exe


  3.

    In article <50F494E8-B8F7-4197-AB23-4F0276480C34@microsoft.com>,
    Bartsimpson@discussions.microsoft.com says...

    Posting of HIJack log files is a violation of the group's Charter -
    please don't do it, even if asked by lamers.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
  4.

    You have a lot of junk running. First, ignore Leythos; there is no charter
    stating no HJT logs. Have HijackThis fix the following lines by placing a
    check next to each line and then click on the fix checked button on the
    bottom.

    Kill these running processes in the task manager:

    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmon.exe

    Have HJT fix these lines

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.security2k.net/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    http://www.security2k.net/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://www.security2k.net/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    http://www.security2k.net/
    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -
    C:\WINDOWS\system32\hp609E.tmp


    Reboot in safe mode, search for these files in these exact locations and
    delete them
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmon.exe

    Update your Antivirus software as 3 of those are viruses.


    "Bartsimpson" <Bartsimpson@discussions.microsoft.com> wrote in message
    news:50F494E8-B8F7-4197-AB23-4F0276480C34@microsoft.com...
    > Logfile of HijackThis v1.99.1
    > Scan saved at 7:12:52 PM, on 9/15/2005
    > Platform: Windows XP SP2 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    >
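
As an added example (not part of any post in this thread, and not HijackThis's own code): a Python triage helper for a log in the format posted above. It rejoins the lines the newsreader wrapped, then reports which hosts the IE start and search-page values (R0/R1) point to and what the O4 Run entries launch; the function names and the join-with-a-space unwrapping rule are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the thread's log format, newsreader line wraps kept.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.security2k.net/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2})\s+-\s*(.*)$")   # e.g. "R1 - ...", "O23 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")

def unwrap_entries(text):
    """Rejoin wrapped lines; return [(section_code, body), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lstrip("> ").strip()   # also accept '>'-quoted logs
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:                     # continuation line
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(e) for e in entries]

def ie_url_hosts(entries):
    """Count the hosts that R0/R1 (IE start and search page) values point to."""
    hosts = Counter()
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host:                               # about:blank has no host
                hosts[host] += 1
    return dict(hosts)

def run_entries(entries):
    """Return (hive, value_name, command) for each O4 registry Run line."""
    found = (RUN.match(body) for code, body in entries if code == "O4")
    return [(m.group(1), m.group(2), m.group(3).strip('"')) for m in found if m]

if __name__ == "__main__":
    print(ie_url_hosts(unwrap_entries(SAMPLE_LOG)))
```

Feed it only the entry section of a log; text that follows the last entry would be treated as a continuation of that entry.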
  5.

    In article <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>,
    mvp@dumb.com says...
    > Path: news-wrt-01.ohiordc.rr.com!news-server.columbus.rr.com!hwmnpeer01.lga!hwmedia!news.glorb.com!newscon02.news.prodigy.com!prodigy.net!newsmst01b.news.prodigy.com!prodigy.com!postmaster.news.prodigy.com!newssvr13.news.prodigy.com.POSTED!84a38bcb!not-for-mail
    > From: "===============" <mvp@dumb.com>
    > Newsgroups: microsoft.public.windowsxp.help_and_support
    > References: <8D56C351-1D75-4DAF-8CA0-B6942F6A4A0B@microsoft.com> <AVmWe.940$7x4.862@newssvr13.news.prodigy.com> <50F494E8-B8F7-4197-AB23-4F0276480C34@microsoft.com> <5npWe.2346$3V6.1629@newssvr11.news.prodigy.com> <MPG.1d9472295527f52e98a07f@news-server.columbus.rr.com>
    > Subject: Re: virus desktophijacker -W32 wininet and oleext - HELP!
    > Lines: 110
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    > X-RFC2646: Format=Flowed; Original
    > Message-ID: <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>
    > NNTP-Posting-Host: 69.224.66.92
    > X-Complaints-To: abuse@prodigy.net
    > X-Trace: newssvr13.news.prodigy.com 1126889575 ST000 69.224.66.92 (Fri, 16 Sep 2005 12:52:55 EDT)
    > NNTP-Posting-Date: Fri, 16 Sep 2005 12:52:55 EDT
    > Organization: SBC http://yahoo.sbc.com
    > Date: Fri, 16 Sep 2005 16:52:55 GMT
    > Xref: news-wrt-01.ohiordc.rr.com microsoft.public.windowsxp.help_and_support:579108

    Usenet abuse reported to your ISP.

    If you really think that posting my throw-away email address is going to
    impact anything I do, you've got no idea. I change the throw-away
    account any time I need to stop spam.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
  6.

    In article <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>,
    mvp@dumb.com says...
    > X-RFC2646: Format=Flowed; Original
    > Message-ID: <HLCWe.1108$7x4.1082@newssvr13.news.prodigy.com>
    > NNTP-Posting-Host: 69.224.66.92
    > X-Complaints-To: abuse@prodigy.net
    > X-Trace: newssvr13.news.prodigy.com 1126889575 ST000 69.224.66.92 (Fri, 16 Sep 2005 12:52:55 EDT)
    > NNTP-Posting-Date: Fri, 16 Sep 2005 12:52:55 EDT
    > Organization: SBC http://yahoo.sbc.com

    It won't be hard for your ISP - Prodigy.net to find you, as you've been
    posting from the same IP for a long time.


    --

    spam999free@rrohio.com
    remove 999 in order to email me