pls help smitfraud.c? hijackthis log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
hi
i left my computer on and unattended for about half an hour, when i returned i got this bluescreen saying:

Fatal Error in IE has occurred at 0028:C0011E36 in VXD VMM(01)+00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

computer cannot run in normal mode...

after rebooting the bluescreen reappeared along with an error message that IE can not be initialised...and now i am unable to do anything apart from open the taskmanager, in normal mode...

followed the steps to remove smitfraud i found here: http://www.wilderssecurity.com/showthread.php?t=75890


but none of the files to be deleted were there(i did activate the display all files tag), did all the steps nonetheless and now the problem remains....maybe theres something else in there?

ran hijackthis in safemode...

pls take a look and help me out...
thx
mike


hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 04:24:06, on 27.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programme\SideFind\sfbho.dll
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Programme\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang DE /H
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Programme\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [3CDb] C:\WINDOWS\lrsia.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tqzhvlx] C:\Program Files\Bzqvthj\Motxcka.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\Programme\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: ScheduleTV.lnk = C:\Programme\honestech\honestech TVR\scheduleTV.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOKUME~1\MASTER\LOKALE~1\TEMP\_VWUPSRV.EXE
 
Joined
Nov 3, 2003
Messages
79
I don't see smitfraud in your log. The steps outlined on that link should have removed it.

As yet, I don't have an explantion for your continued problems, but I do notice a few other entries in your log worthy of attention.

Before we address those, let's instead take a closer look at one possiblity.

From what you have said it is possible that you have already removed the intruding software that caused this problem, but you have just been left with a HTML page selected as your desktop. If this is the case then this method should help you. However, it may not work either.

Go to the Start Menu at the lower left corner of your desktop.

Click 'Settings', which will bring up an extended list of further options.

Click 'Control Panel', which will open a window with a long list of shortcuts to various sytem settings.

Double-click on 'Display' from this list, which will bring up a smaller dialog box (the 'Display Properties' dialog box).

This dialog box has several tabs at the top to choose different types of settings according to what you would like to change.

Click on the 'Desktop' tab, which will show the basic options for changing your desktop.

Click on the 'Customize Desktop...' button that you see here. This brings up yet another dialog box called 'Desktop Items'.

Here you should select the 'Web' tab at the top.

Now with a bit of luck you will see that there is an entry here for the html page you have on your desktop.

It could be called 'Desktop.html' but may not be. Just make sure you un-tick anything that is ticked here. (If nothing is ticked here when you go in then this method will not help you).

When you have finished click 'OK' on the open dialog boxes to accept your changes, and close the 'Control Panel' window.

Next, do these steps to remove the other unwanted entries.

1) Please disable Spybot's TeaTimer, as it will interfere with the cleaning process. We'll turn it on again later.
http://russelltexas.com/malware/teatimer.htm

2) Run the Adware.Istbar Removal Tool found here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Also, delete temp files and Reset Web Settings according to the instructions on that page.

3) Please restart your computer, then before you get online or start any other programs, scan with HijackThis again and put a check by these then click "Fix checked".

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Programme\SideFind\sfbho.dll

O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [3CDb] C:\WINDOWS\lrsia.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [Tqzhvlx] C:\Program Files\Bzqvthj\Motxcka.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll

4) Restart in Safe Mode.

5) Delete the following files and folders.

Files
C:\WINDOWS\lrsia.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\wsem303.dll

Folders
C:\Program Files\Bzqvthj
C:\Program Files\Internet Optimizer
C:\Programme\ISTsvc
C:\Programme\SideFind

6) Restart in Normal Mode, get online, scan again with HijackThis, and post a fresh log.

If you have any questions before you start, or need help along the way, please let us know. I'm keenly interested in finding out if that HTML page was interfering with your Desktop diplay.
 

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
ok thanks for the help....but i'm afraid no positive results... so please help...

seeing i couldnt access the start menu in normal mode, due to the blue screen, i did all this in safe mode. there was no html doc in the customize desktop settings so the bluescreen remains. i had done all the smitfraud removal tasks in safe mode in the admistrator account earlier, this should do it for all other user accounts on the system right? thats not why i still have the bluescreen when i log on with my normal account? i guess not....
i think i might do the smitfraud removal again...might have overlooked something....

i did all the other steps to remove stuff, only thing i encountered: when turning off teatimer, the "allow change" checkbox never appeared. on reebooting the box was not checked so i proceeded with the istbar removal...

plus, the files:
C:\WINDOWS\lrsia.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\wsem303.dll
weren't there so i didnt delete them...could they be in different locations? checked the system32 folder but they werent there either...

will that be ok?
guess you can see from my hijackthis log...

so now when booting in normal mode i still get the smitfraud bluescreen along with an error message entitled "explorer.exe" saying that IE failed to initialise with this number 0xc0000005... no access to the desktop, start menu or anything except the taskmanager. i'm writing this from another computer...and i used an external harddisk to transfer all the removal tools etc to the infected computer...just for info....

thx!!!

so did another hijackthis scan in safemode:

Logfile of HijackThis v1.99.1
Scan saved at 13:02:07, on 27.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Programme\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang DE /H
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Programme\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\Programme\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: ScheduleTV.lnk = C:\Programme\honestech\honestech TVR\scheduleTV.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOKUME~1\MASTER\LOKALE~1\TEMP\_VWUPSRV.EXE
 
Joined
Jul 26, 2002
Messages
46,353
Please read these instructions carefully and copy them to notepad! Save the notepad file to your desktop so you will have it to refer to. Be sure to follow ALL instructions!


* * Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Click Here and download Killbox and save it to your desktop.


* Click here to download smitfraud.reg. Download it and "Save" it to your desktop and have it ready to run later.


* Click here for info on how to boot to safe mode if you don't already know how.


* Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
PSGuard
AdwareDelete
Search Maid


Exit Add/Remove Programs.


* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\wp.bmp

C:\Windows\System32\helper.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\shnlog.exe

C:\WINDOWS\System32\OLEADM.dll

C:\Windows\System32\intmonp.exe

C:\WINDOWS\system32\hp8675.tmp

C:\WINDOWS\System32\winnook.exe

C:\Windows\system32\hookdump.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\system32\msole32.exe

C:\WINDOWS\system32\hp5C68.tmp

C:\Windows\System32\ole32vbs.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Find and delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\PSGuard
C:\Program Files\AdwareDelete
C:\Program Files\Security IGuard
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files



* IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg on your desktop and doubleclick on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of instructions below.


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.


* Run ActiveScan online virus scan here.

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
 
Joined
Nov 3, 2003
Messages
79
mikeburns,

I'll watch this fix from the sidelines, to allow Flrman1 to proceed unhindered with his excellent advice.

You're in good hands.
 

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
thnx for the help...

killbox found 2 files to delete this time:
C:\Windows\System32\wp.bmp
C:\WINDOWS\System32\OLEADM.dll


followed the instructions precisely to the point where you say restart into windows normally. on restarting, during the welcome screen i get the error message entitled "explorer.exe" saying that IE failed to initialise properly with this number 0xc0000005

the bluescreen that follows is blank however..no more fatal error caused by trojan smitfraud....

so in normal mode i still have no access to the start menu or the desktop, only the task manager...? what to do? is the windows explorer damaged?

did another hijackthis scan in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 18:20:42, on 27.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Programme\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang DE /H
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Programme\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\Programme\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: ScheduleTV.lnk = C:\Programme\honestech\honestech TVR\scheduleTV.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOKUME~1\MASTER\LOKALE~1\TEMP\_VWUPSRV.EXE
 
Joined
Jul 26, 2002
Messages
46,353
Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

In safe mode go to the C:\Windows\System32 folder and locate the wininet.dll file. Right click the file and choose "Rename". Rename the wininet.dll file to wininet.old.

Now restart your computer into windows normally and Windows file protection should replace the wininet.dll file automatically. Go to the System32 folder and verify that the file has been replaced. If it has not been replaced, go to the C:\Windows\System32\dllcache folder and find the wininet.dll file there and copy it then paste that copy in the System32 folder.

If by chance it has not been replaced and there is not o copy in the dllcache folder, you can download a copy of the file here:

http://www.dll-files.com/dllindex/dll-files.shtml?wininet

It is a zip file so you will have to unzip it first then copy the new file to the system32 folder.

After you have replaced the file, delete the wininet.old file then go to Start > Run and copy and paste this line in the Run box:

regsvr32 wininet.dll

Click OK.

You should receive a success or fail message.
 

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
ok i renamed wininet.dll to wininet.old in safemode. wwhen restarting i get the error message that explorer.exe couldnt be started due to a missing component:wininet.dll and stating that reinstalling the program might solve this...
then comes the bluescreen. nothing accessible, also not via keyboard shortcuts so i couldnt replace wininet.dll etc....

what to do?
 

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
no. same error message and no more desktop or start menu...should i fix windows from cd?
 
Joined
Jul 26, 2002
Messages
46,353
I'm sorry, but I should have had you do things in a different order.

If we can't get it to boot to safe mode we can use the Recovery Console to replace the file if you have the XP installation disk. Do you have it?
 

mikeburns

Thread Starter
Joined
Jun 26, 2005
Messages
9
ok found it, any special procedure or just boot from cd and select fix instalation?
 
Joined
Jul 26, 2002
Messages
46,353
Follow the directions here to boot to the Recovery Console:

http://www.kellys-korner-xp.com/win_xp_rec.htm
To start the computer and use the Recovery Console

From the Setup CD-ROM

Insert the Setup compact disc (CD) and restart the computer. If prompted, select any options required to boot from the CD.
When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console. When prompted, type the Administrator password. At the system prompt, type Recovery Console commands; type help for a list of commands, or help commandname for help on a specific command
.


Put the XP disk in the drive and boot to the Recovery Console.. If you only have one OS installed you will only have one option like so:

1: C:\Windows

Press the 1 key and then hit the Enter key.

You will be asked for a password. Press enter if you didn't set up an Administrator Password when you installed. That will get you in.
If you did set up a password type it in and press enter.

Once Recovery Console has loaded you should now be at a prompt like this:

C:\Windows>

At this prompt you will type in the follwing commands:

Type this and press enter:

copy c:\windows\system32\dllcache\wininet.dll c:\windows\system32

Spaces are very important in this command. Here it is to illustrate where the spaces are:

copy<Space here>c:\windows\system32\dllcache\wininet.dll<Space here>c:\windows\system32

To exit the Recovery Console and restart the computer, type exit.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top