
Solved: Virus Help

Discussion in 'Virus & Other Malware Removal' started by tstr, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Hello,

    I have this problem: When my PC boots (XP SP2), I get an error "application cannot load because WININET.DLL is missing or not found. Reinstalling may fix the problem." At this point, the desktop or icons are not visible, but I can gain access to applications and files through the task manager, but that is all.

    Prior to this, I did have a virus that AGP picked up and fixed called "Trojan Horse Generic Law" and "Java/Byte Verify".

    Any suggestions or help, please!?
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please do this:

    • Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double-click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Here is the Hijack this log. What should be deleted?

    Logfile of HijackThis v1.99.1
    Scan saved at 3:37:09 PM, on1/4/2006
    platform: windows XP sp2 (winNT 5.01.2600)
    MSIE: Internet Explorer vG.OO sp2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWs\system32\smss.exe
    C:\WINDOWs\system32\winlogon.exe
    C:\WINDOWs\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWs\system32\spoolsv.exe
    C:\WINDOWs\system32\packethsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe
    c:\Program Files\cisco systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWs\system32\taskmgr.exe

    C:\WINDOWS\s¥stem32\wscntfy.exe
    c:\program Flles\Hijackthis\Hijackihis.exe

    R1 -HKCU\software\Microsoft\Internet Explorer\Main,Search Bar =

    res://C:\WINDows\qniit.dll/sp.html#53142%
    Rl -HKCU\Software\Microsoft\Internet Explorer\Main,Search page =
    reS://C:\WINDows\qniit.dll/sp.htm1#53142%

    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_uRL = about:blank
    R1 -HKLM\software\Microsoft\Internet Explorer\Main,Default_search_URL =
    res://c:\WINDOWS\qniit.dll/sp.html#53142%
    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

    res://c:\WINDOWS\qniit.dll/sp.html#53142%

    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,search page =
    res://C:\WINDows\qniit.dll/sp,html#53142%
    R1 -HKCU\software\Microsoft\Internet Explorer\Search,searchAssistant =

    res://c:\WINDOWS\qniit.dll/sp.html#53142%

    RO -HKLM\Software\Microsoft\Internet Explorer\Search,searchAssistant =
    res://C:\WINDOws\qniit.dll/sp.html#53142%
    R1 -HKCU\software\Microsoft\Internet Explorer\SearchURL,(Default) =

    http://search.yahoo.com/search?p=%s

    R1 -HKCU\software\Microsoft\Internet Explorer\Main,window Title = Microsoft
    Internet Explorer provided by compaq
    R1 -HKCU\software\Microsoft\windows\Currentversion\Internet settings,proxyoverride
    = 127.0.0.1

    R3 -Default uRLsearchHook is missing

    02 -BHO: class -{OB7B9D60-15AA-747F-18EE-64D61F5D7661} -C:\WINDOWS\ntap32.dll
    (fil e mi s5i ng)
    02 -BHO: HomepageBHo -{eOl03cd4-d1ce-411a-b75b-4fec072867f4} -
    C:\WINDOWS\system32\hpBDB6.tmp

    04 -HKLM\..\Run: NvcP1DaemOn] RUNDLL32.EXE NvQTWk,NvcplDaemon initialize
    04 -HKLM\..\Run: CARPservice] carpserv.exe
    04 -HKLM\..\Run: fCPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
    support\startEAK.exe
    04 -HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    04 -HKLM\..\Run: [srmclean] C:\Cpqs\scom\srmclean.exe
    04 -HKLM\..\Run: [Smapp] c:\program Files\Analog Devices\SOundMAX\Smtray.exe
    04 -HKLM\..\Run: [Microsoft works portfolio] C:\program Files\Microsoft

    works\wkssb.exe /Allusers
    04 -HKLM\..\Run: [Microsoft works update Detection] c:\Program Files\common
    Files\Microsoft shared\works shared\wkuFind.exe

    04 -HKLM\..\Run: [HPDJ Taskbar Utility]
    C:\WINDOWs\system32\spool\drivers\w32x86\3\hpztsb07.exe
    04 -HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmonO4.exe
    04 -HKLM\.. \Run: [HPHUPDO4]"C:\Program Files\HP photosmart11\hphinstall\unipatch\hphupdO4.exe"
    04 -HKLM\..\Run: [share-to-web NamespaceDaemon]c:\program
    Files\Hewlett-packard\HP share-to-web\hpgs2wnd.exe

    04 -HKLM\..\Run: [AVG7_CC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgcc.exe /STARTUP04 -HKLM\..\Run: [AVG7_EMC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgemc.exe04 -HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

    -atboottime
    04 -HKLM\.. \Run: [TkBellExe] "C:\Program Files\common
    Files\Real\update_OB\realsched.exe" -osboot
    04 -HKCU\..\Run: [MSMSGS]"c:\Program Files\Messenger\msmsgs.exe" /background
    04 -Global startup: cisco systems VPN client.lnk = c:\Program Files\Cisco

    systems\VPN client\vpngui.exe04 -Global startup: Image Transfer.lnk = ?
    04 -Global startup: Microsoft office.lnk = C:\Program Files\Microsoft
    office\office10\osA.EXE
    04 -Global startup: Microsoft works calendar Reminders.lnk = ?
    08 -Extra context menu item: E&xport to Microsoft Excel res://
    c:\PROGRA~1\MICROS~3\office10\EXCEL.EXE/300009 -Extra button: Yahoo! Login -{2499216C-4BA5-11D5-BD9C-OOO103Cl16DS}

    -
    c:\Program Files\Yahoo!\common\ylogin.dll

    09 -Extra 'Tools' menuitem: Yahoo! Login -{2499216C-4BAS-11DS-BD9C-OOO103Cl16DS}c:\
    program Files\Yahoo!\Common\ylogin.dll
    09 -Extra button: Real.com -

    {CD67F990-D8E9-11d2-98FE-OOCOFO318AFE}
    C:\WINDOWs\system32\shdocvw.dll09 -Extra button: Moneyside -{EO23F504-0C5A-4750-A1E7-A9046DEA8A21}-c:\ProgramFiles\Microsoft Money\system\mnyviewer.dll (file missing)
    09 -Extra button: Messenger --c:\Program

    {FB5F1910-F110-11d2-BB9E-OOCO4F795683}
    Files\Messenger\msmsgs.exe
    09 -Extra 'Tools' menuitem: windows Messenger {
    FB5F1910-F110-11d2-BB9E-OOCO4F79S683}-c:\program Files\Messenger\msmsgs.exe

    014 -IERESET.INF:

    START_PAGE-URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dl1?s=consumerfav&c=2cO2&lc=O409
    016 -DPF: JT'S Blocks -http://download.games.yahoo.com/games/clients/y/blt1-x.cab

    016 -DPF: Yahoo! Euchre -http://download.games.yahoo.com/games/clients/y/et1-x.cab016 -DPF: {6414S12B-B978-451D-AOD8-FCFPF33E833C} (wuwebcontrol class) http://
    vS.windowsupdate.microsoft.com/v5consumer/V5controls/en/x86/client/wuweb_site

    .cab?1095295312046
    016 -DPF: {74DO5D43-3236-11D4-BDCD-OOcO4F9A3B61} (Housecall control) http://
    a840.g.akamai.net/7/840/S37/2004061001/housecall.trendmicro.com/housecall/xsc

    an53.cab
    016 -DPF: {D44C7SD8-c827-473E-8F68-A77E42500782} (uploader class) http://
    photo.walmart.com/photo/uploads/webuploadClient.cab

    023 -service: NetWork security service ( 11FBao#.oAo'I) -unknown owner C:\
    WINDOWS\system32\ieii.exe (file missing)
    023 -service: AVG7Alert Manager Server (Avg7Alrt) -GRISOFT, s.r.o. C:\
    PROGRA-1\Grisoft\AVGFRE-1\av9amsvr.exe

    023 -service: AVG7update SerVlce (Avg7updsvc) s.r.o.

    -GRISOFT,

    C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe023 -service: compaqAdvisor (compaq_RBA)-Neoplanet -c:\ProgramFiles\COMPAQ\compaqAdvisor\bin\compaq-rba.exe023 -service: cisco systems, Inc. VPNService (CVPND)-Cisco systems, Inc. c:\
    Program Files\cisco systems\vPN Client\cvpnd.exe
    023 -service: Content Monitoring Tool (msCMTSrvc) -unknown owner C:\
    WINDOWs\system32\msCMTsrvc.exe (file missing)
    023 -service: NVIDIA Driver Helper Service (NVSVC) -NVIDIA corporation C:\
    WINDOWs\system32\nvsvc32.exe

    023 -service: Virtual NIC Service (Packethsvc) -Americaonline, Inc. C:\
    WINDOWS\system32\packethSvc.exe023 -service: pml Driver HPH11-HP -C:\WINDOWS\System32\HPHipm11.exe
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please repost your Hijack This log. That one is too mixed up to read. Before you post it again, rescan with Hijack This and save the log. With the log open in notepad, go to Format > Word Wrap. Make sure Word Wrap is checked.

    After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  5. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Flrman1,

    Sorry for the trouble. I really appreciate the help. Here is the HJT log with word wrap on:

    hijackthis


    Logfile of HijackThis v1.99.1
    Scan saved at 3:37:09 PM, on1/4/2006
    platform: windows XP sp2 (winNT 5.01.2600)
    MSIE: Internet Explorer vG.OO sp2 (6.00.2900.2180)


    Running processes:
    C:\WINDOWs\system32\smss.exe
    C:\WINDOWs\system32\winlogon.exe
    C:\WINDOWs\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWs\system32\spoolsv.exe
    C:\WINDOWs\system32\packethsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe
    c:\Program Files\cisco systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWs\system32\taskmgr.exe


    C:\WINDOWS\s¥stem32\wscntfy.exe
    c:\program Flles\Hijackthis\Hijackihis.exe


    R1 -HKCU\software\Microsoft\Internet Explorer\Main,Search Bar =

    res://C:\WINDows\qniit.dll/sp.html#53142%
    Rl -HKCU\Software\Microsoft\Internet Explorer\Main,Search page =
    reS://C:\WINDows\qniit.dll/sp.htm1#53142%


    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_uRL = about:blank
    R1 -HKLM\software\Microsoft\Internet Explorer\Main,Default_search_URL =
    res://c:\WINDOWS\qniit.dll/sp.html#53142%
    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =


    res://c:\WINDOWS\qniit.dll/sp.html#53142%


    R1 -HKLM\Software\Microsoft\Internet Explorer\Main,search page =
    res://C:\WINDows\qniit.dll/sp,html#53142%
    R1 -HKCU\software\Microsoft\Internet Explorer\Search,searchAssistant =


    res://c:\WINDOWS\qniit.dll/sp.html#53142%


    RO -HKLM\Software\Microsoft\Internet Explorer\Search,searchAssistant =
    res://C:\WINDOws\qniit.dll/sp.html#53142%
    R1 -HKCU\software\Microsoft\Internet Explorer\SearchURL,(Default) =


    http://search.yahoo.com/search?p=%s


    R1 -HKCU\software\Microsoft\Internet Explorer\Main,window Title = Microsoft
    Internet Explorer provided by compaq
    R1 -HKCU\software\Microsoft\windows\Currentversion\Internet settings,proxyoverride
    = 127.0.0.1


    R3 -Default uRLsearchHook is missing


    02 -BHO: class -{OB7B9D60-15AA-747F-18EE-64D61F5D7661} -C:\WINDOWS\ntap32.dll
    (fil e mi s5i ng)
    02 -BHO: HomepageBHo -{eOl03cd4-d1ce-411a-b75b-4fec072867f4} -
    C:\WINDOWS\system32\hpBDB6.tmp


    04 -HKLM\..\Run: NvcP1DaemOn] RUNDLL32.EXE NvQTWk,NvcplDaemon initialize
    04 -HKLM\..\Run: CARPservice] carpserv.exe
    04 -HKLM\..\Run: fCPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
    support\startEAK.exe
    04 -HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    04 -HKLM\..\Run: [srmclean] C:\Cpqs\scom\srmclean.exe
    04 -HKLM\..\Run: [Smapp] c:\program Files\Analog Devices\SOundMAX\Smtray.exe
    04 -HKLM\..\Run: [Microsoft works portfolio] C:\program Files\Microsoft


    works\wkssb.exe /Allusers
    04 -HKLM\..\Run: [Microsoft works update Detection] c:\Program Files\common
    Files\Microsoft shared\works shared\wkuFind.exe

    04 -HKLM\..\Run: [HPDJ Taskbar Utility]
    C:\WINDOWs\system32\spool\drivers\w32x86\3\hpztsb07.exe
    04 -HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmonO4.exe
    page 1


    hijackthis


    04 -HKLM\.. \Run: [HPHUPDO4]"C:\Program Files\HP photosmart11\hphinstall\unipatch\hphupdO4.exe"
    04 -HKLM\..\Run: [share-to-web NamespaceDaemon]c:\program
    Files\Hewlett-packard\HP share-to-web\hpgs2wnd.exe

    04 -HKLM\..\Run: [AVG7_CC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgcc.exe /STARTUP04 -HKLM\..\Run: [AVG7_EMC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgemc.exe04 -HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

    -atboottime
    04 -HKLM\.. \Run: [TkBellExe] "C:\Program Files\common
    Files\Real\update_OB\realsched.exe" -osboot
    04 -HKCU\..\Run: [MSMSGS]"c:\Program Files\Messenger\msmsgs.exe" /background
    04 -Global startup: cisco systems VPN client.lnk = c:\Program Files\Cisco

    systems\VPN client\vpngui.exe04 -Global startup: Image Transfer.lnk = ?
    04 -Global startup: Microsoft office.lnk = C:\Program Files\Microsoft
    office\office10\osA.EXE
    04 -Global startup: Microsoft works calendar Reminders.lnk = ?
    08 -Extra context menu item: E&xport to Microsoft Excel res://
    c:\PROGRA~1\MICROS~3\office10\EXCEL.EXE/300009 -Extra button: Yahoo! Login -{2499216C-4BA5-11D5-BD9C-OOO103Cl16DS}

    -
    c:\Program Files\Yahoo!\common\ylogin.dll

    09 -Extra 'Tools' menuitem: Yahoo! Login -{2499216C-4BAS-11DS-BD9C-OOO103Cl16DS}c:\
    program Files\Yahoo!\Common\ylogin.dll
    09 -Extra button: Real.com -


    {CD67F990-D8E9-11d2-98FE-OOCOFO318AFE}
    C:\WINDOWs\system32\shdocvw.dll09 -Extra button: Moneyside -{EO23F504-0C5A-4750-A1E7-A9046DEA8A21}-c:\ProgramFiles\Microsoft Money\system\mnyviewer.dll (file missing)
    09 -Extra button: Messenger --c:\Program

    {FB5F1910-F110-11d2-BB9E-OOCO4F795683}
    Files\Messenger\msmsgs.exe
    09 -Extra 'Tools' menuitem: windows Messenger {
    FB5F1910-F110-11d2-BB9E-OOCO4F79S683}-c:\program Files\Messenger\msmsgs.exe

    014 -IERESET.INF:

    START_PAGE-URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dl1?s=consumerfav&c=2cO2&lc=O409
    016 -DPF: JT'S Blocks -http://download.games.yahoo.com/games/clients/y/blt1-x.cab

    016 -DPF: Yahoo! Euchre -http://download.games.yahoo.com/games/clients/y/et1-x.cab016 -DPF: {6414S12B-B978-451D-AOD8-FCFPF33E833C} (wuwebcontrol class) http://
    vS.windowsupdate.microsoft.com/v5consumer/V5controls/en/x86/client/wuweb_site

    .cab?1095295312046
    016 -DPF: {74DO5D43-3236-11D4-BDCD-OOcO4F9A3B61} (Housecall control) http://
    a840.g.akamai.net/7/840/S37/2004061001/housecall.trendmicro.com/housecall/xsc

    an53.cab
    016 -DPF: {D44C7SD8-c827-473E-8F68-A77E42500782} (uploader class) http://
    photo.walmart.com/photo/uploads/webuploadClient.cab

    023 -service: NetWork security service ( 11FBao#.oAo'I) -unknown owner C:\
    WINDOWS\system32\ieii.exe (file missing)
    023 -service: AVG7Alert Manager Server (Avg7Alrt) -GRISOFT, s.r.o. C:\
    PROGRA-1\Grisoft\AVGFRE-1\av9amsvr.exe

    023 -service: AVG7update SerVlce (Avg7updsvc) s.r.o.


    -GRISOFT,

    C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe023 -service: compaqAdvisor (compaq_RBA)-Neoplanet -c:\ProgramFiles\COMPAQ\compaqAdvisor\bin\compaq-rba.exe023 -service: cisco systems, Inc. VPNService (CVPND)-Cisco systems, Inc. c:\
    Program Files\cisco systems\vPN Client\cvpnd.exe
    023 -service: Content Monitoring Tool (msCMTSrvc) -unknown owner C:\
    WINDOWs\system32\msCMTsrvc.exe (file missing)
    023 -service: NVIDIA Driver Helper Service (NVSVC) -NVIDIA corporation C:\
    WINDOWs\system32\nvsvc32.exe

    023 -service: Virtual NIC Service (Packethsvc) -Americaonline, Inc. C:\
    WINDOWS\system32\packethSvc.exe023 -service: pml Driver HPH11-HP -C:\WINDOWS\System32\HPHipm11.exe
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    The log is the same. Word Wrap is not checked.
     
  7. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Flrman1,

    Here is the problem ... because of the problems, I do not have access to the internet on that PC. I had to print the log (where the word wrap was not checked). I am posting this from work, so I will need to print the log again (with word wrap checked) and post it tomorrow, unless you have any other suggestions. If I post tomorrow, will that work okay with you?

    Thanks again Flrman1.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    We will definitely have to wait until you are at that computer and have time to spend and fix it. This Hijack is tricky to remove because the entries in HJT and the file names etc... will change with certain events.

    Again I remind you, after you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  9. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Flrman,

    Okay. I have done exactly what you have asked. Hopefully this one is better.

    hijackthis
    Logfile of HijackThis vl.99.1
    Scan saved at 4:00:06 PM, on 1/5/2006
    platform: windows x sP2 (W1nNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C: \wINDOWS\System32\smss .exe
    C: \wIND0WS\system32\wi WI ogon .exe
    C: \wIND0wS\system32\servi ces .exe
    C: \wINDOwS\system32\l sass .exe
    C: \wINDOWS\system32\svchost .exe
    C: \WINDCwS\System32\svchost. exe
    C: \WINDOWS\system32\spool sv • exe
    C: \wINDowS\System32\PackethSvc. exe
    C: \PROGRA-1\Gri soft\AVGFRE-1\avgamsvr .exe
    C: \PROGRA-.1\Gri soft\AvGFRE.4\avgupsvc.exe
    C:\Program Fl les\Ci sco Systems\vPN client\cvpnd .exe
    C: \wINDOWS\System32\nvsvc32 .exe
    C: \wINDS\System32\svchost .exe
    C: \wINDOws\system32\taskmgr.exe
    C: \wINDOwS\system32\wuaucl t .exe
    C: \wIND0wS\system32\wscntfy.exe
    C:\wINDowS\SoftwareDi stri bution\Download\s-1-5-18\7fb9aldcdOOc55662f93dcfclb3aeOe6\u
    pdate\update.exe
    c:\Program Fiies\Hijackthis\HijackThis.exe
    Ri - HKCU\Software\Microsoft\Internet Expiorer\Main,Search Bar = res : //C: \wIND0wS\qni it. dli /sp . html #53142%
    Ri - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page res://c:\wINDOws\qniit.dll/sp.html#53142%
    Ri - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank Ri - HKLM\Software\Mi crosoft\internet Expi orer\Mai n , Defaul t_Search_URL =
    res :1/c: \wINDcwS\qni it. dl l/sp. html #53142%
    Ri - HKLM\Software\Microsoft\Internet Explorer\Maln,Search Bar = res://C:\wINDowS\qnhit.dll/sp.html#53142%
    Ri - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res : f/C: \wINDows\qni it. dli Isp. html #53142%
    Ri - HKCU\Software\Mi crosoft\internet Expiorer\Search, SearchAssi stant = res ://c: \wINDows\qni it. dli Isp. html #53142%
    RO - HKLM\Software\Ml crosoft\internet Explorer\Search , SearchAssi stant = res ://c: \wIND0wS\qni it .dll /sp. html#53142%
    Ri - HKCU\Software\Microsoft\Internet Explorer\SearchuRL, (Default) = http: //search . yahoo. com/search?p=%s
    Ri - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    Ri - HKCU\software\Mi crosoft\wi ndows\currentversion\Internet Settings, ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    02 - BHO: Class - {0B789D60-1SAA-747F-18EE-64D61F5D7661} - C:\WINDOWS\ntap32.dll (file missing)
    02 - BHO: HomepageBHo - {eOlO3cd4-dlce-411a-b75b-4fec072867f4} - C: \WINDOWS\system32\hpBDB6 . tmp (file missing)
    04 - HKLM\..\Run: NvCplDaemon) RUNDLL32.EXE NvQTwk,NvCploaemon initialize
    04 - HKLM\. .\Run: CARPService) carpserv.exe
    04 - HKLM\. .\Run: CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
    Support\StartEAK.exe
    04 - HKLM\..\Run: WCOLOREAL] “C:\Program Files\COMPAQ\Coioreal\coloreai.exe”
    04 - HKLM\..\Run: srmclean] C:\Cpqs\Scom\srmclean.exe
    04 - HKLM\..\Run: Smapp) C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    04 - HKLM\. .\Run: Microsoft works Portfolio) c:\Program Files\Microsoft
    works\wkssb.exe /Al 1 users
    04 - HKLM\..\Run: [Microsoft works update Detection) C:\Program Files\Common Fl 1 es\Mi crosoft Shared\works Shared\wkuFi nd. exe
    Page 1
    hijackthi S
    04 - HKLM\..\Run: EHPDJ Taskbar utility)
    C: \wINDOws\System32\spool \dri vers\w32x86\3\hpztsbo7 .exe
    04 - HKLM\. .\Run: [HPHmonO4] c:\wlNoows\system32\hphmon04.exe
    04 - HKLM\..\Run: [HPHUPDO4) “C:\Program Files\HP Photosmart
    11\hphi nstal 1 \uni Patch\hphupdO4. exe”
    04 - HKLM\..\Run: [Share-to-web Namespace Daemon) C:\Program
    Fi 1 es\Hewl ett-Packard\HP share-to-web\hpgs2wnd.exe
    04 - HKLM\. .\Run: [AvG7_CC) C:\PR0GRA.-1\Grisoft\AVGFRE-..1\avgcc.exe /STARTUP
    04 - HKLM\. . \Run: [AVG7_EMC] C: \PROGRA-4\Gri soft\AvGFRE-1\avgemc .exe
    04 - HKLM\. .\Run: IQuickTime Task) “C:\Program Files\QuickTime\qttask.exe”
    -atbootti me
    04 - HKLM\. .\Run: [TkBellExe] “c:\Program Files\Common
    Fi 1 es\Real \update_oB\ real sched .exe” -osboot
    04 - HKCU\. .\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
    04 - Global startup: Cisco Systems VPN client.lnk = c:\Program Files\Cisco
    Systems\vPN client\vpngui .exe
    04 - Global Startup: Image Transfer.lnk = 7
    04 - Global Startup: Microsoft Office..lnk = C:\Program FileS\Microsoft
    off I ce\Off I celO\OSA. EXE
    04 - Global startup: Microsoft works Calendar Reminders.lnk = 7
    08 - Extra context menu item: E&xport to Microsoft Excel -
    res :1/C: \PR0GRA—1\MICROS-.3\Offi celO\EXCEL. EXE/3000
    09 - Extra button: Yahoo! Login - {2499216c-4BA5-11D5-BD9C-000103C116D5} -
    C:\Program Fi les\YahooRcomnion\ylogi n .dll
    09 - Extra ‘Tools’ menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
    C:\Program Flles\Yahoo!\Common\ylogin..dll
    09 - Extra button: Real.com - {cD67F990-08E9-11d2-98FE-OOcOFO318AFE} -
    C: \WINDowS\System32\Shdocvw.dll
    09 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046oEA8A21} - c:\Program
    Fi les\Microsoft Money\system\mnyviewer .dll (file missing)
    09 - Extra button: Messenger - {FB5F191O-F11O-11d2-BB9E-00C04F795683} - C:\Program
    Fl 1 es\Messenger\msmsgs .exe
    09 - Extra ‘Tools’ menuitem: Windows Messenger -
    {FB5F191O-F11O-11d2-BB9E-00C04F795683} - C:\Program Fl les\Messenger\msmsgs .exe
    014 - IERESET.INF:
    START_PAGE_URL=http :1/store. presari o. net/scri pts/redi rectors/presari o/storeredi r2 . dl
    1 ?s=consumerfav&c=2c02&l c=0409
    016 - DPF: JT’ s Blocks - http://download .games .yahoo. coin/games/cl i ents/y/bltl...x. cab
    016 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/etLx.cab
    016 - DPF: {6414512B-B978-451D-AOD8-FcFDF33E833c} (wUwebcontrol Class) -
    http://v5 .wi ndowsupdate .microsoft. com/v5consumer/V5Control s/en/x86/cl ient/wuweb_site
    • cab?1095295312046
    016 - DPF: {74D05D43-3236-11D4-BDco-0Oc04F9A3B61} (HouseCall Control) -
    http://a840.g . akamai . net/7/840/537/2004061001/housecal 1 . trendmi cro. com/housecal l/xsc
    an53 . cab
    016 - DPF: {D44c75D8-C827-473E-8F68-A77E42500782} (uploader Class) -
    http: I/photo. walmart. com/photo/upl oads/webupl oadCl i ent . cab
    023 - Service: Network Security Service C 11FBaO#°AO’I) — unknown owner -
    C:\wINDCws\system32\iei i .exe (file missing)
    023 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r,o. -
    C: \PROGRPL-.1\Gri soft\AVGFRE-.1\avgamsvr. exe
    023 - Service: AVG7 Update Service (Avg7updsvc) - GRISOFT, s.r.o. -
    C: \PROGRA-..1\GrI soft\AvGFRE-.1\avgupsvc. exe
    023 - Service: Compaq Advisor (Compaq....RBA) - NeoPlanet - C:\Program
    Ff1 es\C0MPAQ\compaq Advi sor\bi n\compaq- rba.exe
    023 - Service: Cisco Systems, Inc. VPN service (cvPNo) - cisco Systems, Inc. -
    C:\Program Fi 1 es\Ci sco Systems\vPN cli ent\cvpnd .exe
    023 - Service: Content Monitoring Tool (mscrrrSrvc) - Unknown owner -
    C: \WINDOWS\system32\msCMTSrvc. exe (file missing)
    023 - service: NVIDIA Driver Helper Service (NvSvc) - NVIDIA Corporation -
    C: \wIND0WS\system32\nvsvc32 . exe
    023 - Service: Virtual NIC Service (PackethSvc) - America online, Inc. -
    C: \wIND0ws\system32\Packethsvc .exe
    Page 2
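
    An added example, not part of any post in this thread: a small Python triage pass over HijackThis log lines that tolerates the OCR-mangled section tags seen in the logs above (`02`, `Ri`, `RO` for `O2`, `R1`, `R0`) and marks entries for closer review. The sample lines are constructed from entries in the thread, the CLSIDs are placeholders, and the review rules are illustrative assumptions, not HijackThis's or the helper's own criteria.

```python
import re

# Constructed sample: cleanly typed lines modelled on entries in the thread's
# logs. Some section tags are left OCR-mangled on purpose (Ri, RO, 02, 023).
# The CLSIDs are placeholders, not values from the original log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
Ri - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qniit.dll/sp.html#53142
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
RO - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res : //C:\WINDOWS\qniit.dll/sp.html#53142
02 - BHO: Class - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\ntap32.dll (file missing)
02 - BHO: HomepageBHO - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\hpBDB6.tmp (file missing)
04 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
023 - Service: Network Security Service - Unknown owner - C:\WINDOWS\system32\ieii.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A section tag is R or O followed by one or two digits. OCR commonly turns
# the letter O into 0 and the digits 0/1 into O, i, I or l, so accept those.
_TAG = re.compile(r"^\s*([RrOo0])([0-9OoIil]{1,2})\s*-\s*(.+)$")
_DIGIT_FIX = str.maketrans({"O": "0", "o": "0", "I": "1", "i": "1", "l": "1"})


def parse_entry(line):
    """Return (section, body) for a log entry line, or None for other lines."""
    m = _TAG.match(line)
    if not m:
        return None
    letter = "R" if m.group(1) in "Rr" else "O"
    section = letter + m.group(2).translate(_DIGIT_FIX)
    return section, m.group(3).strip()


def review_reasons(section, body):
    """Illustrative rules (assumptions) for entries that deserve a closer look."""
    reasons = []
    low = body.lower()
    if section in ("R0", "R1") and "=" in body:
        # Drop spaces so an OCR'd "res : //" still compares as "res://".
        value = body.split("=", 1)[1].replace(" ", "").lower()
        if value.startswith("res://"):
            reasons.append("IE page setting points at a local res:// resource")
    if "(file missing)" in low:
        reasons.append("registered file is missing on disk")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service binary has no identifiable owner")
    if section == "O2" and re.search(r"\.tmp\b", low):
        reasons.append("BHO loaded from a .tmp file")
    return reasons


def triage(log_text):
    """Return [(section, reasons, body)] for every entry with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # header, process list, or wrapped continuation line
        section, body = entry
        reasons = review_reasons(section, body)
        if reasons:
            findings.append((section, reasons, body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    review: {reason}")
```

    Entries that wrap onto a second line, as in the printed logs above, are only matched on their first line; re-join wrapped lines before running the pass.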
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Can you get online with this computer now?
     
  11. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    I can work on this now, if you have time. The PC itself is not able to access the internet.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There's no way you're going to be able to help your buddy fix this hijack over the phone. We need to download and run several tools to fix this.

    You might be able to walk him through fixing the wininet.dll file.

    Have him click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Restart the computer into safe mode.

    Now go to the C:\Windows\System32\dllcache folder and find the wininet.dll file that is there. Right click it and choose "Copy" to copy the file.

    Now go back to the C:\Windows\System32 folder. Find the wininet.dll file that is there, if there is one. Right click it and choose "Rename". Rename it to wininet.old. After you have renamed the wininet.dll file, paste the copy you made from the dllcache folder in the System32 folder. If the wininet.dll file is missing from the System32 folder, go ahead and paste the copy there.

    Go to View > Refresh.

    Restart the computer and see if you can access the internet now.

    If he can access the internet, come back here and post a new Hijack This log. This will have to be done by someone that is on the actual computer, not over the phone from this point on. Have him come here and post the HJT log himself.

    After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  13. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    Flrman1,

    There is no wininet.dll file in the dllcache folder. Also, he cannot access the desktop. When the PC loads, it is a blank screen. He can only access things by pressing ctrl-alt-del to start the task manager to gain access to things that way. Any ideas? He is running XP, Home Edition, Version 2002, Service Pack 2. Can a file be copied from somewhere else?
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go to Start > Search and look under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Do a file search for wininet.dll and let me know exactly where it is found.
     
  15. tstr

    tstr Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    22
    This thing is really locked down!

    He cannot do a search from "start" because the desktop is blank. No start bar, icons, my computer, nothing. Nothing happens when he right clicks on the desktop. I had him try a search by gaining access to folders using the task manager, but he gets the error message "application failed to start because wininet.dll was not found" when he tries the search or explore options. I had him try to start in safe mode, but it will not start in that mode. Any suggestions?

    I'll be sure to make a donation for all the help you have provided and hopefully still can!

    Thanks!
     

Short URL to this thread: https://techguy.org/430982
