Solved: Virus Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Hello,

I have this problem: When my PC boots (XP SP2), I get an error "application cannot load because WININET.DLL is missing or not found. Reinstalling may fix the problem." At this point, the desktop or icons are not visible, but I can gain access to applications and files through the task manager, but that is all.

Prior to this, I did have a virus that AGP picked up and fixed called "Trojan Horse Generic Law" and "Java/Byte Verify"

Any suggestions or help, please!?
 
Joined
Jul 26, 2002
Messages
46,353
Please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Here is the Hijack this log. What should be deleted?

Logfile of HijackThis v1.99.1
Scan saved at 3:37:09 PM, on1/4/2006
platform: windows XP sp2 (winNT 5.01.2600)
MSIE: Internet Explorer vG.OO sp2 (6.00.2900.2180)

Running processes:
C:\WINDOWs\system32\smss.exe
C:\WINDOWs\system32\winlogon.exe
C:\WINDOWs\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\spoolsv.exe
C:\WINDOWs\system32\packethsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe
c:\Program Files\cisco systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\taskmgr.exe

C:\WINDOWS\s¥stem32\wscntfy.exe
c:\program Flles\Hijackthis\Hijackihis.exe

R1 -HKCU\software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDows\qniit.dll/sp.html#53142%
Rl -HKCU\Software\Microsoft\Internet Explorer\Main,Search page =
reS://C:\WINDows\qniit.dll/sp.htm1#53142%

R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_uRL = about:blank
R1 -HKLM\software\Microsoft\Internet Explorer\Main,Default_search_URL =
res://c:\WINDOWS\qniit.dll/sp.html#53142%
R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://c:\WINDOWS\qniit.dll/sp.html#53142%

R1 -HKLM\Software\Microsoft\Internet Explorer\Main,search page =
res://C:\WINDows\qniit.dll/sp,html#53142%
R1 -HKCU\software\Microsoft\Internet Explorer\Search,searchAssistant =

res://c:\WINDOWS\qniit.dll/sp.html#53142%

RO -HKLM\Software\Microsoft\Internet Explorer\Search,searchAssistant =
res://C:\WINDOws\qniit.dll/sp.html#53142%
R1 -HKCU\software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://search.yahoo.com/search?p=%s

R1 -HKCU\software\Microsoft\Internet Explorer\Main,window Title = Microsoft
Internet Explorer provided by compaq
R1 -HKCU\software\Microsoft\windows\Currentversion\Internet settings,proxyoverride
= 127.0.0.1

R3 -Default uRLsearchHook is missing

02 -BHO: class -{OB7B9D60-15AA-747F-18EE-64D61F5D7661} -C:\WINDOWS\ntap32.dll
(fil e mi s5i ng)
02 -BHO: HomepageBHo -{eOl03cd4-d1ce-411a-b75b-4fec072867f4} -
C:\WINDOWS\system32\hpBDB6.tmp

04 -HKLM\..\Run: NvcP1DaemOn] RUNDLL32.EXE NvQTWk,NvcplDaemon initialize
04 -HKLM\..\Run: CARPservice] carpserv.exe
04 -HKLM\..\Run: fCPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
support\startEAK.exe
04 -HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
04 -HKLM\..\Run: [srmclean] C:\Cpqs\scom\srmclean.exe
04 -HKLM\..\Run: [Smapp] c:\program Files\Analog Devices\SOundMAX\Smtray.exe
04 -HKLM\..\Run: [Microsoft works portfolio] C:\program Files\Microsoft

works\wkssb.exe /Allusers
04 -HKLM\..\Run: [Microsoft works update Detection] c:\Program Files\common
Files\Microsoft shared\works shared\wkuFind.exe

04 -HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWs\system32\spool\drivers\w32x86\3\hpztsb07.exe
04 -HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmonO4.exe
04 -HKLM\.. \Run: [HPHUPDO4]"C:\Program Files\HP photosmart11\hphinstall\unipatch\hphupdO4.exe"
04 -HKLM\..\Run: [share-to-web NamespaceDaemon]c:\program
Files\Hewlett-packard\HP share-to-web\hpgs2wnd.exe

04 -HKLM\..\Run: [AVG7_CC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgcc.exe /STARTUP04 -HKLM\..\Run: [AVG7_EMC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgemc.exe04 -HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
04 -HKLM\.. \Run: [TkBellExe] "C:\Program Files\common
Files\Real\update_OB\realsched.exe" -osboot
04 -HKCU\..\Run: [MSMSGS]"c:\Program Files\Messenger\msmsgs.exe" /background
04 -Global startup: cisco systems VPN client.lnk = c:\Program Files\Cisco

systems\VPN client\vpngui.exe04 -Global startup: Image Transfer.lnk = ?
04 -Global startup: Microsoft office.lnk = C:\Program Files\Microsoft
office\office10\osA.EXE
04 -Global startup: Microsoft works calendar Reminders.lnk = ?
08 -Extra context menu item: E&xport to Microsoft Excel res://
c:\PROGRA~1\MICROS~3\office10\EXCEL.EXE/300009 -Extra button: Yahoo! Login -{2499216C-4BA5-11D5-BD9C-OOO103Cl16DS}

-
c:\Program Files\Yahoo!\common\ylogin.dll

09 -Extra 'Tools' menuitem: Yahoo! Login -{2499216C-4BAS-11DS-BD9C-OOO103Cl16DS}c:\
program Files\Yahoo!\Common\ylogin.dll
09 -Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-OOCOFO318AFE}
C:\WINDOWs\system32\shdocvw.dll09 -Extra button: Moneyside -{EO23F504-0C5A-4750-A1E7-A9046DEA8A21}-c:\ProgramFiles\Microsoft Money\system\mnyviewer.dll (file missing)
09 -Extra button: Messenger --c:\Program

{FB5F1910-F110-11d2-BB9E-OOCO4F795683}
Files\Messenger\msmsgs.exe
09 -Extra 'Tools' menuitem: windows Messenger {
FB5F1910-F110-11d2-BB9E-OOCO4F79S683}-c:\program Files\Messenger\msmsgs.exe

014 -IERESET.INF:

START_PAGE-URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dl1?s=consumerfav&c=2cO2&lc=O409
016 -DPF: JT'S Blocks -http://download.games.yahoo.com/games/clients/y/blt1-x.cab

016 -DPF: Yahoo! Euchre -http://download.games.yahoo.com/games/clients/y/et1-x.cab016 -DPF: {6414S12B-B978-451D-AOD8-FCFPF33E833C} (wuwebcontrol class) http://
vS.windowsupdate.microsoft.com/v5consumer/V5controls/en/x86/client/wuweb_site

.cab?1095295312046
016 -DPF: {74DO5D43-3236-11D4-BDCD-OOcO4F9A3B61} (Housecall control) http://
a840.g.akamai.net/7/840/S37/2004061001/housecall.trendmicro.com/housecall/xsc

an53.cab
016 -DPF: {D44C7SD8-c827-473E-8F68-A77E42500782} (uploader class) http://
photo.walmart.com/photo/uploads/webuploadClient.cab

023 -service: NetWork security service ( 11FBao#.oAo'I) -unknown owner C:\
WINDOWS\system32\ieii.exe (file missing)
023 -service: AVG7Alert Manager Server (Avg7Alrt) -GRISOFT, s.r.o. C:\
PROGRA-1\Grisoft\AVGFRE-1\av9amsvr.exe

023 -service: AVG7update SerVlce (Avg7updsvc) s.r.o.

-GRISOFT,

C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe023 -service: compaqAdvisor (compaq_RBA)-Neoplanet -c:\ProgramFiles\COMPAQ\compaqAdvisor\bin\compaq-rba.exe023 -service: cisco systems, Inc. VPNService (CVPND)-Cisco systems, Inc. c:\
Program Files\cisco systems\vPN Client\cvpnd.exe
023 -service: Content Monitoring Tool (msCMTSrvc) -unknown owner C:\
WINDOWs\system32\msCMTsrvc.exe (file missing)
023 -service: NVIDIA Driver Helper Service (NVSVC) -NVIDIA corporation C:\
WINDOWs\system32\nvsvc32.exe

023 -service: Virtual NIC Service (Packethsvc) -Americaonline, Inc. C:\
WINDOWS\system32\packethSvc.exe023 -service: pml Driver HPH11-HP -C:\WINDOWS\System32\HPHipm11.exe
 
Joined
Jul 26, 2002
Messages
46,353
Please repost your Hijack This log. That one is too mixed up to read. Before you post it again, rescan with Hijack This and save the log. With the log open in notepad, go to Format > Word Wrap. Make sure Word Wrap is checked.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Flrman1,

Sorry for the trouble. I really appreciate the help. Here is the HJT log with word wrap on:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:09 PM, on1/4/2006
platform: windows XP sp2 (winNT 5.01.2600)
MSIE: Internet Explorer vG.OO sp2 (6.00.2900.2180)


Running processes:
C:\WINDOWs\system32\smss.exe
C:\WINDOWs\system32\winlogon.exe
C:\WINDOWs\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\spoolsv.exe
C:\WINDOWs\system32\packethsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe
c:\Program Files\cisco systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\taskmgr.exe


C:\WINDOWS\s¥stem32\wscntfy.exe
c:\program Flles\Hijackthis\Hijackihis.exe


R1 -HKCU\software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDows\qniit.dll/sp.html#53142%
Rl -HKCU\Software\Microsoft\Internet Explorer\Main,Search page =
reS://C:\WINDows\qniit.dll/sp.htm1#53142%


R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_uRL = about:blank
R1 -HKLM\software\Microsoft\Internet Explorer\Main,Default_search_URL =
res://c:\WINDOWS\qniit.dll/sp.html#53142%
R1 -HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =


res://c:\WINDOWS\qniit.dll/sp.html#53142%


R1 -HKLM\Software\Microsoft\Internet Explorer\Main,search page =
res://C:\WINDows\qniit.dll/sp,html#53142%
R1 -HKCU\software\Microsoft\Internet Explorer\Search,searchAssistant =


res://c:\WINDOWS\qniit.dll/sp.html#53142%


RO -HKLM\Software\Microsoft\Internet Explorer\Search,searchAssistant =
res://C:\WINDOws\qniit.dll/sp.html#53142%
R1 -HKCU\software\Microsoft\Internet Explorer\SearchURL,(Default) =


http://search.yahoo.com/search?p=%s


R1 -HKCU\software\Microsoft\Internet Explorer\Main,window Title = Microsoft
Internet Explorer provided by compaq
R1 -HKCU\software\Microsoft\windows\Currentversion\Internet settings,proxyoverride
= 127.0.0.1


R3 -Default uRLsearchHook is missing


02 -BHO: class -{OB7B9D60-15AA-747F-18EE-64D61F5D7661} -C:\WINDOWS\ntap32.dll
(fil e mi s5i ng)
02 -BHO: HomepageBHo -{eOl03cd4-d1ce-411a-b75b-4fec072867f4} -
C:\WINDOWS\system32\hpBDB6.tmp


04 -HKLM\..\Run: NvcP1DaemOn] RUNDLL32.EXE NvQTWk,NvcplDaemon initialize
04 -HKLM\..\Run: CARPservice] carpserv.exe
04 -HKLM\..\Run: fCPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
support\startEAK.exe
04 -HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
04 -HKLM\..\Run: [srmclean] C:\Cpqs\scom\srmclean.exe
04 -HKLM\..\Run: [Smapp] c:\program Files\Analog Devices\SOundMAX\Smtray.exe
04 -HKLM\..\Run: [Microsoft works portfolio] C:\program Files\Microsoft


works\wkssb.exe /Allusers
04 -HKLM\..\Run: [Microsoft works update Detection] c:\Program Files\common
Files\Microsoft shared\works shared\wkuFind.exe

04 -HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWs\system32\spool\drivers\w32x86\3\hpztsb07.exe
04 -HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmonO4.exe
04 -HKLM\.. \Run: [HPHUPDO4]"C:\Program Files\HP photosmart11\hphinstall\unipatch\hphupdO4.exe"
04 -HKLM\..\Run: [share-to-web NamespaceDaemon]c:\program
Files\Hewlett-packard\HP share-to-web\hpgs2wnd.exe

04 -HKLM\..\Run: [AVG7_CC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgcc.exe /STARTUP04 -HKLM\..\Run: [AVG7_EMC]C:\PROGRA~l\Grisoft\AVGFRE~l\avgemc.exe04 -HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
04 -HKLM\.. \Run: [TkBellExe] "C:\Program Files\common
Files\Real\update_OB\realsched.exe" -osboot
04 -HKCU\..\Run: [MSMSGS]"c:\Program Files\Messenger\msmsgs.exe" /background
04 -Global startup: cisco systems VPN client.lnk = c:\Program Files\Cisco

systems\VPN client\vpngui.exe04 -Global startup: Image Transfer.lnk = ?
04 -Global startup: Microsoft office.lnk = C:\Program Files\Microsoft
office\office10\osA.EXE
04 -Global startup: Microsoft works calendar Reminders.lnk = ?
08 -Extra context menu item: E&xport to Microsoft Excel res://
c:\PROGRA~1\MICROS~3\office10\EXCEL.EXE/300009 -Extra button: Yahoo! Login -{2499216C-4BA5-11D5-BD9C-OOO103Cl16DS}

-
c:\Program Files\Yahoo!\common\ylogin.dll

09 -Extra 'Tools' menuitem: Yahoo! Login -{2499216C-4BAS-11DS-BD9C-OOO103Cl16DS}c:\
program Files\Yahoo!\Common\ylogin.dll
09 -Extra button: Real.com -


{CD67F990-D8E9-11d2-98FE-OOCOFO318AFE}
C:\WINDOWs\system32\shdocvw.dll09 -Extra button: Moneyside -{EO23F504-0C5A-4750-A1E7-A9046DEA8A21}-c:\ProgramFiles\Microsoft Money\system\mnyviewer.dll (file missing)
09 -Extra button: Messenger --c:\Program

{FB5F1910-F110-11d2-BB9E-OOCO4F795683}
Files\Messenger\msmsgs.exe
09 -Extra 'Tools' menuitem: windows Messenger {
FB5F1910-F110-11d2-BB9E-OOCO4F79S683}-c:\program Files\Messenger\msmsgs.exe

014 -IERESET.INF:

START_PAGE-URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dl1?s=consumerfav&c=2cO2&lc=O409
016 -DPF: JT'S Blocks -http://download.games.yahoo.com/games/clients/y/blt1-x.cab

016 -DPF: Yahoo! Euchre -http://download.games.yahoo.com/games/clients/y/et1-x.cab016 -DPF: {6414S12B-B978-451D-AOD8-FCFPF33E833C} (wuwebcontrol class) http://
vS.windowsupdate.microsoft.com/v5consumer/V5controls/en/x86/client/wuweb_site

.cab?1095295312046
016 -DPF: {74DO5D43-3236-11D4-BDCD-OOcO4F9A3B61} (Housecall control) http://
a840.g.akamai.net/7/840/S37/2004061001/housecall.trendmicro.com/housecall/xsc

an53.cab
016 -DPF: {D44C7SD8-c827-473E-8F68-A77E42500782} (uploader class) http://
photo.walmart.com/photo/uploads/webuploadClient.cab

023 -service: NetWork security service ( 11FBao#.oAo'I) -unknown owner C:\
WINDOWS\system32\ieii.exe (file missing)
023 -service: AVG7Alert Manager Server (Avg7Alrt) -GRISOFT, s.r.o. C:\
PROGRA-1\Grisoft\AVGFRE-1\av9amsvr.exe

023 -service: AVG7update SerVlce (Avg7updsvc) s.r.o.


-GRISOFT,

C:\PROGRA-1\Grisoft\AVGFRE-1\avgupsvc.exe023 -service: compaqAdvisor (compaq_RBA)-Neoplanet -c:\ProgramFiles\COMPAQ\compaqAdvisor\bin\compaq-rba.exe023 -service: cisco systems, Inc. VPNService (CVPND)-Cisco systems, Inc. c:\
Program Files\cisco systems\vPN Client\cvpnd.exe
023 -service: Content Monitoring Tool (msCMTSrvc) -unknown owner C:\
WINDOWs\system32\msCMTsrvc.exe (file missing)
023 -service: NVIDIA Driver Helper Service (NVSVC) -NVIDIA corporation C:\
WINDOWs\system32\nvsvc32.exe

023 -service: Virtual NIC Service (Packethsvc) -Americaonline, Inc. C:\
WINDOWS\system32\packethSvc.exe023 -service: pml Driver HPH11-HP -C:\WINDOWS\System32\HPHipm11.exe
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Flrman1,

Here is the problem ... because of the problems, I do not have access to the internet on that PC. I had to print the log (where the word wrap was not checked). I am posting this from work, so I will need to print the log again (with word wrap checked) and post it tomorrow, unless you have any other suggestions. If I post tomorrow, will that work okay with you?

Thanks again Flrman1.
 
Joined
Jul 26, 2002
Messages
46,353
We will definitely have to wait until you are at that computer and have time to spend and fix it. This Hijack is tricky to remove because the entries in HJT and the file names etc... will change with certain events.

Again I remind you, after you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Flrman,

Okay. I have done exactly what you have asked. Hopefully this one is better.

Logfile of HijackThis vl.99.1
Scan saved at 4:00:06 PM, on 1/5/2006
platform: windows x sP2 (W1nNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C: \wINDOWS\System32\smss .exe
C: \wIND0WS\system32\wi WI ogon .exe
C: \wIND0wS\system32\servi ces .exe
C: \wINDOwS\system32\l sass .exe
C: \wINDOWS\system32\svchost .exe
C: \WINDCwS\System32\svchost. exe
C: \WINDOWS\system32\spool sv • exe
C: \wINDowS\System32\PackethSvc. exe
C: \PROGRA-1\Gri soft\AVGFRE-1\avgamsvr .exe
C: \PROGRA-.1\Gri soft\AvGFRE.4\avgupsvc.exe
C:\Program Fl les\Ci sco Systems\vPN client\cvpnd .exe
C: \wINDOWS\System32\nvsvc32 .exe
C: \wINDS\System32\svchost .exe
C: \wINDOws\system32\taskmgr.exe
C: \wINDOwS\system32\wuaucl t .exe
C: \wIND0wS\system32\wscntfy.exe
C:\wINDowS\SoftwareDi stri bution\Download\s-1-5-18\7fb9aldcdOOc55662f93dcfclb3aeOe6\u
pdate\update.exe
c:\Program Fiies\Hijackthis\HijackThis.exe
Ri - HKCU\Software\Microsoft\Internet Expiorer\Main,Search Bar = res : //C: \wIND0wS\qni it. dli /sp . html #53142%
Ri - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page res://c:\wINDOws\qniit.dll/sp.html#53142%
Ri - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank Ri - HKLM\Software\Mi crosoft\internet Expi orer\Mai n , Defaul t_Search_URL =
res :1/c: \wINDcwS\qni it. dl l/sp. html #53142%
Ri - HKLM\Software\Microsoft\Internet Explorer\Maln,Search Bar = res://C:\wINDowS\qnhit.dll/sp.html#53142%
Ri - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res : f/C: \wINDows\qni it. dli Isp. html #53142%
Ri - HKCU\Software\Mi crosoft\internet Expiorer\Search, SearchAssi stant = res ://c: \wINDows\qni it. dli Isp. html #53142%
RO - HKLM\Software\Ml crosoft\internet Explorer\Search , SearchAssi stant = res ://c: \wIND0wS\qni it .dll /sp. html#53142%
Ri - HKCU\Software\Microsoft\Internet Explorer\SearchuRL, (Default) = http: //search . yahoo. com/search?p=%s
Ri - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
Ri - HKCU\software\Mi crosoft\wi ndows\currentversion\Internet Settings, ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
02 - BHO: Class - {0B789D60-1SAA-747F-18EE-64D61F5D7661} - C:\WINDOWS\ntap32.dll (file missing)
02 - BHO: HomepageBHo - {eOlO3cd4-dlce-411a-b75b-4fec072867f4} - C: \WINDOWS\system32\hpBDB6 . tmp (file missing)
04 - HKLM\..\Run: NvCplDaemon) RUNDLL32.EXE NvQTwk,NvCploaemon initialize
04 - HKLM\. .\Run: CARPService) carpserv.exe
04 - HKLM\. .\Run: CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
Support\StartEAK.exe
04 - HKLM\..\Run: WCOLOREAL] “C:\Program Files\COMPAQ\Coioreal\coloreai.exe”
04 - HKLM\..\Run: srmclean] C:\Cpqs\Scom\srmclean.exe
04 - HKLM\..\Run: Smapp) C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
04 - HKLM\. .\Run: Microsoft works Portfolio) c:\Program Files\Microsoft
works\wkssb.exe /Al 1 users
04 - HKLM\..\Run: [Microsoft works update Detection) C:\Program Files\Common Fl 1 es\Mi crosoft Shared\works Shared\wkuFi nd. exe
04 - HKLM\..\Run: EHPDJ Taskbar utility)
C: \wINDOws\System32\spool \dri vers\w32x86\3\hpztsbo7 .exe
04 - HKLM\. .\Run: [HPHmonO4] c:\wlNoows\system32\hphmon04.exe
04 - HKLM\..\Run: [HPHUPDO4) “C:\Program Files\HP Photosmart
11\hphi nstal 1 \uni Patch\hphupdO4. exe”
04 - HKLM\..\Run: [Share-to-web Namespace Daemon) C:\Program
Fi 1 es\Hewl ett-Packard\HP share-to-web\hpgs2wnd.exe
04 - HKLM\. .\Run: [AvG7_CC) C:\PR0GRA.-1\Grisoft\AVGFRE-..1\avgcc.exe /STARTUP
04 - HKLM\. . \Run: [AVG7_EMC] C: \PROGRA-4\Gri soft\AvGFRE-1\avgemc .exe
04 - HKLM\. .\Run: IQuickTime Task) “C:\Program Files\QuickTime\qttask.exe”
-atbootti me
04 - HKLM\. .\Run: [TkBellExe] “c:\Program Files\Common
Fi 1 es\Real \update_oB\ real sched .exe” -osboot
04 - HKCU\. .\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
04 - Global startup: Cisco Systems VPN client.lnk = c:\Program Files\Cisco
Systems\vPN client\vpngui .exe
04 - Global Startup: Image Transfer.lnk = 7
04 - Global Startup: Microsoft Office..lnk = C:\Program FileS\Microsoft
off I ce\Off I celO\OSA. EXE
04 - Global startup: Microsoft works Calendar Reminders.lnk = 7
08 - Extra context menu item: E&xport to Microsoft Excel -
res :1/C: \PR0GRA—1\MICROS-.3\Offi celO\EXCEL. EXE/3000
09 - Extra button: Yahoo! Login - {2499216c-4BA5-11D5-BD9C-000103C116D5} -
C:\Program Fi les\YahooRcomnion\ylogi n .dll
09 - Extra ‘Tools’ menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\Program Flles\Yahoo!\Common\ylogin..dll
09 - Extra button: Real.com - {cD67F990-08E9-11d2-98FE-OOcOFO318AFE} -
C: \WINDowS\System32\Shdocvw.dll
09 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046oEA8A21} - c:\Program
Fi les\Microsoft Money\system\mnyviewer .dll (file missing)
09 - Extra button: Messenger - {FB5F191O-F11O-11d2-BB9E-00C04F795683} - C:\Program
Fl 1 es\Messenger\msmsgs .exe
09 - Extra ‘Tools’ menuitem: Windows Messenger -
{FB5F191O-F11O-11d2-BB9E-00C04F795683} - C:\Program Fl les\Messenger\msmsgs .exe
014 - IERESET.INF:
START_PAGE_URL=http :1/store. presari o. net/scri pts/redi rectors/presari o/storeredi r2 . dl
1 ?s=consumerfav&c=2c02&l c=0409
016 - DPF: JT’ s Blocks - http://download .games .yahoo. coin/games/cl i ents/y/bltl...x. cab
016 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/etLx.cab
016 - DPF: {6414512B-B978-451D-AOD8-FcFDF33E833c} (wUwebcontrol Class) -
http://v5 .wi ndowsupdate .microsoft. com/v5consumer/V5Control s/en/x86/cl ient/wuweb_site
• cab?1095295312046
016 - DPF: {74D05D43-3236-11D4-BDco-0Oc04F9A3B61} (HouseCall Control) -
http://a840.g . akamai . net/7/840/537/2004061001/housecal 1 . trendmi cro. com/housecal l/xsc
an53 . cab
016 - DPF: {D44c75D8-C827-473E-8F68-A77E42500782} (uploader Class) -
http: I/photo. walmart. com/photo/upl oads/webupl oadCl i ent . cab
023 - Service: Network Security Service C 11FBaO#°AO’I) — unknown owner -
C:\wINDCws\system32\iei i .exe (file missing)
023 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r,o. -
C: \PROGRPL-.1\Gri soft\AVGFRE-.1\avgamsvr. exe
023 - Service: AVG7 Update Service (Avg7updsvc) - GRISOFT, s.r.o. -
C: \PROGRA-..1\GrI soft\AvGFRE-.1\avgupsvc. exe
023 - Service: Compaq Advisor (Compaq....RBA) - NeoPlanet - C:\Program
Ff1 es\C0MPAQ\compaq Advi sor\bi n\compaq- rba.exe
023 - Service: Cisco Systems, Inc. VPN service (cvPNo) - cisco Systems, Inc. -
C:\Program Fi 1 es\Ci sco Systems\vPN cli ent\cvpnd .exe
023 - Service: Content Monitoring Tool (mscrrrSrvc) - Unknown owner -
C: \WINDOWS\system32\msCMTSrvc. exe (file missing)
023 - service: NVIDIA Driver Helper Service (NvSvc) - NVIDIA Corporation -
C: \wIND0WS\system32\nvsvc32 . exe
023 - Service: Virtual NIC Service (PackethSvc) - America online, Inc. -
C: \wIND0ws\system32\Packethsvc .exe
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
I can work on this now, if you have time. The PC itself is not able to access the internet.
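How the entries in a HijackThis log like the ones posted in this thread can be sorted for review before anything is fixed, as an added example that is not part of the original posts. The function names, the three flagging heuristics and the sample log (built in the 1.99.1 format with a placeholder CLSID) are assumptions of this example; the parser also accepts a leading zero in place of the letter O, as happens when a printed log is scanned.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on the kinds of
# entries in this thread's logs. The CLSID is a placeholder, not a real value.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qniit.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: Class - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\ntap32.dll (file missing)
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button
Support\StartEAK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSVC) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Section codes that appear in the logs in this thread.
SECTION_NAMES = {
    "R0": "IE start/search setting", "R1": "IE start/search setting",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "autostart entry", "O8": "IE context menu item",
    "O9": "IE button / Tools item", "O16": "ActiveX download (DPF)",
    "O23": "service",
}

# An entry starts with a section code; [O0] tolerates a scanned "0" for "O".
ENTRY_RE = re.compile(r"^(R[0-3]|[O0]\d{1,2})\s*-\s*(.*)$")
# IE setting whose value is a resource inside a local DLL.
RES_DLL_RE = re.compile(r"=\s*res://(.+?\.dll)/", re.IGNORECASE)


def parse_log(text):
    """Return [(code, body)], re-joining entries that were wrapped onto
    several lines. Header and process lines before the first entry are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            code = m.group(1)
            if code[0] == "0":          # normalise scanned zero to letter O
                code = "O" + code[1:]
            entries.append([code, m.group(2)])
        elif entries:
            entries[-1][1] += " " + line  # continuation of a wrapped entry
    return [(c, b) for c, b in entries]


def triage(entries):
    """Return [(code, body, reasons)] for entries a reviewer should look at.
    The heuristics are this example's assumptions, not HijackThis verdicts."""
    findings = []
    for code, body in entries:
        reasons = []
        m = RES_DLL_RE.search(body)
        if code in ("R0", "R1") and m:
            reasons.append("IE setting served from a local DLL: " + m.group(1))
        if "(file missing)" in body.lower():
            reasons.append("registry entry points at a file that is not on disk")
        if code == "O23" and "unknown owner" in body.lower():
            reasons.append("no vendor name could be read for the service binary")
        if reasons:
            findings.append((code, body, reasons))
    return findings


def report(text):
    """Human-readable lines: one per flagged entry, reasons indented below."""
    out = []
    for code, body, reasons in triage(parse_log(text)):
        out.append(f"{code} [{SECTION_NAMES.get(code, 'other')}] {body}")
        out.extend("    -> " + r for r in reasons)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Flagged entries are candidates for a human reviewer, not a removal list; the Excel context-menu item and the vendor-signed services pass through unflagged.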
 
Joined
Jul 26, 2002
Messages
46,353
tstr said:
Sorry, was on the way home from work when you left it. I am available now to work on the problem(s), if you are.

I need to let you know that I am helping my buddy with this by telling him what we need to do over the phone or using scans of Hijack this to post on the board.

I am very thankful for the help with these problems and patience with us.

Tstr
There's no way you're going to be able to help your buddy fix this hijack over the phone. We need to download and run several tools to fix this.

You might be able to walk him through fixing the wininet.dll file.

Have him click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Restart the computer into safe mode.

Now go to the C:\Windows\System32\dllcache folder and find the wininet.dll file that is there. Right click it and choose "Copy" to copy the file.

Now go back to the C:\Windows\System32 folder. Find the wininet.dll file that is there, if there is one. Right click it and choose "Rename". Rename it to wininet.old. After you have renamed the wininet.dll files, paste the copy you made from the dllcache folder in the System32 folder. If the wininet.dll file is missing from the System32 folder, go ahead and paste the copy there.

Go to View > Refresh.

Restart the computer and see if you can access the internet now.

If he can access the internet, come back here and post a new Hijack This log. This will have to be done by someone that is on the actual computer, not over the phone from this point on. Have him come here and post the HJT log himself.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
Flrman1,

There is no wininet.dll file in the dllcache folder. Also, he cannot access the desktop. When the PC loads, it is a blank screen. He can only access things by pressing ctrl-alt-del to start the task manager to gain access to things that way. Any ideas? He is running XP, Home Edition, Version 2002, Service Pack 2. Can a file be copied from somewhere else?
 
Joined
Jul 26, 2002
Messages
46,353
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Do a file search for wininet.dll and let me know exactly where it is found.
 

tstr

Thread Starter
Joined
Jan 4, 2006
Messages
22
This thing is really locked down!

He cannot do a search from "start" because the desktop is blank. No start bar, icons, my computer, nothing. Nothing happens when he right clicks on the desktop. I had him try a search by gaining access to folders using the task manager, but he gets the error message "application failed to start because wininet.dll was not found" when he tries the search or explore options. I had him try to start in safe mode, but it will not start in that mode. Any suggestions?

I'll be sure to make a donation for all the help you have provided and hopefully still can!

Thanks!
 