1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Virus information

Discussion in 'Windows XP' started by vacowboy28, Apr 1, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. vacowboy28

    vacowboy28 Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    7
    Each time I open IE another window named C:\windows\system32 opens. How can I stop this?
     
  2. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    welcome :)

    Looks like you have a trojan / spyware.

    download and install HighJackThis.

    When you run HJT, press scan
    Then press Save Log. Save the log and the log will then appears in Wordpad.
    Copy and paste the log here.
     
  3. vacowboy28

    vacowboy28 Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    7
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portalsearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/access/allinone.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.portalsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O2 - BHO: (no name) - {02F88FB9-CEF1-0BA0-F8F3-92DE7027E8DE} - C:\WINDOWS\system32\rwqdsvdl.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: (no name) - {B5263155-DD86-41A5-9653-CE2AB54D3226} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\system32\QaBar.dll (file missing)
    O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
    O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
    O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\System32\wininetd.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Timothy\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.global-netcom.de/ieloader.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://info.dcjs.state.va.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {132BDF97-4059-46E6-BB76-9BFD2527226F} (CChat Class) - http://cuteandsingle.com/downloads/cc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://www.tnc4u.com/MCInst.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://usa-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_US.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1043.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/daimlerchrysler/rrtstreetwise/install.cab
    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/EGHTMLDialerXP.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/BHO.CAB
    O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} (EGStripDownload Class) - http://fr4-download.strip-player.com/download/stripplayer/bin/activestripsetup_minsize.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v50/h2hpool/h2hpool.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - http://toolbar2.i-lookup.com/toolbar2/windec32.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab





    What do i do
     
  4. PC_Wiz

    PC_Wiz

    Joined:
    Nov 19, 2003
    Messages:
    1,245
  5. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    hey there. Please make sure you are posting in the same post. Please do not make another post for the same problem. If you want to make a reply to the post, click Post Reply on the bottom of the screen.

    OK, go back and rescan. Put a check against these and fix.

    O1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL

    O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\system32\QaBar.dll (file missing)
    O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
    O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
    O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\System32\wininetd.exe


    You might want to do a scan for viruses. Also download and run the first three programs I have listed down in my signatrue.
     
  6. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    Here is some information of the virus you got.
    The file wininetd.exe was added as a result of the backdoor.winet virus

    REMOVAL INSTRUCTIONS:

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    Disable System Restore (Windows Me/XP).
    Update the virus definitions.
    Do one of the following:
    Windows 95/98/Me: Restart the computer in Safe mode.
    Windows NT/2000/XP: End the Trojan process.

    Run a full system scan and delete all the files detected as Backdoor.Winet.
    Delete the values that were added to the registry.

    For specific details on each of these steps, read the following instructions.

    1. Disabling System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
    "How to disable or enable Windows Me System Restore"
    "How to disable or enable Windows XP System Restore"

    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

    2. Updating the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

    3. Restarting the computer in Safe mode or ending the Trojan process
    Windows 95/98/Me
    Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

    Windows NT/2000/XP
    To end the Trojan process:
    Press Ctrl+Alt+Delete once.
    Click Task Manager.
    Click the Processes tab.
    Double-click the Image Name column header to alphabetically sort the processes.
    Scroll through the list and look for Wininetd.exe.
    If you find the file, click it, and then click End Process.
    Exit the Task Manager.


    4. Scanning for and deleting the infected files
    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
    For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."

    Run a full system scan.
    If any files are detected as infected with Backdoor.Winet, click Delete.

    5. Deleting the values from the registry

    CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type regedit

    Then click OK. (The Registry Editor opens.)


    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    In the right pane, delete the value:

    wininetd


    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\WindowsRTS


    In the right pane, delete the value:

    SerialID


    In the left pane, delete the key:

    Wininetd


    Exit the Registry Editor.
     
  7. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
  8. vacowboy28

    vacowboy28 Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    7
    I have found some viruses on my computer. I have McAfee and it done the checks without finding anything.. How do I remove these viruses?
     
  9. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    Try using an online scanner. There's a link to one on my signature.
     
  10. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    vacowboy28. Please DO NOT MAKE A NEW THREAD FOR THE SAME THING. It will confuse everyone if there is too many posts for the same thing. Like I said you can reply in this thread by either clicking on Post Reply or type your message in the Post QuickReply and then Submit QuickReply.
     
  11. vacowboy28

    vacowboy28 Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    7
    I have run a scan thru trendmicro and it will not remove or clean the viruses.. I have a total of 11. Can anyone help me remove them from my computer
     
  12. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    34,635
    First Name:
    James
    Try updating your virus definations for your software. MaCafee should be able to find them. Worse case scenario, there is a free anti-virus program call AVG

    BTW, what are the viruses?
     
  13. Triple6

    Triple6 Moderator

    Joined:
    Dec 26, 2002
    Messages:
    52,935
    First Name:
    Rob
    What viruses does it say you have?

    You can go to www.symantec.com and get virus removal instructions and/or tools. Just search for the viruses listed on your system.

    Is your McAfee up-to-date?
     
  14. vacowboy28

    vacowboy28 Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    7
    1.TROJ LALUS.A 2. TROJ PORNDIAL.BP 3. TROJ PORNDIAL.BP 4. TROJ ISTBAR.J


    tHESE ARE JUST SOME OF THEM
     
  15. buck52

    buck52 Banned

    Joined:
    Mar 9, 2001
    Messages:
    8,373
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/216620

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice