
#1 hammer0501



  • New Member
  • 3 posts

Posted 20 July 2004 - 09:44 PM

Hi Guys;

I'm new to this, but unfortunately this seems to be a club everyone joins at some point. My homepage has been hijacked to "about:blank" and I get annoying pop ups in spite of pop up blockers. After updating my Norton antivirus definitions I now have a pop up that says virus alert:

Object name C: WINNT\system32/wineapi.dll

#2 dolphins


    Advanced Member

  • Retired Staff - Helper
  • 131 posts

Posted 20 July 2004 - 09:56 PM

Please follow the instructions for posting a HJT log (http://www.net-integ...hijackthis.html) and post it here.

#3 hammer0501



  • New Member
  • 3 posts

Posted 21 July 2004 - 06:54 AM


Logfile of HijackThis v1.97.7
Scan saved at 7:47:25 AM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundcarolina.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundcarolina.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {8488436B-5F7E-44F0-8734-E7B5267F73E3} - C:\WINNT\System32\ijheh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#4 Mish


    “I am evil Homer…”

  • Full Member
  • 9 posts

Posted 21 July 2004 - 07:47 AM


Did the problem just turn up in the last day or so after updating your Norton virus?

Sorry if I repeat my earlier suggestion in another thread, but you may find this suggested fix useful if you have a Norton virus alert window stuck open with a Backdoor.Trojan alert (and the Norton help page referred to was no help/did not work).

Anyway, the suggested fix is:

You'll need to go to the registry and kill the key that launches the dll that the virus alert is referring to (in my case it was called msik.dll, but yours might be called wina.dll, logojfk.dll or something completely different - oh, I see yours is wineapi.dll). Then you have to change security permissions for system32 files to uncover/control the file, rename the file and finally you will be able to delete the wineapi dll. Lastly use HijackThis to clean any random BHOs and also CWShredder and Spybot. Looks like the AppInit_DLLs registry key launches the dll. Here's how...

1. Norton or other virus software should have indicated a Backdoor.Trojan virus infection. Note the dll and path (for example c:\windows\system32\wineapi.dll in this case)

2. Run HijackThis and find/note the value for the above dll (for example: 20-HKLM\..\WindowsNT\CurrentVersion\Windows :AppInit_DLLs=C:\WINDOWS\System32\wineapi.dll). Don't bother fixing it at this point, as it will just come back again; just note it so you can rescan later and make sure it's gone.

3. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (use regedit). Find and remove the key with wineapi.dll in it by first renaming the Windows folder Windows2 and then deleting the AppInit_DLL corresponding to your target dll's name. If you don't rename the Windows folder, the value with your dll will continue to just come back - (you can delete it then press F5 to see it just reload itself).

4. After deleting the AppInit_DLL value corresponding to the wineapi.dll (right click it to get the delete function) rename the Windows2 folder back to Windows.

5. Now to delete the actual wineapi.dll; go to Start-Settings-Control Panel-Administrative Tools-Local Security Policy-Security Settings-Local Policies-Security Options and change the Recovery Console options (x2 - both of them) to enable from disable.

6. Go to the system32 folder and change the file permissions to allow Full Control for Administrators to Modify, Read & Execute, List Folder Contents, Read and Write. Remove all controls from file Creator Owner. If you don't have a security tab, go to folder options in control panel and enable it. If you have XP home edition you might not be able to do this, but don't stress about it as I think these are usually the default ones anyway.

7. Reboot in Safe Mode and the file wineapi.dll (or whatever it is called) will appear in the system32 folder.

8. Rename the file to msik.junk and then delete it.

9. Empty the Recycle Bin.

10. Use AboutBuster, CWShredder and HijackThis to clean up remaining remnants.

Let me know how you go or if you need any clarifications.
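The log in post #3 and the AppInit_DLLs entry the steps above centre on both call for the same first pass: reading the HijackThis lines and picking out the ones worth a closer look. The Python script below is an added example written for this page, not code from the thread or from HijackThis itself. It flags the three patterns the thread turns on: R0/R1 entries that point Internet Explorer's search or start pages at a local file:// URL (sp.html in the Temp folder), unnamed O2 BHOs loaded from the Windows system folder rather than Program Files (ijheh.dll), and any non-empty O20 AppInit_DLLs value. The R0/R1, O2 and O3 sample lines are copied from the posted log; the O20 line is constructed in the form later HijackThis versions use, with the wineapi.dll path from the posts. The heuristics are mine, not HijackThis's, and will catch any other lines of the same shape.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample. The R0/R1, O2 and O3 lines are copied from the log
# posted in this thread; the O20 line is constructed in the form later
# HijackThis versions use for AppInit_DLLs, with the DLL path from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundcarolina.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8488436B-5F7E-44F0-8734-E7B5267F73E3} - C:\WINNT\System32\ijheh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - AppInit_DLLs: C:\WINNT\System32\wineapi.dll
"""

R_LINE = re.compile(r"^(?P<section>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section the line came from (R1, O2, O20, ...)
    evidence: str  # the path or value that triggered the rule
    reason: str    # why a reviewer should look at it


def in_system_dir(path: str) -> bool:
    """True for paths under the Windows system folder (System32 or System)."""
    p = path.lower()
    return "\\system32\\" in p or "\\system\\" in p


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = R_LINE.match(line)
        if m:
            value = m.group("value")
            # IE start/search pages pointing at a local file instead of a web
            # URL is the about:blank / sp.html hijack pattern from the log.
            if value.lower().startswith("file://"):
                where = "in a Temp folder" if "\\temp\\" in value.lower() else "on disk"
                findings.append(Finding(m.group("section"), value,
                                        f"IE page setting points at a local file {where}"))
            continue

        m = O2_LINE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            # An unnamed BHO by itself is common (Adobe's helper has no name);
            # an unnamed BHO living in System32 rather than Program Files stands out.
            if name == "(no name)" and in_system_dir(path):
                findings.append(Finding("O2", path,
                                        "unnamed BHO loaded from the Windows system folder"))
            continue

        m = O20_LINE.match(line)
        if m and m.group("value").strip():
            # Every DLL listed in AppInit_DLLs is loaded into each process that
            # links user32.dll, so a non-empty value always merits review.
            findings.append(Finding("O20", m.group("value").strip(),
                                    "non-empty AppInit_DLLs value"))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.evidence}")
```

On the sample it reports exactly three lines: the sp.html search bar redirect, ijheh.dll, and the AppInit_DLLs entry. Adobe's unnamed BHO under Program Files is deliberately left alone, which is the point of pairing the "(no name)" check with the location check: the name alone is not a signal. These are triage prompts for a human reviewer, not verdicts, and a real pass would extend the rules (O4 Run entries, O16 downloads) in the same way.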


Member of ASAP and UNITE
Support SpywareInfo Forum - click the button