Hijack Log - I Have Alemod.g Trojan

3 replies to this topic

#1 dcboss
Posted 03 October 2006 - 10:50 AM

I was told to post this here. I am running Win98SE with PC-cillin, which is telling me that I have the Alemod.G trojan in the Wininet.dll file. It is also saying that I have trojan TIBS.mv in Windows/x19b7d5190. I can't find any file called x19.... in my windows folder. I have been reading the other posts regarding this virus and the others seem to have Wininet.dll in their system32 folder under windows - my Wininet file is in my Win/Sys folder. My symptom - when I open Outlook Express my anti-virus prog warns me that something is attempting to put a setup.exe file in my temp folder and then a file called x19b7d5190.tmp. It states that it is a virus but cannot delete it - only quarantine it. I have tried running PC-cillin in safe mode, have HijackThis, Ad-Aware, Spybot, etc.; nothing helps. As long as I don't use my email prog everything seems to be fine. I have also gone to the 2 sites recommended in the forum to get an online scan so I can get a 2nd opinion as to actually having a bad wininet file, but when I attempt to run them, my system locks up! I also ran McAfee Stinger and it didn't find anything. What to do????

Logfile of HijackThis v1.99.1
Scan saved at 11:25:11 PM, on 10/2/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUPDISABLED\TRAYDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to Traydate.exe.lnk = C:\WINDOWS\Start Menu\Programs\StartUpDisabled\TRAYDATE.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\SYSTEM\Oopiloko.dll (file missing)

Edited by dcboss, 03 October 2006 - 07:13 PM.
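A small triage helper for logs in the HijackThis format, added here as an illustration (it is not part of this thread or of HijackThis itself): it parses the section-prefixed entry lines and flags the kinds of entries a log reviewer looks at first, using a few lines from the log above as sample input. The section prefixes and the "(file missing)" marker are HijackThis conventions; the flag reasons are my own review heuristics, not verdicts.

```python
import re

# Sample input: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\SYSTEM\Oopiloko.dll (file missing)
"""

# Every HijackThis entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return [(section, reason, body)] for entries a reviewer should check.

    Heuristics (mine, not HijackThis's): hook points that reference a DLL
    which no longer exists, any ShellServiceObjectDelayLoad entry, proxy
    settings in the user hive, and downloaded ActiveX controls.
    """
    findings = []
    for sec, body in entries:
        if "(file missing)" in body and sec in ("O2", "O20", "O21", "O22"):
            findings.append((sec, "hook points at a missing DLL; typical leftover of a removed or rotating infection", body))
        elif sec == "O21":
            findings.append((sec, "SSODL entry; any non-Microsoft delay-load shell DLL deserves a look", body))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append((sec, "proxy setting in the user hive; confirm it is intended", body))
        elif sec == "O16":
            findings.append((sec, "downloaded ActiveX control; verify the publisher and URL", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}\n    {body}")
```

On the sample above the O2 and O4 lines pass through unflagged, while the R1 proxy entry, the O16 scanner control and the O21 entry pointing at the missing Oopiloko.dll are listed for review.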


#2 OldTimer

    Malware Expert
Posted 10 October 2006 - 07:20 PM

Hello dcboss and welcome to the BC HijackThis forum. Let's see what we can do.

The wininet.dll file is used for IE and internet connections. It cannot be dealt with while the operating system is running. Let's try to make a copy of it and then clean the copy.

Please print these directions so they will be available and then proceed as follows.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Next we need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Now navigate to c:\windows\system and copy the wininet.dll file to c:\.

Start PC-cillin (still in Safe Mode) and scan the c:\wininet.dll file. There should be an option to clean (or disinfect) it. Choose that to get a clean copy of the file.

Reboot the machine and post back here letting me know if everything up to this point has gone without any problems and then we will proceed to replace the infected file with the clean one.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 dcboss

Posted 15 October 2006 - 03:01 PM

Hello Oldtimer,
I followed your directions. PC-cillin says that the file is not cleanable, so it quarantined it.
What's next? Thanks,
Doug

#4 OldTimer

Posted 16 October 2006 - 06:47 PM

Hi dcboss. Wininet versions are updated frequently with various MS updates. We need to use the particular version that you currently have or there could be compatibility issues.

Let's try this. Zip a copy of your current wininet.dll file and email it to me at the email address below. Replace the AT with the @ symbol:

OldTimerATmail2technician.com

I will attempt to clean it and return it to you.

Cheers.

OT