cycovision - pc help thread
dude_se Joined: Dec 16, 2004 Posts: > 500 From: Evesham, UK
For any HijackThis logs you want help with... just go to hijackthis.de and paste in your log and it will tell you what to do.
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
Hey Cyco... this thread was in the pits.
Anyway, I have a spyware infection at work, mate, and we have done our best to solve it alone, but I need your help. The spyware infection is called 'Alemod.E'; after looking on the net we followed these instructions:
http://forums.spywareinfo.com/lofiversion/index.php/t58305.html
I have my new HijackThis report (after following these steps) and it is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 10:23:26, on 05/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\antispyware\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meshcomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [\\Ept-je\EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P32 "\\Ept-je\EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R800 on Ept-je] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P38 "Auto EPSON Stylus Photo R800 on Ept-je" /O32 "\\EPT-JE\EPSON Stylus Photo R800" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1[....]a06595a815/netzip/RdxIE601.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/53[....]layer/Install3.0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://utu.popcap.com/games/popcaploader_v5.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\antispyware\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\antispyware\ewido anti-malware\ewidoguard.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Basically, is there anything still in there that's dodgy, mate? Also the computer still says a spyware infection has been found... the desktop is still blue.
Any ideas, matey?
Thanks for all your help over the past, mate, I hope I ain't getting cheeky with my requests.
Lee
[ This Message was edited by: leeboy13 on 2006-05-05 12:12 ]
[ This Message was edited by: leeboy13 on 2006-05-05 12:27 ]
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
Also, mate, I saw this but wasn't convinced that it would work, ain't tried it yet - what do you think?
http://forums.mcafeehelp.com/[....]077fdbd580f50fa41694eef1bb1fe2
Basically you're renaming the file, yeh?
Cheers again, mate
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
Yeah, you've got a worm:
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
What antivirus are you running?
Also, what's this Windows Defender thing? Is it an antispyware app? Sorry, I'm a bit busy right now so I can't go looking things up! I'll be back in about an hour or so.
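Added example (my own code, not from the thread, from HijackThis or from any poster): a Python triage script that parses O4 Run lines like the two Cycovision picks out above and shortlists the entries that deserve a manual look, using two heuristics of my own: a program named with no directory at all, so Windows locates it by PATH search rather than at a fixed place, and a value name that is nothing but the filename of the program it launches. The sample lines are the log's own O4 entries with the path separators restored; the one-entry allow-list for ctfmon.exe is an assumption.

```python
import re

# Constructed sample: O4 entries from the HijackThis log posted above, path separators restored.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: LG SyncManager.lnk = ?
""".strip().splitlines()

# Assumption: tiny allow-list of Windows components that legitimately register under their own name.
KNOWN_WINDOWS = {"ctfmon.exe"}
O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def parse_o4(line: str):
    """Hive, value name and the module carrying the startup code; None for non-Run O4 lines."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"].strip()
    if cmd.startswith('"'):                       # quoted executable path
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].split()
    else:
        exe, _, rest = cmd.partition(" ")
        args = rest.split()
    # For rundll32 the module that matters is the DLL named in its first argument.
    if basename(exe).lower() == "rundll32.exe" and args:
        exe = args[0].split(",", 1)[0]
    return {"hive": m["hive"], "name": m["name"], "target": exe}

def triage(lines) -> dict:
    """Map value name -> reasons for Run entries that deserve a manual look."""
    flagged = {}
    for entry in filter(None, map(parse_o4, lines)):
        name, target = entry["name"], basename(entry["target"])
        reasons = []
        if "\\" not in entry["target"] and "/" not in entry["target"]:
            reasons.append("bare-name")   # located by PATH search, not at a fixed path
        if name.lower() == target.lower() and target.lower() not in KNOWN_WINDOWS:
            reasons.append("self-named")  # value name is just the file it launches
        if reasons:
            flagged[name] = reasons
    return flagged
```

Both entries Cycovision identified land on the shortlist, but so would legitimate bare-name entries such as nwiz.exe from the full log, which is why this produces a review list rather than verdicts.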
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
Quote:
On 2006-05-05 13:37:59, Cycovision wrote:
Yeah, you've got a worm:
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
What antivirus are you running?
Also, what's this Windows Defender thing? Is it an antispyware app? Sorry, I'm a bit busy right now so I can't go looking things up! I'll be back in about an hour or so.

Windows Defender is an antivirus/spyware tool (which we installed today).
We are running McAfee full version (version 4) but McAfee only recognises the spyware problem and doesn't remove it...
No worries about being busy, matey, I can wait; I know how important it is to work on your snake and his flamethrower lol, only playing, but whenever you get a chance, pal. I really appreciate this.
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
Right, well, McAfee is, shall we say, not my favourite AV app....
I'll find the manual removal instructions for you and post 'em here. Have you tried the other spyware removal apps such as Ad-Aware and Spybot S+D?
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
Cool, yeh, I agree about McAfee... but it's work and they get it through the office...
We have tried everything like Spybot and Ad-Aware SE etc..... still no luck.
Did you see that forum? It had this in it:
'I have figured out how to fix this one. McAfee will find it but NOT fix it.
1. boot-up in Safe Mode w/ Command Prompt
2. rename the wininet.dll to wininet.old
3. reboot to normal windows
4. when logged in, select the homedrive:/windows/system32/wininet.old and run Virus Scan on it. McAfee WILL then CLEAN it.
5. rename wininet.old to wininet.dll and reboot.
all's well now with no McAfee errors found and no annoying messages.
best of luck'
Link to source:
http://forums.mcafeehelp.com/[....]077fdbd580f50fa41694eef1bb1fe2
Hope this helps? What you reckon about that? But surely, as I see it, the problem remains; you've only 'tricked' the PC into thinking it's not there... am I right?
Anyhoots, thanks so far, and I hold my breath with regard to your squirrel.
Cheers
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
Yeah, it's kind of a trick. The idea is that by renaming the file and rebooting, the registry will try to load up the original file (.dll) and not be able to find it.
McAfee can then deal with it because the program is not running. This is why it's always a good idea to do virus scans in safe mode, since many viruses cannot be healed or deleted if they are actually loaded into memory.
That suggestion is well worth a try; in fact it might be the manual removal instructions that I still haven't got round to digging out yet.
_________________
'He who laughs last, laughs longest. Or didn't get the joke...'
[ This Message was edited by: Cycovision on 2006-05-05 13:50 ]
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
OK mate, I will prob give that a try soon; if you do manage to dig anything out and you think it's a bad idea to proceed, let me know and I won't do it (if it's not too late). Fingers crossed.
Lee
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
@Cyco or anyone, I quickly need to know the DOS command prompt command for changing the name of these files.....
wininet.dll to wininet.old
I can't seem to remember as I haven't used DOS for years.....
As you can see I'm following the instructions from that forum..
Cheers
Lee
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
You can use either 'ren' or 'rename':
ren wininet.dll wininet.old
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
K mate.. tried that..... couldn't change the name, so I went and loaded wininet.dll and it said to choose a program to run it... I used this menu to change the name from wininet.dll to wininet.old. Sadly this didn't work though, coz when I started up the PC it said Explorer could not load due to missing file wininet.dll.
So I went back to the beginning and renamed it back... still a problem.
Any suggestions, mate?
When I'm in command prompt and I enter:
ren wininet.dll wininet.old it simply says no file etc..... but the line reads:
c:/documents and settings/cath/ ................. <- this is where I type 'ren wininet.dll wininet.old'
Any ideas?
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
Ahhhh, yeh! You need to specify the path to where the file is located, or change to that directory first.
e.g. if the file is in c:\windows\system32, you need to type:
cd c:\windows\system32
before you type
ren wininet.dll wininet.old
I forgot to tell you that.
leeboy13 Joined: Sep 28, 2005 Posts: > 500 From: Brissle - dodgy accients
Woohoo... changed fine this time...
Although when Windows reboots, after login I get the following message:
'This application failed to start because of the missing file wininet.dll, please reinstall the application......'
and it gets stuck on a blue screen.... (Explorer ain't loaded)......
I can go back and rename the file back to wininet.dll and it will load up but have a virus... any ideas?
Lee
Cycovision Joined: Nov 30, 2003 Posts: > 500 From: England
See if it'll reboot in safe mode and then use HijackThis to take out the r4 - HKLM/run........ line for wininet.dll. This should (hopefully) stop Windows trying to load the file at startup.