W32/Alemod.f.dll

Unknown

Dear ShortMedia,

We managed to get a slew of investations, Smitfraud included. I've run AdAware and Spybot. These plus McAfee seem to have gotten rid of everything except W32/Alemod.f.dll virus in winnet.dll. McAfee detects it but can't clean it out. Ad-Aware finds Psguard and MRU list and deletes them, but they're there again the next time I run Ad-aware.

I hope you can help!

Thanks,

Bonnie
HJT log is:
Logfile of HijackThis v1.99.1
Scan saved at 21:49:36, on 02-12-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMER\FæLLES FILER\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAMMER\FæLLES FILER\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAMMER\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMMER\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMER\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\TOOLBOX\JRE\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMMER\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\KBDTRAY\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Skan registreringsdatabase] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Job-oversigt] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinFast_Gamma] rundll32.exe wfcpl.dll,DllLoadGammaRampSettings
O4 - HKLM\..\Run: [WinFast_Taskbar] rundll32.exe wftask.dll,WFDllLoadDefaultSettings
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Crunchie

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download smitRem.zip and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:

===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Website -> Uncheck "Security Info" if present.

Also uncheck "View my Active desktop as a web page".
Click OK then Apply and OK.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new, complete HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.

BonnueVuf

Thanks for the quick answer! I'll try it out and get back if I can't get it to work.

Bonnie

BonnueVuf

Hi again,

I've run through the whole process but still get the Wininet.dll infected with W32/Alemod.f.dll message from McAfee.

The smitRem tool also flagged wininet.dll as being infected.

Maybe it was the Panda scan that didn't work right. It didn't follow the description in your write up. The link goes to Panda Activescan 5.51.01 which doesn't have a "full system scan" nor an "autoclean" box - at least that I can find.

The logs you asked for are below.

What to do now?

Thanks,

Bonnie




smitRem © log file
version 2.8

by noahdfear


Windows 98 [Version 4.10.2222]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

spyaxe uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs

Deleting files

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~





~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!



Logfile of HijackThis v1.99.1
Scan saved at 20:05:11, on 06-12-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAMMER\FæLLES FILER\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAMMER\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAMMER\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMMER\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMER\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMER\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\KBDTRAY\KBDTRAY.EXE
C:\PROGRAMMER\HEWLETT-PACKARD\TOOLBOX\JRE\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Skan registreringsdatabase] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Job-oversigt] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinFast_Gamma] rundll32.exe wfcpl.dll,DllLoadGammaRampSettings
O4 - HKLM\..\Run: [WinFast_Taskbar] rundll32.exe wftask.dll,WFDllLoadDefaultSettings
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Programmer\Hewlett-Packard\hp color LaserJet 2550 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp color LaserJet 2550 PCL6" -n 1 -l 1030 -sl 120000
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [Planlægningsagent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\FÆLLES~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Programmer\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Programmer\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google-søgning - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Lignende sider - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: YNBtTczjenyLs - {316D1CDA-9BC7-B670-7777-5ED4624C913F} - C:\WINDOWS\SYSTEM\NVEL.DLL

Crunchie

Run the smitrem fix again and see if the wininit file comes back infected again. If it does, do the following;

Open Notepad, and copy/paste the following into a new file:

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Save this as FindFiles.bat, choose to save it as *all files and place it on your desktop.

Double click on FindFiles.bat and post the content of the text file you get in your next reply

BonnueVuf

Hi Crunchie,

Thanks for the reply!

I ran smitrem and the wininet.dll file still comes back infected:

~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!


McAfee still gives the same alert too.

findfiles.bat didn't work like I copied it out of your reply. I got an error: too many parameters - h

I deleted the h in "/a h" (hope that's right. . . ) and got the following files.txt:

Enheden i drev C er MAIN DRIVE
Enhedens serienummer er 316D-1CD9

Indhold af C:\WINDOWS\SYSTEM

WININET DLL 585.728 18-11-05 15.01 WININET.DLL
1 fil(er) 585.728 byte

Viste filer i alt:
1 fil(er) 585.728 byte
0 mappe(r) 9.919,23 MB ledig


Thanks again for the help.

Bonnie

Crunchie

I need you to do this instead;

Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

* Click on FileFind.exe
* In the box labeled "Enter the directory to search"
o Enter Drive eg.. C:\
* In the box labeled "Enter the file to search"
o Enter the file or use *.(file extention) to search for the file(s)
* Now click on the "Find" button
* Once the utility has found the files click on "Export"
* This will save a text file to your C:\ drive as "Export.txt"
* Double click on Export.txt, copy and paste this information in your next post

So in your case, WININET.DLL is what to search for. What I am doing is trying to find a clean copy of WININET.DLL on your PC.

BonnueVuf

OK it only comes back with the following'.

C:\WINDOWS\SYSTEM\WININET.DLL - 585728 Bytes

BonnueVuf

I've checked my W98v2 CD (yes, I have XP but this machine is still running 98 - don't laugh, it runs!) and there's no wininet.dll on it.

Whats next?

Thanks,

Bonnie

BonnueVuf

Hi again,

Can I just use a downloaded wininet.dll like the one I just found on http://www.dll-files.com/dllindex/dll-files.shtml?wininet

If so I have it.

Bonnie

Crunchie

Yep. Copy the file to C:\WINDOWS\SYSTEM\wininet.dll

BonnueVuf

Copied the file - you have to boot to a DOS prompt to do it since
Windows won't let the file be overwritten while its in use - maybe a good thing to mention in the future for other computer challenged folk like me.

No matter - it WORKED!

Thanks a million. You guys are just great and I plug you whereever I go!

Bonnie

Crunchie

Cool. Thanks for letting me know. DOS is something whose use I am not familiar with .

Hurley6x

Ran the tool instructed above (smitrem.zip) and said i have infected file,

"wininet.dll"

when it tries to find a copy it is unsucessful.

Then ran adaware scan and restarted, ran Mcaffee 8.0 Enterprise and got the virus again still unable to delete. Please help

Hurley6x

sorry will start my own thread!

NY35

Short-Media

I am experiencing the same problem as Hurley6x with W32/alemod.f.dll on c:/windowssytem32/wininet.dll. Although I am pretty good on the computer I am not a technician by any means. Can you walk me through how I could clean this virus from by computer?

Sincerely,

JI35

profdlp

NY35 wrote:

Short-Media

I am experiencing the same problem as Hurley6x with W32/alemod.f.dll on c:/windowssytem32/wininet.dll. Although I am pretty good on the computer I am not a technician by any means. Can you walk me through how I could clean this virus from by computer?

Sincerely,

JI35

Start your own thread in this forum and someone will be along to help you. Make sure you read the instructions carefully.

Welcome to Short-Media.