Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Viruses Detected, Check Log Please! [CLOSED]


  • This topic is locked This topic is locked

#1
trogita

trogita

    New Member

  • Member
  • Pip
  • 1 posts
Hi, my anti-virus program has given me these two messages lately.

1.The file C:\\WINDOWS\System32\wininet.dll is infected by the W32/Alemod.b.dll virus and cannot be cleaned.

2.C:\\WINDOWS\System32\OLDEAM.dll is infected by the Spy-Agent.h trojan and cannot be cleaned.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:32 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\LiteStep\litestep.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\CursorXP\CursorXP.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://websearchnetwork.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://websearch.drs...=132345732&id=5

.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(

Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page_bak = http://gamefaqs.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04

FD64497} - (no file)
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} -

(no file)
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} -

C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695

ECA05670} - C:\Program Files\Yahoo!

\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D

6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0

\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} -

(no file)
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A

96CC0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF

10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} -

C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-

94d91c6ae7f4} - C:\WINDOWS\pumba3.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-

0090271D4F88} - C:\Program Files\Yahoo!

\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c

747aed} - C:\WINDOWS\pumba3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-

905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [LogonStudio] "C:\Program

Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1

\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.

com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.

com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.

com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.

com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [CursorXP] "C:\Program

Files\CursorXP\CursorXP.exe" -s
O8 - Extra context menu item: &AOL Toolbar search - res://C:

\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C

:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Get Flash by &Arty Flash Ripper -

C:\Program Files\Softdigger\FlashRipper\IEMenu.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:

\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-

000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5

-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B

41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-

00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-

11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!

\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

- C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F

795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110

-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F

683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350

\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i

/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/

games/clients/y/pote_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:

mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.

exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) - http://go.microsoft.com/

fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://

download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.

56.176.78/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) - http://www.pandasoft...activescan/as5/

asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.

dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1

\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America

Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) -

America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International,

Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C

:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.

exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee

.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (

MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1

\mcafee.com\vso\mcvsrte.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown

owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (

TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program

Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -

America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I see you are running Hijackthis from your desktop. Please create a directory on your c: drive called c:\hijackthis and move hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Edited by Buckeye_Sam, 17 July 2005 - 08:54 AM.

  • 0

#3
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP