Need New Intell32 & PSGuard Help... [RESOLVED]


  • This topic is locked

#136 totenkopff (Member, Topic Starter, 95 posts)
You got it...going to the site right now...and begin:)
  • 0


#137 loophole (Malware Expert, Retired Staff, 9,798 posts)
Great :tazz: I gotta go to bed, I hate work :)

I'll post back as soon as I can after I see the results, and maybe we can get your computer back tomorrow :)
  • 0

#138 totenkopff (Member, Topic Starter, 95 posts)
Cool...here's the scan. Pretty much all the stuff I found before. But a complete and total scan was a good idea. Here's the list:

FILE                 INFECTION             STATUS    PATH
-----                ------------          --------  ------
kbrfp9cf2yyi5c.dll   Win32.Startpage.IK    infected  C:\WINDOWS\SYSTEM\
00wwt1lw4h09.bak     Win32.Startpage.IK    infected  C:\WINDOWS\SYSTEM\
do93br5hnilz89.dll   Win32.Startpage.IK    infected  C:\WINDOWS\SYSTEM\
lnxude75hdobz8w.bak  Win32.Startpage.IK    infected  C:\WINDOWS\SYSTEM\
MTC.dll              Win32.Startpage.JS    infected  C:\WINDOWS\SYSTEM\
oleext.dll           Win32.Alemod.I        infected  C:\WINDOWS\SYSTEM\
WININET.DLL          Win32.Alemod.H        infected  C:\WINDOWS\SYSTEM\
intell32.exe         Win32.Spudrag.C       infected  C:\WINDOWS\SYSTEM\
update.exe           Win32.Mitglieder.BA   infected  C:\ProgramFiles\Internet Explorer\
html.vbs             VBS.Petch             infected  C:\Program Files\America Online 7.0\download\
D263.TMP             JS.Seeker.Generic     infected  C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\
80B4.TMP             REG.Seeker            infected  C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\
intell32.exe         Win32.Spudrag.C       infected  C:\!Submit\
birdihuy32.dll       Win32.Fisec.H         infected  C:\!Submit\
------------------------------------------------------------------
  • 0

#139 loophole (Malware Expert, Retired Staff, 9,798 posts)
Yea I'm still not in bed.....lol busy night

Can't remember if you have Pocket Killbox :), if you do don't download it

Click here to download Pocket Killbox by Option^Explicit

Now open Pocket Killbox. Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field. To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there

C:\WINDOWS\SYSTEM\kbrfp9cf2yyi5c.dll
C:\WINDOWS\SYSTEM\00wwt1lw4h09.bak
C:\WINDOWS\SYSTEM\do93br5hnilz89.dll
C:\WINDOWS\SYSTEM\lnxude75hdobz8w.bak
C:\WINDOWS\SYSTEM\MTC.dll
C:\WINDOWS\SYSTEM\intell32.exe
C:\ProgramFiles\Internet Explorer\update.exe
C:\Program Files\America Online 7.0\download\html.vbs

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES.

Reboot and we will try to replace that file tomorrow :tazz:

I'm waiting to see if another method works that's being tried....should know by tomorrow
  • 0

#140 totenkopff (Member, Topic Starter, 95 posts)
Coolness...I completed the above tasks and used the KillBox to remove the listed items. I'll do another E-Trust scan when I get a chance here real soon. Then I'll post it...thanks again for all the big time help!

Hope you finally got to sleep...I'm still awake...but I'm having a frozen pizza in hopes it will make me tired:)
  • 0

#141 totenkopff (Member, Topic Starter, 95 posts)
Hi...ok...did another online scan via "E-Trust"...looks like the last fix got rid of that old crap on my computer. Not too much left now...here's the scan results:
--------------------------------------------------------------------------
intell32.exe     Win32.Spudrag.C       infected  C:\!Submit\
birdihuy32.dll   Win32.Fisec.H         infected  C:\!Submit\
update.exe       Win32.Mitglieder.BA   infected  C:\Program Files\Internet Explorer\
D263.TMP         JS.Seeker.Generic     infected  C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\
80B4.TMP         REG.Seeker            infected  C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\
oleext.dll       Win32.Alemod.I        infected  C:\WINDOWS\SYSTEM\
WININET.DLL      Win32.Alemod.H        infected  C:\WINDOWS\SYSTEM\
---------------------------------------------------------------------------

It appears that the "oleext.dll" is either what's wrong or is at least related to what's wrong with my stinkin' Wininet.dll. Here's a little bit more info I found concerning its properties and its correlation to what it's doing in my system:

(Info obtained by right-clicking and viewing properties of "oleext.dll")

oleext.dll
----------

File Uses:
----------
Name:          Path:
-----          -----
OLE32.DLL      C:\WINDOWS\SYSTEM
SHELL32.DLL    C:\WINDOWS\SYSTEM
MSVCRT.DLL     C:\WINDOWS\SYSTEM
ADVAPI32.DLL   C:\WINDOWS\SYSTEM
USER32.DLL     C:\WINDOWS\SYSTEM
SHLWAPI.DLL    C:\WINDOWS\SYSTEM
KERNEL32.DLL   C:\WINDOWS\SYSTEM

File Is Used By:
----------------
Name:          Path:
-----          -----
ADAWAY.DLL     C:\PROGRAM FILES\ADWARE AWAY
(Though this file could not be found anywhere and supposedly doesn't exist!)
________________________________________________________________

Don't know if the above info is helpful or not. Just figure I'd list it for future reference in case it becomes relevant.

Thanks again...:tazz:
  • 0
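As an added example (not from the thread or from E-Trust), the following Python script parses listings in the "FILE INFECTION STATUS PATH" format pasted above, diffs two scans, and separates hits that sit in a quarantine or submission folder (already contained) from those still in live system locations. The sample listings are constructed from entries in this thread, and the folder hints used for "contained" are an assumption.

```python
# Folders that hold already-contained samples rather than live infections
# (assumption: Trend Micro's QUARANTINE folder and the C:\!Submit upload folder).
CONTAINED_HINTS = ("\\QUARANTINE\\", "\\!SUBMIT\\")

# Constructed input, modelled on the E-Trust listings pasted in this thread.
SCAN_BEFORE = """\
FILE INFECTION STATUS PATH
----- ------------ --------- ------
kbrfp9cf2yyi5c.dll Win32.Startpage.IK infected C:\\WINDOWS\\SYSTEM\\
oleext.dll Win32.Alemod.I infected C:\\WINDOWS\\SYSTEM\\
WININET.DLL Win32.Alemod.H infected C:\\WINDOWS\\SYSTEM\\
html.vbs VBS.Petch infected C:\\Program Files\\America Online 7.0\\download\\
80B4.TMP REG.Seeker infected C:\\Program Files\\Trend Micro\\PC-cillin 2002\\QUARANTINE\\
intell32.exe Win32.Spudrag.C infected C:\\!Submit\\
"""
SCAN_AFTER = """\
intell32.exe Win32.Spudrag.C infected C:\\!Submit\\
80B4.TMP REG.Seeker infected C:\\Program Files\\Trend Micro\\PC-cillin 2002\\QUARANTINE\\
oleext.dll Win32.Alemod.I infected C:\\WINDOWS\\SYSTEM\\
WININET.DLL Win32.Alemod.H infected C:\\WINDOWS\\SYSTEM\\
"""

def parse_scan(text):
    """Return {full_path: detection} from 'FILE INFECTION STATUS PATH' rows.
    The path is the 4th field and may contain spaces, so only the first three
    tokens are split off; the header row and dashed rules are skipped."""
    hits = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("FILE ") or line.startswith("-"):
            continue
        parts = line.split(None, 3)
        if len(parts) == 4:
            name, detection, _status, folder = parts
            hits[folder + name] = detection
    return hits

def is_contained(path):
    """True when the hit is a quarantined or submitted copy, not a live file."""
    return any(hint in path.upper() for hint in CONTAINED_HINTS)

def triage(before, after):
    """Diff two scans: paths no longer reported, and of those still reported,
    which sit in a live location versus an already-contained one."""
    old, new = parse_scan(before), parse_scan(after)
    return {
        "removed": sorted(p for p in old if p not in new),
        "live": sorted(p for p in new if not is_contained(p)),
        "contained": sorted(p for p in new if is_contained(p)),
    }
```

Run `triage(SCAN_BEFORE, SCAN_AFTER)` to see that only the two Alemod hits in C:\WINDOWS\SYSTEM\ remain as live files, which matches what the poster concluded by eye.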

#142 totenkopff (Member, Topic Starter, 95 posts)
Ok...me again. I was just trying to do more research concerning the "infections" found via "E-Trust". Namely the (2) that have the most in common:

oleext.dll Win32.Alemod.I infected C:\WINDOWS\SYSTEM\

WININET.DLL Win32.Alemod.H infected C:\WINDOWS\SYSTEM\

Even after ALL that my Wininet.dll uses on my system (bad or not), the above "Alemod" seems to be the ONLY thing labelled as "infection". (via E-Trust)

In this case..."Alemod.H". Which, surprisingly there is little info via Google on this particular infection. Apparently, if I had WinXP, Ewido would have "fixed" it a long time ago. So I know it IS fixable at least.

What about simply trying to destroy the "path" via KillBox? I don't know if we've tried that yet. Also...

What about the "Alemod" associated with the "oleext.dll"? I don't remember if we've tried to destroy that via KillBox either? In that case, couldn't we try to simply destroy the whole thing? Since it's separate from Wininet.dll...?

I know you're already familiar with the (2) above infections. I also saw them awhile ago. It's just that it's bugging me to no end! So I feel I have to make notes and post them. If anything...for my own peace of mind!

Anyways, just thought I'd bring this up for future reference...ok...I'm done:)

Thanks again...!
  • 0

#143 totenkopff (Member, Topic Starter, 95 posts)
Ok...back again. One more time. I went back to the "E-Trust" site to do more research. I found a recently updated page about info concerning the "Intell32/Win32.Alemod.H". This page has ALL the info about this particular infection and lists every property about it. Everything I've found on my computer and what I've seen is explained in detail. Here's the link:

http://www3.ca.com/s...s.aspx?id=43729

At the top of the page there appears to be a series of "downloads" that claim to fix the various problems/infections. I suppose (guessing really) separate from the regular scan page I normally visit. They appear to be "free" though there are many to choose from.

I almost downloaded the top one but figured I'd let you take a look at it first. Just something I thought I'd bring to your attention. Just in case it potentially ends up being somewhat of a solution.

Thanks again...:tazz:
  • 0

#144 loophole (Malware Expert, Retired Staff, 9,798 posts)
Can you try this. Seems too easy but let's try it before we go to more drastic measures

Please go to start>my computer then navigate to this file:

C:\Windows\System\wininet.dll

right click on it and rename it to wininet.old

go to your desktop (the clean wininet), right click on the wininet.dll present there, choose copy and then paste it in your system folder (the same folder as the bad wininet).

Reboot

Please remove just the files from the following paths using Windows Explorer (if present):

C:\Windows\System\wininet.old

please post and let me know the results.


Thanks,

Edited by loophole, 09 September 2005 - 04:01 PM.

  • 0

#145 totenkopff (Member, Topic Starter, 95 posts)
Ok..tried it. Same thing as before, unfortunately...:
--------------------------------------------------
"Cannot rename Wininet-
The specified file is being used by Windows"
--------------------------------------------------
Thanks again:)

PS- I'm going to attempt to do more research concerning all the processes that my Wininet.dll is being used by. The E-Scan tells me the infection is the "Alemod.H" thing. But when I view the Wininet.dll, THIS particular "process" doesn't show up in that vast list I posted earlier. But it obviously is...somewhere.

Like the E-Trust site says, the Alemod hides quite effectively. The E-Trust site clearly states that it IS in the Wininet.dll file...somewhere. Or at least connected to it somehow. Of ALL the stuff listed as dependencies, it could be there...just renamed. I know that a good portion of the listed dependencies are bogus. I guess I should just try and research a little more as to what needs to go and what is vital to my system.

It's crazy...the path is clearly listed...:

WININET.DLL Win32.Alemod.H infected C:\WINDOWS\SYSTEM\

But I sure can't find it. The only other thing with "Alemod" attached to it is the "oleext.dll". THIS...I can find. It's just sitting there in the System folder plain as day. I think we got rid of it before but it just came back because the "other" still existed.

Anyways, I'll just wait for your next request...thanks a bunch!!!
  • 0


#146 totenkopff (Member, Topic Starter, 95 posts)
***Update***
------------------
Concerning "Replacement" of my Wininet.dll
----------------------------------------------------

Hi again...I decided to try something obvious. I opened, on my desktop, the file that contains the icon for the "new & clean" Wininet.dll I downloaded and My Computer/Windows/System folder.

I then dragged the NEW dll over to the System folder. Of course, an ERROR message pops up claiming "being used by windows". Like it won't let me do it.

Then, immediately afterwards, the window that asks if you wish to replace the new file with the old pops up. AS IF...it's now willing to let me do it...? And that it's possible!

Naturally, I cancelled at the last second as I was too surprised that THAT...might actually work?! Maybe it was just messing with me and would've STILL denied me at the last second.

But it SURE looked as if it was going to work and actually replace the old file with the new dll. If it had...let's just say...what would have been my next IMMEDIATE course of action BEFORE returning online? Simply because I know a good portion of my pet malware is still lurking on my system...run some of the various tools I have?

Anyways, just thought I'd bring this to your attention. I've had stranger things happen in this same vein...so I wouldn't put it past my system to let it be replaced in such a manner... :tazz:

Thanks again...!

Edited by totenkopff, 10 September 2005 - 03:01 PM.

  • 0

#147 loophole (Malware Expert, Retired Staff, 9,798 posts)
Go for it :tazz: haven't we tried this? I would disconnect from the internet

If you lose internet connection just replace it back with the bad one and if you have internet connection delete the bad one

Worth a shot
  • 0

#148 totenkopff (Member, Topic Starter, 95 posts)
Darn...no dice. It must have just been my pet malware forcing my computer to play a game of psychological warfare. It's like that movie "War Games"...from way back...but in reverse.

And instead of being a computer wiz...I'm an idiot. And you're the Pentagon...telling me I'm making things worse by trying to fix stuff on my own. LOL!!!!!!!!

Anyways...I guess I'll just wait for your next request....:tazz:

Thanks again...
  • 0

#149 loophole (Malware Expert, Retired Staff, 9,798 posts)
I've got another suggestion, I'll be back in a little bit
  • 0

#150 loophole (Malware Expert, Retired Staff, 9,798 posts)
[edit]
If you saw my previous post I told you to rename the clean wininet
Rename the clean wininet back to wininet.dll

Open Pocket Killbox

*Tick the replace on reboot
*Two boxes will appear at the top
*in the top box copy and paste this C:\Windows\System\wininet.dll
*in the next box copy and paste this C:\windows\desktop\wininet.dll
*now click the red x
*if it asks to reboot click yes, or reboot manually if it doesn't

Let me know

Edited by loophole, 10 September 2005 - 04:24 PM.

  • 0
