Alemod.f.dll and StartPage-DU.dll [RESOLVED]


  • This topic is locked

#1
LosingMyMind

LosingMyMind

    Member

  • Member
  • PipPip
  • 13 posts
:tazz:

Hi. I'd like to start by thanking you for any help you can provide.

I have followed all the instructions on your "Start Here" page regarding Viruses/Trojans. I have installed and run: CleanUp, *Ad-Aware SE (although it did not prompt me to save the log file), CWShredder, *TrendHousecall (page would not load/did not install or run), Spy Bot S&D, DSO Exploit Fix, *Rogue/Suspect Anti Spyware Products page would not load and 'froze'.... upon doing a "Ctl, Alt, Del", it said the page was "not responding". The 2 free online scans didn't work for me either. The first link didn't work and Panda wouldn't load. Then I did a Windows update, restarted the computer, installed and ran HijackThis (log included).
I have McAfee Virus Scan on my computer and it tells me I have:
1. Trojan C:\Windows\SEHEL.dll infected by StartPage-DU.dll
2. Trojan C:\Windows\System\Wininet.dll infected by W32/Alemod.f.dll

Thank you so much,
Kris
  • 0

#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Kris and welcome to GTG.

Where is the HijackThis log?
  • 0

#3
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Hi Kris and welcome to GTG.

Where is the HijackThis log?


Thanks for the welcome. I THOUGHT I attached my HijackThis log, but apparently I didn't. Let me try again.

Logfile of HijackThis v1.99.1
Scan saved at 5:24:00 AM, on 10/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\JAVABC32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SYSKX32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\PROGRAM FILES\E-COLOR\COLORIFIC\HGCCTL95.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\SHELLMON.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehel.dll/sp.html#22048
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {2DE519B4-B1BB-A18D-2628-F00E71456676} - C:\WINDOWS\SYSTEM\ADDYK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SYSKX32.EXE] C:\WINDOWS\SYSTEM\SYSKX32.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [JAVABC32.EXE] C:\WINDOWS\SYSTEM\JAVABC32.EXE /s
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...587/mcfscan.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, before you jump into the fix, I want to indicate one very important step here. You see the below in RED? Make SURE that you can CURE that wininet.dll file before you proceed any further. If you have problems curing it (which you shouldn't), make sure you STOP right there and ask me for help if needed.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehel.dll/sp.html#22048
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2DE519B4-B1BB-A18D-2628-F00E71456676} - C:\WINDOWS\SYSTEM\ADDYK.DLL
O4 - HKLM\..\Run: [SYSKX32.EXE] C:\WINDOWS\SYSTEM\SYSKX32.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [JAVABC32.EXE] C:\WINDOWS\SYSTEM\JAVABC32.EXE /s


Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete these if found:

C:\WINDOWS\sehel.dll
C:\WINDOWS\SYSTEM\ADDYK.DLL
C:\WINDOWS\SYSTEM\SYSKX32.EXE
C:\WINDOWS\SYSTEM\JAVABC32.EXE


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

If you are using Windows 95/98 or Windows ME, you MUST do the following steps that are enclosed in the starting and ending double lines before proceeding any further (if you have problems STOP right now and tell us what the problem is):
========================================================================
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/s...sinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
========================================================================


Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft.../activescan.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis and smitfiles.txt. Also give me the AboutBuster log.
  • 0

#5
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Problem already :tazz:
When I downloaded Ewido Security Suite and tried to install, it said it is only for Windows 2000 and up. I am using Win98.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I always forget to take that part out :tazz: I edited my post so Ewido is not mentioned there :) Continue on...
  • 0

#7
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

I always forget to take that part out :tazz: I edited my post so Ewido is not mentioned there :woot: Continue on...



Thanks :woot: I will continue on with the "fix". *salute* :)
  • 0

#8
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok.... another problem. (I really AM losing my mind, lol)
Everything was fine until I downloaded and tried to run AboutBuster. When I did, I got a message that says: "The database is either corrupted or missing. Please download a new one." So, I downloaded it again, but the same thing happened. So, um... help :tazz:

Thanks for everything,
Kris :)
  • 0

#11
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok.... another problem. (I really AM losing my mind, lol)
Everything was fine until I downloaded and tried to run AboutBuster. When I tried to run it (to see if there are any updates), I got a message that says: "The database is either corrupted or missing. Please download a new one." So, I downloaded it again, but the same thing happened. So, um... help please. :tazz:

Thanks for everything, I really appreciate your help. :)
Kris
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Run the CleanUp program (again). Download AboutBuster here and try it again. Don't click on Update button (even though it should be working now). Just go straight to the scan (Begin Removal)...
  • 0

#14
LosingMyMind

LosingMyMind

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
*sigh* Hi again. First a couple things: 1. I really appreciate your help more than you'll ever know. I don't know how you do this, I would lose my mind for sure.
2. Sorry about the multiple posts up there. I kept getting an error when I tried to post my reply and I didn't know the posts were going through.
3. I downloaded AboutBuster again - using your link - and it seemed fine. (keyword here is "seemed" lol)
So, I went into Safe Mode, ran CleanUp!, ran HiJackThis. (The only thing that stood out here is that I checked and hit "Fix Checked" for each of the things on the list EXCEPT for "O2 - BHO: Class - {2DE519B4-B1BB-A18D-2628-F00E71456676} - C:\Windows\System\ADDYK.DLL" because it didn't exist on my list.)

Anyway, the problem came when I ran AboutBuster and clicked "Begin Removal". It did its thing and then I clicked "OK" when it was done. It was then that I received an error message that stated "Run-time error '339': Component 'comctl32.ocx' or one of its dependencies not correctly registered. a file is missing or invalid." Therefore, I do not have a "Ab LogFile.txt" file.

So, what do I do now?? :) *looks for the smiley that indicates a pounding headache* This should do :tazz:

Thanks so much,
Kris
  • 0
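
As an added example (not part of the original thread, and not code from HijackThis or any tool named in it), this Python block does the cross-check from posts #4 and #14 mechanically: it parses HijackThis entry lines, reports which fix-list entries are still present in a rescan, and lists the files those entries point at. The function names and the RESCAN sample are constructed for illustration; the rescan leaves out the ADDYK.DLL BHO line, as post #14 describes.

```python
import re

# HijackThis entries have the form "<code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Drive-letter path ending in a loadable file type, as found in R0/O2/O4 bodies.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"/:*?<>|]+?\.(?:dll|exe|ocx)', re.IGNORECASE)

# The entries post #4 asks to check, copied from the thread.
FIXLIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehel.dll/sp.html#22048
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2DE519B4-B1BB-A18D-2628-F00E71456676} - C:\WINDOWS\SYSTEM\ADDYK.DLL
O4 - HKLM\..\Run: [SYSKX32.EXE] C:\WINDOWS\SYSTEM\SYSKX32.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [JAVABC32.EXE] C:\WINDOWS\SYSTEM\JAVABC32.EXE /s
"""

# Constructed rescan: lines from the thread's log with the ADDYK.DLL BHO left out.
RESCAN = r"""
C:\WINDOWS\EXPLORER.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sehel.dll/sp.html#22048
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SYSKX32.EXE] C:\WINDOWS\SYSTEM\SYSKX32.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [JAVABC32.EXE] C:\WINDOWS\SYSTEM\JAVABC32.EXE /s
"""


def parse_entries(text):
    """(code, body) for each entry line; header and process-list lines are skipped."""
    hits = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in hits if m]


def key(entry):
    """Case- and whitespace-insensitive key; Win9x paths are not case sensitive."""
    return entry[0], " ".join(entry[1].split()).lower()


def check_fixlist(fixlist_text, rescan_text):
    """Split fix-list entries into (still present, already gone) for a rescan."""
    present = {key(e) for e in parse_entries(rescan_text)}
    wanted = parse_entries(fixlist_text)
    still = [e for e in wanted if key(e) in present]
    gone = [e for e in wanted if key(e) not in present]
    return still, gone


def referenced_files(entries):
    """Files named in entry bodies, de-duplicated case-insensitively, in order."""
    seen, files = set(), []
    for _, body in entries:
        for path in PATH_RE.findall(body):
            if path.lower() not in seen:
                seen.add(path.lower())
                files.append(path)
    return files
```

Comparing the output of `referenced_files(parse_entries(FIXLIST))` with the "Delete these if found" list in post #4 shows that PSGuard.exe is the one referenced file the manual list does not name.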

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yeah, saw the multiple posts but figured you had some problems posting. Next time though, try hitting the refresh button to make sure it wasn't posted already...it will usually show up posted if it went through :tazz:

Download the run-time files and install them. Try running AboutBuster in Safe Mode again.
  • 0
