
3 Posts


July 18th, 2005 03:00

HELP! I got tspy_alemod.a

I was told I could get some help if I would post my HijackThis log here. Please respond with instructions in simple English. I am not very computer savvy. Thanks!!!
 
Logfile of HijackThis v1.99.1
Scan saved at 12:31:06 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Updater.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\ea_cleanup.exe /cleanup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\Program Files\MHC Interactive\GEDONLINE\cab\awswax70.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094226130827
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{849CE8B4-2CC1-4853-9392-36D69651785E}: NameServer = 63.162.197.69 199.2.252.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
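As an added illustration (not part of craig's post and not a feature of HijackThis), here is a small Python triage script that reads HijackThis-style lines like the ones above and flags autorun entries whose executable lives outside the Windows or Program Files trees, sits in a user-writable location such as Temp, or has no absolute path at all; it also echoes the O17 NameServer entry so the DNS servers can be checked against the ISP's. The sample lines are copied from the log above; the trusted-prefix list, the user-writable markers and the verdict strings are my own assumptions, not HijackThis categories, and a "review" verdict means "look at it", not "it is malware".

```python
import re
from typing import List, Optional, Tuple

# Sample input: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ea_cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\ea_cleanup.exe /cleanup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{849CE8B4-2CC1-4853-9392-36D69651785E}: NameServer = 63.162.197.69 199.2.252.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumed "normal" install locations on this XP box (my assumption, not a HijackThis rule).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%systemroot%\\")
# Locations any user process can write to; a legitimate autorun rarely lives here.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\docume~1\\", "\\documents and settings\\")

# Text of an O4 entry after the registry key / startup-folder prefix.
_O4_PREFIX = re.compile(r"(HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] |Global Startup: [^=]*= |Startup: )(.*)")
# An unquoted path that may contain spaces: shortest prefix ending in an executable extension.
_EXE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|$)", re.I)


def o4_target(entry: str) -> Optional[str]:
    """Pull the launched file out of an O4 entry (the text after 'O4 - ')."""
    m = _O4_PREFIX.match(entry)
    if not m:
        return None
    cmd = m.group(2).strip()
    if cmd.startswith('"'):                      # quoted path; arguments follow the closing quote
        return cmd[1:cmd.index('"', 1)]
    em = _EXE.match(cmd)
    return em.group(1) if em else cmd.split()[0]  # no extension: take the first token


def classify(path: str) -> str:
    """Coarse verdict for a launched file; 'review' means a human should look, nothing more."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "ok"
    if any(mk in p for mk in USER_WRITABLE_MARKERS):
        return "review: user-writable location"
    if not re.match(r"[a-z]:\\", p):
        return "review: relative path, resolve by hand"
    return "review: outside Windows/Program Files"


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, target, verdict) for every autorun, service, Winlogon and DNS line."""
    out = []
    for line in log_text.splitlines():
        if " - " not in line:
            continue
        section, entry = line.split(" - ", 1)
        if section == "O4":
            target = o4_target(entry)
            if target:
                out.append((section, target, classify(target)))
        elif section in ("O20", "O23"):           # DLL or service binary is the last ' - ' field
            target = entry.rsplit(" - ", 1)[-1].strip()
            out.append((section, target, classify(target)))
        elif section == "O17":                    # DNS servers: confirm they belong to the ISP
            m = re.search(r"NameServer = (.*)", entry)
            if m:
                out.append((section, m.group(1).strip(), "verify: DNS servers set on this machine"))
    return out


if __name__ == "__main__":
    for section, target, verdict in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<42} {target}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`; entries under Program Files or Windows come back "ok", while `\Updater.exe` (no drive or folder, so cmd resolves it at run time) and the RunOnce item under Temp come back for review.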
 

2 Intern


5.9K Posts

July 18th, 2005 20:00

Start, Run, sfc /scanboot, OK to turn on the sfc on boot option.  Nothing will happen right now.
 
Get killbox from:
http://www.downloads.subratam.org/KillBox.exe
 
Save it to your desktop.
 
Check Delete on Reboot then where it says Full Path of File to Delete, type or paste (Ctrl + V)
 
c:\Windows\system32\wp.bmp
then press the red button.  Agree that you want to delete the file on reboot but do not let it reboot yet.
repeat for each of these:
c:\Windows\system32\w8673492.exe
c:\Windows\system32\wininet.dll
c:\Windows\system32\oleadm.dll
c:\windows\system32\oleadm32.dll
c:\windows\wininit.ini
 
Let it reboot after the last one.  On reboot the system file checker will run and hopefully it will replace wininet.dll file for us.
 
Start, Run, sfc /revert, OK to turn off the sfc on boot option.
 
It may be useful to run the smitfraud.reg program from:
 
 
to clean up your desktop.
 
Ron

3 Posts

July 19th, 2005 02:00

Thanks Ron ... I think this would have worked but I don't have my Windows files (Windows XP) on a disc set t... they came saved on a recovery partition on my hard drive. When Windows rebooted it ran through a check of the system files and then prompted me to insert the Windows XP disc so it could restore files. There was no other option ... no BROWSE button or "get from another location" or anything like that. I eventually canceled the operation and am now not sure what is (or is not) missing / working / still corrupted etc. Any ideas how to handle this part of the operation would be greatly appreciated. Thanks a lot ... craig

 

2 Intern


5.9K Posts

July 19th, 2005 13:00

Start, Run, cmd, OK to bring up a black CMD screen.
 
Type:
 
sfc /revert
 
(This just turns off SFC scanning at boot since it isn't helping).
 
cd \
 
(Moves you to the root ( \ ) folder.)
 
dir /s wininet.dll
 
(Hunts for all copies of wininet.dll.  The result should tell you if you have more than one anywhere on your system.  I believe the good one on XP SP2 should have a size of 589,312.)
 
(If you find a good one or at least one different from the one in C:\windows\System32  then you can try to rename the old one to wininet.bad then copy the good one to the C:\Windows\system32.  Assume you found another one in C:\windows\system32\dllcache)
 
cd \windows\system32
ren wininet.dll wininet.bad
copy c:\windows\system32\dllcache\wininet.dll .
 
(There is a space and then a period at the end of the above line)
 
Note:  If you have one in dllcache and it is the same as the infected one in system32 but you have a good one elsewhere then you will need to delete the one in dllcache first.  It also may be possible to download one
 
 
Ron
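For anyone who wants to script the check Ron describes (dir /s, then compare the copies), here is an added Python example that is not from Ron's post: it walks a directory tree, lists every copy of a named file with its size and SHA-256, and reports which copies differ from the majority. Because real DLLs cannot be shipped with the example, it builds a throwaway directory that mirrors the layout in this thread (system32, dllcache, servicepackfiles\i386) with constructed contents; on a real machine point `find_copies` at C:\ instead. A hash tells copies apart more reliably than a byte count, but neither says which copy is the good one: check the candidate against a known-good hash or its digital signature before renaming or copying anything, and keep in mind that the odd one out can be the clean copy, as it was for craig.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

Hit = Tuple[str, int, str]  # (path, size in bytes, sha256 hex digest)


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[Hit]:
    """Programmatic `dir /s name`: every file called `name` (case-insensitive) under `root`,
    each with its size and hash, sorted by path."""
    wanted = name.lower()
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                p = os.path.join(dirpath, fn)
                hits.append((p, os.path.getsize(p), sha256_of(p)))
    return sorted(hits)


def group_by_hash(hits: List[Hit]) -> Dict[str, List[str]]:
    """Map each distinct content hash to the paths that carry it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p, _size, digest in hits:
        groups[digest].append(p)
    return dict(groups)


def odd_ones_out(hits: List[Hit]) -> List[str]:
    """Paths whose content differs from the most common content. This only says 'different',
    not 'bad': with an infected system32 copy mirrored into dllcache, the clean
    servicepackfiles copy is the one reported."""
    groups = group_by_hash(hits)
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return [p for paths in groups.values() if paths is not majority for p in paths]


def build_demo_tree() -> str:
    """Constructed directory layout mirroring the thread (sample data, not real DLLs)."""
    root = tempfile.mkdtemp(prefix="winroot_")
    layout = {
        "windows/system32/wininet.dll": b"INFECTED" * 100,          # constructed: the suspect copy
        "windows/system32/dllcache/wininet.dll": b"INFECTED" * 100, # constructed: SFC cache, same bytes
        "windows/servicepackfiles/i386/wininet.dll": b"CLEAN-SP2" * 100,  # constructed: SP2 copy
        "windows/system32/kernel32.dll": b"other",                  # unrelated file, must be ignored
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_copies(demo_root, "wininet.dll")
    for path, size, digest in found:
        print(f"{size:>9,}  {digest[:16]}  {path}")
    print("differs from the majority:", odd_ones_out(found))
```

The rename and copy steps themselves are still the ones Ron gave; this only tells you which copies are worth comparing, and on a live system it needs the same elevated or Safe Mode access that craig needed to touch system32.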
 

3 Posts

July 19th, 2005 16:00

Ron,

... so do I send season tickets or name my next child after you?

The pest has been exterminated! THANKS SO MUCH!!!!

The only variation from your instructions I made (which might help someone else reading this) is that I had to reboot into 'safe mode with command prompt' to alter or delete the wininet.dll file in the system32 folder. Access was denied in normal mode.

Also, the good copy of wininet.dll which I found on my hard drive was in C:\windows\servicepackfiles\i386\wininet.dll and the size was 656,384 (08-04-04).

Best wishes to you and yours, bro!
