"wininet.dll" is infected by "W32/Alemod.f.dll"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by programmer04, Mar 15, 2006.

  1. programmer04

    programmer04 Private First Class

    When I woke up this morning, I found my computer completely screwed up. The first thing I noticed was that the desktop was white instead of the picture I chose for it. Then I noticed that a McAfee window stated that "C:\WINDOWS\system32\wininet.dll is infected by the W32/Alemod.f.dll virus and cannot be cleaned." I began looking around and also found that McAfee had been removed from the system tray and replaced by a program called AlphaCleaner (never heard of it). Also, there was a DownloadManager installed as well. I ran most of the programs in the "try this first" malware removal thread while in safe mode and discovered two other viruses, "GenericDownloader.v" and "Exploit-ANIfile". I was able to clean those two as well as remove the two unwanted programs and a number of adware files, but the W32/Alemod.f.dll could not be cleaned, quarantined, or deleted because wininet.dll is a system file and is write protected. I need help in getting rid of this virus as well as getting my desktop back.

    P.S. - I found out that, last night, my wife googled "Britney Spears pregnant" because she loves gossip. If I was there, I would have told her what kind of results she would have got and what to watch out for, but I wasn't. The link she clicked on caused an explosion of porn sites. She said that after she got them all closed out, the computer started acting up.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the following:

    SpyFalcon Removal Procedure

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
    • smitfiles.txt
     
  3. programmer04

    programmer04 Private First Class

    Well, I don't have a program called SpyFalcon installed on my computer, nor do I have the two files mentioned in my WINDOWS\system32 folder. I'll continue with the other steps.

    I do have one other thing to mention, though. The white desktop appears to be some sort of html code. When I right click and click properties, I get a window with just a "General" tab that literally says nothing about the white 'page'. There is a "View Source" when I right click, and it brings up a Notepad text box labeled "C__WINDOWS_warnhp", and states in one part that "This file is automatically generated by Microsoft Windows". The source of this file is apparently located in "C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\...\C__WINDOWS_warnhp".
    It also says, towards the end, something about a file called "warnhp.htm" located in "C:/WINDOWS/", but I can't find that file. I have hidden and system files set to viewable, but I can't locate the files. Deleting Temporary Internet Files does nothing.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just complete ALL the steps. Make sure you run SmitRem and attach the log along with all the others when finished.
     
  5. programmer04

    programmer04 Private First Class

    I completely went through the "Run this first" tutorial. Quite a number of problems were found. Spybot S&D and BitDefender seemed to be the most effective in my case. Many hidden viruses and other malware were found. I only had a problem trying to install WindowsDefender for some reason. But, my 'wininet.dll' appears to be ok now.

    However, my desktop still has a white screen. I am attaching the log files, including the hijackthis log.
     

    Attached Files:

  6. programmer04

    programmer04 Private First Class

    If you need any more info, let me know. I still need help with the white desktop.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes because the program I wanted you to run (SmitRem) fixed it when it removed another bad DLL (the oleext.dll file).

    Are the below items something you downloaded and installed?
    C:\Download\Excursion9.5.Install.exe
    C:\Excursion9.5\ex1.dll


    Are you sure they are safe and clean?

    You did not follow step 0 of the READ ME! I still see Viewpoint Manager and P2Pnetworking (it may be named MediaPipe P2P Loader) installed. Uninstall both of them now.
    Also you did not follow step 7 of the READ ME. You installed HijackThis exactly where we request it not be installed.

    Please fix these two issues and attach a new HJT log. And also tell me how things are working.
     
    Last edited: Mar 16, 2006
  8. programmer04

    programmer04 Private First Class

    Excursion is a program that I've had for nearly 2 years. It is a program used in conjunction with mIRC, a program used for chat, trivia, and file transfers. I've never had a problem with it. I also noticed the P2Pnetwork, I wasn't sure if it was part of my registered version of Limewire. I wasn't sure about Viewpoint. I couldn't remember if it was something that came with another program.

    I've had HijackThis installed for quite some time, that's why I didn't think to follow the instructions on installing it.
     
  9. programmer04

    programmer04 Private First Class

    Here's the hijackthis.log run from C:\Program Files\HJT. Viewpoint and P2PNetwork have been uninstalled.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But it is listed in step 0 of the READ & RUN ME along with many other items to look for and uninstall.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\p2pnetworks <--- the whole folder
    C:\Program Files\MediaPipe <--- the whole folder
    C:\PROGRAM FILES\Winad Client <--- the whole folder
    C:\Program Files\DownloadManager\insdl.dll
    C:\WINDOWS\INF\conscorr.inf
    C:\keys.ini
    C:\x.cab
    C:\WINDOWS\alchem.ini
    C:\WINDOWS\deskbar.ini
    C:\WINDOWS\sepsd.bin
    C:\WINDOWS\uninstDsk.exe
    C:\WINDOWS\system\UpdInst.exe
    C:\WINDOWS\conscorr.ini
    C:\WINDOWS\inf\conscorr.inf
    C:\WINDOWS\inst <--- the whole folder
    C:\WINDOWS\SYSTEM32\ssttr.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Additional step to delete WinadX.inf:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s WinadX.inf
    del WinadX.inf
    exit

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. programmer04

    programmer04 Private First Class

    Ok. A couple of issues. First, my desktop is still white. Right clicking on it still gives me the same options as if I were right clicking on a web page.

    Second, I cannot seem to get rid of the last item on the list, "ssttr.dll." I even tried KillBox with no success. The properties only listed it as hidden (I unchecked that). Task manager made no mention of it running.

    Also, "C:\WINDOWS\inf\conscorr.inf" is mentioned twice. I did delete conscorr.inf and noticed a file called conscorr.PNF, but I didn't delete that one.

    Here's the hijackthis.log attachment.
     

    Attached Files:

  12. programmer04

    programmer04 Private First Class

    I've also noticed that the "ssttr.dll" is now listed as a BHO. Also, every time I fix it in hijackthis, it instantly reappears.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was hoping that it would show the rest of itself after trying to fix the O20 line. I knew something was missing and I was sure it would not fix. Run the below procedure and attach the requested log.

    Virtumonde aka Trojan Vundo Removal


    For your Desktop let's first try the below.

    Fixing Locked Desktop
    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.
     
  14. programmer04

    programmer04 Private First Class

    Nothing found.

    Desktop problem fixed.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below two lines still in your HJT log?

    O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\ssttr.dll
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm assuming they are still there!!!

    Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later. You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ssttr.dll once and then click the kill button. After you have killed all of the ssttr.dll under winlogon click ok. (If you do not find the dll, just continue on.)
    Next double click on explorer.exe and again click once on each instance of ssttr.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\ssttr.dll
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now attach a new HJT log.

    Make sure you tell me how these steps went and how things are working now!
     
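    The pattern chaslang is checking for in posts 15 and 16 is a nameless O2 BHO and an O20 Winlogon Notify entry that both point at the same DLL, which is why the BHO line keeps coming back after a plain HijackThis fix. The following is an added example, not code from this thread or from HijackThis: a small Python parser that reads HJT-style log lines (constructed sample below, modelled on the lines quoted above) and reports DLLs that appear in both roles.

```python
import re

# Constructed sample HijackThis log, modelled on the lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\ssttr.dll
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O20 lines: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(log):
    """Return (bho_entries, winlogon_notify_entries) parsed from HJT log text."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def flag_vundo_pattern(log):
    """DLL paths (lower-cased) registered both as a nameless BHO and as a
    Winlogon Notify handler: the two-hook persistence seen in this thread."""
    bhos, notifies = parse_hjt(log)
    nameless = {b["path"].lower() for b in bhos if b["name"].strip() == "(no name)"}
    notify_paths = {n["path"].lower() for n in notifies}
    return sorted(nameless & notify_paths)


if __name__ == "__main__":
    for dll in flag_vundo_pattern(SAMPLE_LOG):
        print("BHO + Winlogon Notify both load:", dll)
```

A hit means the DLL is loaded by winlogon.exe as well as by the browser, so fixing only the O2 line leaves the notify hook in place to re-register it.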
  17. programmer04

    programmer04 Private First Class

    Sound the "All Clear". "ssttr.dll" is gone!

    Is it time to disable System Restore, reboot, and re-enable system restore so that I can be done with this mess?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!


    Make sure you pay attention to the part about updating Java because you are out of date.
     
