Spyware / Virus Removal Spyware, virus, browser hijack and other malware removal.

#11  07-15-2005, 01:15 AM  PaulB1955 (Member; Join Date: May 2005; Posts: 41)
Hi Mobo, Here is the latest rescan...
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "l.exe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\Installer\a8c0f77.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Installer\a8c0f7b.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Lycos\ss_IGN1_setup.exe tagged as "not-a-virus:AdWare.Sidesearch.d". Action Taken: No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Thanks again, Paul
#12  07-15-2005, 07:32 AM  Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
No viral activity to report now so that's good.

Have you scanned with both Adaware3 and Spybot Search & Destroy as well? If not then please do as follows:

Now for the registry there are a few keys that need to be checked and removed if present by start / run / regedit

They are:
HKEY_CLASSES_ROOT\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}
HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
HKEY_CLASSES_ROOT\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}
HKEY_CLASSES_ROOT\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}
HKEY_CLASSES_ROOT\CLSID\{E813099D-5529-47F4-9B37-4AFAFCB00A43}
HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}
HKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}
HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE
HKEY_CLASSES_ROOT\SigningModule.SigningModule
HKEY_CLASSES_ROOT\SigningModule.SigningModule.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
#13  07-16-2005, 01:17 PM  PaulB1955 (Member; Join Date: May 2005; Posts: 41)
Hello Mobo, I checked my registry for the keys that you said and I was unable to find ANY of them! What does that mean? I also did a full rescan with Adaware and Spybot Search & Destroy, also with Microsoft Antispyware, Trend Micro SpySubtract & PC-cillin Internet Security, also Error Nuker!! Not much is really showing up, HOWEVER, about every 2 minutes I get a pop-up window from Trend Micro Internet Security that says:

Real-time Scan
Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

Infected file: C:\WINDOWS\SYSTEM32\WININET.DLL
Virus name: TSPY_ALEMOD.A
User name: Brian
Scan action result: The Quarantine action was unsuccessful. Manually delete the file if you are sure that it is not needed.
Note: If Search for and clean Trojans is enabled and is executed after scanning, you can click Next to view final scan result information.

When I click on the Virus name: TSPY_ALEMOD.A it brings me to their web page and says:

TSPY_ALEMOD.A
Overview

Type: Spyware
In the wild: Yes
Destructive: No
Language: English
Systems affected: Windows 98, ME, NT, 2000, XP
Encrypted: No
Overall risk rating: Low

Reported detections: Low
System impact: High
Distribution potential: High

Description:

This spyware monitors network traffic packets to steal information from an affected system. It also attempts to download updated copies of itself from the Internet and execute them on the system.

It drops certain Dynamic Link Library (DLL) files, one of which contains a malicious code, in the Windows system folder.

Description created: Jul 8, 2005
Revision history: Jul 12, 2005 - Modified Virus Report

Solution

Minimum scan engine version needed: 6.810
Virus Pattern Version Needed: 2.718.02
Pattern release date: Jul 6, 2005

Solution:

Restoring Deleted or Overwritten Files

Acquire a clean copy of the Windows file, WININET.DLL, from an installer or from a clean Windows system with the same version. Rename the copy as CLEAN.DLL and place it in the %System% folder.

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

• On Windows 95 and ME

Copy and paste the following in a text editor:
[rename]
%System%\wininet.dll = "%System%\clean.dll"

Save the file as WININIT.INI.
Place the file in the Windows folder.

• On Windows 2000 and NT

Copy and paste the following in a text editor:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,\
  00,32,00,5c,00,77,00,69,00,6e,00,69,00,6e,00,65,00,74,00,2e,00,64,00,6c,00,\
  6c,00,00,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,\
  00,4e,00,54,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6c,00,65,00,61,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00,5c,00,3f,00,3f,\
  00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,69,00,6e,00,69,00,6e,00,65,\
  00,74,00,2e,00,64,00,6c,00,6c,00,00,00,00,00

Save the file as FIX.REG.
Run FIX.REG by double-clicking the file.

• On Windows XP

Copy and paste the following in a text editor:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,\
  00,6d,00,33,00,32,00,5c,00,77,00,69,00,6e,00,69,00,6e,00,65,00,74,00,2e,00,\
  64,00,6c,00,6c,00,00,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,\
  00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,\
  6d,00,33,00,32,00,5c,00,63,00,6c,00,65,00,61,00,6e,00,2e,00,64,00,6c,00,6c,\
  00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,\
  4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,77,00,69,00,6e,00,69,00,6e,00,65,00,74,00,2e,00,64,00,6c,00,6c,00,00,00,\
  00,00

Save the file as FIX.REG.
Run FIX.REG by double-clicking the file.

Restart System

After executing the FIX.REG or WININIT.INI files, restarting the system will replace the infected WININET.DLL file with a clean copy.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as TSPY_ALEMOD.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Technical Details

Initial samples received on: Jul 6, 2005
File type: PE
Memory resident: Yes
Compression type: UPX
File size: 8,193 Bytes

Payload 1: Others / Payload Detail 1: Overwrites a system file
Payload 2: Others / Payload Detail 2: Downloads updated copies of itself

Details:


Upon execution, this spyware drops the following files in the Windows system folder:

Oleadm.dll
Oleadm32.dll
It then drops the file WININIT.INI in the Windows folder. The said .INI file renames the dropped file OLEADM32.DLL to WININET.DLL when the system is restarted. It then overwrites the original WININET.DLL file, which is in the Windows system folder.

(Note: The file OLEADM32.DLL is a modified copy of the WININET.DLL. This modified copy contains a malicious code. Also note that Windows deletes WININIT.INI after it executes, so that this dropped file is only able to perform its routine once after the system is restarted.)

This spyware monitors network traffic packets to get information from an affected system. It also attempts to download updated copies of itself from the Internet and execute them on the system.

It runs on Windows 98, ME, NT, 2000, and XP.

Analysis by: Jonathan N. San Jose
Updated by: Mark Julius G. Dy

Statistics

Computers detected since July 8, 2005
North America 2,467
Europe 566
Asia 243
South America 63
Australia and New Zealand 30
Africa 9
(unknown) 9
Total 3,387

Top 10 countries
United States 2,442
France 197
Spain 140
Japan 81
Germany 75
Thailand 64
Brazil 51
Australia 29
Taiwan 29
United Kingdom 27

Rate of detection
Africa 11.1%
Australia and New Zealand 1.3%
Europe 0.9%
Asia 0.2%
North America 0.2%
South America 0.0%

Source: Trend Micro World Virus Tracking Center

Here is a rescan of the MicroWorld AntiVirus:
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "l.exe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\Installer\a8c0f77.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Installer\a8c0f7b.msi tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Lycos\ss_IGN1_setup.exe tagged as "not-a-virus:AdWare.Sidesearch.d". Action Taken: No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Once Again...Thanks Soooo Much for your Help :beer: Paul
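The FIX.REG files in the write-up above work by setting PendingFileRenameOperations, a REG_MULTI_SZ of (source, target) pairs that Windows applies at the next boot, with an empty target meaning delete. The following is an added example, not code from the thread or from Trend Micro (only the hex is theirs), that decodes such a value so you can see exactly what a .reg will do before double-clicking it, and flags any operation that touches WININET.DLL:

```python
"""Decode a .reg PendingFileRenameOperations value (REG_MULTI_SZ, "hex(7)")
into the delete/rename steps Windows performs at the next boot.
Added example, not from the thread or Trend Micro's write-up; only the hex is theirs."""

# Constructed sample: the Windows XP FIX.REG from the write-up above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames"=dword:00000001
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,\
  00,6d,00,33,00,32,00,5c,00,77,00,69,00,6e,00,69,00,6e,00,65,00,74,00,2e,00,\
  64,00,6c,00,6c,00,00,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,\
  00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,\
  6d,00,33,00,32,00,5c,00,63,00,6c,00,65,00,61,00,6e,00,2e,00,64,00,6c,00,6c,\
  00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,\
  4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,77,00,69,00,6e,00,69,00,6e,00,65,00,74,00,2e,00,64,00,6c,00,6c,00,00,00,\
  00,00
'''

PROTECTED = {'wininet.dll'}   # system DLLs worth a second look (the one in the write-up)

def reg_hex7_value(reg_text, name):
    """Raw bytes of the hex(7) value `name`, joining .reg backslash line continuations."""
    lines = reg_text.splitlines()
    prefix = '"%s"=hex(7):' % name
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        raw = line[len(prefix):].strip()
        while raw.endswith('\\'):          # trailing backslash: value continues on next line
            i += 1
            raw = raw[:-1] + lines[i].strip()
        return bytes(int(h, 16) for h in raw.split(',') if h)
    raise KeyError(name)

def decode_multi_sz(data):
    """Split a REG_MULTI_SZ blob: UTF-16LE, each string NUL-terminated, one extra NUL at the end.
    Empty strings in the middle are real entries and are kept."""
    text = data.decode('utf-16-le')
    if text.endswith('\x00'):
        text = text[:-1]                   # list terminator
    parts = text.split('\x00')
    if parts and parts[-1] == '':
        parts.pop()                        # last string's own terminator
    return parts

def pending_renames(entries):
    """Pair strings as (source, target); an empty target means delete. Strips the \\??\\ NT prefix."""
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src, dst = src.replace('\\??\\', '', 1), dst.replace('\\??\\', '', 1)
        ops.append(('delete', src, None) if dst == '' else ('rename', src, dst))
    return ops

def touches_protected(ops):
    """Operations whose source or target file name is in PROTECTED: review these before running."""
    return [op for op in ops
            if any(p and p.rsplit('\\', 1)[-1].lower() in PROTECTED for p in op[1:])]
```

For the XP FIX.REG this yields a delete of the infected WININET.DLL followed by a rename of CLEAN.DLL onto its path, which is exactly the boot-time swap the write-up describes (and, in reverse, the same trick the spyware plays on 9x with WININIT.INI).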
#14  07-16-2005, 04:11 PM  Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
Ok Paul, we're close to complete now, just a few more things to do yet.

First thing I want to do is start / search / all files & folders / l.exe in the upper window / then click the "more advanced options" button and make sure all files including hidden are checked.

When/if found take note of the file's path, for example C:\WINDOWS\SYSTEM32\l.exe

Now open killbox.exe again and paste C:\WINDOWS\SYSTEM32\WININET.DLL
click the red x as well as "delete on reboot" but don't reboot just yet.
Paste the file path for l.exe if you have it then click the red x and delete on reboot.

Now reboot..

Post back with the results
#15  07-17-2005, 01:12 PM  PaulB1955 (Member; Join Date: May 2005; Posts: 41)
Hello Mobo, I have a few questions about your last reply. You said: "When/if found take note of the file's path, for example C:\WINDOWS\SYSTEM32\l.exe", sorry I don't understand. Then you said: "Paste the file path for l.exe if you have it then click the red x and delete on reboot", when I went to search for all files & folders with l.exe I came up with about 175 different ones! Can you please explain your last reply in "simple" terms that I can better understand? Thanks, Paul
#16  07-17-2005, 01:16 PM  Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
Ok Paul. Do the search again if you have closed it and after all the results are finished, click:

Edit / Select All
Edit / Copy

Then paste the results here for me to look at please.
#17  07-19-2005, 11:05 AM  PaulB1955 (Member; Join Date: May 2005; Posts: 41)
OK Mobo, I ran a search of all files & folders with l.exe and came up with 392!! The only problem is, when I selected them all and then copied them...I was unable to paste it to this forum!! I tried EVERYTHING...but the word paste wouldn't even highlight so that I could click on it. Any ideas?? Thanks, Paul
#18  07-19-2005, 11:34 AM  Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
Ok then please copy and paste this for the search item:

"l.exe"

It should turn up fewer results.

If only one or two results are found then note the file's path please.
#19  07-19-2005, 08:47 PM  PaulB1955 (Member; Join Date: May 2005; Posts: 41)
Hello Mobo, I searched for files "l.exe" and there were no results to display. Now what should I do?? Paul
#20  07-19-2005, 08:59 PM  Mobo (Thinking outside the box; Join Date: Sep 2004; Location: Cape Breton; Posts: 4,587)
That's it, good to go then.