
Removing wlnet.exe

Discussion in 'Virus & Other Malware Removal' started by hexx, Apr 9, 2004.

Thread Status:
Not open for further replies.
  1. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    Hi, my firewall on every Windows boot says wlnet.exe is connecting somewhere. wlnet.exe terminates all my anti-virus and security programs, so I have to relaunch them. I looked in the registry to remove it, but it's not there; I tried deleting the file from the system32 directory, but the file was back when I rebooted. Is there a way I can get rid of that virus without actually formatting??

    Thanks
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Did not see anything on wlnet.exe on the Sophos or Norton websites.

    Go to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
    Make sure it is placed into its own folder, not a temporary folder. Then double-click HijackThis.exe.
    Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log (in the security section).
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    If Merijn.org is still down due to the DDoS attack on it, the alternative download sites for HijackThis are:
    http://www.oneknight.co.uk
    http://www.sherrylynn.us/HijackThis.exe
    http://mjc1.com/mirror/hjt/
    http://www.majorgeeks.com/downloads31.html
    http://www.spywareinfo.com/~merijn/downloads.html
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

    Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.

    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This, do not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents, name it Hijack This, and put it in that folder.
     
  4. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    Thanks, it's not "winet.exe", it's "wlnet.exe" with an L. Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:00:38 AM, on 10/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Net-Commando 2000\NC2000.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hispeed.rogers.com
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NetCommando2000AutoLoad] C:\Program Files\Net-Commando 2000\NC2000
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37813.5616666667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked".

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Restart your computer.


    Go here

    Scroll to the bottom of the page and look for the Submit file section.

    Click on Browse

    Navigate to the .... wlnet.exe .... file and let us know what you find.
     
  6. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    OK, it says the file is OK, but I think it's undetected. It still comes back up after I restarted.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There's nothing showing in your HJT log. Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.
     
  8. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    StartupList report, 10/04/2004, 12:31:03 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Net-Commando 2000\NC2000.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    NetCommando2000AutoLoad = C:\Program Files\Net-Commando 2000\NC2000
    PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    InstallShieldSetup = C:\PROGRA~1\INSTAL~1\{7F5E2~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{7F5E2~1\reboot.ini -l0x9

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{42CE4021-DE03-E3CC-EA32-40BB12E6015D}]
    StubPath = C:\WINDOWS\System32\mskfbr.com

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=C:\windows\system32\tskmon.exe

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37813.5616666667

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [SDKInstall Class]
    InProcServer32 = C:\WINDOWS\sdkinst.dll
    CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.exe (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
    nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
    nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
    PC-cillin Personal Firewall: C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe (autostart)
    PCTEL Speaker Phone: %SystemRoot%\system32\pctspk.exe (autostart)
    PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Tmfilter: System32\drivers\TmXPFlt.sys (autostart)
    Trend NT Realtime Service: "C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe" (autostart)
    Tmpreflt: System32\drivers\Tmpreflt.sys (autostart)
    Trend Micro Proxy Service: C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe (autostart)
    Trend Micro TDI Driver: \SystemRoot\System32\Drivers\tmtdi.sys (autostart)
    Common Firewall Driver: \SystemRoot\System32\Drivers\tm_cfw.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Vsapint: System32\drivers\Vsapint.sys (autostart)
    vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
    TrueVector Internet Monitor: C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: c:\documents and settings\victor\cookies\[email protected][2].txt||c:\documents and settings\victor\cookies\[email protected][2].txt


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll

    --------------------------------------------------
    End of report, 14,004 bytes
    Report generated in 0.156 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
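A scripted pass over a StartupList report of the kind posted above, as an added example that is not part of the thread and is not HijackThis or StartupList code. It splits the report into its dash-delimited sections and flags the three kinds of entry that a quick read of a 14 KB report tends to skip: Active Setup stubs whose binary is not one of the stock Windows stubs (the set below is built from the stock stubs visible in the posted report and is an assumption, not a vendor allowlist), any non-empty win.ini load=/run= line, and Run-key targets with a .com/.pif/.scr/.bat/.cmd extension or a temp-directory path. SAMPLE_REPORT is a constructed excerpt of the posted report. Note what this pass cannot see: StartupList 1.52 prints the Policies Shell value but does not enumerate Policies\Explorer\Run, which is where the TDS-3 scan later in the thread found the Beast autorun, so a clean result here only covers the locations the report itself lists.

```python
"""Triage a HijackThis StartupList report for autorun entries that are easy
to overlook. Added example; not part of the thread and not HijackThis code."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: an excerpt of the StartupList report posted in the thread.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[{42CE4021-DE03-E3CC-EA32-40BB12E6015D}]
StubPath = C:\WINDOWS\System32\mskfbr.com

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\windows\system32\tskmon.exe

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
"""

# Assumption: stock Active Setup stub binaries, taken from the entries visible
# in the posted report. This is not a vendor allowlist.
STOCK_ACTIVE_SETUP_STUBS = {
    "unregmp2.exe", "shmgrate.exe", "regsvr32.exe", "setup50.exe",
    "ie4uinit.exe", "rundll32.exe", "updcrl.exe",
}
RISKY_EXTENSIONS = {".com", ".pif", ".scr", ".bat", ".cmd"}


@dataclass
class Finding:
    location: str   # registry key or ini file the entry lives in
    name: str       # value name, Active Setup GUID, or ini key
    target: str     # the command line that would run
    reason: str


def _first_token(cmdline: str) -> str:
    """Executable part of a command line: the quoted path or the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sections(report: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header line, remaining lines) for each dash-delimited section."""
    for chunk in re.split(r"^-{10,}\s*$", report, flags=re.M):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if lines:
            yield lines[0], lines[1:]


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    for header, lines in _sections(report):
        if header.startswith("Autorun entries from Registry"):
            key = lines[0] if lines else "?"
            for line in lines[1:]:
                if " = " not in line:
                    continue
                name, cmd = line.split(" = ", 1)
                base = _basename(_first_token(cmd))
                ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
                if ext in RISKY_EXTENSIONS:
                    findings.append(Finding(key, name.strip(), cmd.strip(),
                                            f"Run-key target has extension {ext}"))
                elif "\\temp\\" in cmd.lower():
                    findings.append(Finding(key, name.strip(), cmd.strip(),
                                            "Run-key target lives under a temp directory"))
        elif header.startswith("Enumerating Active Setup stub paths"):
            guid, pending = None, False
            for line in lines:
                m = re.match(r"\[>?(\{[0-9A-Fa-f-]+\})\]\s*(\*)?", line)
                if m:
                    # No '*' means no HKCU twin yet: the stub runs at the next logon.
                    guid, pending = m.group(1), m.group(2) is None
                    continue
                if line.startswith("StubPath = ") and guid:
                    cmd = line[len("StubPath = "):]
                    base = _basename(_first_token(cmd))
                    if base not in STOCK_ACTIVE_SETUP_STUBS:
                        state = "runs at next logon" if pending else "already run for this user"
                        findings.append(Finding("HKLM\\...\\Active Setup\\Installed Components",
                                                guid, cmd, f"non-stock stub {base}; {state}"))
        elif header.startswith("Load/Run keys from") and "WIN.INI" in header.upper():
            for line in lines:
                m = re.match(r"(load|run)=(.+)$", line)
                if m and m.group(2).strip():
                    findings.append(Finding("win.ini", m.group(1), m.group(2).strip(),
                                            "legacy win.ini autorun is set; rarely legitimate on NT-based Windows"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.location} [{f.name}] -> {f.target}\n    {f.reason}")
```

Run as-is it flags two entries: the {42CE4021-DE03-E3CC-EA32-40BB12E6015D} Active Setup stub pointing at mskfbr.com, which has no HKCU twin and so runs again at the next logon, and the win.ini run= line for tskmon.exe. The scan dump later in the thread confirms the first as RAT.Beast; tskmon.exe is not mentioned again in the thread and should be checked rather than assumed either way.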
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see anything in the startuplist.

    Would you put a copy of that file in a zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from. I'll let you know what I find out.
     
  10. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    Did you get the email?
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Sorry about taking so long to get back to you, but it was a busy holiday. I submitted the file for analysis and this is the response I got "This is a modified BEAST trojan".

    Have you managed to get rid of it?
     
  12. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    No, no luck yet. I downloaded Trojan Hunter but it doesn't find anything, and if I launch wlnet.exe it will just simply close Trojan Hunter. Any idea how to remove it?
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I was told that Trojan Hunter would remove it. The only other program that I know of that should remove it is TDS-3.

    Download TDS-3 from http://www.wilders.org/anti_trojans.htm

    This is a Trial version so you will have to do the update manually.
    The automatic update only works with the registered version which costs $49.

    Update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update

    Under the "Manual Update" right click on the radius.td3 file and choose "Save target as".
    Then in the "Save in" box browse to the C:\Program Files\TDS3 folder
    (provided that is the location of your TDS-3 directory) and save it there.
    A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

    Run the "full System scan" , preferably in safe mode.

    Note: Temporarily disable your Antivirus program.
    Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.

    TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet; just right click the suspicious ones and save as .txt. Leave TDS-3 open and running after the scan and then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste its contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.
     
  14. hexx

    hexx Thread Starter

    Joined:
    Jun 28, 2003
    Messages:
    75
    Scan Control Dumped @ 20:58:10 13-04-04
    RegVal Trace: RAT.Beast: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

    RegVal Trace: RAT.Beast: HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

    Positive identification: RAT.Beast 2.05c
    File: c:\windows\tmp3.exe

    Positive identification (DLL): RAT.Toquito Bandito 1.1 FWB (dll)
    File: c:\windows\winhost32.dll

    Positive identification: RemoteAdmin.RAdmin 2.1
    File: c:\windows\system32\r_server.exe

    Positive identification (DLL): RemoteAdmin.RAdmin 2.0 (dll)
    File: c:\windows\system32\admdll.dll

    Positive identification: RAT.Beast 2.05c
    File: c:\windows\system32\wlnet.exe

    Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
    File: c:\windows\system32\msvbvm06.dll

    Positive identification: RAT.Beast 2.05c
    File: c:\windows\system32\mskfbr.com

    Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\system32\[email protected]@@k.dll.tcf

    Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
    File: c:\windows\system32\ldrmsvbvm06.dll

    Positive identification: RAT.Beast 2.05c
    File: c:\windows\msagent\msptmf.com

    Positive identification: TrojanDownloader.Win32.Dyfuca.g
    File: c:\program files\ddm\0\optimize.exe

    Positive identification (DLL): RemoteAdmin.RAdmin 2.0 (dll)
    File: c:\program files\radmin\admdll.dll

    Positive identification: RemoteAdmin.RAdmin 2.1
    File: c:\program files\radmin\r_server.exe
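The scan dump format above parsed into a removal checklist, as an added example that is not part of the thread and is not DiamondCS code. parse_scandump reads the "RegVal Trace" and "Positive identification" records into IOCs; cleanup_plan orders them the way a manual removal is done: stop the running images first so a live copy cannot undo the deletion, remove the autorun values, then clear file attributes and delete every copy. SAMPLE_SCANDUMP is a constructed excerpt of the posted dump. The emitted taskkill/reg/attrib/del lines are standard cmd.exe commands meant to be run from Safe Mode; that they are sufficient is an assumption, not something the thread confirms. The extra_keys parameter exists because the dump lists only two registry traces, while the StartupList earlier in the thread showed mskfbr.com launched from the Active Setup key {42CE4021-DE03-E3CC-EA32-40BB12E6015D}; a plan built from one tool's output alone misses that key.

```python
"""Parse a TDS-3 scandump into IOCs and order them into a clean-up checklist.
Added example; not part of the thread and not DiamondCS code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: an excerpt of the scan dump posted in the thread.
SAMPLE_SCANDUMP = r"""Scan Control Dumped @ 20:58:10 13-04-04
RegVal Trace: RAT.Beast: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

RegVal Trace: RAT.Beast: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

Positive identification: RAT.Beast 2.05c
File: c:\windows\tmp3.exe

Positive identification (DLL): RAT.Toquito Bandito 1.1 FWB (dll)
File: c:\windows\winhost32.dll

Positive identification: RemoteAdmin.RAdmin 2.1
File: c:\windows\system32\r_server.exe

Positive identification: RAT.Beast 2.05c
File: c:\windows\system32\wlnet.exe

Positive identification: RAT.Beast 2.05c
File: c:\windows\system32\mskfbr.com

Positive identification: RAT.Beast 2.05c
File: c:\windows\msagent\msptmf.com

Positive identification: RemoteAdmin.RAdmin 2.1
File: c:\program files\radmin\r_server.exe
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


@dataclass(frozen=True)
class Ioc:
    kind: str                    # "file" or "regval"
    family: str                  # scanner's detection name
    location: str                # file path, or HIVE\Key for a registry value
    value: Optional[str] = None  # registry value name
    data: Optional[str] = None   # registry value data (the command it launches)


def parse_scandump(text: str) -> List[Ioc]:
    """Each record is a header line followed by a 'File:' line."""
    iocs: List[Ioc] = []
    pending = None  # (kind, family, hive) waiting for its File: line
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"RegVal Trace: (.+?): (HKEY_\w+)$", line)
        if m:
            pending = ("regval", m.group(1), HIVES.get(m.group(2), m.group(2)))
            continue
        m = re.match(r"Positive identification(?: \(DLL\))?: (.+)$", line)
        if m:
            pending = ("file", m.group(1), None)
            continue
        if line.startswith("File: ") and pending:
            kind, family, hive = pending
            target = line[len("File: "):]
            if kind == "regval":
                km = re.match(r"(.+?) \[(.+?)=(.+)\]$", target)
                if km:
                    key, name, data = km.groups()
                    iocs.append(Ioc("regval", family, f"{hive}\\{key}", name, data))
            else:
                iocs.append(Ioc("file", family, target))
            pending = None
    return iocs


def cleanup_plan(iocs: List[Ioc], extra_keys: Iterable[str] = ()) -> List[str]:
    """cmd.exe lines in removal order: stop images, cut autoruns, delete files.
    extra_keys: whole registry keys found by other means (for example an Active
    Setup GUID key from a StartupList report) that the dump does not list."""
    steps: List[str] = []
    images = sorted({ioc.location.rsplit("\\", 1)[-1]
                     for ioc in iocs if ioc.kind == "file"
                     and ioc.location.lower().endswith((".exe", ".com"))})
    steps += [f'taskkill /F /IM "{img}"' for img in images]
    steps += [f'reg delete "{ioc.location}" /v "{ioc.value}" /f'
              for ioc in iocs if ioc.kind == "regval"]
    steps += [f'reg delete "{key}" /f' for key in extra_keys]
    for path in sorted({ioc.location for ioc in iocs if ioc.kind == "file"}):
        steps.append(f'attrib -r -s -h "{path}"')  # clear hidden/system/read-only first
        steps.append(f'del /f "{path}"')
    return steps


def families(iocs: List[Ioc]) -> dict:
    """Detection name -> number of artefacts; shows how many distinct tools are on the box."""
    counts: dict = {}
    for ioc in iocs:
        counts[ioc.family] = counts.get(ioc.family, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_scandump(SAMPLE_SCANDUMP)
    print(families(found))
    # Key taken from the StartupList posted earlier in the thread, not from the dump.
    active_setup_key = (r"HKLM\Software\Microsoft\Active Setup\Installed Components"
                        r"\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}")
    print("\n".join(cleanup_plan(found, [active_setup_key])))
```

Two cautions before running such a plan. RemoteAdmin.RAdmin is a commercial remote-control product: if nobody installed it on this machine it is part of the intrusion, otherwise drop those two entries first. And with several distinct RATs plus a keylogger DLL identified, scripted removal is containment, not closure: change every password that was typed on the machine afterwards, and weigh the cost of a rebuild against the chance that a fourth tool was missed.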
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you delete all those TDS-3 found?
     

Short URL to this thread: https://techguy.org/218909
