Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Internet Browser spyware

Started by Lew , Sep 06 2004 09:54 PM

  • Please log in to reply

#1
Lew
Posted 06 September 2004 - 09:54 PM

Lew

    Member

  • Member
  • PipPip
  • 10 posts
I am having some trouble getting rid of an ALTEvents spyware. I have updated to XP SP2, updated symantec virus software defs, and ran Ad-aware se, spyware blaster, hijckthis, and spybot S&D. CWShredder sees nothing but does not update. Spybot finds ATLEvents (4), Ad Aware finds Virtumond (4), and hijck this log follows. In Hijack log, I suspect the CatlEvent and the other two lines that include svceula (reverse aluecvs? in first line). The lines return even after multiple "fix" and reboots.

The symptoms I experience with IE are ppersistent popup windows for winantivirus2004 and stopguard antivirus software sales pages come up when searching from address bar. Another post mentioned these guys are russian and will return money to dissatified subscribers, but more than the annoying popups, Internet Explorer IS MISERABLY SLOW.

I found a file with svceula in the name and deleted it in "safe" mode. (It was in the Windows/Font folder, but it was hidden even with with the "show hidden files" option <on>. Perhaps this was a rash move, but since the symtops persist, I figure it is still being created from somewhere at bootup and startup of IE or Win Explorer..

Please help! Thanks in advance!

Logfile of HijackThis v1.98.2
Scan saved at 11:15:59 PM, on 9/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Windows\System32\gearsec.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Windows\Fonts\svceula.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IadarolL-HALHPN\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\aluecvs.dat
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [*svceula] C:\Windows\Fonts\svceula.exe
O4 - HKLM\..\RunOnce: [*svceula] C:\Windows\Fonts\svceula.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\Windows\java\Packages\nettask.exe ren
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094353399965
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hal.hitachi.local
O17 - HKLM\Software\..\Telephony: DomainName = hal.hitachi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hal.hitachi.local
  • 0

Advertisements

#2
Lew
Posted 07 September 2004 - 09:31 AM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Well, the file name has apparently changed overnight.

The old files named svceula.exe and aluecvs.dat could be deleted using Hijackthis.

The new files are named apinet.exe and tenipa.dat.

Similarities to svcuela I noticed:
1) reversed naming scheme
2) again BHO and a runonce
3) BHO dat file is again in temp folder

Difference:
1) apinet.exe is in windows/security/database folder

If anyone has has success getting rid of this, your asssitance is greatly appreciated!

Logfile of HijackThis v1.98.2
Scan saved at 11:27:44 AM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Windows\System32\gearsec.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Windows\security\Database\apinet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IadarolL-HALHPN\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\tenipa.dat
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\RunOnce: [*apinet] C:\Windows\security\Database\apinet.exe rerun
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094353399965
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hal.hitachi.local
O17 - HKLM\Software\..\Telephony: DomainName = hal.hitachi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hal.hitachi.local
  • 0

#3
coachwife6
Posted 07 September 2004 - 10:48 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Before we start looking at your log, I'd like for you to do a couple of things for us.

Please run a free online virus scan here (tick the "Auto Clean checkbox):
http://housecall.antivirus.com/

Reboot and run:

And a free trojan scan here:
http://www.moosoft.com/

Reboot and run:

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives

-> Click on the Advanced button on the left and select:

* Include additional process information
* Include additional file information
* Include environment information
* Include additional object details

-> Click the Tweak button and select:

* Under the Scanning Engine:
o Unload recognized processes during scanning
o Include basic Ad-aware settings in logfile
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

* Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

One last thing: Run Spybot Search and Destroy.

Spybot Search & Destroy Download and install. Start Spybot S&D using the "Spybot-S&D (easy mode)" link from your Start menu . Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed.
  • 0

#4
Lew
Posted 07 September 2004 - 08:02 PM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks very much for your assistance. I did as told and here are the results.

Moosoft found nothing.

Symantec realtime scan during Ad Aware se scanning

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\AAWTMP\C4810176\MainApp.class
Location: C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\AAWTMP\C4810176
Computer: HPNL-IADAROLL
User: IadarolL-HALHPN
Action taken: Delete succeeded : Access denied
Date found: Tuesday, September 07, 2004 9:07:45 PM

Housecall locked up and the download of the setupex.exe took a long time. After a couple attempts, it did load

The files found were
Troj 167.A Cannot Access C:\Documents and Settings\IadarolL-HALHPN\ApplicationData\SUn\Java\Deployment\Cache\cache\javapi\v1.0\file\SecurityClassLoader.class-26734d8e-33d54037.class

Troj 167.A Cannot Access C:\Documents and Settings\IadarolL-HALHPN\ApplicationData\SUn\Java\Deployment\Cache\cache\javapi\v1.0\file\SecurityClassLoader.class-1ac02c55-5632c12f.class

JAVA BYTEVER.A-1 Cannot Access C:\Documents and Settings\IadarolL-HALHPN\ApplicationData\SUn\Java\Deployment\Cache\cache\javapi\v1.0\jar\proc.jar-579b8cc2-4edd954d.zip *My Function.class*

JAVA BYTEVER.A-1 Cannot Access C:\Documents and Settings\IadarolL-HALHPN\ApplicationData\SUn\Java\Deployment\Cache\cache\javapi\v1.0\jar\proc.jar-579b8cc2-4edd954d.zip *Main App.class*

Spybot found ALTEvents (4) and stated it fixed them

Here is the Hijackthis log

Logfile of HijackThis v1.98.2
Scan saved at 9:54:41 PM, on 9/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Windows\System32\gearsec.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Windows\security\Database\apinet.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Documents and Settings\IadarolL-HALHPN\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\tenipa.dat
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [*apinet] C:\Windows\security\Database\apinet.exe
O4 - HKLM\..\RunOnce: [*apinet] C:\Windows\security\Database\apinet.exe rerun
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094353399965
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hal.hitachi.local
O17 - HKLM\Software\..\Telephony: DomainName = hal.hitachi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hal.hitachi.local
  • 0

#5
coachwife6
Posted 07 September 2004 - 08:26 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Thanks for doing that. I was hoping it would get rid of some extra items. I will research it early tomorrow morning and get back to you very soon, probably before lunch.
  • 0

#6
Lew
Posted 07 September 2004 - 08:55 PM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for the heads up. Let's crush this thing like a jelly bean. <_<
  • 0

#7
coachwife6
Posted 08 September 2004 - 07:52 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
That's a new one on me, but whatever works. <_<

Before we go any further, can you tell me if you know what apinet is?
  • 0

#8
Lew
Posted 08 September 2004 - 08:25 AM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I have no idea. I did not see it before this weekend. I think it replaced aluecvs--svceula in my first log post.
  • 0

#9
coachwife6
Posted 08 September 2004 - 08:46 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Then we'll get rid of it. I'm finishing it up.
  • 0

#10
coachwife6
Posted 08 September 2004 - 09:43 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I submitted your log for staff to look at. One more question: who is your ISP?
  • 0

Advertisements

#11
coachwife6
Posted 08 September 2004 - 12:55 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\tenipa.dat


Reboot your PC.

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Windows\security\Database\apinet.exe rerun
C:\Windows\security\Database\apinet.exe
C:\Windows\security\Database\apinet.exe rerun


Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#12
Lew
Posted 08 September 2004 - 08:40 PM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Sadly, I still have the slowdowns, and stopguard/winantivirus issues with IE.

I followed the directions, except that I had to reboot in "safe mode with networking" in order for windows to accept my login password.

Another problem was that although I was able to delete the file c:\windowprefetch\apinet.exe-2799BF4.pf I was not allowed to delete the file c:\windows\security\database\apinet.exe I have full permossion but the warning stated that the file was in use and could not be deleted. All other windows were closed, perhaps I need to turn off some windows process?

I looked at some of the files in the windows security folders, and to an amateur like me, they look legit and appear to have been installed with the SP2 update.

I look forward to hearing back. Thanks for the continued support!

Logfile of HijackThis v1.98.2
Scan saved at 10:15:45 PM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Windows\System32\gearsec.exe
C:\Windows\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Windows\security\Database\apinet.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Windows\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\tenipa.dat
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [*apinet] C:\Windows\security\Database\apinet.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094353399965
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hal.hitachi.local
O17 - HKLM\Software\..\Telephony: DomainName = hal.hitachi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hal.hitachi.local
  • 0

#13
coachwife6
Posted 08 September 2004 - 08:46 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I know you're frustrated and you're working hard to get it resolved. Take a breather. It's time for me to call in the big guys with the heavy guns: admin, ditto, soxrock.

I see that it's still there in your temp file:

O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\IADARO~1\LOCALS~1\Temp\tenipa.dat

And you cleaned out your temp. files too? I had this problem one time too. The temp. file would not go away.
  • 0

#14
Lew
Posted 08 September 2004 - 09:25 PM

Lew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I am going on a white water rafting trip so paddling will be my focus until Sunday. Thanks for all the assistance so far. I just found an update for Symantec and moosoft, so I'll run those again tonight before I take off.

Look forward to some more ideas when I return..

Have a good weekend and Thanks Again. <_<
  • 0

#15
admin
Posted 08 September 2004 - 09:30 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\DOCUMENTS AND SETTINGS\IADARO... (you'll need to complete this folder name)\LOCAL SETTINGS\Temp\tenipa.dat
C:\Windows\security\Database\apinet.exe

Click 'Exit' when done.

Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP