TechSpot

Privacy Scanner / Yield Manager and other malware on my machine

By JohnKing
Jun 27, 2005
Topic Status:
Not open for further replies.
  1. Hi:

    Well, they finally got me, and good. I've got popups and popunders all over the place.

    Not sure how to proceed. From other posts here, it looks like the log from a HiJackThis program is the place to start, so I've attached mine. I tried to include it in the body of the email, but apparently it has too many characters.

    Thanks for your help.

    John


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  3. JohnKing

    JohnKing TS Rookie Topic Starter

    Hi:

    Thanks. Yes, it's like all the years I've successfully avoided this problem have been made up for in the last 24 hours.

    I've finished most of the steps and I'm in fairly good shape. However, if I try and go to

    http://www.safernetworking.org/files/delcwssk.zip

    I get:

    The page is not found

    The requested URL /files/delcwssk.zip was not found on this server.
    Apache/1.3.27 Server at landing.domainsponsor.com Port 80

    I poked around on the site and they all seem to be redirects to other sites. I searched for the file delcwssk.zip and found some, but I'd prefer to learn of a 'safe' source rather than invite more trouble.

    FYI: I used an uninfected machine (via Remote Desktop Connection) to try to access the page http://www.safernetworking.org/files/delcwssk.zip.

    Please let me know of a safe location from which I can access this file.

    Thanks,

    John
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  5. JohnKing

    JohnKing TS Rookie Topic Starter

    Post cleaning HijackThis logs

    Hi:

    I've attached the HijackThis logs that resulted after running AVs in Normal Mode (subsequent to the Safe Mode processes).

    I don't think I'm out of the woods yet.

    I'm anxious to know what you think. I really appreciate your time and help.

    Thanks,

    John
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    kpuara.exe
    sp4ssl.exe
    sysiew.exe
    exp.exe
    richup.exe
    vidctrl.exe
    VCMnet11.exe

    Next, In Control Panel/Add/Remove Programs UNinstall "Windows AFA Internet Enhancement" if it exists.

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINNT\system32\kpuara.exe
    C:\WINNT\system32\sp4ssl.exe
    C:\WINNT\system32\sysiew.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.forteds.com/license/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.forteds.com/license/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Forte Design Systems
    ==>> if you use Netscape and want this homepage, OK, otherwise FIX this N1 entry <<==
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://intranet.forteds.com/license/"); (C:\Program Files\Netscape\Users\jking\prefs.js)
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
    O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
    O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
    O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kpuara.exe reg_run
    O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
    O4 - HKLM\..\Run: [02sS37g] sysiew.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chronology.com
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINNT\Temp (except files dated from TODAY).
    Boot normal.

    PS: you could make your system faster by switching off (Disable) the Indexing Service in Control Panel/Admin Tools/Services
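As an added example (not part of this thread, and not HijackThis's own code), the Python script below does over an HJT log the same kind of triage the post above walks through by hand: it parses each entry code (R0/R1, O2, O4, O17), pulls out every .exe/.dll an entry references, flags those whose name is in the list the post says to end and fix, flags the about:blank start/search-page hijack, and marks O17 DNS/domain entries for a human to verify. The sample log lines are constructed from entries quoted in the thread; the mobsync.exe Run entry is a benign decoy added to show that a legitimate line is left alone.

```python
"""Triage a HijackThis (HJT) log against a list of known-bad names.

Added example: not part of the thread and not HijackThis's own code.
SAMPLE_LOG is constructed from entries quoted in the post above, plus
one benign Run entry (mobsync.exe) to show a legitimate line is kept.
"""
import re
from dataclasses import dataclass

# Images the post tells the user to end/fix/delete (indicators from the thread).
KNOWN_BAD = {
    "kpuara.exe", "sp4ssl.exe", "sysiew.exe", "exp.exe", "richup.exe",
    "vidctrl.exe", "vcmnet11.exe", "richedtr.dll",
}

# An HJT entry: section code, " - ", then the body ("O4 - HKLM\..\Run: [x] c:\x.exe").
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A full drive-letter path, or a bare file name, ending in .exe/.dll.
IMAGE_RE = re.compile(r"(?:[A-Za-z]:\\\S+?|\b[\w-]+)\.(?:exe|dll)\b", re.I)


@dataclass(frozen=True)
class Finding:
    code: str       # HJT section code, e.g. "O4"
    severity: str   # "fix": tick it in HJT; "verify": needs a human decision
    reason: str
    line: str


def image_names(body: str) -> list:
    """Lower-cased basenames of every .exe/.dll referenced in one entry, deduplicated."""
    names = []
    for m in IMAGE_RE.finditer(body):
        base = re.split(r"[\\/]", m.group(0))[-1].lower()
        if base not in names:
            names.append(base)
    return names


def triage(log_text: str, iocs=KNOWN_BAD) -> list:
    """Return the findings for every recognised HJT entry in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, header, or something HJT did not emit
        code, body = m.group("code"), m.group("body")
        for name in image_names(body):
            if name in iocs:
                findings.append(Finding(code, "fix", f"known-bad image {name}", line))
        # CoolWebSearch-style hijack: start/search page forced to about:blank.
        if code in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append(Finding(code, "fix", "IE start/search page hijacked to about:blank", line))
        # O17 rewrites DNS/domain settings; only the network owner can say if it is legitimate.
        if code == "O17":
            findings.append(Finding(code, "verify", "TCP/IP domain or DNS override", line))
    return findings


# Constructed sample: entries quoted in the thread plus one benign decoy (mobsync.exe).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.forteds.com/license/index.html
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kpuara.exe reg_run
O4 - HKLM\..\Run: [02sS37g] sysiew.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:3} {f.reason}\n       {f.line}")
```

Note that a bare name on an O4 line (the `[02sS37g] sysiew.exe` entry) is still caught, because the image regex accepts a file name without a path; that is exactly the kind of entry that is easy to overlook when reading a log by eye.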
  7. JohnKing

    JohnKing TS Rookie Topic Starter

    kpuara.exe is very resilient

    Interesting things are happening. What can you tell me about kpuara.exe? I haven't been able to find anything about it on the web.

    I ask because I have deleted it, but it continues to reappear, both as the registry entry and in the C:\WINNT\system32 directory. I cannot figure out where it is coming from. It is being blocked by Microsoft AntiSpyware and I am notified about the blocking.

    I have scanned my machine for any files containing the text 'kpuara' hoping to find it buried in another executable or script file, but no luck. I only found it in log and recovery files for the various spyware killing apps I've been running, and in an 'index.dat' file that is found in an Internet Temporary Files directory. It is in there as part of the URL for various web searches I've conducted looking for some variation of 'kpuara'.

    In addition, the files kpuara.exe and sp4ssl.exe, and the directory 'C:\WINNT\system32\vidctrl' and its contents, NEVER displayed in Explorer even though I have the radio button for 'Show hidden files and folders' selected. When I went to use 'Start > Run > command' to bring up a DOS window, I got the following message box:

    16 bit MS-DOS Subsystem
    C:\WINNT\system32\command.com
    C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    Close Ignore


    so it looks like my 'command.com' file has been replaced. I ran 'Start > Run > cmd' and was able to bring up a DOS window and in there I could find the files using DIR (interestingly, did not need '/ah' flag)

    Makes me concerned about what other files may have been replaced.

    I think this is the last problem on my machine. What do you make of this?

    Thanks very much for your help.

    John
  8. JohnKing

    JohnKing TS Rookie Topic Starter

    I think I'm all set.

    Hi:

    Well, once I realized that I couldn't depend on Explorer to show me hidden files, I also realized that I probably missed deleting items that are to be deleted while going through the

    How to remove Begin2Search / CoolWebSearch

    process, so I started through it all again.

    I found the following:

    winnt\system32\dllhost.exe

    There was also a winnt\system32\dllhst3g.exe with the exact same file size and date/timestamp, so I deep-sixed that as well

    winnt\system32\internat.exe

    HiJackThis found

    c:\documents and settings\all users\startmenu\programs\startup\dica.exe

    and I had HiJackThis 'fix' it and I deleted the file. I didn't find anything about dica.exe on the Internet, and that confuses me, along with not finding anything about kpuara.exe. Seems like there should have been something.

    Regardless, so far, everything looks good.

    Thanks again for the help.

    John
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    The 'command' program is only for real DOS. NT, W2K and XP have long since replaced this with 'cmd', as you found out.
    Windows Explorer is an antique program that should have been replaced a long time ago.
    I've been using Ontrack's PowerDesk (now owned by V-Com, http://www.v-com.com/product/PowerDesk_Pro_Home.html ), which is a superb, enriched replacement for Explorer; it can almost make my coffee as well, it's that versatile.
    This shows every file/dir on your PC that Explorer can/will not.
    Windows Search also does not always show these (hidden) directories and files.

    If you work in HJT and come across a weird-looking program name, copy the filename and do a search in Google with it. If you get only a few hundred or even no finds at all, you can, with 99.99% certainty, be sure it is a baddie.
    I've been working with this HJT stuff for so long now that I recognize uncommon names almost immediately. You still need to look at the spelling of the program name, because some are very cleverly 'camouflaged' with e.g. 2 letters interposed, or an I instead of an l, etc.

    It is still disappointing that the likes of Ad-Aware and Spybot do not catch a lot of these things. And AV programs are not much use there either, particularly the 'bigger' names. Symantec/Norton is one of the worst offenders, but I have expressed my sentiments about their bloatware often enough in this forum already.
    M$ Antispyware does a reasonable job, but it won't be long (I guess) before you will have to pay for that 'privilege'.

    Final thought: there are probably a lot more programs on someone's PC that are suspect; as long as they don't interfere, it's best to not think about them.
    Anyway, glad you got sorted.
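The camouflaged-name heuristic from the last post, as an added example in Python (not the poster's code): it folds the characters routinely swapped for look-alikes (capital I or digit 1 for a lower-case l, digit 0 for o) before lower-casing, and then measures edit distance against a small set of genuine Windows binaries to catch an interposed or dropped letter. KNOWN_GOOD and CONFUSABLES are assumptions chosen for illustration, not a complete inventory; the names fed to scan() at the bottom are constructed test inputs, two of them taken from this thread.

```python
"""Spot file names camouflaged to look like Windows system binaries.

Added example, not the poster's code.  KNOWN_GOOD is a hand-picked
subset of genuine binaries used for illustration, not a full inventory.
"""
from typing import Optional, Tuple

KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "services.exe", "spoolsv.exe", "dllhost.exe", "internat.exe", "rundll32.exe",
}

# Characters routinely swapped for their look-alikes.  Applied BEFORE lower-casing,
# so that a capital I is folded to l (the letter it imitates), not to i.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one interposed, dropped or substituted letter costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(filename: str, known=KNOWN_GOOD) -> Tuple[str, Optional[str]]:
    """Return (verdict, genuine name the file resembles, or None).

    Verdicts: "known", "lookalike-confusable", "lookalike-edit", "unknown".
    An "unknown" name is the case the post describes: search for it, and
    treat few or no hits as a strong sign it is malware.
    """
    raw = filename.lower()
    if raw in known:
        return "known", raw
    folded = filename.translate(CONFUSABLES).lower()
    if folded in known:
        return "lookalike-confusable", folded
    stem, _, ext = raw.rpartition(".")
    for good in sorted(known):  # sorted so the first match is deterministic
        gstem, _, gext = good.rpartition(".")
        if gext == ext and levenshtein(stem, gstem) <= 1:
            return "lookalike-edit", good
    return "unknown", None


def scan(names) -> list:
    """Classify a batch of names, e.g. the images from HJT O4 lines or Task Manager."""
    return [(n,) + classify(n) for n in names]


if __name__ == "__main__":
    # Constructed inputs: two genuine names, three camouflaged ones, two from the thread.
    samples = ["svchost.exe", "svch0st.exe", "Isass.exe", "svchosst.exe",
               "exp1orer.exe", "kpuara.exe", "sp4ssl.exe"]
    for name, verdict, match in scan(samples):
        print(f"{name:14} {verdict:22} {match or '-'}")
```

The edit-distance threshold of 1 is deliberately tight: the false-positive rate climbs fast at 2 because several genuine short names are within two edits of each other, and the names this thread dealt with (kpuara.exe, sp4ssl.exe, sysiew.exe) are not near-misses of anything, so they fall through to "unknown", which is where the search-engine check from the post takes over.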