Privacy Scanner / Yield Manager and other malware on my machine

Status
Not open for further replies.

JohnKing

Hi:

Well, they finally got me, and good. I've got popups and popunders all over the place.

Not sure how to proceed. From other posts here, it looks like the log from a HiJackThis program is the place to start, so I've attached mine. I tried to include it in the body of the email, but apparently it has too many characters.

Thanks for your help.

John
 

Attachments

  • hijackthis.txt (11.4 KB)
Hi:

Thanks. Yes, it's as if all the years I've successfully avoided this problem have been made up for in the last 24 hours.

I've finished most of the steps and I'm in fairly good shape. However, if I try and go to

http://www.safernetworking.org/files/delcwssk.zip

I get:

The page is not found

The requested URL /files/delcwssk.zip was not found on this server.
Apache/1.3.27 Server at landing.domainsponsor.com Port 80

I poked around on the site and they all seem to be redirects to other sites. I searched for the file delcwssk.zip and found some, but I'd prefer to learn of a 'safe' source rather than invite more trouble.

FYI: I used an uninfected machine (via Remote Desktop Connection) to try to access the page http://www.safernetworking.org/files/delcwssk.zip.

Please let me know of a safe location from which I can access this file.

Thanks,

John
 
Post cleaning HijackThis logs

Hi:

I've attached the Hijackthis logs that resulted after running AVs in Normal Mode (subsequent to the Safe Mode processes).

I don't think I'm out of the woods yet.

I'm anxious to know what you think. I really appreciate your time and help.

Thanks,

John
 
Boot in Safe Mode.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

kpuara.exe
sp4ssl.exe
sysiew.exe
exp.exe
richup.exe
vidctrl.exe
VCMnet11.exe

Next, in Control Panel/Add/Remove Programs UNinstall "Windows AFA Internet Enhancement" if it exists.

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINNT\system32\kpuara.exe
C:\WINNT\system32\sp4ssl.exe
C:\WINNT\system32\sysiew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.forteds.com/license/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.forteds.com/license/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Forte Design Systems
==>> if you use Netscape and want this homepage, OK, otherwise FIX this N1 entry <<==
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://intranet.forteds.com/license/"); (C:\Program Files\Netscape\Users\jking\prefs.js)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\system32\richedtr.dll
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\system32\richup.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kpuara.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [02sS37g] sysiew.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EE0AA4F-79EC-4BD1-A094-EDE31147A61C}: NameServer = 172.16.2.5,172.16.2.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chronology.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chronology.com
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINNT\Temp (except files dated from TODAY).
Boot normal.

PS: you could make your system faster by switching off (Disable) the Indexing Service in Control Panel/Admin Tools/Services
 
kpuara.exe is very resilient

Interesting things are happening. What can you tell me about kpuara.exe? I haven't been able to find anything about it on the web.

I ask because I have deleted it, but it continues to reappear, both as the registry entry and in the C:\WINNT\system32 directory. I cannot figure out where it is coming from. It is being blocked by Microsoft AntiSpyware and I am notified about the blocking.

I have scanned my machine for any files containing the text 'kpuara' hoping to find it buried in another executable or script file, but no luck. I only found it in log and recovery files for the various spyware killing apps I've been running, and in an 'index.dat' file that is found in an Internet Temporary Files directory. It is in there as part of the URL for various web searches I've conducted looking for some variation of 'kpuara'.

In addition, the files kpuara.exe and sp4ssl.exe, and the directory 'C:\WINNT\system32\vidctrl' and its contents, NEVER displayed in Explorer even though I have the radio button for 'Show hidden files and folders' selected. When I went to use 'Start > Run > command' to bring up a DOS window, I got the following message box:

16 bit MS-DOS Subsystem
C:\WINNT\system32\command.com
C:\WINNT\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

Close Ignore


so it looks like my 'command.com' file has been replaced. I ran 'Start > Run > cmd' and was able to bring up a DOS window, and in there I could find the files using DIR (interestingly, I did not need the '/ah' flag).

Makes me concerned about what other files may have been replaced.

I think this is the last problem on my machine. What do you make of this?

Thanks very much for your help.

John
 
I think I'm all set.

Hi:

Well, once I realized that I couldn't depend on Explorer to show me hidden files, I also realized that I probably missed deleting items that are to be deleted while going through the

How to remove Begin2Search / CoolWebSearch

process, so I started through it all again.

I found the following:

winnt\system32\dllhost.exe

There was also a winnt\system32\dllhst3g.exe with the exact same file size and date/timestamp, so I deep-sixed that as well.

winnt\system32\internat.exe

HiJackThis found

c:\documents and settings\all users\startmenu\programs\startup\dica.exe

and I had HiJackThis 'fix' it and I deleted the file. I didn't find anything about dica.exe on the Internet, and that confuses me, along with not finding anything about kpuara.exe. Seems like there should have been something.

Regardless, so far, everything looks good.

Thanks again for the help.

John
 
The 'command' program is only for real DOS. NT, W2K and XP have long since replaced this with 'cmd' as you found out.
Windows Explorer is an antique program that should have been replaced a long time ago.
I've been using Ontrack's Powerdesk (now owned by V-Com, http://www.v-com.com/product/PowerDesk_Pro_Home.html ) which is a superb, enriched replacement for Explorer, which can almost make my coffee as well, it's that versatile.
This shows every file/dir on your PC that Explorer can/will not.
Windows Search also does not always show these (hidden) directories and files.

If you work in HJT and come across a weird-looking program name, copy the filename and do a search in Google with it. If you get only a few hundred or even no finds at all, you can, with 99.99% certainty, be sure it is a baddie.
I've been working with this HJT stuff for so long now that I recognize uncommon names almost immediately. You still need to look at the spelling of the program name, because some are very cleverly 'camouflaged' with e.g. 2 letters interposed, or an I instead of an l etc.

It is still disappointing that the likes of Adaware and Spybot do not catch a lot of these things. And AV programs are not much use there either, particularly the 'bigger' names. Symantec/Norton is one of the worst offenders, but I have expressed my sentiments about their bloatware often enough in this forum already.
M$ Antispyware does a reasonable job, but it won't be long (I guess) before you will have to pay for that 'privilege'.

Final thought: there are probably a lot more programs on someone's PC that are suspect; as long as they don't interfere, it's best not to think about them.
Anyway, glad you got sorted.
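The advice above about looking up unfamiliar autostart names and watching for camouflaged spellings, together with the O4 entries in the earlier HJT fix list, can be turned into a small triage script. The following Python is an added example and not code from this thread or from HijackThis; the allow-list, the 0.9 similarity threshold, the two made-up names svchhost.exe and exp1orer.exe, and the function names are all my own assumptions.

```python
import difflib
import re

# Constructed sample modelled on the O4 entries quoted in this thread, plus two made-up
# look-alike names (svchhost.exe, exp1orer.exe) and one genuine explorer.exe; not a real log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINNT\\system32\\kpuara.exe reg_run
O4 - HKLM\\..\\Run: [02sS37g] sysiew.exe
O4 - HKLM\\..\\Run: [exp.exe] C:\\WINNT\\system32\\exp.exe
O4 - HKLM\\..\\Run: [svchhost] C:\\WINNT\\system32\\svchhost.exe
O4 - HKLM\\..\\Run: [Explorer] C:\\WINNT\\exp1orer.exe
O4 - HKLM\\..\\Run: [Shell] C:\\WINNT\\explorer.exe
"""

# Assumption: a tiny allow-list of genuine Windows binaries; a real one comes from a clean reference machine.
KNOWN_GOOD = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
# Digits commonly swapped in for letters in camouflaged names (I-for-l is folded separately below).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(line):
    # Split one O4 autostart entry into hive, value name and executable; None for other HJT lines.
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = m.group("cmd").split()[0]  # first token (paths with spaces would need quote handling)
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe,
            "basename": exe.rsplit("\\", 1)[-1].lower()}

def camouflage_reason(basename):
    # For a name that is NOT in KNOWN_GOOD: explain why it resembles a system binary, else None.
    folded = basename.translate(LOOKALIKES).replace("i", "l")  # 1/I for l, 0 for o, 5 for s ...
    for good in KNOWN_GOOD:
        if folded == good.replace("i", "l"):
            return f"look-alike characters for {good}"
        if difflib.SequenceMatcher(None, basename, good).ratio() >= 0.9:  # e.g. one letter interposed
            return f"one or two characters off from {good}"
    return None

def triage(log_text):
    # Return (value name, exe, reason) for every O4 entry that deserves a second look.
    findings = []
    for entry in filter(None, map(parse_o4, log_text.splitlines())):
        if entry["basename"] in KNOWN_GOOD:
            continue
        reason = camouflage_reason(entry["basename"]) or (
            "bare filename, resolved through PATH" if "\\" not in entry["exe"]
            else "unfamiliar name, look it up before trusting it")
        findings.append((entry["name"], entry["exe"], reason))
    return findings
```

Running `triage(SAMPLE_LOG)` lists five entries: the genuine explorer.exe line is skipped, sysiew.exe is flagged for having no path, and the two made-up names are flagged as look-alikes of explorer.exe and svchost.exe.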
 