  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to texasmad Re: Had bad problems with Virus
Hello texasmad,
We are trying to help, but we need for you to give us more information. From your description it is like trying to diagnose a car engine problem from the description of a sound it makes.
Did you save the logs from scans as requested and can you post them here?
Ewido Security Scan log? Panda Active Scan log? Notes taken of anything Trend Micro found? -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2005 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs: | Sure, give me a few minutes, I am trying a Panda scan right now. |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| Here is a report from installed antivirus I am running. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Thanks. A log is much easier to deal with than a screen shot as the screenshot doesn't give us the full path. But it looks like those things found by your AV can be cleared by cleaning out your TIF folder, cache and other things.
The Panda report will tell us more. Be sure to "save log" at the end and give us the text from that log. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2005 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  foxsteve Premium join:2001-12-28 Campbell, CA 1 edit | reply to texasmad Can you show column #4, but in full, from that report? What are file names? When these files were created? |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| reply to texasmad Log File ViRobot
------------------------------------------------------------
Virus name | Scan Type | Date | Path | Status
------------------------------------------------------------
Trojan.Win32.Downloader.10240 | Monitoring | 9/25/2005 3:50:21 PM | C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5\GDUNOD2V\istrecover[1].exe | Deleted
Trojan.Win32.Downloader.10240 | Monitoring | 9/25/2005 3:50:21 PM | C:\DOCUME~1\Mitch\LOCALS~1\Temp\etmugvnr.exe | Deleted
Trojan.Win32.Dyfuca.52104.C | Monitoring | 9/25/2005 3:50:25 PM | C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5\IQULHHOY\optimize[1].exe | Deleted
Trojan.Win32.Dyfuca.52104.C | Monitoring | 9/25/2005 3:50:25 PM | C:\DOCUME~1\Mitch\LOCALS~1\Temp\optimize.exe | Deleted
Trojan.Win32.Downloader.75912 | Monitoring | 9/25/2005 3:50:25 PM | C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5\FJLPH1DU\stubinstaller5041[1].ex_ | Deleted
Trojan.Win32.Downloader.75912 | Monitoring | 9/25/2005 3:50:25 PM | C:\DOCUME~1\Mitch\LOCALS~1\Temp\sais.exe | Deleted
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (Dummy.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (GetAccess.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (InsecureClassLoader.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (Installer.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (Dummy.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (GetAccess.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (InsecureClassLoader.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/25/2005 4:08:43 PM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (Installer.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:18 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (Dummy.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (GetAccess.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (InsecureClassLoader.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-414e4909-65e62cf0.zip (Installer.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (Dummy.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (GetAccess.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (InsecureClassLoader.class) | Repair after decompression
Java.Bytverify | [The Shield AntiVirus 2005] | 9/29/2005 8:11:19 AM | C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-70d7f4b6-1e38664f.zip (Installer.class) | Repair after decompression
|
|
  foxsteve Premium join:2001-12-28 Campbell, CA
1 edit | As I see, your computer is getting some infected files into three locations.
C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5\*\*.exe
C:\DOCUME~1\Mitch\LOCALS~1\Temp\*.exe
C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-*.zip (*)
1. For monitoring these locations you should have administrator rights. Download FileMon from www.sysinternals.com and install it.
2. Call the filemon.exe file, insert the filter, as one string!, into the "Include" window and click "OK".
3. Your FileMon Filter is one string:
C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5\*\*.exe;C:\DOCUME~1\Mitch\LOCALS~1\Temp\*.exe;C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-*.zip
This line is inserted as here. Although the appearance of the "Include" window is small, it can accommodate an affair.
4. Work with your computer until FileMon "catches" any alert.
5. Copy the log and send it here for further help.
Notice. Probably, the " (*)" fragment in the third path is extra and I deleted it from the FileMon Filter. Check and add it to the filter, if needed. |
|
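The three locations foxsteve lists were read off the ViRobot log by eye. The script below is an added example (not code from the thread, from ViRobot or from Sysinternals) that does the same triage automatically: it parses the detection rows, collapses each path into a directory pattern of the kind a file monitor filter would use, counts hits per location, and lists which members of a cached Java archive were flagged. The sample rows are a constructed, tab-separated rendering of entries from the log above; the real log's column separator is not visible on the page, so the tab layout is an assumption.

```python
"""Group antivirus detections by the directory they landed in.

Added example, not code from the thread or from ViRobot. SAMPLE_LOG is a
constructed, tab-separated rendering of rows from the ViRobot log posted
above; the tab layout is an assumption about the real file.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from typing import NamedTuple


class Detection(NamedTuple):
    name: str        # detection name, e.g. Trojan.Win32.Downloader.10240
    scan_type: str   # "Monitoring" (on-access) or the on-demand scanner label
    when: str        # timestamp as written in the log
    path: str        # file path with any " (member)" archive suffix removed
    member: str      # archive member such as "Dummy.class", or "" for plain files
    status: str      # "Deleted", "Repair after decompression", ...


JAR_DIR = r"C:\Documents and Settings\Mitch\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar"
IE_DIR = r"C:\Documents and Settings\Mitch\Local Settings\Temporary Internet Files\Content.IE5"

# Constructed sample (assumption: tab-separated columns, header row as in the log).
SAMPLE_LOG = "\n".join("\t".join(cols) for cols in [
    ("Virus name", "Scan Type", "Date", "Path", "Status"),
    ("Trojan.Win32.Downloader.10240", "Monitoring", "9/25/2005 3:50:21 PM", IE_DIR + r"\GDUNOD2V\istrecover[1].exe", "Deleted"),
    ("Trojan.Win32.Downloader.10240", "Monitoring", "9/25/2005 3:50:21 PM", r"C:\DOCUME~1\Mitch\LOCALS~1\Temp\etmugvnr.exe", "Deleted"),
    ("Trojan.Win32.Dyfuca.52104.C", "Monitoring", "9/25/2005 3:50:25 PM", IE_DIR + r"\IQULHHOY\optimize[1].exe", "Deleted"),
    ("Trojan.Win32.Dyfuca.52104.C", "Monitoring", "9/25/2005 3:50:25 PM", r"C:\DOCUME~1\Mitch\LOCALS~1\Temp\optimize.exe", "Deleted"),
    ("Trojan.Win32.Downloader.75912", "Monitoring", "9/25/2005 3:50:25 PM", IE_DIR + r"\FJLPH1DU\stubinstaller5041[1].ex_", "Deleted"),
    ("Trojan.Win32.Downloader.75912", "Monitoring", "9/25/2005 3:50:25 PM", r"C:\DOCUME~1\Mitch\LOCALS~1\Temp\sais.exe", "Deleted"),
    ("Java.Bytverify", "[The Shield AntiVirus 2005]", "9/25/2005 4:08:43 PM", JAR_DIR + r"\classload.jar-414e4909-65e62cf0.zip (Dummy.class)", "Repair after decompression"),
    ("Java.Bytverify", "[The Shield AntiVirus 2005]", "9/25/2005 4:08:43 PM", JAR_DIR + r"\classload.jar-414e4909-65e62cf0.zip (GetAccess.class)", "Repair after decompression"),
    ("Java.Bytverify", "[The Shield AntiVirus 2005]", "9/25/2005 4:08:43 PM", JAR_DIR + r"\classload.jar-70d7f4b6-1e38664f.zip (Installer.class)", "Repair after decompression"),
])

MEMBER_RE = re.compile(r"^(?P<path>.+?) \((?P<member>[^()]+)\)$")   # "<archive> (<member>)"
IE_CACHE_SUBDIR_RE = re.compile(r"^[A-Z0-9]{8}$")                    # random Content.IE5 subfolder


def parse_log(text: str) -> list[Detection]:
    """Parse the five-column log into Detection records, skipping header and rule lines."""
    rows: list[Detection] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("-") or line.startswith("Virus name"):
            continue
        cols = line.split("\t")
        if len(cols) != 5:
            raise ValueError(f"expected 5 tab-separated columns: {line!r}")
        name, scan_type, when, path, status = cols
        member = ""
        m = MEMBER_RE.match(path)
        if m:
            path, member = m.group("path"), m.group("member")
        rows.append(Detection(name, scan_type, when, path, member, status))
    return rows


def location_pattern(path: str) -> str:
    """Collapse a detected file path into a directory pattern: the random IE cache
    subfolder becomes '*', the file name becomes '*' plus its extension."""
    parts = path.split("\\")
    directory, filename = parts[:-1], parts[-1]
    if (len(directory) >= 2 and directory[-2] == "Content.IE5"
            and IE_CACHE_SUBDIR_RE.match(directory[-1])):
        directory[-1] = "*"
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return "\\".join(directory + ["*" + ext])


def staging_locations(rows: list[Detection]) -> dict[str, int]:
    """Count detections per collapsed location pattern."""
    return dict(Counter(location_pattern(r.path) for r in rows))


def archive_members(rows: list[Detection]) -> dict[str, list[str]]:
    """Map each flagged archive (here: cached Java jars) to the members detected in it."""
    members: dict[str, list[str]] = defaultdict(list)
    for r in rows:
        if r.member:
            members[r.path].append(r.member)
    return dict(members)


if __name__ == "__main__":
    detections = parse_log(SAMPLE_LOG)
    for pattern, count in sorted(staging_locations(detections).items()):
        print(f"{count:3d}  {pattern}")
    for archive, names in archive_members(detections).items():
        print(f"{archive}: {', '.join(names)}")
```

The patterns the script produces for the sample are the same three directories foxsteve named (the IE cache folder appears twice because one sample is a .ex_ rather than a .exe), and the paired timestamps in the Temp and cache rows show the same downloader being written to both places within the same second.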
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| I tried this but nothing has been logged, but since then I have figured out what it is but don't know how to get rid of it. It's something called APRPS and I have removed it from my registry a dozen times but it just shows back up within seconds. I have run all my scans in safe mode and they find this and get rid of it, but as soon as I boot back into normal running mode it's back. It's driving me crazy now. |
|
 garys_2k
join:2004-05-07 Farmington, MI | reply to texasmad Run the Panda scan and post the real log here, please. |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| reply to texasmad Can't run Panda scan for some reason, it starts running and then will freeze. I have tried rebooting and running it again and it does the same thing. I run the Shield Antivirus on my computer but it does not pick this up, I found it with Spyware Nuker. |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
1 edit | reply to texasmad I just ran SSI, which is a program designed to help find and get rid of programs such as this, and it came up with the following running process that it cannot identify: mllvclnt.dll. I researched this on the web and came up empty handed also. I know this is turning into a marathon post, but if this happens to someone else I hope to be able to help them, since this does not appear to be as simple as "run a trojan or anti-virus program" to fix. I did see some other threads on a couple of different forums where a few other people were going through the same frustration. If you want to read more on SSI here is a link to it: www.spywaredata.com/ |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to texasmad
said by texasmad: "It's something called APRPS and I have removed it from my registry a dozen times but it just shows back up within seconds."
Ah yes. Aprps... Ok, this is a new version of Apropos Adware that is being studied by Spyware researchers now to get a fix, and is still being tested to be sure it is safe before final release. It is very difficult to remove due to some very clever tricks. Some versions have had success with removal using Ewido Security Suite (free trial) with updates in Safe mode. Have you tried that yet? -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2005 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to texasmad
said by texasmad: "I tried this but nothing has been logged, but since then I have figured out what it is but don't know how to get rid of it. It's something called APRPS and I have removed it from my registry a dozen times but it just shows back up within seconds. I have run all my scans in safe mode and they find this and get rid of it, but as soon as I boot back into normal running mode it's back. It's driving me crazy now."
There are over 40 variants of this malware :-( -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| reply to CalamityJane Yes, I gave that a shot, but when booting back up to Windows in normal mode it would blue screen and have a memory dump, then reboot and bam, there it would be in the registry again. The really funny thing is when I look for spyware removal tools or virus info it actually gives me spyware removal pop-ups. So I guess it has suicidal tendencies..lol |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | Ok, was worth a try. I've asked for some expert help to look in here to see if they can help with a manual removal. This thing likes to hide processes and files. |
|
  miekiemoes Premium join:2005-07-19
| reply to texasmad Hi,
Download Registry Search and unzip it to its own folder.
Reboot in Safe Mode!! This is really important, otherwise it won't show us what we search for!!
In safe mode, open the Regsearch folder and double-click Regsearch.exe. Enter "adchannel" in the edit box and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well).
Reboot back to normal mode and post this text. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| The cavalry has arrived. Thanks for helping here, miekiemoes You're in expert hands now, Texas  |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs:
| reply to texasmad Here is what it came up with on the log. By the way thanks so much in advance!
REGEDIT4
; Registry Search by Bobbi Flekman
; Version: 1.0.2.1
; Results at 10/8/2005 5:00:51 PM for strings:
; 'adchannel'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\CuXeEAv5MN25] "ServerAddress"="adchannel.contextplus.net"
[HKEY_LOCAL_MACHINE\SOFTWARE\CuXeEAv5MN25] "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
[HKEY_USERS\S-1-5-21-796845957-920026266-839522115-1003\Software\CuXeEAv5MN25\Cookies\Data\net\contextplus\adchannel.contextplus.net/services]
[HKEY_USERS\S-1-5-21-796845957-920026266-839522115-1003\Software\CuXeEAv5MN25\Cookies\Data\net\contextplus\adchannel.contextplus.net/services] "freq_caps4"="MSCF;freq_caps4;1zRIQzTUR0PXNEhDGUBIQyIAAABYFQAAAAAAAAIAAAC9LUdD8C1HQw4YAAABAAAAAAAAAIIaAAAAAAAAAQ AAALMfR0ODGgAAAAAAAAEAAADjH0dDJxwAAAAAAAABAAAAhypHQzocAAAAAAAAAQAAABwAR0NBHAAAAAAA AAEAAACTPEdDURwAAAAAAAABAAAAmv1GQ3kcAAAAAAAAAQAAABPgRUOLHAAAAQAAAAAAAAAaHQAAAAAAAA IAAACAH0dD8t1HQx0dAAAAAAAAAgAAACE/R0OPQ0dDNR0AAAEAAAAAAAAAdh0AAAAAAAABAAAANOFFQ40dAAABAAAAAAAAAJkdAAAAAAAAAQAAANTfRU PUHQAAAAAAAAEAAAB0EkVD3B0AAAAAAAABAAAA7j5HQ+0dAAAAAAAAAgAAACYmP0MsqEZD7h0AAAAAAAABAAAAJiY/Q+8dAAAAAAAAAQAAACyoRkMaHgAAAQAAAAAAAAAeHgAAAAAAAAEAAAAqPEdDIR4AAAEAAAAAAAAAQx4AAAAA AAABAAAA/vhGQ0ceAAAAAAAAAQAAAPFqRkNLHgAAAAAAAAEAAACeHUFDYB4AAAAAAAABAAAAAhNAQ40eAAABAAAAAAA AAJUeAAABAAAAAAAAANUeAAAAAAAAAQAAALD4RkPdHgAAAQAAAAAAAAD8HgAAAAAAAAEAAAA01EdD/R4AAAAAAAABAAAANCNBQy9VRPw|||||;967242368;30107242;adchannel.contextplus.net;/services;0;{NULL};"
; End Of The Log... |
|
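What makes the Registry Search output above useful is not the random key name but the network indicator it points at: the ServerAddress value, the LegalNote URL and the cookie key all reference the same host. The script below is an added example (not code from the thread, from Registry Search or from regedit) that parses a REGEDIT4 export, accepting both the one-line "[key] "name"="data"" layout Registry Search writes and the standard .reg layout where values follow their key on separate lines, and maps each hostname found in key paths, value names or data back to the registry keys that reference it. That gives a defender a blocklist candidate and the list of keys to inspect in one pass. The sample export is a constructed, shortened version of the log posted above: the long freq_caps4 blob is replaced by a placeholder.

```python
"""Pull network indicators out of a REGEDIT4 export.

Added example, not code from the thread, from Registry Search or from regedit.
SAMPLE_EXPORT is a constructed, shortened version of the Registry Search output
posted above (the freq_caps4 blob is replaced by "BLOB-PLACEHOLDER").
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple, Optional
from urllib.parse import urlsplit


class RegEntry(NamedTuple):
    key: str
    name: Optional[str]   # None for a bare key line
    data: Optional[str]   # decoded string data, or the raw text for non-string types


SAMPLE_EXPORT = r'''REGEDIT4
; Registry Search by Bobbi Flekman
; Results for strings:
; 'adchannel'
[HKEY_LOCAL_MACHINE\SOFTWARE\CuXeEAv5MN25] "ServerAddress"="adchannel.contextplus.net"
[HKEY_LOCAL_MACHINE\SOFTWARE\CuXeEAv5MN25] "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
[HKEY_USERS\S-1-5-21-796845957-920026266-839522115-1003\Software\CuXeEAv5MN25\Cookies\Data\net\contextplus\adchannel.contextplus.net/services]
[HKEY_USERS\S-1-5-21-796845957-920026266-839522115-1003\Software\CuXeEAv5MN25\Cookies\Data\net\contextplus\adchannel.contextplus.net/services] "freq_caps4"="MSCF;freq_caps4;BLOB-PLACEHOLDER;967242368;30107242;adchannel.contextplus.net;/services;0;{NULL};"
; End Of The Log...
'''

KEY_LINE_RE = re.compile(r'^\[(?P<key>[^\]]+)\](?:\s+(?P<rest>".*))?\s*$')
VALUE_LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)
# Bare host.tld tokens; the lookarounds keep it from firing on path segments like "/nonbranded.html".
HOST_RE = re.compile(r'(?<![\w/.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])', re.IGNORECASE)


def _decode(data: str) -> str:
    """Decode a REGEDIT4 string value ("..." with \\ and \" escapes); other types are returned raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return data


def parse_regedit4(text: str) -> list[RegEntry]:
    """Parse key and value lines; comments and the REGEDIT4 / Registry Editor header are skipped."""
    entries: list[RegEntry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        upper = line.upper()
        if not line or line.startswith(";") or upper.startswith("REGEDIT") or upper.startswith("WINDOWS REGISTRY EDITOR"):
            continue
        km = KEY_LINE_RE.match(line)
        if km:
            current = km.group("key")
            rest = km.group("rest")
            if rest is None:            # bare "[key]" line
                entries.append(RegEntry(current, None, None))
                continue
            line = rest                 # Registry Search puts the value on the same line
        vm = VALUE_LINE_RE.match(line)
        if vm and current is not None:
            entries.append(RegEntry(current, vm.group("name"), _decode(vm.group("data"))))
    return entries


def hostnames(text: str) -> set[str]:
    """Hostnames in a string: URLs are parsed properly, bare host.tld tokens are matched by regex."""
    found: set[str] = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            found.add(host.lower())
    remainder = URL_RE.sub(" ", text)   # don't re-scan URL paths as if they were hosts
    found.update(h.lower() for h in HOST_RE.findall(remainder))
    return found


def indicators(entries: list[RegEntry]) -> dict[str, set[str]]:
    """Map each hostname to the registry keys whose path, value name or data reference it."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        text = " ".join(part for part in (e.key, e.name, e.data) if part)
        for host in hostnames(text):
            by_host[host].add(e.key)
    return dict(by_host)


if __name__ == "__main__":
    for host, keys in indicators(parse_regedit4(SAMPLE_EXPORT)).items():
        print(host)
        for key in sorted(keys):
            print("   ", key)
```

Run against the sample it reports a single host, adchannel.contextplus.net, referenced from both the HKEY_LOCAL_MACHINE key and the per-user cookie key; the LegalNote URL's "/legal-note/nonbranded.html" path is correctly not reported as a host.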
  miekiemoes Premium join:2005-07-19
| reply to texasmad Okay..
Boot again in safe mode Important!!
In safe mode, go to start > run and copy and paste next command in the field:
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CuXeEAv5MN25"
Reboot back to normal mode and copy and paste the contents of look.txt, which you will find on your C:\ |
|
  texasmad
join:2001-08-13 San Angelo, TX clubs: | reply to texasmad I tried and it came back and said Windows could not open the file so could not export it. |
|