MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Twaintec & Installer2 - dastardly do-badders
November 14, 2019, 05:05:46 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 14, 2019, 05:05:46 PM

Login with username, password and session length
 Featured Sites:
News
12th Anniversary Celebrating 12 Years! (1997 - 2009) 12th Anniversary
Thanks to ALL that make this site what it is!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: Twaintec & Installer2 - dastardly do-badders  (Read 2825 times)
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« on: August 05, 2004, 06:08:37 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:Windows 98
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:




I have a lot of bad things going on inside my computer. Some program (or virus?) is running in the background of my system and downloading data when I make an internet connection. Something is using my net connection to download stuff onto my PC when I connect to the internet - even without my browser or any application running. Checking my C:/WINDOWS/TEMP directory there are always a number of folders and executable files loaded which continually appear no matter how many times I delete them. These folders are invariably loaded with Installer2, Twaintec and Polmx application software.
Twaintec is particularly troublesome - it leaves an entry in the registry under HK_LOCAL_MACHINE/Software which I delete only for it to reappear every time I system reboot and reconnect to the internet. I scan for adware and spyware with spybot and Noadware but the dastardly data immediately downloads again when I reboot and reconnect.

I don't know how to stop it. Here is the saved log if anyone can help.

Logfile of HijackThis v1.97.7
Scan saved at 17:18:38, on 05/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\TEMP\X.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\SYSTEM\WNKPMQO.EXE
C:\WINDOWS\APPLICATION DATA\RUON.EXE
C:\WINDOWS\SYSTEM\MKGUA.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\WINDOWS\SYSTEM\CMMBDE40.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BROWSER HIJACK BLASTER\BHBLASTER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {37A8170B-E811-2DB5-8753-60550DA62942} - C:\WINDOWS\SYSTEM\OKRNJIF.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [dialuk] C:\WINDOWS\dialuk.exe --start
O4 - HKLM\..\Run: [X] C:\WINDOWS\TEMP\X.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [kbznlvgcosdbu] C:\WINDOWS\SYSTEM\wnkpmqo.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Ruso] C:\WINDOWS\Application Data\ruon.exe
O4 - HKCU\..\Run: [Pfq] C:\WINDOWS\SYSTEM\mkgua.exe
O4 - HKCU\..\Run: [aBqERWipW] CMMBDE40.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: SideFind (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.1689814815
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.pcganes.com/games/pcganes.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?fT=ie&p=5b2f12423f01fa3f255a10cc9af8f7b5d60c0438
ad44fd2a1a760d51c0241936773ca04aab077905855565abe08139a2080b:c7857c068f27d7cc50f91b20c15a3e0e



« Last Edit: August 06, 2004, 04:38:34 AM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #1 on: August 06, 2004, 04:41:47 AM »

I would uninstall NoAdware, reasons why from this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Next, delete your copy of Hijackthis and download the latest version
Do another scan and post a log, you have some issues to take care of
download from
HERE or HERE
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #2 on: August 06, 2004, 08:38:49 AM »

Uninstalled Noadware. Here is the latest scan.

Logfile of HijackThis v1.98.1
Scan saved at 09:33:36, on 06/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\TEMP\X.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\SYSTEM\WNKPMQO.EXE
C:\WINDOWS\APPLICATION DATA\RUON.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\WINDOWS\SYSTEM\MKGUA.EXE
C:\WINDOWS\SYSTEM\CMMBDE40.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROWSER HIJACK BLASTER\BHBLASTER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\LWKGP3SC\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {37A8170B-E811-2DB5-8753-60550DA62942} - C:\WINDOWS\SYSTEM\OKRNJIF.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [dialuk] C:\WINDOWS\dialuk.exe --start
O4 - HKLM\..\Run: [X] C:\WINDOWS\TEMP\X.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [kbznlvgcosdbu] C:\WINDOWS\SYSTEM\wnkpmqo.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Ruso] C:\WINDOWS\Application Data\ruon.exe
O4 - HKCU\..\Run: [Pfq] C:\WINDOWS\SYSTEM\mkgua.exe
O4 - HKCU\..\Run: [aBqERWipW] CMMBDE40.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.pcganes.com/games/pcganes.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?fT=ie&p=5b2f12423f01fa3f255a10
cc9af8f7b5d60c0438ad44fd2a1a760d51c0241936773ca04aab077905855565abe08139a20
80b:c7857c068f27d7cc50f91b20c15a3e0e

shortened 016 entry
« Last Edit: August 07, 2004, 05:48:08 PM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #3 on: August 07, 2004, 01:12:07 AM »

Set Windows to Show Hidden Files and Folders

Navigate to these files and let me know what they are related too
Right click on them, left click properites--version
Could you submit them to Kapersky's for a free virus scan
http://www.kaspersky.com/scanforvirus
Simply use the Browse button to navigate to the file
Right click on it-----Select---Submit

C:\WINDOWS\Application Data\ruon.exe <--this file
C:\WINDOWS\SYSTEM\MKGUA.EXE <--this file
C:\WINDOWS\SYSTEM\CMMBDE40.EXE <--this file
C:\WINDOWS\SYSTEM\wnkpmqo.exe <--this file

Let me know what you find out about them

Next: Download and Install the free version of Ad-Aware
After installation-CHECK FOR UPDATES
Set these additional options for a custom scan
click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

RESTART your computer

Your running hijackthis from your temp directory,
Important---Create a permanent folder hijackthis
EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT ---this is where you will want to save Hijackthis too, also, backups will be stored there.
redownload from
HERE or HERE
We will be emptying your temp. folders later and backups made by hijackthis will be lost.....

I also see no AV running on your computer---I would suggest that you do a free Online virusscan at
Housecall's---set to Autoclean
or Panda's
or we try and get you somewhat clean and get you to download and Install a Free Antivirus--I'll supply a link later
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #4 on: August 07, 2004, 03:44:53 PM »

Executable files ruon, mkgua, cmbde40 are unknowns with no version data tab
in the properties window.

Executable file wnkpmqo is an installation utility for www.callinghome.biz
and is released under the product name "Calling Home". Original file is
"caller.exe". (I do not recognise this URL)

All four files identified as viruses when submitted to Kaspersky's:-
ruon.exe - packed with UPX
ruon.exe - infected by TrojanDownloader.Win32.PurityScan.e
mkgua.exe - infected by TrojanDownloader.Win32.PurityScan.f
cmmbde40.exe - infected by TrojanDownloader.Win32.Apropo.f
wnkpmqo.exe - infected by TrojanDownloader.Win32.Agent.ae

Ad-Aware located 144 bad files which have been eliminated. My PC seems to be
cleaner, especially after using Housecall's online scan which detected
and deleted 4 viruses.

You are quite correct - I don't have a current antivirus solution running
on my PC. Do you know of any free AV software than can keep my PC relatively
virus-free by blocking viruses realtime at point of entry before they
infect?

Is there anything else I need to do to check my PC is clean?

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #5 on: August 07, 2004, 03:49:18 PM »

What did you do with the files?
Could you follow the instructions to create a permanent folder for hijackthis and download the newest version

I forgot to ask you to post a new hijackthis log afterwards...
Could you do that, thanks..
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #6 on: August 07, 2004, 05:09:54 PM »

Here is the latest log.

Logfile of HijackThis v1.98.1
Scan saved at 17:37:20, on 07/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\TEMP\X.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\SYSTEM\WNKPMQO.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [dialuk] C:\WINDOWS\dialuk.exe --start
O4 - HKLM\..\Run: [X] C:\WINDOWS\TEMP\X.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [kbznlvgcosdbu] C:\WINDOWS\SYSTEM\wnkpmqo.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.pcganes.com/games/pcganes.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?fT=ie&p=5b2f12423f01fa3f255
a10cc9af8f7b5d60c0438ad44fd2a1a760d51c0241936773ca04aab077905855565abe08139a2080b:c7857c068f2
7d7cc50f91b20c15a3e0e
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


I have navigated to the files ruon.exe, mkgua.exe and cmmdbe40.exe by following
their pathnames but these objects have been deleted (by either Ad-Aware or
Housecall I presume). The wnkpmqo executable is a little more troublesome and
after checking it still remains in C:\Windows\System. I have tried to delete this
file manually by right clicking and then "delete" but there's an error "Cannot
delete as specified file used by windows".

I have created a permanent folder for HijackThis in "My Documents" as you requested.
« Last Edit: August 07, 2004, 05:49:12 PM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #7 on: August 07, 2004, 05:47:04 PM »

Can you go back to Kapersky's and submit this entry also
C:\WINDOWS\dialuk.exe <--this file

You can fix it if found bad

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O4 - HKLM\..\Run: [X] C:\WINDOWS\TEMP\X.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [kbznlvgcosdbu] C:\WINDOWS\SYSTEM\wnkpmqo.exe

O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.pcganes.com/games/pcganes.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?fT=ie&p=5b2f12423f01fa3f255a
10cc9af8f7b5d60c0438ad44fd2a1a760d51c0241936773ca04aab077905855565abe08139a2
080b:c7857c068f27d7cc50f91b20c15a3e0e

RESTART your computer in Safe Mode

Find and delete these files or folders if they exist
C:\WINDOWS\SYSTEM\wnkpmqo.exe <--this file
C:\WINDOWS\TEMP\X.EXE <--this file or delete the whole contents of the temp folder

C:\PROGRAM FILES\WINDUPDATES <--this folder

Restart your computer and post back a fresh hijackthis log
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #8 on: August 07, 2004, 08:39:32 PM »

Here is the latest log.

Logfile of HijackThis v1.98.1
Scan saved at 21:31:45, on 07/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [dialuk] C:\WINDOWS\dialuk.exe --start
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


After a system reboot the executables twaintec, alchem and installer2
downloaded into C:\Temp and also C:\Program Files\Temp once again. I have deleted the whole contents of C:Program Files\Temp folder.

the executable dialuk does not exist with the pathname and could not be located using Find Files.
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #9 on: August 07, 2004, 08:51:02 PM »

Access your add/Remove programs and Remove TwainTech if it exists

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O4 - HKLM\..\Run: [dialuk] C:\WINDOWS\dialuk.exe --start
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

RESTART in safe mode
Empty the Temp Folder and Temporary Internet Files folder

Delete these
 C:\PROGRAM FILES\WINDUPDATES <--this folder
C:\WINDOWS\ALCHEM.exe <--this file
C:\WINDOWS\2_0_1browserhelper2.dll <--this file
C:\WINDOWS\TWAINTEC.DLL <--this file

Do another scan with Ad-Aware in safe mode
Restart in safe mode and post back a fresh hijackthis log
 
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #10 on: August 07, 2004, 10:54:50 PM »

Twaintec not accessible in add/remove programs. Windupdates was so took the initiative to remove it. Emptied contents of Temp and Temporary Internet Files folders in safe mode and deleted files indicated - however, Windupdates could not be found by navigation or search. Ok to use Ad-Aware and hijackthis in safe mode but cannot make an internet connection in safe mode so had to switch to normal mode to post current log. Here it is.

Logfile of HijackThis v1.98.1
Scan saved at 23:37:20, on 07/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #11 on: August 08, 2004, 02:04:37 AM »

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE

RESTART your computer

You should install these 2 apps., they add extra security while
silently protecting you without running in the background
 
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
http://www.bleepingcomputer.com/forums/index.php?showtutorial=53

With both---Check for updates every couple of weeks

READ THIS
How did I get Infected
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #12 on: August 08, 2004, 11:12:39 AM »

My PC seems healthier and cleaner. The twaintec/alchem/installer2 viruses have not updated. I'm wiser and better informed as to whats really going on inside my PC. However, I have a few questions.

1. Does SpywareBlaster need to be opened everytime I reboot?
2. Is it worthwhile downloading and installing SpywareGuard for extra protection?
3. I'm seriously contemplating switching my browser to Mozilla/Firefox as the security risks associated with IE seem just too easy to exploit by hijackers. Is this a good thing and do I need to maintain IE-Spyad if I choose to do so?
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #13 on: August 08, 2004, 03:10:10 PM »

You can try SpywareGuard, I don't use it but it comes highly recommended
It's a realtime scanner, running in the background, somewhat like a virus scanner

Spywareblaster-----check for updates every couple of weeks
If there is an update----download---enable all protection
This just adds reg entries....
you can look in your Internet options under security---restricted zones
and privacy--edit
for entries it adds....

IE-Spyad--again check for updates every couple of weeks
Use this link https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
You can see at the top of the page
Last Updated: Aug 8 '04
If there is an update--scroll down to

Download:
IE-SPYAD.EXE


Download the update to desktop
NEXT---Go to the IE-Spyad directory
C:\ie-spyad
Double click on ie-ads-uninst follow the prompts
This will remove the entries in the registry
Go back to desktop where you saved the download IE-Spyad.exe
Double click and allow to overwrite the entries in the IE-spyad folder
Go back to the ie-spyad folder
Double click on ie-ads follow the prompts
This adds the entries back into the registry

What this does is adds entries to your restricted zones
Both of these don't run in the background
SpywareBlaster only needs opened when your checking for updates
IE-Spyad only needs opened when the website has an update
Logged

 
PrinceRoc
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 21


Bookmark and Share

View Profile
« Reply #14 on: August 08, 2004, 05:02:47 PM »

I'm running SpywareBlaster, SpywareGuard and IE-Spyad. Updating seems relatively straightforward.

Thanks for your assistance with this infection. Your help is greatly appreciated.

Cheers!
Logged

 
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page September 04, 2018, 09:03:09 PM