Yuckware continued - searchmeup still there

Reply Sat 8 May, 2004 07:19 am
I went through the whole procedure in timberlandko's 611538, disabled Restore, twaintec was not listed in control panel>programs but it was in C:\windows and \lastgood, regsvr32 succeeded in dealing with it but had to rename twaintec.dll to .old then delete, weird multiplying copies in RECYCLERS but deleted all eventually. No sign of xtarget. Checked Windows Update for XP and IE but none listed.
Stinger downloaded and run, it eventually stopped with a message saying nnnnn clean files, so presumed it found nothing dirty.
Own AVG is eTrust EZ, with auto update but forced an update and scanned everything, nothing found.
Downloaded delcwssk.zip and ran miniremoval program, got almost immediate ambiguous message that "xxxxx v1/v2 has not been found on your system" which came so fast that I thought it was reporting an installation problem, five more downloads in different forms gave same result so had to assume it had run successfully and was reporting a clean system. Ran cwshredder, which seemed to give a clear report.
In SAFE mode, ran Spybot and Adaware with a short problem list (Spybot had one reference to VX2/f connected to Twaintec), told to fix, emptied bin, defragged all drives, opened IE reset (General?) Security and Privacy to defaults, ran HijackThis and it fixed four items referenced XXXToolbar, IPBill, Dialler (log appended below).
Home page is still being hijacked in the User 'Chris Ltd' and internet connection being reset to a proxy like 127.0.0.1. All clean up was done in Administrator, ran SpyBot again but from inside User, found references to WWWCoolmaster, fixed them, IE started clean first time but reverted to hijack home page and proxy setting, checked and found four new Twaintec files (.inf .dll .ini .cab) in the User Local Files\Temp folder, none in registry, deleted.
Ran Spybot again, clean, but still hijacked.
Searched Internet for more advice (Pest Patrol said it was caused by nvidia32.exe but this does not exist on my system). Picked up later posting that "Windows Search" was in his Uninstall Programs list, not on mine.
Stuck now, any further ideas anyone?

HIJACK THIS LOG:
Logfile of HijackThis v1.97.7
Scan saved at 18:31:26, on 07/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
D:\Program Files\RFA\rfagent.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Downloads\Cleaning kit\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [RFAgent] D:\Program Files\RFA\rfagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/060160uk.exe
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download4.dialerconnection.com/download/dialer/cax.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games4.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3593402778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
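The indicators the thread ends up relying on (a ProxyServer entry pointing at 127.0.0.1, Run entries that launch an executable sitting directly in C:\WINDOWS, IE policy restrictions in a user hive, and ActiveX downloads from unfamiliar hosts) can be checked mechanically rather than by eye. The PowerShell below is an added example, not code from the thread or from HijackThis; the sample log is constructed from lines that appear in the posted logs, and the allow list of ActiveX download hosts is an assumption you would adjust for your own machine.

```powershell
# Added example (not from the thread): triage a HijackThis 1.97-style log for the
# indicators discussed in this thread. The sample log is constructed; the allow
# list of expected ActiveX (O16) download hosts is an assumption.

$SampleLog = @'
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
'@

# Hosts an ActiveX (O16) download is expected from on this machine (assumption);
# a short allow list is easier to audit than trying to enumerate bad hosts.
$TrustedDpfHosts = @('microsoft.com', 'download.macromedia.com', 'symantec.com', 'download.zonelabs.com')

function Get-HijackThisFindings {
    param([string]$LogText)
    $findings = @()
    foreach ($rawLine in ($LogText -split "`r?`n")) {
        $line = $rawLine.Trim()
        if (-not $line) { continue }
        switch -Regex ($line) {
            # A proxy pointing at the local machine hands every request to a resident program.
            '^R1 - .*ProxyServer = (?<proxy>\S+)' {
                $proxy = $Matches.proxy
                if ($proxy -match '^(127\.0\.0\.1|localhost)') {
                    $findings += [pscustomobject]@{ Severity = 'High'; Reason = 'Proxy routed to localhost'; Line = $line }
                }
            }
            # Run entries launching an executable straight from the Windows root rather than a subfolder.
            '^O4 - (?<hive>HK\w+)\\\.\.\\Run: \[(?<name>[^\]]+)\] (?<cmd>.+)$' {
                $hive = $Matches.hive; $cmd = $Matches.cmd
                if ($cmd -match '^"?[A-Za-z]:\\WINDOWS\\[^\\]+\.exe') {
                    $findings += [pscustomobject]@{ Severity = 'High'; Reason = "Run entry in $hive launches from Windows root"; Line = $line }
                }
            }
            # IE policy restrictions in a user hive: normal on locked-down builds, otherwise worth a look.
            '^O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\' {
                $findings += [pscustomobject]@{ Severity = 'Medium'; Reason = 'IE policy restrictions in user hive'; Line = $line }
            }
            # ActiveX (DPF) download sources outside the allow list.
            '^O16 - DPF: .* - (?<url>https?://\S+)' {
                $dpfHost = ([uri]$Matches.url).Host
                $trusted = $TrustedDpfHosts | Where-Object { $dpfHost -eq $_ -or $dpfHost.EndsWith(".$_") }
                if (-not $trusted) {
                    $findings += [pscustomobject]@{ Severity = 'Medium'; Reason = "ActiveX download from unlisted host $dpfHost"; Line = $line }
                }
            }
        }
    }
    return $findings
}

Get-HijackThisFindings -LogText $SampleLog | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

Run against the sample, it flags the ProxyServer line, the two HKCU Run entries in C:\WINDOWS, the O6 restriction and the xxxtoolbar.com download, and leaves VetTray, the NVIDIA rundll32 entry and the Macromedia download alone. To triage a real log, pass `Get-Content -Raw` of the saved log file as `-LogText`.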

 
Craven de Kere
 
Reply Fri 14 May, 2004 04:55 pm
Please pare down your startup list, reboot, and post a fresh log.
 
silversurfer
 
Reply Fri 14 May, 2004 06:55 pm
Yuckware - Searchmeup - New log
I had tried to 'fix' a number of the entries from previous log without improvement. As suggested I pared down the Start list, rebooted (in SAFE mode) and ran a new log, below. Hijacking affects only one of the users, not administrator or two other users. The lines starting with * are those I had 'fixed' last time.
Appreciate any help you can give me,
Silversurfer

Logfile of HijackThis v1.97.7
Scan saved at 01:39:26, on 15/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Downloads\Cleaning kit\Hijack This\HijackThis.exe

*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [RFAgent] D:\Program Files\RFA\rfagent.exe
O4 - HKCU\..\Run: [SpyKiller] D:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix:
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3593402778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Craven de Kere
 
Reply Fri 14 May, 2004 08:41 pm
The items I am commenting on are things in addition to the ones you marked that look suspicious to me:

Ok, the following look very suspicious to me. I was unable to find anything legit about them but was also not able to find any documented relationship with malware (though there were plenty of coincidental factors to indicate it...). Fix them but make sure HijackThis is backing them up:

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [RFAgent] D:\Program Files\RFA\rfagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The following might be innocuous (some could be your spyware protection program locking certain options, but that's also what some malware does), but might not. And it will not hurt to remove them:

O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix:

This looks like some anti-spyware program you use, it's raising some low level suspicions for me:

O4 - HKCU\..\Run: [SpyKiller] D:\Program Files\SpyKiller\spykiller.exe /startup
 
silversurfer
 
Reply Sat 15 May, 2004 08:46 pm
Yuckware - Searchmeup - further purge
I ran HijackThis in safe mode again, 'fixed' all the ones you suggested, rebooted but found IE still hijacked. Reset home page and disabled proxy and surfed to see if it would still switch back, which it did.

Safe mode puts me in administrator so tried running HijackThis in normal mode from within the hijacked limited user. This came up with half a dozen references to searchmeup, plus direct references to the 127.0.0.1 proxy which is inserted, which did not come up when running HijackThis in administrator. Listed all these to be fixed as well as any which you identified as suspicious.

I will check tomorrow whether it is clean but it looks OK for the moment.

Thanks for the help, getting support helps as much as the good advice as it makes it less like wrestling the octopus on your own.
Chris
 
silversurfer
 
Reply Sun 16 May, 2004 05:19 am
Yuckware - Searchmeup - Still there, new log
Bad news, HijackThis log on infected (limited user) account showed all the fixed searchmeup and 127.0.0.1 references were back in, so I'm still hijacked.
Ran SpyBot again before fixing HijackThis list, it picked up the searchmeup but not the 127.0.0.1 references.
Ran hijackthis and fixed the ones marked on the list, including a Symantec item I do not recognise, but suspect I am swatting the symptoms not the disease.
Chris

After running SpyBot, asterisks mark the ones to be fixed

Logfile of HijackThis v1.97.7
Scan saved at 11:59:07, on 16/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
D:\Downloads\Cleaning kit\Hijack This\HijackThis.exe

* R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
* R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
* R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
* R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
* R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
* R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
* O9 - Extra button: Related (HKLM)
* O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
* O13 - DefaultPrefix:
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3593402778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
* O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Craven de Kere
 
Reply Mon 17 May, 2004 12:10 pm
Don't do it in safemode this time. Run the fixes for each infected account.

BTW, are you using VET and Norton AV programs?
 
silversurfer
 
Reply Mon 17 May, 2004 12:46 pm
Yuckware - Searchmeup - more on the saga
That was the result of running HijackThis on the only infected account, three other limited users are clean (from the beginning), also administrator user is clean.
Not sure what VET is and do not use Norton after problems uninstalling it on a client's computer. I use CA e-Trust EZ antivirus, LinkSys router to protect home LAN.
Any prospect of simply blocking IE and proxy changes?
Chris
 
silversurfer
 
Reply Sun 23 May, 2004 07:19 pm
Yuckware - searchmeup - CURED?
After the long saga above of things tried without success, I searched the Documents and Settings folder for the infected user (four other users were not infected).
In C:\Documents and settings\User\Local settings\Temp listing the files by date modified produced a clump which were dated around the time of the infection, some of which were obviously suspect (e.g. twtini.cab contained twaintec files).
I moved the most suspect ones into a ZIP folder with password protection, reset home page and proxy server, and in the six hours since then those settings have not changed; before, they were being reset to searchmeup, 127.0.0.1:8080 after a matter of seconds.
I list the files I isolated below and expect there to be goodies as well as baddies in there as I was installing cleaners as fast as I could find them around that time. I'd be interested in any positive identifications as good files as well as bad ones. I'm also curious why some are listed in the ZIP archive with a + sign after the file name.
cntr19312.exe 13,824
dia20.exe 119,808
dia23.exe 119,808
dload.exe 4,096
ist_install.exe+ 12,288
loader.exe 5,632
optimise.exe+ 38,656
powerscan.exe+ 69,120
preInsTT.exe 32,768
ps_install-mt.exe 48,128
sdexe.exe 56,840
whenU.exe+ 65,608
desktop.ini 67 (plus five identical)
index.dat 16,384
index.dat 32,768
index.dat 16,384
dummy.htm+ 0
twtini.inf 366
shortcuts.txt 6,496
~DF8AC6.tmp+ 16,384
cln8F.tmp+ 24,832
twtini.cab 87,867

I hope it's the last time I post on searchmeup, my thanks to the community for your suggestions and support. It makes a big difference to know that there are fellow sufferers and also experts giving free help.

Chris
 
silversurfer
 
Reply Mon 24 May, 2004 09:48 am
Yuckware - Searchmeup - not cured, the saga continues
In spite of staying clean for longer than usual, the proxy server was switched to 127.0.0.1 again when I booted this morning. The home page is NOT being substituted as yet, so a minor improvement.
Any one getting anywhere?
Chris
 
silversurfer
 
Reply Tue 25 May, 2004 02:45 am
Yuckware - searchmeup - clean for 24 hours - runwin32.exe
I'm learning to be pessimistic, but the hijacking has not repeated for 24 hours.
I was checking what hijackthis produced when run inside the infected user (administrator is not infected) and saw runwin32.exe and wininet32.exe listed, Google search on these names produced a reference to Kephyr Labs. Kephyr Labs mentioned that runwin32 was cited as a password stealer by Symantec so I was motivated (i.e. desperate) to try the manual removal method given on the web site.
However Safe mode puts me in Administrator and I could not then find runwin32.exe in registry, though it had been listed by HijackThis in HKCU i.e. with infected user as the Current User. Coming out of Safe mode and logging on as the infected user before using regedit produced the two keys for runwin32 and wininet32 so I was able to delete them in registry and then in c:\Windows and also C:\Windows\Prefetch.
After that I ran everything from virus checker, Adaware, Spybot and HijackThis with negative results, and have booted several times without changes to proxy server or home page.
If it stays that way another day I'll reset Restore and make a backup.

I suppose the people who write this yuckware are among the best readers of these posts but it is difficult to imagine the sort of person who is prepared to spread this kind of filth for a commercial reason, or the sort of company that is prepared to pay them to do so, making the internet such a cess pit that their long term business is damaged.
Chris
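The lesson in this post is that HKCU is a different hive for every account: scanning from Safe Mode as Administrator never showed the runwin32/wininet32 Run entries or the 127.0.0.1 proxy because they lived in the infected user's own hive. The PowerShell below is an added example, not code from the thread; it walks every account hive loaded under HKEY_USERS and reports the per-user Run key and proxy settings for each, so one elevated session sees all accounts at once. It assumes Windows with an elevated PowerShell session, and that hives of accounts not currently logged on have been loaded (the thread's approach of logging the affected user on first does this).

```powershell
# Added example (not from the thread): report per-user Run entries and proxy
# settings for every account hive loaded under HKEY_USERS. Reading
# HKEY_USERS\<SID> directly sidesteps the "HKCU is whoever I am logged on as"
# problem described in the thread. Assumptions: Windows, elevated session,
# hives of interest are loaded.

$RunSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$ProxySubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PerUserPersistence {
    # Only real account SIDs: skip .DEFAULT, service SIDs and the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
             Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        # Resolve the SID to an account name; keep the SID if the account no longer exists.
        try   { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid }

        # Per-user Run key: the place the thread found runwin32 and wininet32.
        $runKey = "Registry::HKEY_USERS\$sid\$RunSubKey"
        if (Test-Path $runKey) {
            $key = Get-Item -Path $runKey
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                # Same heuristic the thread applied by eye: an exe sitting directly in the Windows root.
                $suspect = $cmd -match '^"?[A-Za-z]:\\WINDOWS\\[^\\]+\.exe'
                [pscustomobject]@{ Account = $account; Item = "Run\$name"; Value = $cmd; Suspect = $suspect }
            }
        }

        # Per-user proxy settings: the place the 127.0.0.1:8080 entry kept coming back.
        $proxyKey = "Registry::HKEY_USERS\$sid\$ProxySubKey"
        if (Test-Path $proxyKey) {
            $p = Get-ItemProperty -Path $proxyKey
            foreach ($valueName in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
                if ($null -ne $p.$valueName) {
                    $val = [string]$p.$valueName
                    $suspect = $val -match '127\.0\.0\.1|localhost'
                    [pscustomobject]@{ Account = $account; Item = $valueName; Value = $val; Suspect = $suspect }
                }
            }
        }
    }
}

Get-PerUserPersistence | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Entries marked Suspect rise to the top of the table; anything there that you do not recognise is what the thread would have you back up and remove from that account's own hive. Because the script only reads, it is safe to run repeatedly, for instance after each reboot, to confirm the settings are staying put.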
 
Mike386
 
Reply Tue 1 Jun, 2004 05:18 pm
Silversurfer, You nailed it. Thank you.
I removed runwin32 in safe mode from both WINNT and the registry. Clean now for 24 hours.
Thanks again for your help.
 
silversurfer
 
Reply Wed 2 Jun, 2004 02:35 am
Searchmeup - found more dregs
Glad it worked. I'm still clean but I later ran RegistryFirstAid (RFA) in search mode looking for "twt" "twaint" and "127.0.0.1" and was a little shocked to find them still in registry.

I used regedit in Admin and deleted "Proxy Override 127.0.0.1;local host" in HKEY_USERS\S-1-5-21-….Internet settings", and twtini.inf and twtini.pnf in HKEY_LOCAL_MACHINE\SYSTEM\ …\LastGood, could not find twaintec folder in HKEY_LOCAL_MACHINE\SOFTWARE or copy of 127.0.0.1 in HKEY_CURRENT_USER\Software\...\Internet Settings.

Checked also in user REGEDIT, could not find anything. Repeated RFA search, found nothing apart from search parameters.