programs stop reponding

Hi Kim,

Thanks for the feedback.

This:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
appears to be malware according to this page:
http://www.pestpatrol.com/PestInfo/w..._installer.asp

follow the instructions in this page for its removal. But before,
export the registry using Start run regedit File Export and
create a restore point.

You might also want to post your Hijack This log he
http://www.cybertechhelp.com/forums/
for more opinions.

That one is the main suspect.

After you have done this, let's see if you can get to Yahoo Games.

Good luck

On Mon, 12 Apr 2004 12:46:05 -0700, Kim M.
wrote:

I finally was able to get HiJackThis to download and here is what it found. Again, thank you soooo much for all the help and I hope you will be able to make some suggestions that will fix the new problems. I am now able to get to Google but Yahoo Games
still won't open for the tables and it won't open some websites. I had to go back and restore to yesterday just to be able to download this software but again I still have these other problems that I can't take care of yet (i.e. trojans, etc.).

Thank you, Kim M.

P.S. I can't tell you how grateful I am for all your help, again, THANK YOU!!

Logfile of HijackThis v1.97.7
Scan saved at 3:37:09 PM, on 4/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
c:\Temp\Rar$EX12.032\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/game...ts/y/st2_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

I downloaded the PestPatrol software and located the malware file but now the program is telling me that I have to purchase the licensed version to be able to quarantine of delete the file. I really don't want to spend the $40 to get this problem fixed...
is there any way that I can delete or quarantine it for free? I know it sounds like I am cheap but I had just purchased a copy of the "revered" Norton Internet Security just to find that it is not protecting me from the 6 odd trojans that have been found.
If I sound bitter, it's because I am now. Until now, I just ASSumed that Norton knew about every virus and trojan known to man but you can now see where that got me...Thanks, Kim

Hi Kim,

On Mon, 12 Apr 2004 17:56:02 -0700, Kim M.
wrote:

I downloaded the PestPatrol software and located the malware file but now the program is telling me that I have to purchase the licensed version to be able to quarantine of delete the file. I really don't want to spend the $40 to get this problem fixed..
.is there any way that I can delete or quarantine it for free? I know it sounds like I am cheap but I had just purchased a copy of the "revered" Norton Internet Security just to find that it is not protecting me from the 6 odd trojans that have been found
. If I sound bitter, it's because I am now. Until now, I just ASSumed that Norton knew about every virus and trojan known to man but you can now see where that got me...Thanks, Kim

You don't have to buy the software. Especially when you can use
ad-aware and spybot which are free to do your routine scans for
malware.

To get rid of this specific malware, you can do it yourself, manually,
if you follow the instructions of this page:
http://www.pestpatrol.com/PestInfo/w..._installer.asp

You only have to delete some registry keys:

HKEY_CLASSES_ROOT\clsid\{1d6711c8-7154-40bb-8380-3dea45b69cbf}
HKEY_CLASSES_ROOT\webp2pinstaller.installer
HKEY_CLASSES_ROOT\webp2pinstaller.installer.1
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution
units\{1d6711c8-7154-40bb-8380-3dea45b69cbf}

Make a copy of it before you start (Start Run regedit File
Export) and create a restore point for added safety.

Good luck

Hi Kim,

Comments inline.

On Tue, 13 Apr 2004 19:31:03 -0700, Kim M.
wrote:

I was able to follow the directions on the pestpatrol page and delete the files from the registry keys. I also posted my HiJack This log and this was what they posted back so far...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

Am I supposed to delete these as well or not? I have posted the same question back to the site but have not yet received a reply. I am re-running the virus scans and adware and so far I still have these trojans:


Let's wait until you receive a reply.

File: C:\Documents and Settings\citrus\Local Settings\Temporary Internet Files\Content.IE5\OV5RMUNL\dw[1].exe
Virus: Tool:PornDialer.EA Status: Infected

File: C:\Temp\bii.cab-biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

File: C:\Temp\biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

These files in temporary folders are not used by the system and so
safe to delete.

File: C:\WINDOWS\system32\benceed.dll
Virus: TrojanDownloader:Win32/Rameh.A Status: Infected

I don't have this file in my system. If you're apprehensive about
deleting it, change its name and move it to a folder of your choosing
(like Pest folder or so) and wait for a few days, if your system works
fine, then delete it.


I am hesitant to delete or quarantine these files because of all the problems I ran into the last time I did so. Is there any way of telling if a file is required or not? Thank you,everyone, again for all the help.

If a file is in a temporary folder, it's not used by the system and
should be safe to delete. Files in the System32 folder are different,
though, and require searching the name of the file in google and
making sure they are not a system file.


P.S. I am now able to get into Yahoo games and Google so most of the bugs seem to be fixed.

Good, then we are on the right track

Good luck

Hi Kim,

Comments inline.

On Tue, 13 Apr 2004 19:31:03 -0700, Kim M.
wrote:

I was able to follow the directions on the pestpatrol page and delete the files from the registry keys. I also posted my HiJack This log and this was what they posted back so far...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

Am I supposed to delete these as well or not? I have posted the same question back to the site but have not yet received a reply. I am re-running the virus scans and adware and so far I still have these trojans:


Let's wait until you receive a reply.

File: C:\Documents and Settings\citrus\Local Settings\Temporary Internet Files\Content.IE5\OV5RMUNL\dw[1].exe
Virus: Tool:PornDialer.EA Status: Infected

File: C:\Temp\bii.cab-biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

File: C:\Temp\biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

These files in temporary folders are not used by the system and so
safe to delete.

File: C:\WINDOWS\system32\benceed.dll
Virus: TrojanDownloader:Win32/Rameh.A Status: Infected

I don't have this file in my system. If you're apprehensive about
deleting it, change its name and move it to a folder of your choosing
(like Pest folder or so) and wait for a few days, if your system works
fine, then delete it.


I am hesitant to delete or quarantine these files because of all the problems I ran into the last time I did so. Is there any way of telling if a file is required or not? Thank you,everyone, again for all the help.

If a file is in a temporary folder, it's not used by the system and
should be safe to delete. Files in the System32 folder are different,
though, and require searching the name of the file in google and
making sure they are not a system file.


P.S. I am now able to get into Yahoo games and Google so most of the bugs seem to be fixed.

Good, then we are on the right track

Good luck

Kim

The adaware and such programs will probably identify the Yahoo files as a problem. You may have them quarantined which is why your Yahoo games won't work. Get a copy of Spybot and try it (it was the last one I tried and I wish I had used it first since i
t gives valuble info on the files identified by it).

Sorry I wasn't able to get back on here before now. It took me longer to "clean" my brother's computer than I expected. I still am not positive as to the exact "culprit" but I think it may have been a dialer program EGHTML. I would quarantine bad files
and then they would multiply so I think a dialer must have been downloading as I was cleaning.

Anyway, the initial solution by Roger -- uncheck enable 3rd party extensions -- works to let the infected computer's IE work and connect to the net. But it doesn't get rid of the offending items. His IE Homepage was still hijacked to : res://mshp.dll/ind
ex#37049

As a side note, you should disable the "System Restore" before using the antivirus scanners. Not sure about before using Adaware and Spybot. I did it on his computer just to be sure.

Steps I took in disinfecting his computer: (Yeah it was overkill but I wanted to see what these programs did and how they compared):

1. Ran CWShredder program
2. Ran Adaware Program (update before running to latest ref file )
The Smartscan identified 9 processes, 418 Registry Keys, 32 Reg Values, 305 files and 35 folders as possibly "bad".

Everything identified as "Malware" I removed. I also removed some of the dataminers and "objects" I could determine wasn't needed.

3. I rebooted in safe mode and reran Adaware. Had 0 Processes, 65 Reg Keys, 5 Reg Values, 22 files and 4 folders now identified. Many were ok. One I didn't know about was "Promulgate". After he came home, it was deleted also.

4. I restarted in Normal Mode and ran the Free online Virus checker from pandasoftware

5. It identified Trj/Virtumonde.A as being a virus on his machine. Symantec (Norton's antivirus does not identify it as a virus but rather as Adware). I know because I ran his NAV and it didn't identify it so I checked definitions and it lists the file
as adware and your normal NAV doesn't deal with it.

6. I reran Adware (I had not yet removed Virtumonde) and this time I used custom mode and had it scan everything. It now found 66 Reg Keys, 5 Reg Values, 661 files and 16 folders. The most prevalent object was LOP.com malware.

7. I installed and ran Spybot. It identified the Egroup dialer as still being present even though I had sought to remove it using Adaware. Spybot is useful because it has a function to identify exactly what the program is that it suspects is a problem s
o you can decide if it is or isn't.

I removed all files I knew from the defs were not needed.

8. I manually removed the Virtumonde infection

9. Rescanned and his computer was clean.

10. Enabled 3rd party extensions and the computer still had no problems.

Tim

Kim

The adaware and such programs will probably identify the Yahoo files as a problem. You may have them quarantined which is why your Yahoo games won't work. Get a copy of Spybot and try it (it was the last one I tried and I wish I had used it first since i
t gives valuble info on the files identified by it).

Sorry I wasn't able to get back on here before now. It took me longer to "clean" my brother's computer than I expected. I still am not positive as to the exact "culprit" but I think it may have been a dialer program EGHTML. I would quarantine bad files
and then they would multiply so I think a dialer must have been downloading as I was cleaning.

Anyway, the initial solution by Roger -- uncheck enable 3rd party extensions -- works to let the infected computer's IE work and connect to the net. But it doesn't get rid of the offending items. His IE Homepage was still hijacked to : res://mshp.dll/ind
ex#37049

As a side note, you should disable the "System Restore" before using the antivirus scanners. Not sure about before using Adaware and Spybot. I did it on his computer just to be sure.

Steps I took in disinfecting his computer: (Yeah it was overkill but I wanted to see what these programs did and how they compared):

1. Ran CWShredder program
2. Ran Adaware Program (update before running to latest ref file )
The Smartscan identified 9 processes, 418 Registry Keys, 32 Reg Values, 305 files and 35 folders as possibly "bad".

Everything identified as "Malware" I removed. I also removed some of the dataminers and "objects" I could determine wasn't needed.

3. I rebooted in safe mode and reran Adaware. Had 0 Processes, 65 Reg Keys, 5 Reg Values, 22 files and 4 folders now identified. Many were ok. One I didn't know about was "Promulgate". After he came home, it was deleted also.

4. I restarted in Normal Mode and ran the Free online Virus checker from pandasoftware

5. It identified Trj/Virtumonde.A as being a virus on his machine. Symantec (Norton's antivirus does not identify it as a virus but rather as Adware). I know because I ran his NAV and it didn't identify it so I checked definitions and it lists the file
as adware and your normal NAV doesn't deal with it.

6. I reran Adware (I had not yet removed Virtumonde) and this time I used custom mode and had it scan everything. It now found 66 Reg Keys, 5 Reg Values, 661 files and 16 folders. The most prevalent object was LOP.com malware.

7. I installed and ran Spybot. It identified the Egroup dialer as still being present even though I had sought to remove it using Adaware. Spybot is useful because it has a function to identify exactly what the program is that it suspects is a problem s
o you can decide if it is or isn't.

I removed all files I knew from the defs were not needed.

8. I manually removed the Virtumonde infection

9. Rescanned and his computer was clean.

10. Enabled 3rd party extensions and the computer still had no problems.

Tim

Kim

I sent you an email with the programs

Ad_aware
Spybot Search and Destroy
hijackthis
pandasoftware free internet virus scanner

which I used to remove the pest from my brother's comnputer and they are all free and can be downloaded from the net.

Tim

PS: If anyone actually identifies the precise pest I'd love to know. My brother had too many on his computer for me to isolate which one was the culprit for this problem

I was able to follow the directions on the pestpatrol page and delete the files from the registry keys. I also posted my HiJack This log and this was what they posted back so far...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

Am I supposed to delete these as well or not? I have posted the same question back to the site but have not yet received a reply. I am re-running the virus scans and adware and so far I still have these trojans:

File: C:\Documents and Settings\citrus\Local Settings\Temporary Internet Files\Content.IE5\OV5RMUNL\dw[1].exe
Virus: Tool:PornDialer.EA Status: Infected

File: C:\Temp\bii.cab-biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

File: C:\Temp\biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A Status: Infected

File: C:\WINDOWS\system32\benceed.dll
Virus: TrojanDownloader:Win32/Rameh.A Status: Infected

I am hesitant to delete or quarantine these files because of all the problems I ran into the last time I did so. Is there any way of telling if a file is required or not? Thank you,everyone, again for all the help.

Kim M.

P.S. I am now able to get into Yahoo games and Google so most of the bugs seem to be fixed.