MajorGeeks Support Forums

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.

#1
12-29-05, 14:28
Morlo (Private E-2)
upapp - what is it

Hello. My first venture into troubleshooting through a forum but, having followed the instructions in one thread and the <READ & RUN ME FIRST Before Asking for Support> page - seemingly resulting in successfully getting rid of whatever was causing my PC to search for a spyware-associated file "ibm00003.exe" (for which, many thanks), Major Geeks looks like he is the man to help. So, I thought I'd repeat a question that I have seen asked elsewhere and to which two very different answers seem to be posted in various places on the web.

Whilst checking for malware programs to delete in Control Panel \ Add or Remove Programs, I noticed "upapp" listed. I cannot find it anywhere else on my PC, I know I didn't install it knowingly and I have no idea what it does or where it came from. As I cannot find it anywhere and at 45 MB I am suspicious of it. One posting I have read says it is something nasty left behind by spyware; two others say it is associated with an HP printer (checks for updates). I cannot find any sign of it within any HP directory and so believe it must be nasty - but would like to be sure before I hit the delete key.

Any confirmation one way or the other?

Many thanks

Morlo

#2
12-29-05, 15:24
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

You should have attached the three logs from the READ ME. BitDefender, PandaActiveScan, and HJT.

Note, if you had ibm00003.exe, consider changing all your passwords and login info especially for financial institutions. See: Malware - Bancos.LU

You should search your registry for upapp and see if there are any hits. Names used in the registry for programs do not always match the application names (developers can be pretty stupid sometimes.) You could use the below to do the search if you do not know how.

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:

upapp

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter

#3
12-30-05, 10:36
Morlo (Private E-2)
Re: upapp - what is it

Many thanks for reply.

One of my on-line access bank accounts had been accessed without authorisation and I just changed the passwords etc a couple of days ago - at least now I might know how it happened - so thanks for this.

Anyway, logs from BitDefender, Panda and HJT are attached, as is also the log from the RegEdit search (file name: sOutTmp162210 - upapp Reg Edit search.txt)

Hope some of this makes sense to you - it doesn't to me

Regards

Morlo
Attached Files
File Type: txt sOutTmp162210 - upapp Reg Edit search.txt (2.3 KB, 4 views)

Last edited by Morlo; 12-30-05 at 10:41.. Reason: Not sure my attachments were uploaded

#4
12-30-05, 10:47
Morlo (Private E-2)
Re: upapp - what is it

The log files don't seem to have attached - try again

Morlo

#5
12-30-05, 10:56
Morlo (Private E-2)
Re: upapp - what is it

I am clearly having trouble attaching these files ... here goes again

Morlo
Attached Files
File Type: txt Activescan.txt (1.6 KB, 3 views)
File Type: txt BitDefender Online Scanner -Scan Report.txt (11.9 KB, 3 views)
File Type: txt HJT log 301205.txt (12.3 KB, 2 views)

#6
12-30-05, 11:03
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

upapp appears to be something for Hewlett-Packard. Is your PC an HP, or do you use something else from HP (a printer, etc.)?
Quote:
upapp 0.20.0000 ({4EF69D40-4DC9-485E-95D3-B1C22F218FC8})
version: 1310720
version (minor): 20
install date: 20041020
install source: g:\upapp\
uninstall cmd: MsiExec.exe /I{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}
publisher: Hewlett-Packard
comments: Your Comments
contact: Customer Support Department
help link: http://www.yourcompany.com/help
help telephone: 1-555-555-4505
readme: Readme.txt
Some more of that keylogger that is stealing passwords still exists. Make sure you do not use this PC for anything that must be secure. Either change your passwords on the phone or use another PC that you know is not infected.

Please run this: Running Ewido Security Suite. It will help remove some more of this keylogger. Attach the Ewido log.

Also download HOSTER and then follow the below steps.
  • Unzip Hoster to a convenient folder such as C:\Hoster
  • Run Hoster.exe, click Restore Original Hosts and then click OK.
  • Click the X to exit the program
Make sure you empty:
- C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine
- your recycle bin
- if you use Norton N-protect to guard the recycle bin, make sure you empty the N-Protect stuff too.

I would then suggest you do another BitDefender scan and post the new log. It found a bunch of things and we must make sure you get this system cleaned up and trustworthy.

Last edited by chaslang; 12-30-05 at 11:20..

#7
12-30-05, 12:01
Morlo (Private E-2)
Re: upapp - what is it

Many thanks

Yes, I do have an HP printer. I will leave upapp alone then.

As for the rest, I'll do as recommended and post results on completion.

Regards

Morlo

#8
12-30-05, 13:28
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Make sure you get that Norton stuff I mentioned cleaned up!

#9
12-30-05, 15:41
Morlo (Private E-2)
Re: upapp - what is it

Hi again

Norton quarantine and trash can emptied

Ewido run and log attached

Hoster run as instructed

HJT re-run and new log attached

Thanks again

Morlo
Attached Files
File Type: txt BitDefender Online Scanner -Scan Report.txt (5.3 KB, 2 views)
File Type: txt Ewido Scan report_20051230.txt (68.5 KB, 1 views)
File Type: txt hijackthis log 301205-2.txt (12.5 KB, 2 views)

#10
12-30-05, 23:37
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

There is still (or at least was) stuff in the NProtect folder from Norton. Did you forget to empty it? It takes special steps. Just emptying the Recycle Bin is not sufficient. The below link explains how to empty this.

Emptying the Norton Protected Recycle Bin

The person (looks like Ross) downloading the below type of programs should be shown the Ewido log and should avoid downloading illegal cracks for software:
C:\Documents and Settings\Ross\Local Settings\Temp\Temporary Directory 1 for Sibelius v1.4 crack.zip\crackmasters.exe/loadadv458.exe -> Downloader.Agent.xq : Cleaned with backup
C:\Documents and Settings\Ross\Local Settings\Temp\Temporary Directory 1 for Sibelius v1.4 crack.zip\crackmasters.exe/loadadv458.exe -> Downloader.Agent.xq : Cleaned with backup

When you try to get something for free, you may get a lot more than you think.

Are you sure you ran Hoster properly? Also, the O1 - Hosts lines are still in your HJT log. If you are sure, then disable all realtime protection of MS Antispyware and run Hoster again. Then get a new HJT log to attach, but look at it first. If the O1 - Hosts lines are still there, uninstall MS Antispyware and disable Ewido (or uninstall) and try again.

Last edited by chaslang; 12-30-05 at 23:50..

#11
12-31-05, 05:54
Morlo (Private E-2)
Re: upapp - what is it

Good morning

Thanks for the message to Ross - my dear 16 year old son who, like most teenagers, is sure he knows best and cannot be told otherwise. I think this exercise is actually teaching him something about internet security and perhaps the risks of getting something nasty through the wires are not just fairy tales told him by his elders!

I had indeed goofed on emptying the Norton recycle bin (I had uninstalled my old N utilities when I got NIS 2006 as they were incompatible - and the Norton recycled bin icon disappeared at that time - so I had to empty manually).

Hoster - I'd overlooked that it was set as Read Only. So I set to Writable and re-ran. No O1 lines now in HJT log. Does this mean we're getting there? I hope so as my wife is twitching about internet banking.

Should I have done another BitDefender scan?

Regards

Morlo
Attached Files
File Type: txt hijackthis log 311205.txt (11.0 KB, 2 views)
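The "O1 - Hosts" lines chaslang refers to (posts #6 and #10) and the read-only attribute that blocked Morlo's first Hoster run (post #11), as an added example that is not from the thread, from Hoster or from HijackThis: a checker that reports every hosts mapping that is not a stock loopback entry, and a restore routine that clears the read-only bit before writing. The hosts text, the security-vendor domain list, the temp paths and the 203.0.113.9 address are all constructed for the example.

```python
"""Check a Windows hosts file for hijacked entries and restore the default.

Added example (not from the thread, not Hoster's or HijackThis's code).
It reproduces, on any OS, what an "O1 - Hosts" line in a HijackThis log
reports: a hosts entry that points a name somewhere other than the
stock loopback-to-localhost defaults. restore_hosts() also clears the
read-only attribute first, which is what stopped the restore in the thread.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Minimal clean hosts file written by restore_hosts (constructed; the stock
# Windows file carries a longer Microsoft comment header).
DEFAULT_HOSTS = "# Hosts file restored to defaults\n127.0.0.1\tlocalhost\n::1\tlocalhost\n"

# Address/name pairs that are legitimate in a stock hosts file.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed list of vendor domains that hosts hijackers typically sinkhole
# so the victim cannot fetch antivirus updates; extend for your environment.
SECURITY_SITES = ("symantec.com", "norton.com", "bitdefender.com",
                  "windowsupdate.com", "mcafee.com", "kaspersky.com")

# Constructed sample of a hijacked hosts file (203.0.113.9 is a TEST-NET address).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # update server sinkholed
127.0.0.1       www.bitdefender.com
203.0.113.9     www.example-bank.test     # redirected to a rogue address
"""


@dataclass
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, address, hostname) for every mapping in hosts text."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                   # one address, many names
            yield n, parts[0], host


def check_hosts(text: str) -> List[HostsFinding]:
    """Return one finding per non-default mapping (an HJT 'O1 - Hosts' line)."""
    findings: List[HostsFinding] = []
    for n, addr, host in parse_hosts(text):
        name = host.lower()
        if (addr, name) in BENIGN:
            continue
        if any(name == s or name.endswith("." + s) for s in SECURITY_SITES):
            reason = "security vendor site redirected to " + addr
        elif addr in ("127.0.0.1", "0.0.0.0", "::1"):
            reason = "name blocked (sinkholed to " + addr + ")"
        else:
            reason = "name redirected to " + addr
        findings.append(HostsFinding(n, addr, host, reason))
    return findings


def restore_hosts(path: str) -> str:
    """Overwrite the hosts file at `path` with DEFAULT_HOSTS.

    On Windows the read-only attribute is the missing owner-write bit, so
    adding stat.S_IWRITE clears it; on POSIX the same call adds u+w.
    """
    if os.path.exists(path):
        mode = os.stat(path).st_mode
        if not mode & stat.S_IWRITE:
            os.chmod(path, mode | stat.S_IWRITE)
    with open(path, "w", encoding="ascii") as f:
        f.write(DEFAULT_HOSTS)
    return DEFAULT_HOSTS


def demo_restore() -> Tuple[bool, bool]:
    """Write SAMPLE_HOSTS to a temp file, mark it read-only (the state that
    blocked Hoster in the thread), restore it, and report
    (content restored, file now writable)."""
    path = os.path.join(tempfile.mkdtemp(), "hosts")
    with open(path, "w", encoding="ascii") as f:
        f.write(SAMPLE_HOSTS)
    os.chmod(path, stat.S_IREAD)                 # set the read-only attribute
    restore_hosts(path)
    with open(path, encoding="ascii") as f:
        restored = f.read() == DEFAULT_HOSTS
    writable = bool(os.stat(path).st_mode & stat.S_IWRITE)
    return restored, writable


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"O1 - Hosts: line {f.line_no}: {f.address} {f.hostname}  ({f.reason})")
    print("restore ok, writable:", demo_restore())
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; running check_hosts() on its text gives the same picture as the O1 lines in an HJT log. A non-empty result after a restore usually means the file could not be written (read-only attribute) or a resident anti-spyware guard put the entries back, which is the sequence the thread went through.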

#12
12-31-05, 17:27
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Yes looks like we are almost there.

The below item that was in the previous BitDefender log is a minor issue, but it would be nice to fix it:
C:\Documents and Settings\Blaise\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[Subject: Re: Hello again][From: Mary Mellor]>(body)Suspected of: Exploit.Iframe.Vulnerability

See if you can locate this Outlook message from Mary Mellor and delete it!

After that I would like to do two more things to make sure you are clean:
1) Run BitDefender one more time and post a final (hopefully) log.
2) Download, install and run BlackLight by F-Secure. Post the log once finished.

Questions:
1) Are you sure you took care of changing all passwords so that your financial info is safe?
2) Does your Norton app include a firewall and are you using it? A real firewall is a must have.

#13
01-01-06, 16:31
Morlo (Private E-2)
Re: upapp - what is it

Hi

I deleted the offending archive file but it has appeared again in C:\ recycler - as seen in attached BitDefender log. Before I go ahead and delete this and four other files / folders in recycler dated today and two days ago, am I right in assuming they can be deleted?

I am confused by the other log results -
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP1\A0000227.MSI=>(Quarantine-2)=>(Embedded CAB)=>loadadv458.exe

This looks like something in quarantine - can I just delete this and items like it?

Lastly, I tried to download & install F-Secure's BlackLight. I had to disable all the anti-spyware programs I have installed over the last few days (SpyCatcher - recommended by Spyware Warrior, who I linked to from Major Geeks - in particular, would not let it download). And once I had downloaded it, it would not install without my uninstalling Norton Internet Security 2006 and Ad-Aware. Since both of these are known to me I was unhappy about doing so and so have been unable to run BlackLight. Will this be a serious shortcoming?

Morlo
Attached Files
File Type: txt BiteDefender Scan report 010106-1.txt (2.6 KB, 2 views)

#14
01-01-06, 19:07
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Just empty the Recycle Bin and also Norton NProtect like earlier.

Also, since we are close to being cleaned up, go to the READ & RUN ME sticky and complete step 1 to remove all the Restore Points that could be infected with the baddies.

Then do what I gave you in my previous post again (don't forget to answer questions). I'll repeat the steps:
Quote:

After that I would like to do two more things to make sure you are clean:
1) Run BitDefender one more time and post a final (hopefully) log.
2) Download, install and run BlackLight by F-Secure. Post the log once finished.

Questions:
1) Are you sure you took care of changing all passwords so that your financial info is safe?
2) Does your Norton app include a firewall and are you using it? A real firewall is a must have.

#15
01-02-06, 11:18
Morlo (Private E-2)
Re: upapp - what is it

Thanks again

Will get on it. Lots of uninstalling and installing - and work to interfere! - so will take a little time. Will post results a.s.a.p.

Morlo

#16
01-02-06, 13:14
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Okay but don't forget to answer my questions.

#17
01-02-06, 15:31
Morlo (Private E-2)
Re: upapp - what is it

Big troubles.

I uninstalled NIS and AdAware, disabled Anti-Spyware and installed F-Secure, and then trouble began. PC failed to boot properly - got stuck in a constant reboot loop showing the error screen in the attached jpeg. Error screen only appeared long enough for me to take a digital photo, not even enough time to write down any of the detail. It took over an hour to manage to interrupt the reboot loop enough to get into safe mode and uninstall F-Secure. I think the machine has rebooted correctly now but am sending this from a different machine.

Having looked again at the F-secure site, I think I downloaded the Internet Security Suite not the Blacklight Beta version - can you confirm that it is Blacklight Beta I need? Thanks

Morlo
Attached Images
File Type: jpg error screen.JPG (48.1 KB, 11 views)

#18
01-02-06, 15:38
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Quote:
Originally Posted by Morlo
Having looked again at the F-secure site, I think I downloaded the Internet Security Suite not the Blacklight Beta version - can you confirm that it is Blacklight Beta I need?
Yes that is what I said. Blacklight is what you want.

Last edited by chaslang; 01-03-06 at 16:16..

#19
01-03-06, 15:58
Morlo (Private E-2)
Re: upapp - what is it

Hello again

Success! Sorry for being an idiot getting mixed up between BlackLight and the full-blown F-Secure Internet Security. BlackLight was no problem at all. So, I have:
- emptied recycle and N-protect bins

- run BlackLight - log attached (it showed results from SpyCatcher which I installed on recommendation from Spyware Warrior which I linked to from Major Geeks at http://www.spywarewarrior.com/rogue_...pyware.htm#rec - which I assume is OK)

- re-run BitDefender - log attached which I assume means clean

Yes, have sorted passwords with banks via phone. The fraud team from the bank I said appeared to have had unauthorised access on my sign-in confirmed that there had been several attempts including a successful one which came just a few days after they had upgraded their security - which prevented money transfer. A lucky break. It was traced to a town in the north of England.

And yes, Norton Internet Security does indeed have a firewall. (My wireless network router also has a firewall.) However, what NIS 2004 did not have - which I did not realise until I upgraded to NIS 2006 in November - was any anti-spyware. So I suspect that most or all of the infections have been around for a while and it was only after upgrading to NIS 2006 and installing MS AntiSpyware at roughly the same time that I began to detect and delete - leading to the error message about ibm00003.exe which started me on this road.

Hope all is now clean and well?

Regards

Morlo
Attached Files
File Type: txt rtvr_rep 030106.txt (752 Bytes, 1 views)
File Type: log fsbl-20060103195917.log (1.2 KB, 1 views)

Last edited by Morlo; 01-03-06 at 16:00.. Reason: spelling error

#20
01-03-06, 16:21
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: upapp - what is it

Yes it looks like you are clean now! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link (some of which you already have done):

How to Protect yourself from malware!