Dropper Trojan

Why are you posting in multiple threads for the same problems? You are going to find it more difficult and slower to resolve issues this way.

 

If you had run the READ ME FIRST, you would have run CCleaner which should have deleted all this alread. You said you ran the READ ME in the other thread.

Do not run scans with Internet Explorer windows running.

 

Your other thread said,

"Does the ByteVerify disable anti virus software or could there be another trojan or virus on the computer or could it just be that my CD isn't copying on his computer right?"

That sounds to me like your installing your software on someone else's PC. Not legal! Unless you bought it for your friend and gave the CD to him and did not install it on another PC (like your own).

 

Do you have multiple user accounts on this PC? Is PR the account you were logged in as when you ran CCleaner and other scanners?

 

So you need to run all the steps (including CCleaner) of the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal thread for each user account. If you cannot run certain steps in safe mode when not logged on as the Administrator then run them in normal boot mode.

 

I believe the default setting is to delete files in Windows Temp folder older than 10 days.
But note, that's only Windows Temp. It does not have options for things like:
C:\Documents and Settings\PR\Local Settings\Temp\Temporary Internet Files

 

First make sure you updated to today's Ad-Aware SE reference file. Then click Scan now and on the next screen uncheck the Search for negligible risk entries selection. Now make sure you have Perform smart system scan selected, then click next. See if that helps.

 

Have you run all of the steps from READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal on this user account?

 

Unless you really know what you are doing you should not be editing the registry. You can totally break your computer. And first you should perform a registry backup.

You could be deleting entries that you see there that the spyware blocking (immunize feature) of Spybot put there on purpose.

Please stop skipping around and follow directions. When you selected smart scan did you disable negligible risk entries?

 

I don't understand what this means. If everything you deleted is not back (and it was bad) then what's the problem. Also you don't need to save the registry. As soon as you edit it with regedit the changes are already made.

What version of Ad-Aware SE are you using and what is the reference file version.

 

You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or from a sub-folder of C:\Documents and Settings, or choose run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Make sure you follow the above directions!!

 

Please post your full un-edited log. There must be more running processes than that on any WinXP system. Follow directions!! This C:\Program Files\Internet Explorer\iexplore.exe should not be running. We specifically ask for browsers to be shut down.

This C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe should not be running either.

 

Goto Add/Remove programs and uninstall
WebRebates
or
WebSavingsfromEbates

Also uninstall: BearShare

You have a bunch of trojans on this PC. That's your problem.

 

I wouldn't but that's up to you. Do you like having problems like this?

Read this from PestPatrol:

P2P: Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, can degrade network performance and consume vast amounts of storage. May create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.

But it's your decision in the end. If you want to live with the potential problems it can cause (and it may be the reason for all your trojan problems), don't uninstall it.

 

I still need your FULL unedited HJT log so we can work on removing the trojans.

 

Okay I'll assume you uninstalled it and that you are having a problem posting full HJT logs. Do the following exactly:

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if found) :
BROWSELC.exe
hpalyab.exe
winmgm32.exe
mscvb32.exe
svrhost.exe <--- be careful of the spelling this is not svchost.exe
svphost.exe <--- be careful of the spelling this is not svchost.exe
urpo.exe
wnstsit.exe
webclnt.exe
slmss.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [7d62dcdd86ec] C:\WINDOWS\System32\BROWSELC.exe
O4 - HKLM\..\Run: [hpalyab] C:\WINDOWS\System32\hpalyab.exe
O4 - HKCU\..\Run: [WindowsMGM] C:\WINDOWS\winmgm32.exe
O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\mscvb32.exe
O4 - HKCU\..\Run: [svrhost.exe] C:\WINDOWS\system32\svrhost.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Paul Ragozine\Application Data\urpo.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstsit.exe
O4 - HKCU\..\Run: [webclnt] C:\WINDOWS\System32\webclnt.exe
O4 - HKCU\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\BROWSELC.exe
C:\WINDOWS\System32\hpalyab.exe
C:\WINDOWS\winmgm32.exe
C:\WINDOWS\mscvb32.exe
C:\WINDOWS\system32\svrhost.exe <--- be careful of the spelling DO NOT delete svchost.exe
C:\WINDOWS\system32\svphost.exe <--- be careful of the spelling DO NOT delete svchost.exe
C:\Documents and Settings\Paul Ragozine\Application Data\urpo.exe
C:\WINDOWS\System32\wnstsit.exe
C:\WINDOWS\System32\webclnt.exe
C:\Program Files\Common Files\slmss <--- delete the whole directory

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Okay I see you did not remove BearShare yet.

I also see these are still present did you fix these last time:
O4 - HKLM\..\Run: [7d62dcdd86ec] C:\WINDOWS\System32\BROWSELC.exe
O4 - HKLM\..\Run: [hpalyab] C:\WINDOWS\System32\hpalyab.exe

 

We also need to clean up remnants of the W32.Sobig.A@mm worm.

1. Click Start, and then click Search.
2. Click All files and folders.
3. In the "All or part of the file name" box, type, or copy and paste, the file names: dwn.dat sntmls.dat.
4. Verify that "Look in" is set to "Local Hard Drives," or to (C:\)
5. Click "More advanced options."
6. Check "Search system folders."
7. Check "Search subfolders."
8. Click Search.
9. Delete the displayed files.

 

Check all accounts for this and also for the other stuff too.

Have you run the McAfee Stinger program on each account. If not, please do so.

 

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause


Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\BearShare <--- the whole directory


You may need to repeat the above for each user account.

Now reboot in normal mode and post a new HJT log.

If BearShare is still in your HJT log, you will need to search the registry for it.

I'm not sure about Updaterinstall.dat. Is could be part of one those annoying Casino programs. Try right clicking on it and get Properties, Version information.