GUI.exe, Aproposmedia, and Maxifiles

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tennohaika, Sep 26, 2005.

  1. tennohaika

    tennohaika Private E-2

    Last Saturday night I was fortunate enough to get infected with a trojan :mad:. I ran Spyware Doctor, McAfee, Ad-aware, Microsoft Anti-spyware, Spybot S&D, and AVG to scan my PC. AVG got the majority of the files infected by the trojan *over 1000 shudders*. Now every time I boot up I get a message from Microsoft Anti-spyware telling me it has blocked an application that is caused by dnscatcher? A couple of times I got a message from AVG as well saying, "Virus found!" and it displays the GUI.exe trojan downloader; now that is gone I'm assuming that it's permanently gone, or is it? Every time I boot up I scan my PC with Spyware Doctor and it picks up Maxifiles and Aproposmedia *I have done this in safe mode to no effect :eek:*; these are really annoying pop-ups *bloody adware telling me I have adware and spyware*. I asked for help on www.tankweb.net but no one has replied so far. Any help would be helpful :cool:
     
  2. tennohaika

    tennohaika Private E-2

    Sorry for double posting *can't find the bloody edit button :(*
    I keep on getting the blue screen error when I scan my PC in normal mode more than 3~4 times when I do it one at a time. I have no problem with this when I scan in safe mode.
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. tennohaika

    tennohaika Private E-2

    Instructions followed:

    Bitdefender:
    C:\Documents and Settings\Owner\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Infected with: Trojan.Downloader.4204
    C:\Documents and Settings\Owner\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Disinfection failed
    C:\Documents and Settings\Owner\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Deleted
    C:\Documents and Settings\Owner\a.exe=>(RAR Sfx o)
    Update failed
    C:\Program Files\AIM\aim95.exe=>wise0037=>wise0008
    Detected with: Adware.Wheaterbug.A
    C:\Program Files\AIM\aim95.exe=>wise0037=>wise0008
    Disinfection failed
    C:\Program Files\AIM\aim95.exe=>wise0037=>wise0008
    Deleted
    C:\Program Files\AIM\aim95.exe=>wise003
    Update failed
    C:\Program Files\Common Files\InetGet2\mc-58-12-0000140.exe
    Infected with: Trojan.Downloader.4204
    C:\Program Files\Common Files\InetGet2\mc-58-12-0000140.exe
    Disinfection failed
    C:\Program Files\Common Files\InetGet2\mc-58-12-0000140.exe
    Deleted
    C:\Program Files\Common Files\mc-58-12-0000140.exe
    Infected with: Trojan.Downloader.4204
    C:\Program Files\Common Files\mc-58-12-0000140.exe
    Disinfection failed
    C:\Program Files\Common Files\mc-58-12-0000140.exe
    Deleted
    C:\Program Files\Common Files\system32.dll=>gui.exe
    Infected with: Trojan.Downloader.Agent.RV
    C:\Program Files\Common Files\system32.dll=>gui.exe
    Disinfection failed
    C:\Program Files\Common Files\system32.dll=>gui.exe
    Deleted
    C:\Program Files\Common Files\system32.dll
    Updated
    C:\WINNT\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Infected with: Trojan.Downloader.4204
    C:\WINNT\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Disinfection failed
    C:\WINNT\a.exe=>(RAR Sfx o)=>mc-58-12-0000140.exe
    Deleted
    C:\WINNT\a.exe=>(RAR Sfx o)

    RAV:
    C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious

    Scanned
    ============================
    Objects: 42342
    Directories: 3588
    Archives: 6372
    Size(Kb): 1498071
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 151

    Stinger:
    Scanned no infected files

    Ad-aware SE with plugin:
    Scanned no infected files

    Spybot S&D:
    Scanned got these
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security Center\AntiVirusDisableNotify!=dword:0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security Center\AntiVirusDisableNotify!=dword:0

    CWshredder:
    Scanned no infected files

    Kill2Me:
    scanned

    HSremove:
    Scanned 8 files removed
    ------------------------------------------
    I attached the HJT file to this post. I'm still in safe mode since I'm afraid of the infections coming back :(
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help keep you moving along and to be ready for SPD.

    You need to uninstall one of your antivirus applications. Pick the one you prefer (AVG or McAfee) and uninstall the other. Do this before continuing.

    You can have HJT fix the below lines (you do not need to run HSremove, it is for HSA hijacker problems):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


    And then you need to boot into normal boot mode and post a HJT log. Safe mode HJT logs are not usually much use to us.
     
  6. tennohaika

    tennohaika Private E-2

    Thanks, finally some progress! I got rid of McAfee since I haven't been able to update it due to the subscription running out, and right now it seems I don't have IE to use anymore :confused: But put that aside for now and here is the new HJT log.
     
  7. tennohaika

    tennohaika Private E-2

    I failed on the last post; re-attached:
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Next In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE and
    open Windows Explorer navigate to and DELETE the following:
    Now run CCleaner and delete all the files in the C:\Windows\Prefetch folder.

    Now reboot in normal mode and post a new HJT log.
     
  9. tennohaika

    tennohaika Private E-2

    Got killbox and hoster, but I cannot find "C:\Program Files\Common Files\mc-58-12-0000140.exe" where you have told me to find it.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    NP, then killbox deleted it on reboot.

    Finish the rest and post a new HJT.
     
  11. tennohaika

    tennohaika Private E-2

    Alright done and here is the HJT log file.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, your log looks fine.

    Now we need to Reset Web Settings:

    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    How are things working? Any more problems that may need to be addressed?
     
  13. tennohaika

    tennohaika Private E-2

    Done everything you have said to do. No problem so far but when I was in safe mode to open IE to get to HJT I got the about:blank page for the administrator account :eek: It's not showing up now but should there be further inspection?
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Reset the Web Settings for each User Account.
     
  15. tennohaika

    tennohaika Private E-2

    Done but another problem/question. I ran spyware doctor to see how things are but I still have Aproposmedia and Maxifiles :( Any ideas why?
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Run
    - FixAprop

    In Add or Remove Programs locate
    MaxiFiles and uninstall it.


    Copy the contents of the quote box to notepad and save as MaxiFix.reg to your desktop.
    Double-click MaxiFix.reg and answer yes.

    Reboot

    Run Spyware Doctor, what does it find.
     
  17. tennohaika

    tennohaika Private E-2

    Maxifiles isn't located in the add remove so skip that and go to the next step?
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do the Reg Fix, have Spyware Doctor fix what it finds, then search your HDD for MaxiFiles and delete the directory.
     
  19. tennohaika

    tennohaika Private E-2

    Didn't find anything pertaining to Maxifiles after fixing it with Spyware Doctor, other than the MaxiFix.reg file you told me to make :/
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Ok, you can delete MaxiFix.reg. How are things running now?
     
  21. tennohaika

    tennohaika Private E-2

    Good news and bad news

    Good:
    The maxifiles is gone :D

    Bad:
    AproposMedia is still around, possibly a newer version so the scanner won't pick up?
     
  22. tennohaika

    tennohaika Private E-2

    This may come in handy:
    Infection Name Location Risk
    AproposMedia HKLM\SOFTWARE\Aprps Medium
    AproposMedia HKLM\SOFTWARE\Aprps## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client##PartnerId Medium
    Advertising C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y0WMD1AD\bins=1[1].gif Low
    Tracking Cookie(s) C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt Medium

    Scan Results:
    scan start: 9/26/2005 5:05:47 PM
    scan stop: 9/26/2005 5:07:08 PM
    scanned items: 23390
    found items: 5
    found and ignored: 0
    tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner

    Infection Name Location Risk
    AproposMedia HKLM\SOFTWARE\Aprps Medium
    AproposMedia HKLM\SOFTWARE\Aprps## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client##PartnerId Medium
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    From Add or Remove Programs in the Control Panel uninstall the following if found:
    Now Run a full system scan with Spyware Doctor and let it fix what it finds.

    Delete the value from the registry

    Important:
    Back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
    1. Click Start > Run.
    2. Type regedit

      Then click OK.
    3. Navigate to the key

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    4. In the right pane, delete the following values if present:

      "AutoLoaderAproposClient" = "C:\WINDOWS\Downloaded Program Files\aprload.exe /ShowLegalNote /PC="POP.POP"

      "POP" = "C:\WINDOWS\Downloaded Program Files\PopSrv225.exe"

      "AutoLoaderEnvoloAutoUpdater" = "auto_update_loader.exe"

      "[random name]" = "intfaxui.exe"
    5. Navigate to the key:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    6. In the right pane, delete the following values if present:

      "[random name]" = "atmon.exe"
    7. Navigate to and delete the keys if they are present:

      HKEY_CLASSES_ROOT\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}

      HKEY_CLASSES_ROOT\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}

      HKEY_CLASSES_ROOT\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}

      HKEY_CLASSES_ROOT\CLSID\{5EB250D7-2F0D-2C7A-0DC0-8A508FE8F3C}\{6B16BB4F-0B38-8762-1D21-878D02D8C66}

      HKEY_CLASSES_ROOT\CLSID\{5EB250D7-2F0D-2C7A-0DC0-8A508FE8F3C}\{7096C141-D32A-7EA3-B355-B2410136DDE}

      HKEY_CLASSES_ROOT\CLSID\{5967BAE1-2AB3-00FC-21E8-57362EAE900}\{758A7D6C-1952-3347-39E5-45F8F2D6433}

      HKEY_CLASSES_ROOT\CLSID\{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}

      HKEY_CLASSES_ROOT\CLSID\{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}

      HKEY_CLASSES_ROOT\CLSID\{8023A3E7-AB95-4C23-8313-0BE9842CC70E}

      HKEY_CLASSES_ROOT\CLSID\{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}

      HKEY_CLASSES_ROOT\CLSID\{D5580D6F-0E5F-4BDB-9CDF-F8EE68BEB008}

      HKEY_CLASSES_ROOT\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}

      HKEY_CLASSES_ROOT\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}

      HKEY_CLASSES_ROOT\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}

      HKEY_CLASSES_ROOT\POP.Server.1

      HKEY_CLASSES_ROOT\POP.Server

      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8023A3E7-AB95-4C23-8313-0BE9842CC70E}

      HKEY_LOCAL_MACHINE\SOFTWARE\Apropos

      HKEY_CURRENT_USER\Software\POP

      HKEY_LOCAL_MACHINE\Software\AutoLoader

      HKEY_LOCAL_MACHINE\SOFTWARE\Envolo

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient

      HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{D5580D6F-0E5F-4BDB-9CDF-F8EE68BEB008}

      HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POP
    8. Exit the Registry Editor.
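
A read-only way to check which of the autostart values and keys from the steps above actually exist, as an added example that is not part of the original post. It assumes a system with PowerShell available, checks only a subset of the step 7 keys, and also checks the HKLM\SOFTWARE\Aprps key that the Spyware Doctor results in this thread report.

```powershell
# Added example: read-only audit of the Run values and keys named in the
# removal steps above. Nothing is deleted or modified.

# Run keys from steps 3 and 5.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Value names from step 4.
$valueNames = @('AutoLoaderAproposClient', 'POP', 'AutoLoaderEnvoloAutoUpdater')

# File names from steps 4 and 6. Values listed with a "[random name]" can only
# be matched on the file they launch, so the value data is checked as well.
$fileNames = @('aprload.exe', 'PopSrv225.exe', 'auto_update_loader.exe',
               'intfaxui.exe', 'atmon.exe')

# Subset of the step 7 keys, plus the Aprps key reported by the scanner
# output posted in this thread.
$keys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Apropos',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Aprps',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Envolo',
    'Registry::HKEY_CURRENT_USER\Software\POP',
    'Registry::HKEY_CLASSES_ROOT\POP.Server',
    'Registry::HKEY_CLASSES_ROOT\POP.Server.1',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POP'
)

# Walk every value under each Run key and flag matches by name or by target file.
$runFindings = @(foreach ($runKey in $runKeys) {
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $item = Get-Item -LiteralPath $runKey
    foreach ($name in $item.GetValueNames()) {
        $data   = [string]$item.GetValue($name)
        $byName = $valueNames -contains $name
        $byFile = $fileNames | Where-Object { $data -like "*$_*" }
        if ($byName -or $byFile) {
            [pscustomobject]@{ Type = 'RunValue'; Key = $runKey; Name = $name; Data = $data }
        }
    }
})

# Report which of the listed keys exist at all.
$keyFindings = @(foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        [pscustomobject]@{ Type = 'Key'; Key = $key; Name = ''; Data = '' }
    }
})

$findings = $runFindings + $keyFindings
if ($findings.Count -eq 0) {
    'None of the checked values or keys are present for this account.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

HKEY_CURRENT_USER is per account, so the check has to be run once under each user account on the machine.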
     
  24. tennohaika

    tennohaika Private E-2

    I did check to see if I had any of the files you listed below in regedit but none of them showed up, but I did find one called aprps. I still have Aproposmedia :/
     
  25. tennohaika

    tennohaika Private E-2

    Sorry if my posts are rather difficult with grammatical errors but here is what I got as the location of these files in Spyware Doctor.
    AproposMedia HKLM\SOFTWARE\Aprps Medium
    AproposMedia HKLM\SOFTWARE\Aprps## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client## Medium
    AproposMedia HKLM\SOFTWARE\Aprps\Client##PartnerId
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Let's try this one.

    Using Add or Remove Programs, uninstall the following if they exist:
    Next In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process. Exit HJT.

    Start > Run and type 'regedit', OK

    Delete the following keys:

    Restart the computer and boot into Safe Mode.

    Open Windows Explorer and delete the following Directories:
    Now Reboot and run Spyware Doctor.
     
  27. tennohaika

    tennohaika Private E-2

    No go I can't find any of the below keys, I'm beginning to think this is going to be impossible :mad:
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments and a fresh HJT log, you will need to do 2 posts to attach all 4 logs.
     
  29. tennohaika

    tennohaika Private E-2

    I can do every one of those except for the pandascan. I was using Firefox which prompted me I need to use IE, but when I tried to on IE it did not open a new window.
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report and a fresh HJT log.
     
  31. tennohaika

    tennohaika Private E-2

    Here is the ewido and the HJT log
     

    Attached Files:

  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HJT log is clean and Ewido found and cleaned IstBar. Does Spyware Doctor still find Aproposmedia? Have you tried running Spyware Doctor in Safe Mode?
     
  33. tennohaika

    tennohaika Private E-2

    I'm in safe mode now and finished scanning my PC; it seems that Aproposmedia is gone! If this is the last of it, I'll be so happy! Thanks for all your help, Shadow_Puter_Dude!
     
  34. tennohaika

    tennohaika Private E-2

    UPDATE:
    Seems that the scanner lied to me in safe mode :/ I don't even think AproposMedia is even functioning; I'm not having any problems or any things installed on my PC. For all I know now it may not do anything :/ but that's the only problem I'm having now: Spyware Doctor picking it up on normal boot.
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It may be a false positive, Pest Patrol is supposed to be able to fix AproposMedia. You could download their evaluation version and give it a shot. Make sure the defs are updated first.
     
  36. tennohaika

    tennohaika Private E-2

    I still got apropos but in a different area:
    HKEY_LOCAL_MACHINE\software\aprps\client

    I'll see if it comes back after deletion.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  38. tennohaika

    tennohaika Private E-2

    No problem, but I already scanned my PC with that :/ I scanned again a little bit ago but it didn't pick up any Apropos related files.
     
  39. tennohaika

    tennohaika Private E-2

    Pestpatrol found:
    Apropos,HKEY_LOCAL_MACHINE\software\aprps\client,na,na,9/26/2005,00-D0-9E-48-FD-AB,USA
    But I'm unable to delete it since it's an evaluation version
     
  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yeah, tried it but it isn't removing Aproposmedia, this could be a newer variant. I was thinking PandaScan but that wouldn't run for tennohaika.
     
  41. tennohaika

    tennohaika Private E-2

    I got Panda scan working! Turns out my internet security level was on high for IE :/
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run that and post the log after it is finished. Panda is real good at finding things.
     
  43. tennohaika

    tennohaika Private E-2

    This is going to take some time, and I figured that this was a newer version of AproposMedia since every site I found about it had the same instructions to remove it but nothing in common :/
     
  44. tennohaika

    tennohaika Private E-2

    Here is the pandascan and it seems maxifile is still on my PC :/
     

    Attached Files:

  45. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy and Paste the contents of the quote box into notepad and save as ApropFix.reg to your desktop:
    Now Double-click ApropFix.reg and answer "Yes".

    Reboot into Safe Mode. Using Search on the Start Menu search your drive for "a.exe", include the quotes. DELETE every instance of the file you find. According to the Panda log they should be in C:\Documents and Settings\Owner and C:\WINNT.

    Now Reboot and run Panda Online Scan. After the scan attach the log to your next post along with a fresh HJT log.
     
  46. tennohaika

    tennohaika Private E-2

    Here are the requested logs.
     

    Attached Files:

  47. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HJT is clean, Panda still shows adware/apropos.

    Open Regedit and manually remove the following keys/values:
    Now Reboot and run Panda Online Scan. After the scan attach the log to your next post.
     
  48. tennohaika

    tennohaika Private E-2

    Whenever you give me these registry values to delete I never find them in regedit.
     
  49. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run a registry cleaner and see if that fixes the problem. Panda only finds the registry entries and none of the files. That may work. Then run PandaScan again, after a reboot, and see if it is still there.
     
  50. tennohaika

    tennohaika Private E-2

    Do you mind posting how I go about with the registry cleaner?
     
