AproposO trojan

Mariah,

If you have completed all the steps of the READ ME FIRST, follow the guidelines below and post your HJT log.

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

The only line in your HJT file that needs to be fixed is below.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)


After clicking Fix, exit HJT.


Is this the full actual path to the problem file.

C:\windows\temp\~aproposO\ph.exe

Assuming the answer is yes, download Pocket KillBox from http://www.downloads.subratam.org/KillBox.zip

Extract PocketKillbox to its own folder and run it. Select the option to Delete on Reboot.

1) Now, Copy and Paste C:\windows\temp\~aproposO\ph.exe into the box
2) Now, Click the Red X and Yes to the confirmation message.
3) A message will ask if you want to reboot now – Click yes.

Allow Pocket KillBox to Reboot your computer.

After reboot check to see that the file is actually gone. You may want to now delete the folder yourself:
C:\windows\temp\~aproposO

 

Actually all we did was remove an entry in the registry to load a file that was already missing.

Nothing we were doing has anything to do with this error message. Sounds like you have a hardware problem.

Does Norton still detect that C:\windows\temp\~aproposO\ph.exe?
It's strange you said you could see it before but now killbox cannot find it. That would mean it is already gone. So who deleted it.

 

Are you sure you have enabled viewing of hidden files?

When you do the below, exactly what happens? Make sure you use copy and paste!

 

The problem with Killbox has not related to your hardware problem. There are sometimes things running (including malware) that removes the instructions to delete on reboot from the Pending Operation list in the registry. That is what the message you are getting means.

Try this: use Killbox again and after clicking the Red X and Yes to the confirmation message, do not continue on to the next message that asks about reboot. Do the following (it's a sort of drastic measure). At this point, physically unplug the power cable into your PC. We do not want a gracefull shut down which could erase the pending operation info again.

Now wait a minute and them power back up. And see if we got the file deleted or not.

You should be more concerned about the possible failure of your hard disk. You should note the EXACT word for word message you get and paste that into a thread in the Hardware Forum.

 

Does the below link sound like your problem:

http://www.theglobeandmail.com/servlet/story/RTGAM.20021223.gts3/BNPrint/Technology/

If so, sounds like it is time to get a new one before you lose all your data.

The below may be a waste of time if your hard disk is on the verge of crashing but if you do buy a new one and perform an image copy, you will still need to be able to remove this file later). But it's up to you if you want to keep trying. I would look in the sale papers from last weekend and get a hard disk unless you are still under warranty.

I also want you to do two other things for me related to figuring out why we cannot delete that folder:

1) Generate a StartupList log using HijackThis
Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". CLick Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

2) Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip
Unzip it and now run ProcessExplorer and lets configure some options first:
Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
Now click on File and then Save As. And save the process list. Post it back here as an attachment. You can use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can show and kill things that Task Manager cannot.


Also a question: do you have an original WinXP bootable CD.

 

I don't see anything in those logs that would indicate a problem. See if you can locate your WinXP disk. I thinking about booting to the recovery console and then trying to delete the file.

 

Use regedit to search your registry for ph.exe

If you don't know how to do that see this:
http://www.maths.usyd.edu.au:8000/u/psz/pc/regedit.html

 

What else is in this folder: C:\windows\temp\~aproposO\

 

Try downloading and using this ExplorerXP to look at those folders. Does it should anything?

Also try this:

Open a command prompt by clicking Start, Run, and enter cmd and click OK.
Now in the command prompt window enter the following lines each followed by the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

C:\windows\System32\cacls.exe C:\windows\temp\~aproposO /g Everyone:f
cd C:\windows\temp
attrib -r -h -s *.*
dir /s > c:\filelist.txt
exit

See if you can delete that folder now.
Then come back here and attach that filelist.txt file which is in the root folder of drive C.

 

Put the filelist.txt into a ZIP file and upload the ZIP file.

What were some of he filenames you saw?

Please download the below tools but only run what I specify:

Pocket KillBox

VX2.BetterInternet Finder XP/2k - Version Msg126

Generic Find It Tool - NT/2000/XP


Extract all the files from the Generic Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment.

 

Well it look like you did not go to the correct directory from the command prompt like I asked. You were supposed to be in c:\windows\temp when you executed the dir command. You were still in C:\Documents and Settings\Pam. So the file did not give me what I was looking for. However, something I saw in there (on a brief glance) is the following and I would lay odds that they are bad:

Directory of C:\Documents and Settings\Pam\Application Data\creativefork
12/20/2004 09:28 PM <DIR> .
12/20/2004 09:28 PM <DIR> ..
10/24/2004 08:11 PM 302,902 afoavayh.exe
11/17/2004 08:00 AM 302,902 guwbryvu.exe
11/18/2004 10:00 PM 62,038 new dupe bash once.exe
10/15/2004 04:17 PM 302,902 pcjjtqrc.exe
11/18/2004 10:00 PM 302,902 pnxlwflk.exe
11/18/2004 10:00 PM 10,498 Store Admin Noun.exe
10/19/2004 08:00 PM 302,902 xruqtvcu.exe

7 File(s) 1,587,046 bytes

Do you recognize this folder and these files? They all strike me to be rather typical of malware files!

 

Mariah,

Don't worry about how complicated it appears! We will get there eventually and you will learn a bunch on the way.

See if you can locate the below files mentioned in my last message. They are all in the C:\Documents and Settings\Pam\Application Data\creativefork folder.
10/24/2004 08:11 PM 302,902 afoavayh.exe
11/17/2004 08:00 AM 302,902 guwbryvu.exe
11/18/2004 10:00 PM 62,038 new dupe bash once.exe
10/15/2004 04:17 PM 302,902 pcjjtqrc.exe
11/18/2004 10:00 PM 302,902 pnxlwflk.exe
11/18/2004 10:00 PM 10,498 Store Admin Noun.exe
10/19/2004 08:00 PM 302,902 xruqtvcu.exe

I want you to rename each one by right clicking on them and select rename. Then for each one just change the .exe extension to .bad

The go back and do the below again and make sure your command prompt indicates that you are in the C:\windows\temp folder before doing the attrib and dir commands. If you have a problem doing this or do not understand something. Just tell me.

Open a command prompt by clicking Start, Run, and enter cmd and click OK.
Now in the command prompt window enter the following lines each followed by the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

C:\windows\System32\cacls.exe C:\windows\temp\~aproposO /g Everyone:f
cd C:\windows\temp
attrib -r -h -s *.*
dir /s > c:\filelist2.txt
exit

See if you can delete that folder now.
Then come back here and attach that filelist2.txt file which is in the root folder of drive C.

 

That was in my last message and an earlier one!

cd C:\windows\temp


cd - means change directory which is what folders were originally called in older OS's. The words are used interchangeably now.

 

I thought the file was still in C:\windows\temp.
When you say trash, you mean Recycle Bin... right?

So are you saying you cannot empty anything from the Recycle Bin? Like if you create a test file and delete it, does it show in the Recycle Bin? Can you delete just it from the there?

 

Make sure your first empty all other files from your Recycle Bin.
Now download the attached ZIP file and extract the getRECY.bat from it into your c:\ folder.
The double click on the .bat file to run it. It will create a file named recycle-list.txt in the same folder ( that is C:\recycle-list.txt ). Upload that file back here as an attachment.

 

After completing steps from my previous message. Please do not do the steps in this message until you do the other one. I want to see the output from that file I asked you to attach.

Re-download and install ExplorerXP a new version (1.06) is out the fixes some bugs. Including a few I reported to them.

We may be using this again to try something. In fact...let's just try it. Run the new version of ExplorerXP and navigate your way into C:\Recycler and try to locate the problems files. They are likely in a sub-folder with a very long name beginning like S-1-5-21-......

When you find a file, click on it once to select it and then click the Edit menu and the select Delete Permanently

Does that work!

 

I don't see any files named like you mentioned:

 

I assume you are logging in as Pam. Do you have Admin priveledges?

 

You're welcome!

I would reboot! Run a full scan with Ad-Aware SE and your antivirus application. Fix anything found (hopefully nothing but cookies and MRUs) . And if clean, yes turn system restore back on.

Make sure you work thru the steps in How to Protect yourself from malware! to help avoid future problems.