ATLEvents hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steve54, Nov 21, 2004.

  1. steve54

    steve54 Private E-2

    Hello:
    This is my first post. I spent all day yesterday going through the instructions on your "READ ME FIRST" post. I was initially optimistic but alas have not cleared my problem.

    I have a program called "Spyware Guard" which purportedly stops hijacks. It keeps popping up that "ATLevents.ATLevents.1" is trying to change my BHO. Pops up every time I access the net and every time I use Word or Excel.

    I have XP, SP2, Spywareblaster, Spyware Doctor, Spyware Guard, AdawareSE and all of the other tools recommended (CWshredder, Avert stinger, etc.)

    After following all of your tools I cleared about 12 trojans from my system but it wasn't until Bitdefender that I found the culprit in my Locals/Temp folder. There is a folder called "smwavaj.dat" and "minst.exe". After deleting these, they always return upon re-boot.

    Finally I ran HijackThis last night and followed instructions on their site but I don't see any listings that appear abnormal.

    Thank you for your help,
    Steve54
     
  2. steve54

    steve54 Private E-2

    Additional information:
    Adaware shows the Virtumundo every time I run it...even after it deletes
    Spybot shows ATLevents and DSO exploit every time...even after deletes
    Thanks!
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  4. steve54

    steve54 Private E-2

    Thanks! I was going through those posts and noticed a lot are related to HJT files...should I try to follow those HJT solutions recommended for others?
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Without a doubt. If you get in over your head, just attach it, but going through that thread may be a good bet first. Let us know!
     
  6. steve54

    steve54 Private E-2

    I have tried to go through all the Virtumundo threads. I ran the a2 anti virus which found the bad file, deleted it...but it is still there. I've looked at my HJT log but cannot tell what is bad. I suspect it is
    C:\PROGRA~1\uptosv\rqtvow.exe or the
    O4 - HKLM\..\Run: [QgFHY9Ew] C:\PROGRA~1\uptosv\rqtvow.exe
    Anyway, I will appreciate your help.
    I have not re-booted since running this log.
    I await your response.
    Thank you.
    steve54
     

    Attached Files:

  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Hijack This is out of date. You should close running programs. All those running programs add a line, making it harder and taking longer to analyze.
     
  8. steve54

    steve54 Private E-2

    Thanks! I just downloaded the Hijack This yesterday from your site...but I will try again. Also, I had closed all programs before running HJT....so I am not sure what you mean by closing running programs.
     
  9. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    That said, I can tell you what to remove, but can't guarantee accuracy due to an old version of Hijack This:

    C:\PROGRA~1\uptosv\rqtvow.exe
    C:\PROGRA~1\uptosv\wovtqr.exe
    O4 - HKLM\..\Run: [Go!Zilla dial-up fix] "C:\PROGRA~1\GOZILLA\Go.exe" /FIXRAS
    O4 - HKLM\..\Run: [QgFHY9Ew] C:\PROGRA~1\uptosv\rqtvow.exe
    O4 - HKLM\..\Run: [*sysfax] C:\WINDOWS\Fonts\sysfax.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Anything running should be closed prior to running Hijack This. This includes items in the tray, for example:

    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe

    But, try removing the above and see where you're at. I have to head out, so hopefully that works :) Otherwise, Chaslang or Phille should be around later.
     
  11. steve54

    steve54 Private E-2

    Hi!
    I downloaded the Hijack This again...it should be the current version.

    I tried to remove the running processes on startup, but some of them start even when I delete them from the startup list (such as NAV).

    I went through and removed the programs noted. After taking spyware guard off the start up, the CATLevents BHO was added (spyware guard kept this from being added). So, I "fixed" this and rebooted (in normal mode....am I supposed to be running HJT in safe mode?) As you can see on the re-scan...it is back again.

    Two files keep showing up in my Documents...Local\Temp even after deleting them...they keep coming back
    MINST.exe
    smwavaj.dat (this is the one spyguard says is related to the ATLevents hijack)

    my suspicion is there is a program which keeps putting them back in the folder on start-up.

    I appreciate your help...this has been very frustrating.
    steve54
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

  13. steve54

    steve54 Private E-2

    Thanks. I did download it but have not unzipped it. I will wait for your reply.
    Steve
     
  14. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Go ahead and run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, Reboot and then scan with HijackThis and attach that log and we'll go after the others. I'll check back when I get a chance.

    PP
     
  15. steve54

    steve54 Private E-2

    Ok..I ran the lspfix and have attached the updated log. Thanks for staying with me.
    steve
     

    Attached Files:

  16. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Got tied up and forgot to post this for you. . .Sorry!

    This is my generic fix for Stopguard/Virtumundo-related malware infections. I have had a lot of success with it, but there have been some failures as well. Please note that this particular Malware mutates on reboot, so if you have rebooted subsequent to attaching your HJT Log, the file names may have changed.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete javawms.exe ( or any javawms or smwavaj entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Windows Update Setup Files Folder for any backups (javawms.bak or smwavaj.bak, etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.


    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\spurcell\LOCALS~1\Temp\smwavaj.dat

    O4 - HKLM\..\Run: [*javawms] C:\WINDOWS\Windows Update Setup Files\javawms.exe

    O4 - HKLM\..\RunOnce: [*javawms] C:\WINDOWS\Windows Update Setup Files\javawms.exe rerun

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)

    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)

    O19 - User stylesheet: (file missing)


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Windows Update Setup Files\javawms.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    THEN:
    Use Windows Explorer to run a search of your computer for:
    bkinst
    javawms
    smwavaj


    and DELETE the related files. (We especially want to get rid of javawms.ini & javawms.dat & javawms.bak AND smwavaj.ini & smwavaj.dat & smwavaj.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions. I will try to check back Monday night.

    Best luck :)
    PP
     
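As an added illustration from the defender's side (not part of this thread and not a tool the helpers used), the following Python script applies the tells visible in the entries above to HijackThis-style log lines: a BHO loaded from a user Temp folder under a .dat name, asterisk-prefixed Run/RunOnce values, orphaned O9 entries, and an unknown Winsock LSP DLL listed in several catalog entries. The sample log is constructed from lines quoted in this thread plus one benign entry; the random-name rule is only a heuristic.

```python
import re
from collections import Counter

# Constructed sample: entries quoted in this thread plus one benign O4 line
# (SpywareGuard) to show what the rules leave alone. Not a complete HJT log.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\spurcell\LOCALS~1\Temp\smwavaj.dat
O4 - HKLM\..\Run: [*javawms] C:\WINDOWS\Windows Update Setup Files\javawms.exe
O4 - HKLM\..\RunOnce: [*javawms] C:\WINDOWS\Windows Update Setup Files\javawms.exe rerun
O4 - HKLM\..\Run: [QgFHY9Ew] C:\PROGRA~1\uptosv\rqtvow.exe
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

# Per-user Temp folder in long and 8.3 short form (LOCALS~1 = Local Settings)
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$")


def triage(log_text):
    """Return [(line, [reasons])] for each HJT line that trips a rule."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # One LSP DLL may occupy several Winsock catalog entries; count them
    lsp_count = Counter(m.group("path").lower()
                        for m in map(O10_RE.match, lines) if m)
    findings = []
    for line in lines:
        reasons = []
        if TEMP_RE.search(line):
            reasons.append("loads from a user Temp folder")
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphaned entry: target file missing")
        if (m := O2_RE.match(line)) and not m.group("path").lower().endswith((".dll", ".ocx")):
            reasons.append("BHO binary with non-DLL extension")
        if m := O4_RE.match(line):
            if m.group("name").startswith("*"):
                # A '*' prefix makes a RunOnce value run even in Safe Mode
                reasons.append("'*'-prefixed autorun value (Safe Mode override)")
            elif RANDOM_NAME_RE.match(m.group("name")):
                reasons.append("random-looking value name (heuristic)")
        if m := O10_RE.match(line):
            n = lsp_count[m.group("path").lower()]
            reasons.append(f"unknown Winsock LSP DLL ({n} catalog entries)")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every sample line except the SpywareGuard entry, which is the kind of triage the helpers did by eye before telling Steve which boxes to tick.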
  17. steve54

    steve54 Private E-2

    Thanks PP.
    I followed your instructions carefully....even did it twice...but as you can see, it is still there. I will not reboot this time until I hear back from you.

    Thanks!
    Steve
     

    Attached Files:

  18. steve54

    steve54 Private E-2

    Just a little more info for you: I went through all of your instructions as indicated. When I re-booted, javawms was still in C:\Windows\Windows Update Setup Files along with smwavaj.ini. I was unable to manually delete these after finding them there with Windows Explorer search as you suggested. Smwavaj.dat was in the C:\Documents and Settings\spurcell\local\temp and I was able to delete it, but it was also in the
    C:\Documents and Settings\administrator\local\temp and I was NOT able to delete.

    My last log is attached to my previous post. Yesterday when I ran spybot before closing I was clean except for ATLEvents. This am upon booting I had 13 new infections! How can this be?

    Anyway thanks for your help. This is VERY frustrating.

    Steve
     
  19. steve54

    steve54 Private E-2

    PP:
    a little more info...I was reading some other posts and they said "delete on reboot" was the cure. Just want you to know I followed all of your instructions to a T....including delete on reboot. On the second try, I put all of the suspect files in the delete on reboot...not just javawms.exe. Still came back.

    thanks! I know you are busy.

    Steve
     
  20. PhilliePhan

    PhilliePhan Guest

    Hang in there Steve ;) I've replied to more threads than I have free time for and I am a bit overextended! Our resident genius, Chaslang, comes back in a day or two and we'll get caught up!

    You might try downloading this tool: Pocket KillBox

    Perhaps you can kill the files ( or entire folder ) with it. See what you are able to accomplish and then attach a fresh HJT log - I probably won't be able to look until tomorrow, though.

    PP :)
     
