ATLEvents

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hmm, Nov 19, 2004.

  1. hmm

    hmm Private E-2

    Hi,
    I cannot seem to rid my comp of this crap. I've done the basic spyware tutorial on here and read a couple of the threads on Virtumundo, but they aren't exactly the same as what I'm seeing. Same old story though, I can't get rid of it or the cat.exe junk. Spybot and Adaware keep finding it and can't get rid of it. Would really appreciate some help on what I know is already a much covered topic. Thanks.

    Hmm
     
  2. PhilliePhan

    PhilliePhan Guest

    If you are sure your machine is otherwise free of malware, send us a HJT log.
    Please follow these directions:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance. Please note that I am currently working on about 10 of these threads and I'm just a regular forum contributor without a lot of free time - so, be patient ;)

    Best,
    PP
     
  3. hmm

    hmm Private E-2

    Thanks for your time, Phillie. And yes, I'm fairly sure there is nothing else on the comp. Log attached.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Hmm,

    Do you recognize the following as your ISP or Proxy Server?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>


    Let us know.

    AnyHoo:
    This is my generic fix for Stopguard-related malware infections. I bet visitors to this forum are tired of seeing it in every other thread!! Thankfully, I am able to cut and paste :cool:


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete cat.exe (or any cat or tac entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. (Do Not Delete The Prefetch Folder Itself)

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Hummer\LOCALS~1\Temp\tac.dat

    O4 - HKLM\..\Run: [*cat] C:\WINDOWS\cat.exe

    O4 - HKLM\..\RunOnce: [*cat] C:\WINDOWS\cat.exe rerun

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\cat.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if it should somehow remain:

    C:\WINDOWS\cat.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    cat
    tac


    and DELETE the related files. (We especially want to get rid of cat.ini & cat.dat & cat.bak AND tac.ini & tac.dat & tac.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
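The HJT entries quoted in the fix above are the usual triage signals for this family: a BHO whose image lives in a user Temp directory and is not even a DLL, Run/RunOnce values pointing at cat.exe, orphaned O9 items with "(no file)", emptied R0 search values, and an R1 proxy that has to be confirmed with the user. The script below, an added example and not code from the thread or from HijackThis, encodes those checks as a small parser over HJT log lines so a fresh log can be screened before anyone clicks FIX. The sample log is constructed from the lines posted in this thread plus two benign entries; the name set BAD_STEMS and the Temp heuristic are the example's own assumptions.

```python
"""Triage a HijackThis (HJT) log: flag the entry types this thread fixed.

Added example, not from the thread or from HijackThis.  The heuristics mirror
the reasoning in the fix: code loaded from a Temp directory, Run/RunOnce
entries whose binary matches the cat/tac family, orphaned O9 entries, cleared
R0 search values, and any R1 ProxyServer (to be confirmed with the user).
"""
import re

# Assumed file-name stems of this infection, taken from the thread's search list.
BAD_STEMS = {"cat", "tac", "bkinst"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _stem(path):
    """Lower-case file name without extension: C:\\WINDOWS\\cat.exe -> 'cat'."""
    return _basename(path).rsplit(".", 1)[0].lower()


def _ext(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _in_temp(path):
    # Heuristic: anything loaded out of a ...\Temp\ directory is suspect.
    return "\\temp\\" in path.lower()


def triage_line(line):
    """Return a reason string if the HJT line deserves review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "O2":  # O2 - BHO: <name> - {CLSID} - <path>
        path = body.rsplit(" - ", 1)[-1]
        if _in_temp(path):
            return "BHO loaded from a Temp directory"
        if _ext(path) != "dll" or _stem(path) in BAD_STEMS:
            return "BHO image is not a normal DLL or matches cat/tac"
        return None

    if sec == "O4":  # O4 - HKLM\..\Run: [name] <command>
        o4 = O4_RE.match(body)
        if not o4:
            return None
        cmd = o4.group("cmd")
        # First token is the executable; quoted paths may contain spaces.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if _stem(exe) in BAD_STEMS or _in_temp(exe):
            return "autorun points at a cat/tac binary or a Temp path"
        return None

    if sec == "O9" and body.endswith("(no file)"):
        return "orphaned browser button/menu item"

    if sec == "R0" and body.rstrip().endswith("="):
        return "search setting present but empty; review"

    if sec == "R1" and "ProxyServer =" in body:
        return "proxy configured; confirm with the user before fixing"

    return None


def triage_log(text):
    """Return [(section, reason, line)] for every flagged line of an HJT log."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((LINE_RE.match(raw.strip()).group("sec"), reason, raw.strip()))
    return hits


# Constructed sample: the entries quoted in this thread plus a benign O4 line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\Hummer\LOCALS~1\Temp\tac.dat
O4 - HKLM\..\Run: [*cat] C:\WINDOWS\cat.exe
O4 - HKLM\..\RunOnce: [*cat] C:\WINDOWS\cat.exe rerun
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

if __name__ == "__main__":
    for sec, reason, line in triage_log(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {line}")
```

Running it on the sample flags eight of the ten lines and leaves the ProxyOverride and ctfmon.exe entries alone. The R1 hit is deliberately a "confirm" rather than a "fix": mchsi.com is a real ISP domain and the thread asks the user before touching it.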
  5. hmm

    hmm Private E-2

    OK... had no troubles with the steps. First thing I noticed was that cat.exe was there running in safe mode :( Spybot of course found the 4 ATLEvents in safe mode once again. Fixed them. Rebooted. Still there. I'm not sure about the proxy server stuff. New log attached. Thanks again Phillie.
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Hmm,

    I almost let your thread slip through the cracks. Sorry about that - I've seen so many of these lately, they all blend together!

    Did you run into problems trying to delete the bad file on reboot? Sometimes, it is necessary to make more than one pass through the instructions. This baddie is tough!

    You might also try this tool: Pocket KillBox

    Try its Delete on Reboot option for C:\WINDOWS\cat.exe . Persistence seems to pay off with this nasty. Let me know how things shake out.

    Best luck :)
    PP
     
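Both the HijackThis "Delete a file on reboot" option and KillBox's equivalent rely on the same Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager carries it out early in the next boot, before Run/RunOnce entries such as cat.exe get a chance to execute. The block below is an added example (not code from HijackThis, KillBox or the thread) that queues such a delete through the same API and, more usefully when a "file not found" error or a resurrected cat.exe is reported, checks whether the delete is actually queued. The sample PendingFileRenameOperations list is constructed; the function names are the example's own.

```python
"""Queue and verify a 'delete on reboot' the way HijackThis / KillBox do it.

Added example, not code from either tool.  MoveFileExW(path, NULL,
MOVEFILE_DELAY_UNTIL_REBOOT) appends the pair ("\\??\\<path>", "") to
PendingFileRenameOperations; an empty target means delete.  Reading that
value back confirms the request survived until the reboot that processes it.
"""
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def pending_delete_entries(path):
    """The two strings a delete request occupies in PendingFileRenameOperations:
    the NT-style source path and an empty target."""
    return ["\\??\\" + path, ""]


def is_delete_pending(path, pending):
    """True if `pending` (the REG_MULTI_SZ as a list of strings) contains a
    queued delete of `path`.  Entries are (source, target) pairs; a rename
    with a non-empty target does not count.  Paths compare case-insensitively."""
    src, _ = pending_delete_entries(path)
    pairs = zip(pending[0::2], pending[1::2])
    return any(s.lower() == src.lower() and t == "" for s, t in pairs)


def queue_delete_on_reboot(path):
    """Ask the session manager to delete `path` at next boot.  Windows only;
    needs administrative rights, like the HJT/KillBox option it mirrors."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is Windows-only")
    import ctypes
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    kernel32.MoveFileExW.restype = wintypes.BOOL
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending():
    """Read PendingFileRenameOperations from the live registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value)


# Constructed sample of the value after a delete of cat.exe has been queued,
# followed by an unrelated rename (non-empty target) from some installer.
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\cat.exe", "",
    "\\??\\C:\\WINDOWS\\Temp\\setup.tmp", "\\??\\C:\\WINDOWS\\system32\\new.dll",
]

if __name__ == "__main__":
    target = "C:\\WINDOWS\\cat.exe"
    print("queued:", is_delete_pending(target, SAMPLE_PENDING))
    if sys.platform == "win32":
        queue_delete_on_reboot(target)
        print("live registry shows delete pending:", is_delete_pending(target, read_pending()))
```

Two things to check after the reboot: that the file is gone (if it is back, something that runs before or during logon recreated it, which is why the thread asks for repeated passes), and that the Run/RunOnce values removed by HijackThis have not been rewritten. An entry still in PendingFileRenameOperations after a reboot means the boot never processed it, which usually points at a second reboot (the "DO NOT REBOOT AGAIN" step above) or an abnormal shutdown.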
