
Author Topic: c:\windows\system32\proper.exe  (Read 11523 times)


solotekk

    Topic Starter


    Beginner

    c:\windows\system32\proper.exe
    « on: December 15, 2007, 10:11:32 PM »
    hi, let me introduce myself. My name is Solotekk and I am a computer consultant.

    I was wondering if anyone might be willing to help me out.
    Before I go any further...... I need to personally thank Broni for pointing me in the right direction.... kudos to you.....

    Here is the issue. My client had a crapload of viruses and trojans, spyware....you name it....it was there. I removed everything but am now getting a windows error msg window that pops up when rebooting. this is the msg:

    c:\windows\system32\proper.exe

    the msg states that windows is unable to locate the file proper.exe and instructs to do a search for the file.

    If you would be so kind as to assist me in this matter, I would greatly appreciate it.

    let me know,
    thanks
    solotekk


    Never sit down in front of a computer and think to yourself, "This will only take a minute."

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: c:\windows\system32\proper.exe
    « Reply #1 on: December 15, 2007, 10:15:20 PM »
    You may not have gotten rid of all of the remnants of the malware as proper.exe is malicious.

    Check the processes in Task Manager to see if proper.exe is running and end the process if so.

    Then go to C:\WINDOWS\System32\proper.exe and delete the file/folder proper.exe

    solotekk


      Re: c:\windows\system32\proper.exe
      « Reply #2 on: December 15, 2007, 11:27:16 PM »
      i did a search for the filename and no such filename exists.
      i went into task manager and there are no processes called proper.exe.

      What's the next step?

      :)

      solotekk


        Re: c:\windows\system32\proper.exe
        « Reply #3 on: December 15, 2007, 11:33:00 PM »
        p.s.  i also went to folder options and unchecked the hidden folders and files box, the hide files of known types box, and the hide system files box.
        that way, i am able to see all files in a folder. I still didn't find proper.exe.


        evilfantasy

        Re: c:\windows\system32\proper.exe
        « Reply #4 on: December 15, 2007, 11:43:41 PM »
        Download
        HijackThis.exe

        Double-click on the installer you just downloaded.
        Click on the "Install" button to install.
        It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
        Please do not change the default install location.
        Upon install, HijackThis should open for you.

        Next click on the "Do a system scan and save a log file" button.
        HijackThis will scan and then a log will open in notepad.
        In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
        Please save the log as a text (.txt) file or .log
        In your post, add the log as an Attachment

        Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


        How to attach logs in a post

        Save the log to somewhere you can easily find it. (usually the desktop)

        To do this, from within the notepad go to the top of the page and select "File" > "Save As...", enter the file name and click "Save". Be sure the desktop is the location selected to save to.
        Please save all files as Text Documents (.txt)

        Posting the log

        1. Below the text box click "Additional Options..."
        1.1  If replying in a thread, before putting text into the reply box select "Preview"
        2. Scroll down and select "Additional Options..."
        3. Click "Browse"
        4. Locate the file you want to attach and double click it to enter it into the window.
        5. If you have more than one log click "(more attachments)" and a new window will open for adding another log.

        You will need to enter a message in the text box as well.

        solotekk


          Re: c:\windows\system32\proper.exe
          « Reply #5 on: December 16, 2007, 03:00:42 PM »
          hi, here is the log file you requested.

          thx.


          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 4:35:50 PM, on 12/16/2007
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
          C:\WINDOWS\Explorer.exe
          C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
          C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
          C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\ZoneLabs\vsmon.exe
          C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
          C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
          C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
          C:\PROGRA~1\Grisoft\AVG7\avgw.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
          F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\byxwxyv.dll (file missing)
          O2 - BHO: (no name) - {AD461068-7F93-4C9D-9B22-A867A84E30CF} - C:\WINDOWS\system32\mljgg.dll (file missing)
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
          O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
          O2 - BHO: {138316a1-f7cc-abe9-ae94-48a3d6e97d8d} - {d8d79e6d-3a84-49ea-9eba-cc7f1a613831} - C:\WINDOWS\system32\dljskqma.dll (file missing)
          O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
          O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
          O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
          O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
          O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O15 - Trusted Zone: *.amaena.com (HKLM)
          O15 - Trusted Zone: *.avsystemcare.com (HKLM)
          O15 - Trusted Zone: *.gomyhit.com (HKLM)
          O15 - Trusted Zone: *.imageservr.com (HKLM)
          O15 - Trusted Zone: *.imagesrvr.com (HKLM)
          O15 - Trusted Zone: *.onerateld.com (HKLM)
          O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
          O15 - Trusted Zone: *.virusschlacht.com (HKLM)
          O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
          O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
          O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
          O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.77.132.2/activex/AxisCamControl.cab
          O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
          O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
          O20 - AppInit_DLLs: sol323.txt
          O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
          O20 - Winlogon Notify: byxwxyv - byxwxyv.dll (file missing)
          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
          O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
          O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
          O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
          O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
          O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
          O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
          O23 - Service: lxcy_device -   - C:\WINDOWS\system32\lxcycoms.exe
          O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
          O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

          --
          End of file - 7805 bytes

          evilfantasy

          Re: c:\windows\system32\proper.exe
          « Reply #6 on: December 16, 2007, 04:10:03 PM »
          There are two antivirus and two firewalls running. This is unnecessary and can cause system conflicts, and slowdowns. You should pick one and uninstall the other.

          ----------

          The computer is still infected.


          Do the steps in this post and submit the logs and we will go from there. There will likely be more steps involved but we need to let the scanners get what they can first.



          solotekk


            Re: c:\windows\system32\proper.exe
            « Reply #7 on: December 16, 2007, 04:47:37 PM »
            hi, i uninstalled the eztrust antivirus\firewall program. My client found it disturbing anyway. She has roadrunner(yuck) and I personally don't care for them myself, so no loss if that program is removed.

            i'm downloading the required programs that were mentioned in your guide.

            i will run the scans and send you the logs.

            thx
            solotekk

            solotekk


              Re: c:\windows\system32\proper.exe
              « Reply #8 on: December 17, 2007, 11:32:44 AM »
              hi,
              here are the log files for eset and super scans.
              i'm installing java 6_update_3 and ie_7 on my client's pc. She has dial up,
              so these downloads are going to take a while.

              ttyl
              solotekk

              [saving space - attachment deleted by admin]

              evilfantasy

              Re: c:\windows\system32\proper.exe
              « Reply #9 on: December 17, 2007, 11:36:26 AM »
              You may want to try the Java Offline installer since it is dialup. http://www.java.com/en/download/manual.jsp

              Post a fresh hijackThis log please.

              solotekk


                Re: c:\windows\system32\proper.exe
                « Reply #10 on: December 17, 2007, 12:18:26 PM »
                here is the latest hjt log.

                thx


                [saving space - attachment deleted by admin]

                evilfantasy

                Re: c:\windows\system32\proper.exe
                « Reply #11 on: December 17, 2007, 12:27:48 PM »
                Open HijackThis and select Do a system scan only then place a check mark next to:

                O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - (no file)
                O2 - BHO: (no name) - {AD461068-7F93-4C9D-9B22-A867A84E30CF} - (no file)
                O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
                O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll (file missing)
                O2 - BHO: {138316a1-f7cc-abe9-ae94-48a3d6e97d8d} - {d8d79e6d-3a84-49ea-9eba-cc7f1a613831} - (no file)
                O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
                O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
                O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
                O15 - Trusted Zone: *.avsystemcare.com (HKLM)
                O15 - Trusted Zone: *.gomyhit.com (HKLM)
                O15 - Trusted Zone: *.imageservr.com (HKLM)
                O15 - Trusted Zone: *.onerateld.com (HKLM)
                O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
                O15 - Trusted Zone: *.virusschlacht.com (HKLM)
                O20 - Winlogon Notify: byxwxyv - byxwxyv.dll (file missing)


                Close all windows and click Fix checked.

                ----------

                Please download Combofix by sUBs from either here or here

                Save Combofix.exe to your Desktop.

                • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
                • When finished, it will produce a log for you.
                • Attach that log in your next reply.
                Important:
                Do not mouseclick combofix's window while it's running. That may cause your computer to stall.

                -----------

                Then run a new HijackThis scan and attach that log also.
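
A triage pass of the kind applied to the HijackThis logs in this thread, as an added example (not part of the original posts and not HijackThis code): it parses the section entries and lists the F2 Shell value that still names a second program after Explorer.exe, entries marked "(file missing)" or "(no file)", and O15 Trusted Zone additions. The sample lines are copied from the log in Reply #5; the function names and finding kinds are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted in Reply #5.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\byxwxyv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: byxwxyv - byxwxyv.dll (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""

# A section entry looks like "<code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
SHELL_RE = re.compile(r"\bShell=(.*)$", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    kind: str    # "shell-extra", "shell-replaced", "orphan" or "trusted-zone"
    code: str    # HijackThis section code, e.g. "F2"
    detail: str  # the part of the entry a reviewer should look at


def parse_entries(log_text):
    """Return (code, body) pairs; header and running-process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_shell(body):
    """Flag an F2 Shell= value that is anything other than plain Explorer.exe."""
    m = SHELL_RE.search(body)
    if not m:
        return None
    value = m.group(1).strip()
    if value.lower() == "explorer.exe":
        return None
    head, _, rest = value.partition(" ")
    if head.lower() == "explorer.exe":
        # Default shell plus a second program started at every logon.
        return Finding("shell-extra", "F2", rest.strip())
    return Finding("shell-replaced", "F2", value)


def triage(log_text):
    """List entries worth a human look; nothing here decides what to delete."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2":
            shell = check_shell(body)
            if shell:
                findings.append(shell)
        if body.endswith(ORPHAN_MARKERS):
            # Registry entry survives although its target file is gone.
            findings.append(Finding("orphan", code, body))
        if code == "O15":
            # Trusted Zone additions lower IE's restrictions for that domain.
            findings.append(Finding("trusted-zone", code, body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.kind:<13} {f.detail}")
```

Each finding is a candidate for review rather than a verdict; the selection of what to fix remains a manual decision, as in the reply above.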

                solotekk


                  Re: c:\windows\system32\proper.exe
                  « Reply #12 on: December 17, 2007, 09:31:24 PM »
                  here is the combo_log and a new hjt_log.

                  thx


                  [saving space - attachment deleted by admin]

                  evilfantasy

                  Re: c:\windows\system32\proper.exe
                  « Reply #13 on: December 17, 2007, 09:41:54 PM »
                  Delete these files/folders, as follows:

                  * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

                  Quote
                  File::
                  C:\WINDOWS\system32\kyjvrrpe.ini
                  C:\WINDOWS\system32\qgxougab.ini
                  C:\WINDOWS\system32\pqwvokku.ini
                  C:\WINDOWS\system32\ggjlm.ini2
                  C:\WINDOWS\system32\ggjlm.ini

                  Registry::
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\74d31d7c]
                  rundll32.exe C:\WINDOWS\system32\eprrvjyk.dll,b

                  * Save this as CFScript on the desktop.
                  * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

                  ----------

                  Post the Combofix.txt in your next reply and let me know how the computer is running now.

                  solotekk


                    Re: c:\windows\system32\proper.exe
                    « Reply #14 on: December 17, 2007, 10:44:20 PM »
                    here is the second log from combofix.

                    no more start up error msgs. The computer is working good, however now i just received a pop up msg and this is what it says:

                    You (or a program) is requesting information from sn21.mailshell.net
                    Which connection would you like to use?

                    I haven't seen this before, or even heard of sn21.mailshell.net. Could this be another issue? or leftovers from the malware/trojan/virus?
                     
                    Oh, and just within the past 5 minutes it popped up on the screen, stayed for about 30 seconds, and then disappeared, then reappeared again after about a minute.  I didn't click on the window or anything either, so it doesn't require user input to disappear.
                    Any advice?
                    Other than that, the computer seems to be fine.



                    [saving space - attachment deleted by admin]

                    evilfantasy

                    Re: c:\windows\system32\proper.exe
                    « Reply #15 on: December 17, 2007, 11:02:23 PM »
                    sn12.mailshell.net has to do with AVG antivirus (I think), why it is suddenly popping up I am not sure. Maybe check the settings in AVG. Or even check for updates.

                    Go to C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe <--Delete the whole CA folder.

                    Also download and use the Norton removal Tool

                    One more HijackThis log please.


                    solotekk


                      Re: c:\windows\system32\proper.exe
                      « Reply #16 on: December 17, 2007, 11:41:22 PM »
                      That folder was automatically removed when I uninstalled the eTrust EZ Antivirus software two days ago. But just to be sure, I did a file search, and nothing came back.

                      I ran the Norton Removal Tool as requested.

                      Here is the hjt log after norton.

                      thx.


                      [saving space - attachment deleted by admin]

                      evilfantasy

                      Re: c:\windows\system32\proper.exe
                      « Reply #17 on: December 17, 2007, 11:47:03 PM »
                      The logs are clean.

                      Run CCleaner.

                      Go to Start > Run and copy and paste the next command in the field:

                      ComboFix /u



                      Make sure there's a space between Combofix and /
                      Then hit Enter.

                      This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


                      I will look around for some info. on the sn12.mailshell.net pop up and see what I can find.

                      solotekk


                        Re: c:\windows\system32\proper.exe
                        « Reply #18 on: December 18, 2007, 12:05:41 AM »
                        that is such a kewl little program (combofix)

                        I will search around as well and see what i can find. So far, all i've found is a bunch of jargon, but that's what i get for googling.  I wish I knew more places to look. What do you do when you want to find something? Besides checking the popular search engines....


                        evilfantasy

                        Re: c:\windows\system32\proper.exe
                        « Reply #19 on: December 18, 2007, 12:13:49 AM »
                        Google is the best tool there is.

                        I visit a lot of security related forums so sometimes it is things I have either seen before or read about.

                        Just be careful with combofix, it is an advanced tool and should be used with caution for good reason.

                        Towards the bottom of this post is a discussion on sn12.mailshell.net






                        solotekk


                          Re: c:\windows\system32\proper.exe
                          « Reply #20 on: December 18, 2007, 12:37:15 AM »
                          Hey thanks for everything. You are a tremendous help. My client will be so pleased.

                          I look forward to working with you in the future.

                          Have a great evening.