TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Crashin' Jack on April 24, 2005, 10:09:36 AM
-
Problem removing the AlwaysUpdatedNews Installation popup when trying to run a video...
I have run AdAware SE, Spybot (latest version), and AntiVir, rebooting after each. Now I have run Hijack This, and here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:00:30 AM, on 4/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI ADAPTER\WMP54GV4.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
D:\OPERA7\OPERA.EXE
C:\MY DOCUMENTS\UTILITIES\ANTI VIRUS SPYWARE\HIJACK THIS 1.99\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [xeepu] C:\WINDOWS\XCQOHRT.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [o32T37e] THERXY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [WMP54Gv4] C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Z0t3RXKpW] T2ERAHLP.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
Any help in removing this pest would be deeply appreciated!!
Thanks...
-
==Download and Install this small program
to help clean your temp folders, cookies, recycle bin, etc.
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
Open Hijackthis>>Open Misc Tools>>Open Process manager
Kill this process if running
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [xeepu] C:\WINDOWS\XCQOHRT.EXE
O4 - HKLM\..\Run: [o32T37e] THERXY.EXE
O4 - HKCU\..\Run: [Z0t3RXKpW] T2ERAHLP.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Delete these files if found
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE <-file
C:\WINDOWS\XCQOHRT.EXE <-file
THERXY.EXE <-Do a search for this one
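The three O4 entries guestolo picked out share two traits that a reader can check without knowing the malware's name: the run-key name has nothing to do with the command it launches, and two of them are bare filenames with no path. The script below, an added example for this thread and not part of HijackThis or of the original posts, turns that into a ranking over O4 and O15 lines copied from the log above. The stock-entry allowlist, the weights and the review threshold are assumptions; the script orders lines for a human to look at and does not decide what is malware.

```python
"""Rank HijackThis O4 autorun entries and O15 Trusted Zone additions for review.

Added example for this thread; it is not part of HijackThis. The weights, the
stock-entry allowlist and the score threshold are assumptions. It only orders
lines for a human to look at, it does not decide what is malware.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted above. An O16 line
# is included to show that it is ignored by this triage.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [xeepu] C:\WINDOWS\XCQOHRT.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [o32T37e] THERXY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [WMP54Gv4] C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
O4 - HKCU\..\Run: [Z0t3RXKpW] T2ERAHLP.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
"""

# Run-key names present in every clean Windows ME log (assumption: confirm
# against a baseline taken from a known-clean machine before trusting it).
STOCK_RUN_KEYS = {
    "scanregistry", "taskmonitor", "pchealth", "systemtray",
    "loadpowerprofile", "schedulingagent", "ssdpsrv", "*statemgr",
}
REVIEW_THRESHOLD = 2  # assumption

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+).*\((HK\w+)\)")


def trigrams(text: str) -> set:
    text = text.lower()
    return {text[i:i + 3] for i in range(len(text) - 2)}


def score_o4(hive: str, subkey: str, key: str, target: str) -> Dict:
    finding = {"kind": "O4", "hive": hive, "subkey": subkey, "key": key,
               "target": target, "score": 0, "reasons": []}
    if key.lower() in STOCK_RUN_KEYS:
        finding["reasons"].append("stock Windows entry")
        return finding
    # Legitimate entries name themselves after what they launch (ATIPTA ->
    # atiptaxx.exe). A key that shares no three-letter run with its command
    # line is the strongest signal in this log: [xeepu], [o32T37e], [Z0t3RXKpW].
    # ".exe" is stripped first so a key containing "exe" cannot match on that.
    stripped = re.sub(r"\.exe", "", target, flags=re.I)
    if len(key) >= 3 and not (trigrams(key) & trigrams(stripped)):
        finding["score"] += 2
        finding["reasons"].append("key name unrelated to command line")
    # A bare filename is resolved through the search path, so the log does not
    # say where the file lives (THERXY.EXE, T2ERAHLP.EXE). Weaker on its own:
    # stock 9x entries such as SysTray.Exe are bare too.
    if "\\" not in target:
        finding["score"] += 1
        finding["reasons"].append("bare filename, location unknown")
    return finding


def score_o15(site: str, hive: str) -> Dict:
    # Anything in the Trusted Zone runs under IE's relaxed zone settings, so
    # every addition is worth a look regardless of its name.
    return {"kind": "O15", "hive": hive, "subkey": "ZoneMap", "key": site,
            "target": site, "score": 2, "reasons": ["site added to IE Trusted Zone"]}


def triage(log_text: str) -> List[Dict]:
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            findings.append(score_o4(*m.groups()))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(score_o15(*m.groups()))
    # Stable sort: highest score first, original log order within a score.
    return sorted(findings, key=lambda f: -f["score"])


def needs_review(findings: List[Dict]) -> List[Dict]:
    return [f for f in findings if f["score"] >= REVIEW_THRESHOLD]


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f['score']}  {f['kind']} {f['hive']} [{f['key']}] {f['target']}"
              f"  <- {'; '.join(f['reasons'])}")
```

Run against the log above, the four lines guestolo told the poster to fix come out on top and nothing else crosses the threshold; ATIPOLL gets one point for being a bare filename, which is the kind of low-score entry you then confirm by hand rather than delete. The trigram test is a heuristic and a stock allowlist built from one machine is only as good as that machine, so treat the output as an ordering, not a verdict.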
-
Thanks for the response, guestolo. I followed your instructions, but no joy. The AlwaysUpdatedNews is still present. While removing the files listed at the end of your post, I also found this file:
c:\windows\system\T2EMBED.DLL
Is this related to the T2ERAHLP.EXE? Here is a new log from Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 6:52:42 AM, on 4/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI ADAPTER\WMP54GV4.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
D:\OPERA7\OPERA.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [WMP54Gv4] C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
Again thanks for your help. it is very much appreciated!!
-
Can you search on your computer for this file
C:\Windows\System\winupdt.exe.
Let me know if it exists
Your Windows Media Player
wmplayer.exe may be infected; we may be able to replace it without a reinstall of Media Player
But let's make sure
Can you navigate to this folder
C:\Program Files\Windows Media Player
Open the folder and look for wmplayer.exe
Right click on wmplayer.exe and left click properties
Can you let me know date modified please
Can you also run an Online Virus scan at Panda's
Save the incident report afterwards and post it back here
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
After running Panda's scan, if wmplayer.exe is infected but can be repaired
Can you let me know what version of media player your running
Could you also
Download dpf.zip and unzip it to desktop
Double click on dpf.bat and post back the contents
-
Guestolo, thanks again for the effort in helping...
Searched all of my C:\, and then my whole system; no file named winupdt.exe.
wmplayer date modified is Tuesday, April 12, 2005, 6:46:12 AM
(That looks suspicious I would say...)
For the Panda scan, I couldn't find an incident report to copy and paste. I ran it once and my AntiVir program said it was trying to download the virus micro128. I shut off my AntiVir and ran three more times, getting a "No Virus Found" message.
I tried to start Windows Media Player, but the AlwaysUpdatedNews program started. I also noted the icon on the program directory was incorrect - it was the "blank" generic icon. I checked properties and clicked on Find Target and found this line:
WMPLAYER.EXE 5KB Application Extension 4/12/2005 6:46am
Now, clicking on WMPLAYER2.EXE in the same folder started Windows Media Player, Version 6.4.07.1112
I then ran the dpf batch file from my desktop and the Notepad "dpflist.txt" was blank.
The mystery continues...
I am not very familiar with the files used for Media Player, but is it possible it has been renamed and this new file put in its place?
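Explorer's "Application" or "Application Extension" label comes from the file extension alone, so it says nothing about what a 5 KB WMPLAYER.EXE actually is; the PE header does. The script below is an added example for this thread, not code from the original posts, and it reads the two header fields worth checking here: the IMAGE_FILE_DLL characteristic, which a real player front end should not carry, and the linker timestamp, which is independent of the filesystem "date modified" the thread is relying on. The sample inputs are constructed stand-ins, not the real files, and the 64 KB size threshold is an assumption rather than a Microsoft figure.

```python
"""Inspect an executable's PE header instead of trusting Explorer's type label.

Added example for this thread, not from the original posts. Reads the COFF
file header for the IMAGE_FILE_DLL flag and the linker timestamp. The size
threshold and the sample inputs are assumptions/constructed data.
"""
import datetime
import struct
from typing import Dict, List

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MIN_PLAYER_SIZE = 64 * 1024  # assumption: any real player front end is larger


def inspect_pe(data: bytes) -> Dict:
    """Follow e_lfanew from the MZ stub and decode the 20-byte COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, sections, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    link_time = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "size": len(data),
        "machine": machine,
        "sections": sections,
        "link_time": link_time.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def stub_indicators(info: Dict, name: str) -> List[str]:
    """Reasons a file sitting at the player's name looks like a launcher stub."""
    reasons = []
    if info["is_dll"]:
        reasons.append(f"{name}: IMAGE_FILE_DLL characteristic set on a .exe")
    if info["size"] < MIN_PLAYER_SIZE:
        reasons.append(f"{name}: {info['size']} bytes, below {MIN_PLAYER_SIZE}")
    return reasons


def build_min_pe(characteristics: int, stamp: int, total_size: int) -> bytes:
    """Constructed test input: MZ header, PE signature, COFF header, zero padding.
    Not a runnable program; it only exercises the parser."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, stamp, 0, 0, 0, characteristics)
    header = mz + b"PE\0\0" + coff
    return header + b"\0" * (total_size - len(header))


# 2005-04-12 00:00:00 UTC, the day of the "date modified" reported in the thread.
STAMP_2005_04_12 = 1113264000
# Constructed stand-ins: a 5 KB DLL-flagged stub and a 512 KB real front end.
SAMPLE_STUB = build_min_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, STAMP_2005_04_12, 5 * 1024)
SAMPLE_PLAYER = build_min_pe(IMAGE_FILE_EXECUTABLE_IMAGE, STAMP_2005_04_12, 512 * 1024)


def check_pair(suspect: bytes, sibling: bytes) -> Dict:
    """Compare the file at the expected name with the one found beside it."""
    a, b = inspect_pe(suspect), inspect_pe(sibling)
    return {"suspect": a, "sibling": b,
            "verdict": stub_indicators(a, "WMPLAYER.EXE") + stub_indicators(b, "WMPLAYER2.EXE")}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python pecheck.py WMPLAYER.EXE WMPLAYER2.EXE
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            result = check_pair(f1.read(), f2.read())
    else:
        result = check_pair(SAMPLE_STUB, SAMPLE_PLAYER)
    for which in ("suspect", "sibling"):
        print(which, result[which])
    print("\n".join(result["verdict"]) or "no stub indicators")
```

Pointed at the real pair (WMPLAYER.EXE beside WMPLAYER2.EXE), a linker timestamp in April 2005 on a file that should have shipped with the OS, or a DLL flag on a file that is launched as a program, settles the question the "date modified" field only hints at. Neither field is tamper-proof, so treat agreement between them and the file size as corroboration, not proof, and keep a copy of the suspect file before renaming or deleting it.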
-
It looks like the Windows Media Player exe is infected
You could uninstall Windows Media Player through Add/Remove Programs and then remove the Windows Media Player folder from Program Files
C:\Program Files\Windows Media Player
If you intend on using an older version of WMP you can get it here
http://www.oldversion.com/program.php?n=wmp
You could update to WMP 9; I would create a fresh restore point before installing, however,
in case you don't want it, but it is very good in my opinion
Here's a Microsoft link
http://www.microsoft.com/downloads/details.aspx?FamilyID=e0175119-9a5b-44c3-b1de-9b2a9aa6cff6&displaylang=en
You may also think about visiting Windows Updates and getting all latest Critical updates and service packs to keep secure
Keep revisiting until you get them all
Don't get the recommended unless they are something preferred
Again, create a fresh restore point ahead of time, just in case
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
-
Thanks for the advice, guestolo. I looked for the program in Add/Remove and it's not listed. Oh well...I guess I'll just leave it be for the moment and use the file player that came with my ATI card. I have set the files to open with that, and it works alright.
As for the Windows updates, I appreciate what you are saying, but I tend to reinstall my OS rather frequently and I don't care to go through the hassle of updating all the time.
For my browser I use Opera almost exclusively, AOL mostly for my email and because my wife insists we have it, and use IE only very rarely. So I don't know if the IE-related stuff would do me any good.
But, I do thank you for the time you have given me, that is most generous...I will continue my quest to rid myself of this pest, mostly for my own curiosity. Typically, I don't worry about programs like this too much as I don't use these types of programs very often, but this particular pest is tenacious and has become a challenge to rid my system of it.
Thanks also for the utilities you suggested, I have some, but others have been helpful.
If I have any success I will post back here.
Cheers!
-
you could try right click on wmplayer.exe and rename to wmplayer.ex_
and then try reinstalling your current version of Windows Media Player