does not work

[anthony dilwoth]

I recently noticed a lot of funny things running in Task
Manager. After
Googling, it was apparent that my machine had been
infected with something.

Basically, what happens is that programs are inserted in
my Startup
list in MSCONFIG.

When I run Task Manager, I can see new ones each day and
even several
times during the day.

These files are almost always in C:\Windows and
C:\Windows\System32.
They cannot be deleted because the attribute is set to
read-only.
The attrib command can not change the attribute so they
can not
be deleted. Instead, I rename them from Filename.EXE to
Filename.not.

It is necessary to run MSCONFIG frequently to uncheck the
items
which have miraculously appeared in the StartUp list.

The programs which invade my machine have names like
d3jg, javayi32,
ntoo, mskm, syslo, winno32, netkf32 and so on, all with
an .EXE
extension.

These invaders are all of certain sizes. For example, in
the C:\Windows
directory, there are thirteen programs having the size
16,384. Running
File-Compare (FC) indicates that the files are identical.
So, there
are about six or seven programs which get reinstalled
numerous times
with different file names. I have about 80 of them so far.


These programs do not appear to do anything, they just sit
there.
Doing what?

I upgraded to the latest McAfee Firewell, ran all the
spybot stuff
I have, ran the awful McAfee FreeScan, downloaded
Antispyware
from Microsoft (which found eight things the others didn't
find).

And the problem has still not gone away.

After running Antispyware for the first time, I ran it
again about
an hour later and it found another 'threat' which was not
there
an hour earlier. Looks like the Firewall is useless, no?

So, what is happening?

First idea: the Firewall does not prevent some machine
from
putting stuff on my machine and modifying the StartUp list
in MSCONFIG.

Second idea: lurking somewhere on my machine is a program
which
periodically runs itself, sees if the programs which it had
previously installed were still there, and, if not,
reinstalls
them with different names.

Some of the programs and their size follow: (If you have
any
of these you are infected.)


16,384 d3jg
17,183 javayi32
16,384 ntoo
17,183 mskm
17,183 syslo
17,183 sdkvb
16,384 atlxk32
17,183 winno32
17,201 msrn
17,018 javaai
16,384 netkf32
16,384 appcv32
16,384 javans
16,384 apilc
66,560 tyxcl
16,384 APIAH32
66,560 uvdfeu
16,384 MFCMM32
16,384 javalc
16,384 addil32
16,384 crvt32
16,384 ntuj

On the second day after installing Antispyware, I got a
message from it
saying that something wanted to add ntuj.exe to my StartUp
List. I
told it not to allow it, but it got installed anyway. So
much for
Antispyware! Furthermore, Antispyware should have told me
the name
of the program which wanted to add ntuj so that I could
find it and
perhaps kill it.


7:49am Friday: Antispyware (ASW) just told me that
something wanted
to install itself in the Startup List. I told it to
block, but it
got installed anyway.

8:04am Windows Firewall (not McAfee) told me that my
machine
was being invaded. It did not allow me an option to block
it. So,
there were two new programs in the Startup List: ntyq and
atplv32.

9:26am Message from ASW about SYSFS. Told it to block but
it didn't.

and on and on. . . .

 

[JohnF.]

Make sure you have a reputable antivirus program installed, updated, and
configured correctly. Make sure you have MSAS and one other anti-spywar app
installed. Download ccleaner and install that.

Reboot to safe mode and run ccleaner first to get rid of all the temporary
files that provide a way for these trojans to reload on your machine. Run
MSAS twice in deep full scan. Run your antirus program on a full scan.

Note where all the undeleteable bug apps are located and rename them while
in safe mode. Reboot and see how far towards clean you have gotten. Note
what is still running and go back to safe mode to do more battle. Note: you
may have to turn off System Restore to eliminate some trojans that hide.

Now, you got these things because you ran an unknown attachment from your
email or you went to a website you shouldn't have and clicked on a popup the
wrong way and you may also have a p2p application installed and got infected
that way. In any case, you clicked or double-clicked th wrong thing.

Here are some futher details to help you get clean:


--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

*Here is an excellent page showing you how to kill off spyware!*
http://tinyurl.com/awnad (smitfraud, in this case)

*Symantec Adware/Spyware removal tools:*
http://tinyurl.com/5y9cx

PREP YOUR MACHINE FIRST!
- IF you are using Spybot S/D, UN-Immunize your computer
- IF you are using Adaware, turn off AD-Watch
- Disable all other active anti-spy applications
- Dump all temporary file locations and Internet files

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
winsockxpfix.exe www.snapfiles.com/get/winsockxpfix.html
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Clean out all temp file locations with ccleaner.exe

3. Install and use killbox to delete stubborn files

4. Reboot into safe mode - http://tinyurl.com/pfca
5. Run MSAS at least twice in full/deep mode
6. Run a robust, updated antivirus software scan
7. Reboot into normal mode,see if problem has been corrected

8. If you think something is there but can't see it, download:
- Blacklight by F-Secure
www.europe.f-secure.com/exclude/blacklight/blbeta.exe
- RootKitRevealer by SysInternals
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

9. If your problem is Virus or Security patch related:
In the United States or Canada, call 1-866-PCSAFETY
MS will provide free support for those issues.

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
http://support.microsoft.com/kb/811259
LSPFix - www.cexx.org/lspfix.htm
Winsockxpfix - www.snapfiles.com/get/winsockxpfix.html

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
4) If that fails, install VB6 runtime files:
http://www.softwarepatch.com/windows/vbrun6download.htm

- To report false positives:
www.microsoft.com/athome/security/spyware/software/isv/fpform.aspx
- To submit disputes or requests:
www.microsoft.com/athome/security/spyware/software/isv/cdform.aspx
- To learn more about how MS analyzes suspected spyware:
www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx
- To Run MSAS in passive mode:
http://support.microsoft.com/kb/892375

Alternative Anti-Spyware Applications:
- Spybot Search and Destroy
http://www.majorgeeks.com/download2471.html
- LavaSoft AdAware
http://www.majorgeeks.com/download506.html
- AdAware VX2 Cleaner Plugin
http://www.majorgeeks.com/download4283.html
- PestPatrol
http://www.majorgeeks.com/download1187.html
- Webroot Spysweeper
http://www.majorgeeks.com/download3263.html
- Ewido Security Suite
http://www.ewido.net/en/
- CounterSpy (Same Giant Company Engine as MSAS)
http://www.sunbelt-software.com
- A Squared Free
http://www.emsisoft.com/en/software/free/


Recommended Software to help protect you:
- Windows XP Service Pack 2
http://www.microsoft.com/windowsxp/sp2/default.mspx
- SpywareBlaster
http://www.javacoolsoftware.com
- Outpost Firewall Pro
http://www.agnitum.com/products/outpost
---------------------------------------------

 

[Alan]

Did a little digging and found most of these programs are
from Microsoft. The following programs are a part of the
Run, RunOnce, RunServices, RunServicesOnce, and
RunOnce\Setup part of Windows (along with their
associated program):

RunOnce:

d3jg
javayi32
ntoo
atlxk32
msrn
javaai
netkf32
appsv32
javans
mfcmm32
crvt32
ntuj

RunServices
syslo
winno32
javalc

You can find out more about these programs on Microsoft's
web site.

Even though many people say it's spyware, don't believe
what everyone is saying hust because they are telling you
it's spyware. Most people who don't know what a program
is, declare that program to be spyware without doing any
research. Then these idiots tell their friends to remove
this "spyware" program, and so on and so on, until no one
knows the real truth. It's like the question, 'If your
freinds jumped off a cliff, would you?' Just because
they did it, doesn't mean you should. A great place to
keep track of what's truely spware/malware is
http://www.liutilities.com/products/wintaskspro/processlib
rary/.

Now, I don't know how you came up with the assumption
that your system had been infected by simply using
Google, as I used Google and found out what Window's
function(s) most of these programs were related to. In
the future, don't just go to the first page, and listen
to what they have to say, dig a little further, as I did,
and you will uncover the truth. The truth is something
many people in the software business don't want you to
know about.

Many of these people try to tell the novice/non-
experienced computer user they have a big problem that
needs fixing. These users follow the advice, and when
that doesn't seem to work, they shell out hundreds of
dollars to fix a non-existant problem. This is how some
web sites make their money, by pitching unsuspecting
users products they really don't need, and the user is
none the wiser to what has happened.

I hope this keeps you from ending up like many computer
users who have been taken to the cleaners by unscrupulous
business tactics that many people use to sell either
their products or an advertisers products.

Alan

 

[Mikolaj]

Did a little digging and found most of these programs are from Microsoft.

The following programs are a
part of the Run, RunOnce, RunServices, RunServicesOnce, and RunOnce\Setup
part of Windows (along with their > associated program):

RunOnce:

d3jg
javayi32
ntoo
atlxk32
msrn
javaai
netkf32
appsv32
javans
mfcmm32
crvt32
ntuj

RunServices
syslo
winno32
javalc

You can find out more about these programs on Microsoft's web site.

Even though many people say it's spyware, don't believe
what everyone is saying hust because they are telling you
it's spyware. Most people who don't know what a program
is, declare that program to be spyware without doing any
research. Then these idiots tell their friends to remove
this "spyware" program, and so on and so on, until no one
knows the real truth. It's like the question, 'If your
freinds jumped off a cliff, would you?' Just because
they did it, doesn't mean you should. A great place to
keep track of what's truely spware/malware is
http://www.liutilities.com/products/wintaskspro/processlib
rary/.

Now, I don't know how you came up with the assumption
that your system had been infected by simply using
Google, as I used Google and found out what Window's
function(s) most of these programs were related to. In
the future, don't just go to the first page, and listen
to what they have to say, dig a little further, as I did,
and you will uncover the truth. The truth is something
many people in the software business don't want you to
know about.

Many of these people try to tell the novice/non-
experienced computer user they have a big problem that
needs fixing. These users follow the advice, and when
that doesn't seem to work, they shell out hundreds of
dollars to fix a non-existant problem. This is how some
web sites make their money, by pitching unsuspecting
users products they really don't need, and the user is
none the wiser to what has happened.

I hope this keeps you from ending up like many computer
users who have been taken to the cleaners by unscrupulous
business tactics that many people use to sell either
their products or an advertisers products.

Alan

Excuse me Alan, but how experienced with computers and MS Windows you really
are?

You give the advice, but you unfortunatelly MISLEAD..
You say, that the above apps are part of Windows, but they are ABSOLUTELLY
NOT!!
Your argument is that they are part of "Run, RunOnce, RunServices,
RunServicesOnce, and RunOnce\Setup". They are not - this "places" are just a
part of the startup procedure for Windows - this registry keys tell the
system what apps/processes should be launched at startup.
IT DOESN'T ABSOLUTELLY MEAN THAT ALL THAT APPEARS IN THIS KEYS IS A PART OF
THE WINDOWS!!!
But this is ABSOLUTELLY a place where trojans, viruses, spyware attaches to
be launched and "rule the system"..

And by the way - I sell nothing, this is for free..

 

[Alan]

I'm sorry for the confussion. I didn't mean to offend
anyone when I mentioned the part about making money.
What I was getting at is that there are a lot of people,
NOT all, who try to pray on the unsuspecting user, and
make a ton of money selling products, NOT advice, to
these users. I am sorry if I offended you, that wasn't
my intention. My intention was for the average user to
not to simply rely on what someone has posted on the
internet. There is a lot of bad advice floating around
the internet, and some users follow this bad advice and
end up getting screwed.

I've seen people say that some programs that have been
installed by a legit program are spyware, simply because
they "didn't" install it. The files and associated
programs will be installed on the system when they
install the main application on their system, and they
will not know all the programs that are installed in
order for this application to run properly. If people
follow this type of well-intentioned, but misguided
advice, then many people can end up with broken pieces of
software. I did not realize, as you put it, that many
trojans, viruses, and spyware attaches to these keys; and
unfortunately, my advise was indeed misleading.

The part that was not misleading, was when I said in my
reply that no one should rely on only a few sources to
determine what a program is, they should do as much
research as possible. This holds no matter what type of
program/service that a person is concerned about. Also,
many of these users don't know that when the advice
doesn't work, there are ways to help remedy the situation
without resorting to spending a lot of money. And there
are people out there who will try to take advantage of
these users. The proof of that point is to look at all
the ads on the internet for programs designed to keep
you "safe" while online, when all most people need to do
is install a firewall (hardware, software, or both) and
make certain their security settings are set high
enough. I was visiting a site that told me, I had
a "big" problem because their server was able to see my
IP address. However, their server needed that info in
order to properly route the requested file to my
computer. Without that info, the World Wide Web wouldn't
function.

As I said earlier, I'm sorry if I offended you, as that
wasn't my intention. I just wanted people to not take
what they see in forums/newsgroups as a written-in-stone
fact, as their are a lot of people who tell people they
have a big problem, when they really don't.

Sorry,

Alan