Apropos Media has infected my computer

[Lomondra]

I checked out all your 'do this first stuff' and this is everything I have completed:

Ran a Microsoft Antispyware scan and deleted the AproposMedia Browser and removed it (but I've done this numerous times and it comes back)

Ran Trend Micro PCcillin Internet Security 2005, but it finds nothing.

Ran Ad-Aware SE Professional Edition and deleted all baddies.
Ran Ad-Aware's VX2 Cleaner and it came up clean.
Ran Ad-Aware's online virus scan and it too came up clean.

Checked out the rogue program spywarrior.com and I'm sure I do not have any of these programs.

I always update Windows, Microsoft, Office and Internet Explorer. (Mainly because I used to be a Windows 98se user with a Mozilla browser and had no problems and recently upgraded to WindowsXP -the edition for 98se with sp2 already included...i.e. not a separate disk- and even since I've been having problems of some sort, but this problem is of course my fault.)

I downloaded and installed to HJT file on C drive the Hijackthis and the Analyzer and have copied the result file below:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:49:46 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\IOMEGA~1\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\BELKIN-SSA\UPSData.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CreateCD] E:\IOMEGA~1\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Startup: BELKIN.lnk = C:\Program Files\BELKIN-SSA\Upsmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: Domain = Sonic.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: NameServer = 208.201.224.11,208.201.224.33
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Sonic.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: Domain = Sonic.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: NameServer = 208.201.224.11,208.201.224.33
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Sonic.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: Domain = Sonic.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CDA5C27-FAC1-4CFB-993B-ABA632A1B85E}: NameServer = 208.201.224.11,208.201.224.33
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Sonic.net
O23 - Service: BELKIN_Service - Unknown owner - C:\Program Files\BELKIN-SSA\UPSsrv.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

[sUBs]

Please download the file I have attached to this post - FindAP.zip

**IMPORTANT - extract/unzip the contents to a folder of it's own **

From within that folder, double-click on FindAP.bat
It will produce a log for you to post back to me.


Next, download RootKitRevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file.
Please post the entire contents of the log file in your next reply.

If the file is too big, place it as an attachment instead.

[Lomondra]

Windows Antispyware keeps giving me an alert the 'a script requires your approval' and I keep clicking allow, this has gone on for quite some time, does it need to do this or is it not running?

what is the grep executable that was in the zip? when do I run that?

[Lomondra]

Running from directory:
C:\FindAP
~~~~~~
Registry entries found:


[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


~~~~~~

[sUBs]

Please post RootkitRevealer's log when you have completed running it.

[Lomondra]

previously had to uninstall ms antispyware to run the bat file, I have sent the results log, and now this is the reveal log I have attached.

[sUBs]

Please download the file I have attached to this post. - fixARP.zip

**IMPORTANT - Extract/Unzip it to it's own folder


Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


From within it's folder, double click on fixARP.bat
Wait for it to present you with a log.

Then reboot to Normal Mode & post that along with a new FindAP log.

[Lomondra]

fixAPR:
Deletion of folder succeeded!

Deletion of file C:\WINDOWS\system32\drivers\ipsparse9.sys succeeded!

Deletion of file C:\WINDOWS\system32\MMSOEX32.EXE succeeded!

new findAP:
Running from directory:
C:\FindAP
~~~~~~
Registry entries found:



~~~~~~

[sUBs]

Your system is clean

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[Lomondra]

I already had system restore off for all drives,
should I just turn it back on?
do I have to do this all over?

[sUBs]

Never EVER turn System Restore off.
If anyting had gone bad during the fix, you would have lost your only option to rescue the Operating System.

You neednt re-do the fix. You're clean. Just re-enable System Restore.

[Lomondra]

I thought with sys restore on that anything I deleted would reappear, guess I was wrong, got it back on now.

Thanks for all your help, I will gladly send something when I get paid Thursday!