
Thread: HELP - no internet connection due to "aelupsvc32.dll"

  1. #11

    ISeeYouXP log

    Here is the ISeeYouXP log. I ran the blbeta, however, there is no popup window to save the log. I saved the screenshots but the file is too big to upload to the forum. It said "No hidden items found", "Total number of processed: 47", "Items queued for renaming: 0". Is this information useful for you?

    Again, I really appreciate your help. If the information I provided is still not enough for you to figure out where the problem is, that's fine. Maybe I should reinstall the whole system on my computer.

    Thank you and enjoy the weekend!

  2. #12

    Indeed, I would like to see the log from Blacklight, but that may not be necessary - I think I have enough information to try to work up a fix for you. The main reason I wanted you to run those last two scans was to verify the presence of the rootkit driver on your system and the ISeeYou log shows it:

    CHECKING RECENTLY ADDED DRIVERS:
    --------------------------------------------------------------------------

    C:\WINDOWS\system32\drivers
    12/12/2006 05:28 PM 29,184 wsfit32.sys

    Also, if you are interested, this blog details the removal procedure we will attempt (at least I think it does - I don't read Chinese)
    http://blog.yesky.com/41/storm_L/1595041.shtml
    I do see that they used a tool similar to Blacklight called IceSword - You may want to try that scan and post the results, but I'm just going to go with a "blanket fix" that targets all known components of this baddie, so further scans aren't really necessary.

    I will put together something similar for you - Hopefully by tonight (EST).

    Quote Originally Posted by greenfish View Post
    Again, I really appreciate your help. If the information I provided is still not enough for you to figure out where the problem is, that's fine. Maybe I should reinstall the whole system on my computer.
    Normally, a clean install is what I would recommend in cases where rootkits are involved! Because of their nature, it is often impossible to verify whether all components have been removed.
    But, no harm in trying to clean it first!

    I'll post a fix as soon as I get home this evening.

    Cheers
    PP

  3. #13

    Hi GreenFish,

    Let’s give this removal procedure a try, shall we?
    Please take your time to read through this before continuing. If you have any questions, just ask.

    *Please do the steps in the order they are given. This is quite important.

    Please print out or save these instructions locally – This is necessary since you’ll be in Safe Mode for many of the steps.


    FIRST:
    --- Download ATF-Cleaner.exe by Atribune to your Desktop. Just leave it for now . . .

    --- Download WinsockFix.zip by: Option^Explicit and unzip it to your Desktop where you can find it easily.

    --- Download the attached FixMe.zip and extract FixMe.reg to your Desktop.

    --- Download KillBox.exe to the desktop as well.



    And off we go . . . . .


    NOW:
    Please Boot to Safe Mode.

    THEN:
    Please scan with HijackThis and then Check the boxes for the following:


    O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll

    Click "Fix Checked" and then close HijackThis.


    NOW:
    Locate the FixMe.reg on your Desktop and DoubleClick it and then OK any prompts to Allow it to merge into the registry.


    Next, please run KillBox.exe.
    Now, you will be entering items into KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File” Options. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until the last item has been entered:
    ** Note: For the .dlls, check the Unregister .dll Before Deleting box as well. Also, note that the 0 in IEXPL0RE.exe below is a ZERO.

    c:\windows\system32\aelupsvc32.dll
    C:\WINDOWS\IEXPL0RE.exe
    C:\WINDOWS\system32\drivers\wsfit32.sys
    C:\WINDOWS\system32\exmple.dll
    C:\WINDOWS\system32\sexmple.exe
    C:\WINDOWS\system32\setup-238.exe
    C:\WINDOWS\setup-238.exe


    When the last item has been entered and you are prompted to reboot, ALLOW KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.


    Next:
    Locate and Run WinsockFix.exe
    -- Just Click the Fix button.


    LASTLY:
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT



    After ALL of the above has been completed, please Reboot to Normal Windows and Scan with HijackThis and submit that log.

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. Also, please note that we may need to run a few steps again to be sure we get everything.

    I’ll try to check back as time permits.

    Best luck
    PP
    Last edited by PhilliePhan; 01-26-2007 at 06:45 PM.
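An added example, not from this thread or from HijackThis itself, of the two checks the HJT entries above rely on: it parses constructed O4/O10 log lines, flags an autorun whose file name imitates a Windows binary with a digit swapped in (the ZERO in IEXPL0RE.exe noted above), and flags non-standard Winsock LSP DLLs, marking one whose file no longer exists, which is what leaves the LSP chain broken and the machine without connectivity until it is rebuilt. The file-existence check is injectable so the sample runs offline.

```python
import ntpath
import os
import re

# Windows binaries whose names malware commonly imitates (assumed short list).
KNOWN_BINARIES = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Digits that visually stand in for letters (0 for o, 1 for l, 5 for s, 3 for e).
_HOMOGLYPHS = {"0": "o", "1": "l", "5": "s", "3": "e"}

# A HijackThis line: section code, " - ", then the entry body.
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
""".strip().splitlines()


def normalize_name(filename):
    """Lower-case a file name and map look-alike digits to the letters they imitate."""
    return "".join(_HOMOGLYPHS.get(c, c) for c in filename.lower())


def lookalike_of(filename):
    """Return the genuine binary name this file name imitates, or None if it is not a lookalike."""
    norm = normalize_name(filename)
    if norm in KNOWN_BINARIES and filename.lower() not in KNOWN_BINARIES:
        return norm
    return None


def analyze_hjt(lines, exists=os.path.exists):
    """Return (section, path, note) findings for suspicious O4 autoruns and O10 LSP entries."""
    findings, seen_lsp = [], set()
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            path = body.rsplit("] ", 1)[-1].strip()  # text after the [name] tag
            imitated = lookalike_of(ntpath.basename(path))
            if imitated:
                findings.append(("O4", path, f"autorun name imitates {imitated} with digit substitution"))
        elif section == "O10":
            path = body.split(":", 1)[1].strip()  # HJT lists each LSP DLL once per catalog entry
            if path.lower() in seen_lsp:
                continue
            seen_lsp.add(path.lower())
            note = "non-standard Winsock LSP DLL"
            if not exists(path):
                note += "; file missing, LSP chain is broken until rebuilt"
            findings.append(("O10", path, note))
    return findings
```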

  4. #14
    PP, thanks for the detailed instructions! I followed all steps, but the result is "Limited or no internet connection". When I ran WinsockFix.exe and clicked the Fix button, the program seemed to freeze and didn't give me any confirmation. I am not sure whether there is any error in my operation. Attached please find the latest HiJackThis log. As you can see, in #10, it says broken internet connection.

    Thanks again and sorry to take you so much time, esp. during the weekend. Thanks!!!!!!

  5. #15

    Quote Originally Posted by greenfish View Post
    As you can see, in #10, it says broken internet connection.
    Winsockfix or LSPFix will address this.
    Quote Originally Posted by greenfish View Post
    Thanks again and sorry to take you so much time, esp. during the weekend. Thanks!!!!!!
    Happy to help! - I don't answer nearly as many threads as I used to (in many different forums).

    Yours is interesting because this particular baddie is new and protected by a rootkit. I enjoy the challenge!


    As to the problem at hand . . .

    On the plus side, HJT shows the dll as "missing." So, perhaps you got it.
    -- Fix that entry with HijackThis and then try LSPFix again. We need to rebuild the LSP stack. . . . . Actually, let's run LSPFix a bit later (see below)

    On the minus side, your HJT log also still shows this component of the malware:
    O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe



    Let's do this:

    -- Download combofix.exe

    Run combofix and follow the prompts. Don't do anything on your machine while it is running or it may freeze.
    It will produce a logfile - please submit that for me.

    THEN:
    Run LSPFix as you did before. If aelupsvc32.dll does not show, just click Finish.

    Reboot and give me a fresh HJT along with the ComboFix log.



    -- Just to reiterate: With rootkits these days, I always suggest a reformat. Even if we get your machine back to what seems like "normal," we'll never know for sure if we got everything. This sort of stealthing tool is designed to hide from the Operating System itself. The only certain fix is to flatten the hard drive and reformat. For a lot of people, this is a problem because they lose all sorts of data that they failed to backup . . .


    But, like I said, these new threats interest me and I am happy to help you try to remove it as long as you feel the endeavor will be productive.

    -- Also, I still see both McAfee and Symantec AV in your HJT log. You should choose one and remove the other to prevent conflicts and to free up some system resources.

    Best
    PP

  6. #16
    PP,

    Things don't seem to have changed since yesterday. Still No Internet Connection and the iExpl0re.exe is still there, as you can see from the HJT log. Attached please find the ComboFix and HJT logs. Thanks again and, if a reinstallation is a recommendation from you at this point, I'll do it. Thanks!

  7. #17

    Quote Originally Posted by greenfish View Post
    Thanks again and, if a reinstallation is a recommendation from you at this point, I'll do it. Thanks!
    I would lean that way - It seems that this baddie is pretty well dug into your system!

    A couple questions first:

    -- Were you able to rerun LSPFix? Did that have any effect?
    -- Are you able to navigate to C:\WINDOWS\IEXPL0RE.exe and
    C:\WINDOWS\system32\drivers\wsfit32.sys?
    What happens if you try to delete them? (try in Safe Mode)

    -- Try running Blacklight again. If I remember correctly, the logfile will be created in the Blacklight Folder..... I think...



    I am tempted to ask you to prevail upon my friend Blender at SpywareWarrior.com. I'm sure she'd be quite interested to have a whack at this thing - The thing is, I am sure she is swamped with other threads as it is.

    I think, though, the safest thing in the end would be a reformat! I hate to give up, but it may prove to be easier in the end (and 100% effective) . Then, be sure to have some good protection in place as per my linky below.

    Also, if you are able, could you please Zip and attach those two files for me?

    PP

  8. #18

    Hi greenfish,

    I was messing around and put together a possible fix for this baddie. If you like, you are welcome to try it - If you haven't already reformatted . . . .

    - - Download RooGooKillerXP to your desktop and extract the RooGooKiller Folder to your desktop. Do not run it from inside the Zip.
    - - Boot to Safe Mode
    - - Open the RooGooKiller Folder and DoubleClick RunThis.bat and allow the tool to run. Then, run ATF-Cleaner.exe as you did before, REBOOT and give me a HJT Log and let me know if that had any effect....

    BTW - This is strictly a "Run at your own risk" proposition. Please bear that in mind . . . Though, if a reformat is in the works anyway, no worries if we mess something up!


    Cheers
    PP
    Last edited by PhilliePhan; 12-22-2006 at 08:52 PM.

  9. #19

    Hi greenfish,

    I'd like to add one more thing

    I was talking to a friend about this and she suggested that, after removing the visible baddies, it might be necessary to reset TCP/IP as per the instructions in the link below:

    http://support.microsoft.com/kb/299357


    I should probably include the netsh int ip reset resetlog.txt command in the fix I put together.


    She also told me that combofix.exe should be able to remove the visible components of this malware.
    -- First, delete old combofix.exe already on your machine
    -- You should download a fresh combofix.exe to your Desktop and leave it there.
    -- Then, boot to SAFE MODE
    -- Click Start > Run and enter the following exactly as it is here: "%userprofile%\desktop\combofix.exe" /wow
    (if need be, you can save it locally to notepad and copy&paste it into the box)

    Let the tool run and submit the combofix log along with a fresh HJT log.

    It may be a good idea to rerun the above combofix.exe steps. In re-examining all of the various logs, I see an item I missed! It is a different piece of malware - probably from last summer.
    It looks like Adware to deliver popups. I missed it because I thought it was a Chinese language plug-in.


    04/17/2006 10:02 PM 188,413 bg_ppgoumini.exe

    Checking %WinDir% folder...
    aspack 6/25/2006 11:31:32 PM 100170 C:\WINDOWS\IEYHelper.dll (Eastday Corporation)
    aspack 6/25/2006 11:32:26 PM 98896 C:\WINDOWS\YayaBands.dll (Eastday Corporation)
    aspack 6/28/2006 12:19:44 AM 158288 C:\WINDOWS\YayaVerAtl.dll (Eastday Corporation)

    Checking %System%\Drivers folder and sub-folders...
    UPX! 6/25/2006 11:23:58 PM 71402 C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys (中国互联网络信息中心(CNNIC))

    Sorry about all the "fragmented" advice! I've been really busy lately, but this piece of malware was bugging me, so I asked a few friends about it and thought I should pass along their suggestions.

    Best Luck & Happy Holidays
    PP
    Last edited by PhilliePhan; 12-20-2006 at 07:26 PM.

  10. #20
    PP, thank you so much for your, and your friends', suggestions! Sorry I didn't have the chance to deal with my computer yesterday. I may try what your friends said in the next few days. (things are going crazy these days ^_^) Will definitely let you know the results. If that still doesn't work, I would have to do the re-installation.

    Thanks again and wish you a Merry Christmas & Happy New Year!
