
Thread: HELP - no internet connection due to "aelupsvc32.dll"

  1. #21
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by greenfish:
    Thanks again and wish you a Merry Christmas & Happy New Year!
    The same to you!
    'Tis the season to be jolly . . . Not to be tied up with computer issues!


    By all means, take your time! If you don't mind me using your computer as a "guinea pig" to try a bunch of different fixes, I think we could eventually get it back to running smoothly - again, with rootkits, you never know. But we could remove a bunch.

    -- I am going to try to rework my removal tool, so let me know ahead of time before you try it. I may have an update.

    -- Definitely do the combofix.exe in safe mode that I described in the last post. Do that first - It should remove a few things.
    You should navigate to and delete those other items I listed as well - unless you recognize them as something you want to keep.




    Merry Christmas!
    PP

  2. #22
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by PhilliePhan:
    Hi greenfish,

    I was messing around and put together a possible fix for this baddie. If you like, you are welcome to try it - If you haven't already reformatted . . . .

    - - Download RooGooKillerXP to your desktop and extract the RooGooKiller Folder to your desktop. Do not run it from inside the Zip.
    - - Boot to Safe Mode
    - - Open the RooGooKiller Folder and DoubleClick RunThis.bat and allow the tool to run. Then, run ATF-Cleaner.exe as you did before, REBOOT and give me a HJT Log and let me know if that had any effect....

    BTW - This is strictly a "Run at your own risk" proposition. Please bear that in mind . . . Though, if a reformat is in the works anyway, no worries if we mess something up!
    Have put together a bit of an updated version of the above. Haven't had time to test it . . . .
    It addresses only the LSP Hijacker.

    It should be run in Safe Mode as per the instructions above.
    -- A log should pop up in Notepad. Please attach it with a fresh HJT.

    No rush . . . . We'll be around!


    Merry Christmas
    PP
    Last edited by PhilliePhan; 01-26-2007 at 06:45 PM.

  3. #23
    Join Date
    Dec 2006
    Posts
    1
    Well, I'm new to this useful forum here. As for the topic stated, I also had this threat before and successfully used the same tool, combofix, provided by sifu sUBs. The final solution is to reinstall the TCP/IP protocol once combofix has deleted the infected DLL files. So far, I haven't encountered any problem yet.

    Here's the link to my "saviour": http://forum.lowyat.net/topic/386752 Thanks anyway, your steps to remove these threats are very detailed. From now on, I'll keep in touch with y'all.

    Merry Christmas & Happy New Year!
    Last edited by barry80; 12-23-2006 at 10:15 PM.

  4. #24
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by barry80:
    I also had this threat before and successfully used the same tool, combofix, provided by sifu sUBs. The final solution is to reinstall the TCP/IP protocol once combofix has deleted the infected DLL files. So far, I haven't encountered any problem yet.
    Hi Barry and Welcome!

    I agree that most of the visible components of this malware can be removed via Combofix when it is run in Safe Mode as per earlier instructions.
    -- Of course, whenever you are dealing with a rootkit, there is always a question of whether you removed everything. . .

    -- I also wonder whether combofix removed the registry keys associated with the infection. The fix I put together addresses this as well as the connectivity issue all in one fell swoop (I have not been able to test it yet, though). I wonder if remnants remain in your registry?

    -- Also, greenfish has a few other malware issues I neglected because I made the mistake of assuming they were Chinese language plug-ins. The lesson for me is to never assume!!!


    Merry Christmas & Happy New Year!
    pp

  5. #25
    Join Date
    Dec 2006
    Posts
    12
    Quote Originally Posted by PhilliePhan:
    Hi greenfish,
    She also told me that combofix.exe should be able to remove the visible components of this malware.
    -- First, delete old combofix.exe already on your machine
    -- You should download a fresh combofix.exe to your Desktop and leave it there.
    -- Then, boot to SAFE MODE
    -- Click Start > Run and enter the following exactly as it is here: "%userprofile%\desktop\combofix.exe" /wow
    (if need be, you can save it locally to notepad and copy&paste it into the box)

    Let the tool run and submit the combofix log along with a fresh HJT log.

    It may be a good idea to rerun the above combofix.exe steps. In re-examining all of the various logs, I see an item I missed! It is a different piece of malware - probably from last summer.
    It looks like adware to deliver popups. I missed it because I thought it was a Chinese language plug-in.


    04/17/2006 10:02 PM 188,413 bg_ppgoumini.exe

    Checking %WinDir% folder...
    aspack 6/25/2006 11:31:32 PM 100170 C:\WINDOWS\IEYHelper.dll (Eastday Corporation)
    aspack 6/25/2006 11:32:26 PM 98896 C:\WINDOWS\YayaBands.dll (Eastday Corporation)
    aspack 6/28/2006 12:19:44 AM 158288 C:\WINDOWS\YayaVerAtl.dll (Eastday Corporation)

    Checking %System%\Drivers folder and sub-folders...
    UPX! 6/25/2006 11:23:58 PM 71402 C:\WINDOWS\SYSTEM32\drivers\cdnprot.sys (中国互联网络信息中心(CNNIC))



    PP

    PP, thank you for your continuous efforts! However, I re-installed Windows XP yesterday, which took me a really long time, after performing the steps above that you gave me last time, which failed again. The new Combofix log and HJThis log don't look different from the previous ones, and the internet connection didn't come back. Attached are the logs that I saved from the operation. FYI.

    Meanwhile, I couldn't delete iExpl0re.dll and the other file that you mentioned before.

    Anyway, thank you sooooooooo much for your help all these days! I really appreciate that! This forum is really a good place and the people here are so nice! Wish you all a Happy New Year!

    -- Greenfish

  6. #26
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi greenfish,
    May I ask, did you totally unhook the internet cable from the computer and then do a complete reformat and reload when you did your reinstall or did you just install XP on top of the previous install while the computer was attached to the internet?
    The reason I ask is that you are right, this HJT log doesn't look much different than the others, and with a reformat/reload it really should look different. This baddie:
    O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe
    remains for sure. The O10 entry has changed somewhat, now showing:
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\aelupsvc32.dll' missing.

    A couple of questions just to clarify for me really, since PP is the one working this thread:
    Do you KNOW what the program Winstar is? Does it show in Add/Remove? Is it something that you, personally installed?

    My search for Winstar finds several different programs this could be referring to:

    it could be a data system company providing wireless, broadband, and data communications to businesses, generally.

    it could be a group of casinos located in Texas.

    it could be Winstar Display, located in Taiwan.

    And it is also WinStar astrology software.

    These are just a few of the companies I have found, there are others.

    The reason I asked if you did a full reformat and reload of XP is that if you HAD done a full reformat, then this program shouldn't have reappeared unless you also reinstalled "something" other than XP. The key to reformat and reload is that it should wipe the hard drive, then reinstall XP, then install your internet service, update XP completely, and then see if the computer works correctly.
    You are also showing McAfee AND Norton anti-virus programs, or at least a portion of each, in this log. Your first log did not show any Norton programs running; they came in after the second run. I may be missing it, but I don't see anywhere that you installed Norton Anti-virus after posting this thread. Do you know, is the McAfee a result of the AOL Security Service? Or what is the McAfee entry referring to?

    This NEW log is also showing THIS running process, which DID NOT appear in ANY of the other logs:

    C:\WINDOWS\system32\conime.exe >>> this is indicative of BFGhost 1.0, which is a RAT: A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.
    Now I do want to say here that if your system is using a non western language this can be a legitimate entry but it had NOT shown before in your logs so this is why I am questioning it now.

    I would also like to know what this process is, since it did not show in any other logs either:
    d:\sas\CORE\SASEXE\SASOACT.EXE
    It may be perfectly fine but why was it running this time and no other?
    I cannot stress enough that each time HJT is run that all other unnecessary programs should be turned off.
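
The two log entries Judy calls out above (an O4 autorun whose file name imitates a system binary with a digit zero, and an O10 Winsock LSP provider that is still registered but missing on disk), together with her point that a process appearing in one HJT capture and not the others deserves a question, can be checked mechanically rather than by eye. The following Python is an added example written for this page, not a tool posted by anyone in the thread: it parses constructed HijackThis-style log text modelled on the entries quoted above, diffs the running-process lists between two captures, and flags the two entry types. The sample logs, the KNOWN_BINARIES list and the wording of the findings are all constructed for the example.

```python
import re
from os.path import basename
from typing import List, Optional

# Constructed HijackThis-style log excerpts (not the logs attached in the thread),
# modelled on the entries quoted in the discussion above.
OLD_LOG = r"""Logfile of HijackThis (constructed sample, earlier capture)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan\mcshield.exe

O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\aelupsvc32.dll' missing
"""

NEW_LOG = r"""Logfile of HijackThis (constructed sample, later capture)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
d:\sas\CORE\SASEXE\SASOACT.EXE

O4 - HKLM\..\Run: [WinStar] C:\WINDOWS\IEXPL0RE.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\aelupsvc32.dll' missing
"""

# Assumed list of Windows binaries whose names are commonly imitated by malware
# with digit-for-letter swaps; extend to taste.
KNOWN_BINARIES = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                  "winlogon.exe", "services.exe", "csrss.exe"}

# Digits that pass for letters in a file name: 0 for o, 1 for l.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(
    r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing")


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, capture = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            capture = True
            continue
        if capture:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def new_processes(old_log: str, new_log: str) -> List[str]:
    """Processes present in new_log but absent from old_log (case-insensitive, order kept)."""
    seen = {p.lower() for p in running_processes(old_log)}
    return [p for p in running_processes(new_log) if p.lower() not in seen]


def looks_like_system_binary(path: str) -> Optional[str]:
    """If the file name is a digit-for-letter imitation of a known binary, return the genuine name."""
    name = basename(path.replace("\\", "/")).lower()
    normalized = name.translate(HOMOGLYPHS)
    if normalized != name and normalized in KNOWN_BINARIES:
        return normalized
    return None


def triage(log: str) -> List[str]:
    """Flag O4 autoruns with lookalike file names and O10 entries pointing at a missing LSP DLL."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            mimic = looks_like_system_binary(m["cmd"])
            if mimic:
                findings.append(
                    f"O4 autorun [{m['name']}] runs {m['cmd']}: file name imitates {mimic}")
            continue
        m = O10_RE.match(line.strip())
        if m:
            findings.append(
                f"O10 Winsock LSP catalog references missing DLL {m['dll']}: "
                "network stack stays broken until that catalog entry is repaired")
    return findings


if __name__ == "__main__":
    for proc in new_processes(OLD_LOG, NEW_LOG):
        print("new process since earlier capture:", proc)
    for finding in triage(NEW_LOG):
        print(finding)
```

The process diff only produces questions, not verdicts: here it surfaces conime.exe and SASOACT.EXE exactly as Judy's comparison did, and PP's later post is what settles conime.exe as Microsoft's Console IME. The O10 finding is the connectivity symptom the whole thread is about: once the hijacking LSP DLL has been deleted, the Winsock catalog still points at it and the stack stays broken until that chain is repaired, which is why barry80's fix ended with reinstalling TCP/IP after combofix removed the file.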

  7. #27
    Join Date
    Aug 2006
    Posts
    578


    Hi guys,

    -- I think those logs were from before the reformat, Judy.

    -- I have run across conime.exe before. Chaslang and I (at MGs) discussed it at length and determined it to be safe:
    Microsoft Console IME (Input Method Editor) for Asian language input - Seems logical to assume in greenfish's case ( of course I assumed similar before.... )

    -- Greenfish,
    Did you run Combofix in Safe Mode using the command I mentioned a few posts ago? The reason I ask is that it should have removed the baddies as it did for Barry. Also, the log would reflect differently...

    Ahhhh . . . All's well that ends well, I guess



    Happy New Year
    PP

  8. #28
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Thanks, PP. I wondered about the non-western language reference concerning this; that is why I included it. I just really wondered why this never showed in any of the other logs... I also wonder about the sudden appearance of the Norton programs when they were not present in the very first log.

  9. #29
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by PhilliePhan:
    -- Also, I still see both McAfee and Symantec AV in your HJT log. You should choose one and remove the other to prevent conflicts and to free up some system resources.
    Hi Judy,

    The Norton appeared a number of logs back. I assumed (man, I've been doing a lot of that these days - don't have the patience I used to,
    I guess...) that greenfish had installed it after having problems with McAfee. Hence the post.

    Happy New Year

  10. #30
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Guess this thread is closed. Seems to be just you and I posting in it now, PP.
    Happy New Year to you too!
