Computer Cops

Losing Battle to Casprog -- Please help.

 
jrt
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA

PostPosted: Fri Apr 23, 2004 4:52 pm    Post subject: Losing Battle to Casprog -- Please help.

I have been marooned on "Adware Island" for almost a month.

I have attempted any number of fixes and fudges to try to rid myself of this casprog thing and its legion of invading cohorts. Mostly, I think I have just managed to put my finger in my own eye.

I have purged with Ad-aware and Spybot till the cows came home. I found and used HijackThis without appropriate instruction or the good sense to seek additional help. I deleted, removed, and destroyed dozens of what appeared to me to be evil entries in my registry.

Ultimately, I reloaded WindowsXP Home and reimported all updates. I updated Symantec (actually bought and installed 2004 SystemWorks), reinstalled Office, etc. Then reran Ad-aware and Spybot. Then again. Then several more times.

[This bit written as of April 23 -- My system is now running. I have not experienced any malware symptoms today, but, guess what, casprog is still there.

And then, there's this thing called MediaTickets; I haven't a clue what it is. For all I know it is an announcement that I've won the Bill Gates Powerball contest and merely have to press button A to have $10,000,000 deposited in my account, or alternatively it may be the .exe file for launching Word. However, I've deleted it a dozen or so times and it keeps coming back.]

This is the condition as of April 26: System currently running but my browser is still subject to being hijacked by various coolshader type search engines and/or porn offerings. I have successfully eliminated all remnants of the name "casprog" and all related "unist_cp" or "uinst_cp" named files. MediaTickets seems to be gone. I get no significant hits from either SpyBot or Ad Aware (one each showing trivial tracking cookies).

When logging on, users are greeted with the following messages:

C:\Windows\System32\services\wmplayer.exe

Could not load or run 'C:\Windows\System32\services\wmplayer.exe'. Make sure you typed the name correctly, then try again. To search for a file, click the Start button, and then Search.


When I click ok, I get:

Desktop

Could not load or run 'C:\Windows\System32\services\wmplayer.exe' specified in registry. Make sure the file exists on your computer or remove.


I will be eternally grateful for a helping hand in guiding me through this maze.

Here is my HijackThis file (Updated):

Logfile of HijackThis v1.97.7
Scan saved at 10:28:35 AM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Onfolio\onfserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [OnfolioStorage] C:\Program Files\Onfolio\onfserv.exe nosignal
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Caao] C:\Documents and Settings\Bob\Application Data\wolw.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Capture &Image To Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: Capture &Page To Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddLinkEntryFromDocument.html
O8 - Extra context menu item: Capture &Snippet To Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentSelection.html
O8 - Extra context menu item: Capture &Target To Onfolio... - res://C:\Program Files\Onfolio\Onfolio.WindowsResources.dll/AddEntryFromDocumentElement.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Onfolio Capture... (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...4011574074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup...mAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab



Thanks for reading this far. As I said earlier, I will be extremely grateful for help, including the admonishment to me of not trying to practice computer medicine without a license, which has clearly gotten me in over my head.

jrt


Last edited by jrt on Mon Apr 26, 2004 11:57 am, edited 5 times in total
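An added example, not part of jrt's post and not code from HijackThis: a small triage pass over the O4 (autostart) lines of a log like the one above. It flags the three things a removal helper checks first: an autostart that launches from a user profile's Application Data folder, a value name and file name that both look machine-generated (the Caao / wolw.exe pattern), and an autostart whose target file no longer exists, which is the situation behind a "Could not load or run ... specified in registry" dialog at logon. The first three sample lines are copied from the log above; the fourth line and the set of "present" paths are constructed so the check runs offline, and the 4-letter-name rule is a heuristic, not a verdict.

```python
import re
from dataclasses import dataclass, field

# HijackThis writes O4 entries in two shapes: registry Run values with the
# value name in brackets, and Startup-folder shortcuts as "name.lnk = target".
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Legitimate autostarts almost never launch from a user's profile data dirs.
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\temp\\")

# Sample input. The first three lines are copied from the posted log; the
# fourth is CONSTRUCTED to model an autostart whose file has been deleted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Caao] C:\Documents and Settings\Bob\Application Data\wolw.exe
O4 - HKCU\..\Run: [WMPlayer] C:\Windows\System32\services\wmplayer.exe
"""

# CONSTRUCTED stand-in for the file system: the paths that exist on the box.
SAMPLE_PRESENT = {
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\Program Files\ATI Multimedia\main\launchpd.exe",
    r"C:\Documents and Settings\Bob\Application Data\wolw.exe",
}


@dataclass
class Finding:
    where: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def target_path(cmd: str) -> str:
    """Return the executable a Run value launches, with its arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # quoted path, args after the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)   # unquoted path that may contain spaces
    if m:
        return cmd[: m.end()]
    return cmd.split(" ", 1)[0]                    # e.g. "RunDll32 cmicnfg.cpl,..."


def looks_random(word: str) -> bool:
    """Heuristic only: 4-letter alphabetic names such as 'Caao' or 'wolw'."""
    return len(word) == 4 and word.isalpha()


def parse_o4(log_text: str):
    """Yield (location, value name, target path) for every O4 line."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            yield m.group("where"), m.group("name"), target_path(m.group("cmd"))


def triage(log_text: str, present) -> list:
    """Return the O4 entries that trip at least one rule.

    `present` is the set of paths that exist on disk. It is passed in rather
    than probed with os.path so a log copied from an infected machine can be
    checked on a clean one.
    """
    present = {p.lower() for p in present}
    findings = []
    for where, name, target in parse_o4(log_text):
        low = target.lower()
        f = Finding(where, name, target)
        if any(mark in low for mark in PROFILE_MARKERS):
            f.reasons.append("runs from user profile data dir")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(name) and looks_random(stem):
            f.reasons.append("random-looking value and file name")
        if "\\" in low and low not in present:
            f.reasons.append("target file missing (dangling autostart)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PRESENT):
        print(f"[{f.where}] {f.name} -> {f.target}: {'; '.join(f.reasons)}")
```

Run against the sample it reports Caao (profile directory, random name) and the constructed WMPlayer entry (file missing). A dangling entry is harmless by itself; the point of flagging it is that it tells you which registry value to remove to make the logon dialog go away, rather than recreating the missing file.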
football
Guest

PostPosted: Fri Apr 23, 2004 5:39 pm    Post subject:

O4 - HKCU\..\Run: [Caao] C:\Documents and Settings\Bob\Application Data\wolw.exe
O4 - HKCU\..\Run: [Rrtn] C:\Documents and Settings\Bob\Application Data\roda.exe

Two applications running here. Do you know about them?
jrt
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA

PostPosted: Fri Apr 23, 2004 6:10 pm    Post subject:

Nope. I have identified them as suspicious but, then, what do I know?
Skip
Guest

PostPosted: Tue Apr 27, 2004 11:33 am    Post subject:

Go to the Control Panel, Add/Remove Programs.
Remove MediaTickets.

Use the file search utility and search all directories for mediatickets. Delete the files

Run regedit and search on mediatickets. Delete all entries.

This will get rid of mediatickets. I don't know where it downloads from but I got it once.
jrt
Cadet
Joined: Apr 23, 2004
Posts: 5
Location: USA

PostPosted: Tue Apr 27, 2004 3:32 pm    Post subject:

Thanks, Skip. I have already managed to delete MediaTickets through a "hunt and peck" method much like you described. Apparently it's the least of my problems.
UrbanCyborg
Guest

PostPosted: Thu Apr 29, 2004 1:21 am    Post subject:

A couple of general tips for problems of this sort.

First, uninstalling your operating system, or even reformatting or destroying the partition, doesn't actually kill most of the data. It only removes formatting marks and a few flags. Reinstalling on top of a disk like that can sometimes inadvertently reinsert malware into operating form. If you're concerned with this sort of thing, grab any decent disk scrubber (I'd use DBAN, Darik's Boot and Nuke, because you can examine its source code, it's free, and it does pretty much the same job as a commercial one) and make sure there's really nothing left on the disk.

A more likely source for the reinfection, though, is infected backup or install files you used when you reinstalled your operating system, programs, and files. I'd check all of them with a checker that can spot the malware in question on a machine you know to be clean (make sure, of course, that you don't give anything on the media you're checking a chance to execute on the test machine; certainly don't copy any of it to that machine, and if AutoRun is enabled for removable media on the machine, disable it completely before testing).

Second, if you want to find out what process or program owns or runs questionable items on your system, visit SysInternals and snag the latest copy of their free utility Process Explorer. Think of it as Task Manager with testosterone injections. It has something of a learning curve, but you're asking questions about things involving system internals already, so you have to expect that. It's an exceedingly powerful tool. You'll find that that site, as well as Windows Internals and FoundStone, has many excellent and free tools, many with downloadable source, if you happen to be a programmer. Besides that, these are the sites for some of the best computer security outfits going, and not only is their code excellent, with much of it free, but you'll find whitepapers, newsletters, and forums with some of the best information of this sort you can get. I've never visited this forum before, so a lot of what I've said may be common knowledge here, but I offer the advice in good faith. Take it for what you will.
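A way to check the AutoRun point in the reply above before putting suspect media into a test machine, added here as an example and not part of UrbanCyborg's post or of any tool he names. Two things are modelled: the NoDriveTypeAutoRun policy value (under ...\Policies\Explorer in HKCU or HKLM), which is a bitmask with one bit per Win32 drive type where a set bit disables AutoRun for that type, and the autorun.inf on the media itself, whose [autorun] section names what would be launched. Assumptions: the bit layout follows the GetDriveType() constants, 0x91 is taken to be XP's default (the value usually cited for it), and the autorun.inf is constructed.

```python
import configparser

# One bit per Win32 drive type, in GetDriveType() order; a set bit in
# NoDriveTypeAutoRun disables AutoRun for that type.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
DISABLE_ALL = 0xFF          # the value to set before testing suspect media
XP_DEFAULT = 0x91           # ASSUMED: the value usually cited as XP's default

# Directives in [autorun] that name something to execute. shell\open\command
# redefines the drive's Open verb, the action Explorer runs on a double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# CONSTRUCTED autorun.inf, of the sort found on an infected removable disk.
SAMPLE_INF = r"""
[AutoRun]
open=setup.exe
icon=setup.exe,0
shellexecute=Recycled\run.exe
shell\open\command=Recycled\run.exe
"""


def autorun_enabled_for(mask: int, drive_type: str) -> bool:
    """True if NoDriveTypeAutoRun=`mask` still allows AutoRun on `drive_type`."""
    return not (mask & DRIVE_BITS[drive_type])


def parse_autorun_inf(text: str) -> dict:
    """Return {directive: value} for the launch directives in an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower      # directive names are case-insensitive on Windows
    cp.read_string(text)
    for section in cp.sections():   # section header may be [autorun] or [AutoRun]
        if section.lower() == "autorun":
            return {k: cp[section][k] for k in LAUNCH_KEYS if k in cp[section]}
    return {}


def would_execute(mask: int, drive_type: str, inf_text: str) -> list:
    """What inserting media carrying `inf_text` into a `drive_type` drive would
    launch on a machine whose NoDriveTypeAutoRun is `mask`."""
    if not autorun_enabled_for(mask, drive_type):
        return []
    return list(parse_autorun_inf(inf_text).values())


if __name__ == "__main__":
    for mask in (XP_DEFAULT, DISABLE_ALL):
        print(f"mask=0x{mask:02X}: {would_execute(mask, 'removable', SAMPLE_INF)}")
```

With 0x91 the removable-drive bit is clear, so the sample would launch setup.exe on insertion; with 0xFF nothing runs automatically. The mask only governs AutoRun itself: on Windows XP of this thread's vintage a shell\open\command line is still honoured when the drive icon is double-clicked in My Computer, so read the media from a command prompt or a scanner, not by opening it in Explorer.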
Danielle
Guest

PostPosted: Thu Jun 24, 2004 2:57 pm    Post subject:

I have Casprog stuck on my computer, and when I go to Add/Remove Programs and remove it, it just says 'uninstalled', but when I go to the Add/Remove list again it's there again. I've tried searching for it as well, but it doesn't come up in the search, and it's slowing down my computer. Any advice?
Guest

PostPosted: Fri Jun 25, 2004 1:10 pm    Post subject:

http://www.computercops.biz/postx24406-0-45.html
Digital Spyders Corp
Guest

PostPosted: Fri Jun 25, 2004 10:43 pm    Post subject: Casprog removal

Hello,

Here is what I did to get rid of a tonne of sticky spy/malware:

1. HijackThis.exe: remove all except for items that start with HO:, and remove all unknown items in msconfig.
2. Ran Ad-aware with a full in-depth scan.
3. SpyBot Search & Destroy.
4. Norton AV 2004 comprehensive scan.

Then for the real sticky stuff I ran:
5. Pest Patrol (very good)
6. Spy Sweeper (even better)

To get CasProg out of your system, delete cp_install.exe in c:\windows\system32\. Whatever you do, don't execute this file; it will install back on your system and you will have to rescan. CP stands for Casino Program.

7. Open regedit and search for casprog and delete all casprog folders. I believe I deleted 2 or 3. Use Find Next to look for more after you find the first one.

8. Reboot and it's gone from the program list in Add/Remove Programs.

Hope this helps.

Brad
http://www.digitalspyders.com
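The search step that Skip's and Brad's replies both describe (the Add/Remove Programs entry, a file search for the name, then regedit's Find for the same name), as an added example that is not part of either post and not code from any tool named in this thread. It only reports what it finds; deleting is left to the operator, because the order matters: take out the registry references first, then the files, and never run the installer stub an entry points at. Assumptions: Python 3 on the affected machine for the live scan (the winreg module is Windows-only); the sample registry entries and the fake directory walker are constructed so the matching logic runs anywhere, and the CasProg Uninstall entry in particular is modelled on Brad's description rather than copied from a real system. On 64-bit Windows the WOW6432Node mirror of these keys would also need scanning.

```python
import os
import sys
from dataclasses import dataclass

# Where a removal helper looks first: the Run keys (autostart) and the
# Uninstall key, whose subkeys are what Add/Remove Programs lists.
KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
]


@dataclass(frozen=True)
class RegEntry:
    key: str    # full key path
    name: str   # value name, or subkey name under Uninstall
    data: str   # value data (UninstallString or DisplayName for Uninstall subkeys)


# CONSTRUCTED sample entries: the ccApp and Caao Run values from the posted
# log, plus an Uninstall subkey for CasProg whose command points at the
# cp_install.exe the reply above says must not be executed.
SAMPLE_ENTRIES = [
    RegEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ccApp",
             r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),
    RegEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Caao",
             r"C:\Documents and Settings\Bob\Application Data\wolw.exe"),
    RegEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CasProg",
             "CasProg", r"C:\WINDOWS\System32\cp_install.exe"),
]


def matches(entry: RegEntry, needle: str) -> bool:
    """Case-insensitive match on key path, value name or data, like regedit's Find."""
    n = needle.lower()
    return n in entry.key.lower() or n in entry.name.lower() or n in entry.data.lower()


def find_references(entries, needle: str) -> list:
    """Every entry that mentions `needle` anywhere; nothing is deleted."""
    return [e for e in entries if matches(e, needle)]


def find_files(needle: str, root: str, walker=os.walk) -> list:
    """Case-insensitive file-name search below `root` (the 'search all
    directories' step). `walker` is injectable so it can be tested offline."""
    n = needle.lower()
    return [os.path.join(d, f) for d, _, files in walker(root)
            for f in files if n in f.lower()]


def scan_live() -> list:
    """Read the keys above from the live registry. Windows only; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = []
    for hive, path in KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue                                   # key absent on this box
        with key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            for i in range(n_val):                     # Run/RunOnce values
                name, data, _ = winreg.EnumValue(key, i)
                out.append(RegEntry(f"{hive}\\{path}", name, str(data)))
            for i in range(n_sub):                     # one Uninstall subkey per program
                sub = winreg.EnumKey(key, i)
                data = ""
                try:
                    with winreg.OpenKey(key, sub) as sk:
                        for value in ("UninstallString", "DisplayName"):
                            try:
                                data, _ = winreg.QueryValueEx(sk, value)
                                break
                            except OSError:
                                pass
                except OSError:
                    pass
                out.append(RegEntry(f"{hive}\\{path}\\{sub}", sub, str(data)))
    return out


if __name__ == "__main__":
    needle = sys.argv[1] if len(sys.argv) > 1 else "casprog"
    entries = scan_live() or SAMPLE_ENTRIES
    for e in find_references(entries, needle):
        print(f"{e.key}\n    {e.name} = {e.data}")
    for path in find_files(needle, os.environ.get("SystemRoot", r"C:\WINDOWS")):
        print(f"file: {path}")
```

Searching for "casprog" finds the Uninstall subkey and, through its data, the file to delete; searching for "cp_install" finds the same entry from the other direction, which is the check to run after a reboot to confirm nothing has recreated it. If the Uninstall subkey keeps coming back (Danielle's symptom), something still running is rewriting it, so the Run-key and process-level findings need to be dealt with before the Add/Remove entry.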
All times are GMT - 5 Hours
Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops