cold popups to www.loadingwebsite.com and others...


  • This topic is locked
46 replies to this topic

#1 sobeflyer

sobeflyer

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 30 April 2005 - 01:52 PM

Help! I have been invaded with something that I can't get rid of...

I am getting cold popups (while IE is not running) to websites that include the following:
www.loadingwebsite.com/....
www.inqwire.com/...
adserver.sharewareonline.com/...
64.192.130.141/...
adopt.hbmediapro.com/...
www.partypoker.com
adv.eblocs.com
www.spyhear.com
(and others...)

I have run up to date versions of the following:
Norton AV2005
Ad-Aware SE
TrojanHunter
HiJack This

All seem to find and remove stuff on a daily basis. I "fixed" several R3 lines and "host" entries with HJT and that helped a few symptoms. TrojanHunter first found and removed 9 trojans. Now, it seems to recurringly find them and delete them. Also, I caught a program called "Web Offer Installer" running in my taskbar, and deleted it. I have deleted Web Offer several times now, but something somewhere else is continually installing and loading adware/trojans as fast as I can get rid of them.
Thanks for any help...

Here's most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:53 PM, on 4/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [tsvcin] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE
O4 - Startup: Canon MultiPASS Server.lnk = c:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\PalmOne\hotsync.exe
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: eCrew Delta Technology V14141 - http://ecrew.delta-air.com/eCrew14141.cab
O16 - DPF: eCrew Delta Technology V14169 - http://ecrew.delta-air.com/eCrew14169.cab
O16 - DPF: eCrew Delta Technology V14170 - http://ecrew.delta-air.com/eCrew14170.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: eCrew Delta Technology V14180 - http://ecrew.delta-air.com/eCrew14180.cab
O16 - DPF: eCrew Delta Technology V14200 - http://ecrew.delta-air.com/eCrew14200.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 30 April 2005 - 03:59 PM

Hello sobeflyer and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [tsvcin] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Win98 Show Hidden files/delete files

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\N20050308.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE
C:\WINDOWS\SYSTEM\nsvsvc\ <--folder
C:\WINDOWS\SYSTEM\PICSVR\ <--folder
C:\PROGRAM FILES\ezula\ <--folder
C:\PROGRAM FILES\Web Offer\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot your computer normally.
  • Start AdAware SE
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 30 April 2005 - 06:51 PM

OldTimer,
Thank you for taking up my case!!!

I performed the above steps with the following to note:

1. When I rerun HJT in Safe Mode, the following items did not show up:
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE

I suspect that the earlier run of AdAwareSE that I performed had them delete upon startup, and so they were deleted when I restarted in SafeMode.

2. I deleted the files you listed, except that N20050308.exe existed in BOTH the PROGRAM FILES directory and the WINDOWS directory. I only deleted the one in the PROGRAM FILES directory as you indicated. SHOULD I GO BACK AND DELETE THE COPY IN THE WINDOWS DIRECTORY?????

3. When I ran AdAwareSE again, it detected NO critical items. While it was scanning, several instances of IE popped up again, so the problem is still existent.

Here's most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:54 PM, on 4/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Canon MultiPASS Server.lnk = c:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\PalmOne\hotsync.exe
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: eCrew Delta Technology V14141 - http://ecrew.delta-air.com/eCrew14141.cab
O16 - DPF: eCrew Delta Technology V14169 - http://ecrew.delta-air.com/eCrew14169.cab
O16 - DPF: eCrew Delta Technology V14170 - http://ecrew.delta-air.com/eCrew14170.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: eCrew Delta Technology V14180 - http://ecrew.delta-air.com/eCrew14180.cab
O16 - DPF: eCrew Delta Technology V14200 - http://ecrew.delta-air.com/eCrew14200.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
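The exchange above turns on comparing two HijackThis logs: OldTimer names nine lines to fix, and the next log should no longer contain them (nor the nsvsvc/picsvr processes that were running). The following is an added example written for this page, not code from the thread or from HijackThis itself; it parses the R/O entry lines and the "Running processes" block, diffs two logs, and checks a fix list against a log. The two log excerpts and the fix list are constructed from the lines quoted in this thread and are not the complete logs.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Constructed excerpts (not the full logs) of the two logs posted in this thread:
# the 1:50 PM scan before the fix and the 6:39 PM scan after it.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:50:53 PM, on 4/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tsvcin] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:39:54 PM, on 4/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# The nine lines OldTimer asked to have fixed in Step #3 of his first reply.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [tsvcin] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\EZSTUB.EXE
""".strip().splitlines()


def parse_hjt(text):
    """Return (processes, entries): the paths under 'Running processes:' and a
    list of (section, body) tuples for every R/O entry line."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def diff_logs(before, after):
    """Entries and processes that disappeared or appeared between two logs."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "entries_removed": [e for e in eb if e not in ea],
        "entries_added": [e for e in ea if e not in eb],
        "processes_gone": sorted(set(pb) - set(pa), key=str.lower),
        "processes_new": sorted(set(pa) - set(pb), key=str.lower),
    }


def unresolved(fix_list, log_text):
    """Lines from a fix list that are still present in log_text."""
    _, entries = parse_hjt(log_text)
    present = {f"{sec} - {body}" for sec, body in entries}
    return [line for line in fix_list if line.strip() in present]


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(d['entries_removed'])} entries removed, {len(d['entries_added'])} added")
    print("still unresolved:", unresolved(FIX_LIST, LOG_AFTER))
```

Run against two saved logs, `diff_logs` lists what changed on its own, and `unresolved` answers the question sobeflyer raised here (whether the lines an expert named are really gone) without eyeballing the log. It also reports processes that stopped appearing, which is the other signal OldTimer reads when he says the log "is now clean".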

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 30 April 2005 - 09:27 PM

Hi sobeflyer. Your log is now clean so we know it's not there now. Let's look for some additional items that are not showing in the log.

Please do the following:
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the entire content of that log into this thread and I will review the information when it comes in.

OT

#5 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 30 April 2005 - 11:59 PM

When I double click l2mfix.bat, I get a DOS window that pops up, then a notepad window that pops up showing:

"Not compatible with 9x or windows nt"

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 01 May 2005 - 12:48 AM

Hi sobeflyer. My mistake. I wasn't thinking about you using Windows 98. Please do the following:

Download Agent Ransack and install it.
  • Start Agent Ransack.
  • Put a check in the Expert User checkbox (upper right-hand corner).
  • Copy/paste the line below into the Containing text field:
    • (UMonitor|IsProcessorFeaX|NictechNetworks)+
  • Copy/paste the line below into the Look in: field:
    • C:\windows\system
  • Uncheck the box to Search subfolders.
  • Click the Start search button.
  • When the search is finished go to File>Save Results and
    • Select Clipboard.
    • Uncheck File contents.
    • Now click the Save button.
The data will now be on the clipboard. Please use the Add Reply button and paste the data from the clipboard back into this topic.

I will review the information when it comes in.

OT

#7 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 01 May 2005 - 08:44 AM

Here is what was saved to the clipboard:

C:\windows\system\DVVACM.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\MTR2C.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\SAOOLSS.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\GBOUPPOL.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\APRESX32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\WMBCHECK.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\LGOUSE32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\MX3216.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\DBNLOBBY.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\BpCmd.dll (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\iA1xgdev.dll (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\mfimusic.dll (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\LBKRN62N.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\DJCOBJ.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\mcpbde40.dll (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\DZSCRIPT.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\wlnetmgr.dll (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\ASICAP32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\windows\system\igfxrplk.lrc (440 KB, 8/8/00 2:09:46 PM)
C:\windows\system\mwc71.dll (222 KB, 4/24/05 7:52:04 PM)

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 01 May 2005 - 02:12 PM

Hi sobeflyer. I think we found the culprit. Please print these directions and then proceed with the following steps in order.

Step #1

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\windows\system\DVVACM.DLL
      C:\windows\system\MTR2C.DLL
      C:\windows\system\SAOOLSS.DLL
      C:\windows\system\GBOUPPOL.DLL
      C:\windows\system\APRESX32.DLL
      C:\windows\system\WMBCHECK.DLL
      C:\windows\system\LGOUSE32.DLL
      C:\windows\system\MX3216.DLL
      C:\windows\system\DBNLOBBY.DLL
      C:\windows\system\BpCmd.dll
      C:\windows\system\iA1xgdev.dll
      C:\windows\system\mfimusic.dll
      C:\windows\system\LBKRN62N.DLL
      C:\windows\system\DJCOBJ.DLL
      C:\windows\system\mcpbde40.dll
      C:\windows\system\DZSCRIPT.DLL
      C:\windows\system\wlnetmgr.dll
      C:\windows\system\ASICAP32.DLL
      C:\windows\system\mwc71.dll
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.

Step #2

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #3

Please run at least 2 of the following on-line virus scans:
Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #4

Update AdAware SE (there was an update put out late last week) and run a new scan. Please make sure that you have the following settings:
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

#9 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:17 AM

Posted 05 May 2005 - 03:37 PM

Old Timer,
I apologize for the delay, as I have been out of town working for a few days. Anyway, I performed the KillBox action, and the CCleaner too. While performing the virus scans, the popups continued piling up and eventually locked the system up several times. Something keeps putting malware on my system, probably on restarts. I routinely perform Trojan Hunter scans and get the following programs:

appsetup.exe
nsvsvc.exe
picsvr.exe

Also, I re-ran AgentRansack with the search criteria as before, and I get the following:

C:\WINDOWS\USER.DAT (1565 KB, 5/4/05 10:38:14 PM)
C:\WINDOWS\icont.exe (42 KB, 5/1/05 6:26:10 PM)
C:\WINDOWS\iconu.exe (50 KB, 5/1/05 5:26:10 PM)
C:\WINDOWS\INF\DRVIDX.BIN (1185 KB, 4/24/05 8:43:20 PM)
C:\WINDOWS\INF\DRVDATA.BIN (354 KB, 4/24/05 8:43:20 PM)
C:\WINDOWS\HELP\windows.chw (596 KB, 1/5/03 2:37:20 PM)
C:\WINDOWS\Temporary Internet Files\Content.IE5\2VSZ23IX\cold_popups_to_wwwloadingwebsitecom_and_others-t17337[2].html (110 KB, 5/1/05 9:50:54 PM)
C:\WINDOWS\SYSTEM\DVVACM.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\MTR2C.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\WRW32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\SAOOLSS.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\GBOUPPOL.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\APRESX32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\WMBCHECK.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\LGOUSE32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\DBNLOBBY.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\BpCmd.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\iA1xgdev.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\mfimusic.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\LBKRN62N.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\DJCOBJ.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\mcpbde40.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\imrdbs.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\DZSCRIPT.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\wlnetmgr.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\ASICAP32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\igfxrplk.lrc (440 KB, 8/8/00 2:09:46 PM)
C:\WINDOWS\SYSTEM\DPVMGR32.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\NJNDS.DLL (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\mwc71.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\nrjD313.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\jlmd400.dll (222 KB, 4/24/05 7:52:04 PM)
C:\WINDOWS\SYSTEM\Rzched32.dll (222 KB, 4/24/05 7:52:04 PM)
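The Agent Ransack search OldTimer asked for in post #6 (a content search for the strings UMonitor, IsProcessorFeaX and NictechNetworks in C:\windows\system with subfolders excluded) and the listing it produced above, a run of differently named DLLs that all share one size and one timestamp, can both be expressed as a small script. The following is an added example written for this page, not code from the thread or from Agent Ransack. It builds a constructed sample folder in a temporary directory, so the file names, contents and timestamps are made up to mirror the listing and nothing on the reader's machine is read or changed; the 222 KB size is not reproduced, only the pattern of identical size and time.

```python
import os
import re
import tempfile
import time
from collections import defaultdict

# Marker strings from OldTimer's Agent Ransack search, compiled as a bytes
# pattern so binary files can be searched without decoding them.
MARKERS = re.compile(rb"(UMonitor|IsProcessorFeaX|NictechNetworks)+")


def find_marked_files(root, pattern=MARKERS, recurse=False):
    """Return sorted [(path, size, mtime)] for files under root whose bytes
    match pattern. recurse=False mirrors leaving 'Search subfolders' unchecked."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []          # stop os.walk from descending
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue              # locked or unreadable file: skip it
            if pattern.search(data):
                st = os.stat(path)
                hits.append((path, st.st_size, int(st.st_mtime)))
    return sorted(hits)


def cluster_by_size_and_time(hits, min_count=3):
    """Group hits by (size, mtime) and return groups of at least min_count
    files, largest first. Many files with one size and one timestamp but
    unrelated names is the pattern visible in the listing above."""
    groups = defaultdict(list)
    for path, size, mtime in hits:
        groups[(size, mtime)].append(path)
    big = [(k, v) for k, v in groups.items() if len(v) >= min_count]
    return sorted(big, key=lambda kv: -len(kv[1]))


def build_sample_dir():
    """Constructed sample: a fake 'system' folder with five same-size,
    same-time DLLs carrying a marker, one unrelated file without it, and a
    subfolder holding a marked file that a non-recursive search must skip."""
    root = tempfile.mkdtemp(prefix="sample_system_")
    stamp = int(time.mktime((2005, 4, 24, 19, 52, 4, 0, 0, -1)))
    filler = b"\x00" * 200
    for name in ["DVVACM.DLL", "MTR2C.DLL", "SAOOLSS.DLL", "BpCmd.dll", "mwc71.dll"]:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ" + filler + b"UMonitor" + filler)   # 410 bytes
        os.utime(path, (stamp, stamp))                       # identical mtime
    with open(os.path.join(root, "igfxrplk.lrc"), "wb") as fh:
        fh.write(b"MZ" + filler * 2)                         # no marker
    sub = os.path.join(root, "nested")
    os.mkdir(sub)
    with open(os.path.join(sub, "note.txt"), "wb") as fh:
        fh.write(b"NictechNetworks")
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    hits = find_marked_files(root)
    for path, size, mtime in hits:
        print(f"{path} ({size} bytes, {time.ctime(mtime)})")
    for (size, mtime), paths in cluster_by_size_and_time(hits):
        print(f"cluster: {len(paths)} files of {size} bytes stamped {time.ctime(mtime)}")
```

On a real machine the same two calls would be `find_marked_files(r"C:\windows\system")` followed by `cluster_by_size_and_time(...)`; the cluster step is what turns a long list of odd names into the single observation that matters for triage, namely that one batch of files was dropped together.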

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 05 May 2005 - 06:49 PM

Hi sobeflyer. Thanks for that information. I need a new HijackThis log also.

Cheers.

OT

#11 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • Local time:09:17 AM

Posted 06 May 2005 - 06:56 AM

I have also been running several .exe files that are in my c:\windows folder through VirusTotal. Several of the recently dated items are showing up positive under one or two of their search databases. I have been deleting them.
Here's HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:53:00 AM, on 5/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\APPLICATION DATA\IODR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Rwsb] C:\WINDOWS\Application Data\iodr.exe
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [Rwsb] C:\WINDOWS\Application Data\iodr.exe
O4 - Startup: Canon MultiPASS Server.lnk = c:\Program Files\Canon\MultiPASS\monitr32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\PalmOne\hotsync.exe
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: eCrew Delta Technology V14141 - http://ecrew.delta-air.com/eCrew14141.cab
O16 - DPF: eCrew Delta Technology V14169 - http://ecrew.delta-air.com/eCrew14169.cab
O16 - DPF: eCrew Delta Technology V14170 - http://ecrew.delta-air.com/eCrew14170.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: eCrew Delta Technology V14180 - http://ecrew.delta-air.com/eCrew14180.cab
O16 - DPF: eCrew Delta Technology V14200 - http://ecrew.delta-air.com/eCrew14200.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
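A defender reading the O4 lines in the log above looks first at where each autostart command actually points, because the registry key and the entry name are chosen by whoever wrote the entry. The script below is an added example written for this page; it is not part of HijackThis or of any tool in the thread. It parses the registry-based O4 lines (Startup-folder lines are skipped), extracts the image path from the command, and flags entries that run from a user-writable data directory or that give only a bare executable name with no path. The sample lines are copied from the log above; the `SUSPECT_DIRS` list and the flag wording are assumptions of the example. Note that an item sitting in the SYSTEM directory passes a location-only check, which is the limit of this heuristic.

```python
"""Triage HijackThis O4 (autostart) lines by where the command points.

Added example for this page, not part of HijackThis. Heuristics are
deliberately simple: location of the image and whether a path is given at all.
"""
import re

# "O4 - HKLM\..\Run: [Name] command"  (Startup-folder lines do not match)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Directories an ordinary startup item should not live in (assumption of this example).
SUSPECT_DIRS = ("\\application data\\", "\\temp\\", "\\temporary internet files\\")

# Constructed sample: lines copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKCU\..\Run: [Rwsb] C:\WINDOWS\Application Data\iodr.exe
O4 - HKCU\..\RunServices: [Rwsb] C:\WINDOWS\Application Data\iodr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\PalmOne\hotsync.exe
"""


def extract_image_path(cmd):
    """Pull the executable path out of a Run-key command string.

    A quoted command yields the quoted part; otherwise tokens are joined until
    one ends in .exe, which keeps spaces such as 'Application Data' intact.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    acc = []
    for tok in cmd.split(" "):
        acc.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(acc)


def parse_o4(text):
    """Return one dict per registry O4 line: hive, key, name, cmd, path."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["path"] = extract_image_path(entry["cmd"])
        entries.append(entry)
    return entries


def triage(text):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    flagged = []
    for entry in parse_o4(text):
        reasons = []
        low = entry["path"].lower()
        if "\\" not in low:
            reasons.append("bare filename, resolved through the search path")
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("runs from a user-writable data directory")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["hive"]}\\..\\{f["key"]} [{f["name"]}] -> {f["path"]}')
        for r in f["reasons"]:
            print("    ", r)
```

The same `Rwsb` entry is flagged twice here, once under Run and once under RunServices, which mirrors what the log shows: the same image registered in two autostart locations.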

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 06 May 2005 - 03:36 PM

Hi sobeflyer. Let's try this.
  • Download VX2Finder9x(126).exe to your desktop.
  • Locate the VX2Finder9x(126).exe file on your desktop and double-click on it to start the program.
  • Click on the Click to find VX2.BetterInternet button.
  • When the scan is done click the Make Log button.
Notepad should open up with the information in it. Please copy/paste that information back here and I will review it when it comes in.

DO NOT click any of the other buttons until I have had a chance to review the information and instruct you to do so. Doing so can harm your computer and cause it to quit functioning.

OT


#13 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • Local time:09:17 AM

Posted 06 May 2005 - 08:00 PM

Old Timer,

When I clicked Find, the following displayed in the status after only a few seconds:

Files Found---


User Agent String---
{DFDEF84C-6B03-01D7-8AC4-E51F20B1C643}


When I clicked "Make Log" nothing happened. I had to cut and paste it here.

-SobeFlyer

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:11:17 AM

Posted 07 May 2005 - 12:32 PM

Hi sobeflyer. It looks like you have an older version of the VX2 infection. Let's get a tool for finding that version.
  • Download VX2Finder9x.exe to your desktop.
  • Locate the VX2Finder9x.exe file on your desktop and double-click on it to start the program.
  • Click on the Click to find VX2.BetterInternet button.
  • When the scan is done click the Make Log button.
Notepad should open up with the information in it. Please copy/paste that information back here and I will review it when it comes in.

DO NOT click any of the other buttons until I have had a chance to review the information and instruct you to do so. Doing so can harm your computer and cause it to quit functioning.

Cheers.

OT


#15 sobeflyer

sobeflyer
  • Topic Starter

  • Members
  • 31 posts
  • Local time:09:17 AM

Posted 07 May 2005 - 02:01 PM

Old Timer,
This version produces exact same results as the other. When it runs, it quickly displays:

Files Found---


User Agent String---
{DFDEF84C-6B03-01D7-8AC4-E51F20B1C643}

And clicking Log File button does nothing.
