[Chiotty]

Hey there, I've got a problem with a website always popping up, either something of loadingwebsite eg
http://www.loadingwe...rmal/yyy23.html
or http://www.loadingwe...al/belgium.html
or some other vague website:
http://www.9ringtone.com/be/index.php

This is my dad's computer, so I guess he clicked on a link when he shouldn't have, but I can't seem to get rid of it.
ran spybot, adaware, deleted every startup program except my volume control, checked a dozen of websites for a fix, but I'm out of options :/
Any help is appreciated, it's quite annoying, even when I'm typing this, it's popping up.

Using internet explorer 6 on windows 98 SE. I think I did all the windows security updates and deleted all temporary files etc etc.

Posting my hjt: (v1.99.1)

Logfile of HijackThis v1.99.1
Scan saved at 19:19:59, on 15/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://h2om.dipmap.c...hecker_6100.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://h2om.dipmap.c...adFile_6100.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

[Advertisements]

Alright, some new evidence which might help you*admin

I recently installed a firewall to try and stop the pop ups and it seems I achieved some kind of solution, but only a temporary one.
I blocked explorer.exe from connecting to the website www.ad-w-a-r-e.com, but now I can't use internet explorer anymore to browse, so atm I'm using firefox.

The blocked mssg I get from my firewall is:
Outgoing TCP www.ad-w-a-r-e.com [213.61.6.3]
or: Outgoing TCP www.ad-w-a-r-e.com [213.41.76.68]
The ip could be my provider tho, not sure, but the url does not really sound good.

And the fact that it does this automatically in the same frequency that the website used to pop up makes me believe it somehow imported itself into explorer.exe?

I did an antivirus scan yet it didn't show anything there.
Another odd thing is when I start up word, it usually gave me an internet explorer pop up with the loadingwebsite, but now it seems when I start up word spool32.exe is trying to reach the internet??? I thought it was used for printing jobs only and I was not printing anything, I just started MS word.

I blocked this too and the pop up never showed anymore.
So I'm betting the problem lies there somewhere?

Sygate also told me:
Application Hijacking has been detected
The application: C:\Program Files\Microsoft Office\Office\WINWORD.EXE try to launch another application: C:\WINDOWS\SYSTEM\SPOOL32.EXE

Any advice would be nice of you

[Chiotty]

Alright, some new evidence which might help you*admin

I recently installed a firewall to try and stop the pop ups and it seems I achieved some kind of solution, but only a temporary one.
I blocked explorer.exe from connecting to the website www.ad-w-a-r-e.com, but now I can't use internet explorer anymore to browse, so atm I'm using firefox.

The blocked mssg I get from my firewall is:
Outgoing TCP www.ad-w-a-r-e.com [213.61.6.3]
or: Outgoing TCP www.ad-w-a-r-e.com [213.41.76.68]
The ip could be my provider tho, not sure, but the url does not really sound good.

And the fact that it does this automatically in the same frequency that the website used to pop up makes me believe it somehow imported itself into explorer.exe?

I did an antivirus scan yet it didn't show anything there.
Another odd thing is when I start up word, it usually gave me an internet explorer pop up with the loadingwebsite, but now it seems when I start up word spool32.exe is trying to reach the internet??? I thought it was used for printing jobs only and I was not printing anything, I just started MS word.

I blocked this too and the pop up never showed anymore.
So I'm betting the problem lies there somewhere?

Sygate also told me:
Application Hijacking has been detected
The application: C:\Program Files\Microsoft Office\Office\WINWORD.EXE try to launch another application: C:\WINDOWS\SYSTEM\SPOOL32.EXE

Any advice would be nice of you

[Metallica]

First download winsockxpfix from http://www.snapfiles...nsockxpfix.html
Only use it if the follwoing backfires.

Download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of aklsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Then reboot and post a new HijackThis log
If you put any items on the ignore list, could you put them bak please?

Regards,

[Chiotty]

Alright, thx for taking some time to read this

First of all, I'm using windows 98SE, the winsockxpfix is for windows XP only, so it does not work under windows 98.

I have been busy since the last time I posted here, unfortunately without success.
I already ran lspfix to remove the aklsp.dll to no avail. I left all the other dll's alone.

The only file -atm- I see that's causing a problem is the vwb32.dll in my windows\system folder that cannot be removed because it's in use by windows. Not with killbox, not with moveonboot, it's not even there when I boot up with a bootdisk in DOS, so I'm assuming it's constantly being created during windows startup (not sure tho).

Also my host file is constantly being cluttered -even though I use "hoster" to restore my original host- with:

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 xads.offeroptimizer.comm
127.0.0.1 search.offeroptimizer.com
127.0.0.1 ximages.offeroptimizer.com
127.0.0.1 xlime.offeroptimizer.com
127.0.0.1 xadsj-o.offeroptimizer.com
127.0.0.1 xadsj.offeroptimizer.com
127.0.0.1 www.offeroptimizer.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com


HJT
***

Logfile of HijackThis v1.99.1
Scan saved at 17:20:25, on 27/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://h2om.dipmap.c...hecker_6100.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://h2om.dipmap.c...adFile_6100.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

***

Furthermore, every day when I scan my computer with an av program, there's another look2me file created somehow on the hard drive that has to be deleted.
Unfortunately the vwb32.dll is not being detected by the av program (tried kaspersky and panda av) and not by Spybot S&D/Adaware.

I think that's about it.

A similar case to my case:

http://www.annoyance...n98/t1112979433

ello, Just wanted to thank the three of you for responding to my problem, I tried all three,the spyware thingie didn't shift them, thought the favourites thing was going to work, but alas the webpages returned, then I downloaded the new version of zone alarm firewall, and they stopped, so for 15 days I was freeeeeeee, then they took off all the good bits and just left the firewall, so the pages are back. I think I better call a tech, because I am useless, many thanks though guys

I didn't use ZA, but sygate personal firewall, but the effect was the same.
The popup disappeared for 2-3 days, but then it just reappeared.

Any thoughts?

NN

[Metallica]

Nothing wrong with that hosts file. It blocks bad sites.

Download and install: Process Explorer
http://www.sysintern...e/procexp.shtml

You can use it to find which process is holding vwb32.dll

Let me know,

[Chiotty]

Your approach seemed like it would have worked out, but I think I found a cure
The pop up is not appearing anymore (for the moment, let's hope it stays that way )
The resisting dll that just wouldn't let me delete it (vwb32.dll) has been removed
I couldn't see the file in DOS because it was hidden and although I could see it in windows (because I have the option "Show hidden files" always on), it was just not there in DOS.
So in the future I'd recommend letting people reboot with a bootdisk!
Then you have two options:

1) On the bootdisk you should have the following command activated: "ren"
it's a basic command in DOS to rename files. Although DOS cannot see the files, when you know the exact filename you just execute the command (in my case):
ren vwb32.dll vwb32.old
in the right folder of course (c:\windows\system\ in my case) and the extension is of less importance. (eg vwb32.bak, blabla.bla, vwb32.tmp etc etc)
Just remember the file name.
Then reboot back into windows and let killbox delete the file (which will not be in use anymore, because the program calling for it will not find the dll)

2) I haven't tested this method, but it should work too, if my basic knowledge of DOS commands suffices
This time you should have the file attrib.exe on the bootdisk and the ability to delete a file (internal command del normally, not available with every bootdisk).
In the prompt of your floppy (a:\> usually) you type (in my case):
attrib -r -s -h c:\windows\system\vwb32.dll
This will remove the readonly, system AND HIDDEN attribute from a file.
Then you should delete the file (eg: del c:\windows\system\vwb32.dll)
Reboot and the file is gone and the problem should be too. (if this file was the only problem)

I prefer method 1 because I know this one works, heh

Unfortunately I had done this before I read your post about the process explorer, so I didn't see what file was calling for vwb32.dll, so I probably still have a reference to the vwb32.dll, somewhere during startup or so, but I had this problem about 2 weeks, so I'm glad I'm not getting any more popups

You can close this topic if you want, if it looks like the problem was not dealt with, I'll make another post, with the details, but I think the problem is solved now.

And although I solved the problem already, I'm still grateful for your effort, I think you would have found it in time

Kudos to you and everybody fighting spyware. Keep up the good work

NN

[Metallica]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.