can't get rid of malware, adaware not working



#1
portillos

portillos

    Member

  • Member
  • 28 posts
I'm all out of ideas. I cannot get this crappy spyware off my computer. I'm running WIN98SE (I know, I know). I've been trying to fix this for two weeks, and among the things I've tried:

Run programs from safe mode whenever possible:
Norton full virus scan, trial version
Zone alarm currently running full (trial) version and it's blocking most popups
CWshredder
Adaware SE personal edition w/VX2 tool (free)
Spybot
sfc (I think that's what it's called, windows util, to replace damaged system files)
disk cleanup to get rid of temp internet files and recycle bin stuff
trendmicro scan
bitdefender scan
zone alarm's online pest control scan

Some things I've noticed: My adaware scan shows some VX2 stuff, but when I try to quarantine everything, it hangs on the delete screen. If I try and run the VX2 tool, it says "system clean."

There is a file called rundll32.exe that tries to access the internet at startup. Zone alarm warns me and I deny it. I never used to see rundll32.exe when I would hit ctrl+alt+del to look at what's running.

It seems I can clear up a bunch of crap if I run the cleaning programs from safe mode, but eventually it comes back.

PLEASE HELP! I'm going crazy! I would really appreciate any ideas you have. You can assume I know a little bit about computers in your response, but I'm definitely not good at fixing this sort of stuff. I posted my HijackThis log below. I did run this several times and delete some stuff, but I didn't know what I was doing (I only deleted stuff I knew to be bogus spyware-type junk).

Logfile of HijackThis v1.97.7
Scan saved at 12:19:29 PM, on 12/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\marcyandmatt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
  • 0



#2
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Welcome to Geeks to Go, portillos. Nothing wrong with Win98SE. :tazz:

You have a new variation of a VX2 infection, identified by these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

This fix is still a work in progress, but seems to be working well.
1. Download VX2Finder here: http://www.geekstogo...=download&id=37
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.

2. Download this ZIP file: http://www.geekstogo...=download&id=36
and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.

3. Please download DllCompare from here: http://www.geekstogo...=download&id=38

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that completed click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
Copy autoexec.nt from the c:\windows\repair\ folder to the c:\windows\system32\ folder.

4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
  • 0

#3
portillos

portillos

    Member

  • Topic Starter
  • Member
  • 28 posts
Thanks for responding! Here are the results:

1. VX2 finder will not run. I get the message: This Finder is currently only forNT based systems

2. Got a few warnings about registry files when running find.bat. I clicked "OK" or "YES" several times. Here is output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------


Volume in drive C is WALSH
Volume Serial Number is 176B-15ED
Directory of C:\WINDOWS\SYSTEM32

5,368.86 MB free

------- Hidden Files in System32 Directory -------


Volume in drive C is WALSH
Volume Serial Number is 176B-15ED
Directory of C:\WINDOWS\SYSTEM32

FOLDER HTT 13,122 12-18-99 2:48p folder.htt
DESKTOP INI 266 12-18-99 2:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 5,368.84 MB free

---------- Files Named "Guard" -------------


Volume in drive C is WALSH
Volume Serial Number is 176B-15ED
Directory of C:\WINDOWS\SYSTEM32

5,368.83 MB free

--------- Temp Files in System32 Directory --------


Volume in drive C is WALSH
Volume Serial Number is 176B-15ED
Directory of C:\WINDOWS\SYSTEM32

5,368.81 MB free

---------------- User Agent ------------


------------ Keys Under Notify ------------


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.
3. Here is the output file from DLLCompare:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mcajt200.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\hlfmrl11.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sjoolss.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\umbui.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nddmcpl.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mcjeto~1.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqrd2x40.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mcoeacct.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\hofmon11.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
________________________________________________

955 items found: 955 files (9 H/S), 0 directories.
Total of file sizes: 193,307,254 bytes 184.35 M

--------------------End log---------------------
4. I do not see Guard.tmp in the c:\windows\system32 folder. I have "show all files" chosen in tools -> folder options -> view.
  • 0
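The two indicators the thread is working from so far are the O1 hosts entries in post #2 (search domains resolved to an outside IP rather than loopback) and the DLLCompare listing in post #3 (a run of hidden system DLLs that all share one timestamp and one size). The script below is an added example written for this page, not code from the thread or from HijackThis or DLLCompare; it applies both checks to constructed sample lines modelled on those two posts. The domain list and the clustering threshold are assumptions chosen for the example.

```python
"""Log triage for the two indicators used in this thread: search-domain
entries in the hosts file (HijackThis O1 lines) and clusters of hidden
system DLLs sharing one timestamp and size (DLLCompare output).
Example code written for this page; not HijackThis's or DLLCompare's own code.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the O1/O4 lines in post #1, with one
# benign loopback entry added for contrast.
SAMPLE_HJT = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Constructed sample modelled on the DLLCompare lines in post #3, with one
# unrelated hidden file added so the clustering has something to ignore.
SAMPLE_DLLCOMPARE = r"""
C:\WINDOWS\SYSTEM\mcajt200.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\hlfmrl11.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sjoolss.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\legit.dll Mon Dec 6 2004 9:00:00a ..S.R 12,288 12.00 K
"""

# Assumed list: names browsers resolve for search/autosearch. A hosts entry
# that points one of these anywhere but loopback is a search hijack.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def hijacked_hosts(hjt_log):
    """Return (ip, hostname) pairs for O1 lines that redirect a search host
    to a non-loopback address; other O-lines are ignored."""
    hits = []
    for line in hjt_log.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        if host.lower() in SEARCH_HOSTS and ip not in LOOPBACK:
            hits.append((ip, host.lower()))
    return hits


# path, then "Sun Dec 5 2004 6:10:06p", then attribute flags, then byte size
DLL_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>\S+)\s+(?P<size>[\d,]+)"
)


def dll_clusters(dllcompare_log, min_size=2):
    """Group listed files by (timestamp, size, attributes) and keep groups
    with at least min_size members. Several hidden DLLs with identical
    metadata and random-looking names is the pattern seen in post #3."""
    groups = defaultdict(list)
    for line in dllcompare_log.splitlines():
        m = DLL_RE.match(line)
        if not m:
            continue
        key = (m["stamp"], int(m["size"].replace(",", "")), m["attrs"])
        groups[key].append(m["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_size}


def triage(hjt_log, dllcompare_log):
    """Combine both checks into one report; 'suspicious' is True when
    either indicator fires."""
    hosts = hijacked_hosts(hjt_log)
    clusters = dll_clusters(dllcompare_log)
    return {
        "hosts_hijacks": hosts,
        "dll_clusters": clusters,
        "suspicious": bool(hosts) or bool(clusters),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HJT, SAMPLE_DLLCOMPARE)
    for ip, host in report["hosts_hijacks"]:
        print(f"hosts hijack: {host} -> {ip}")
    for (stamp, size, attrs), paths in report["dll_clusters"].items():
        print(f"{len(paths)} files share {stamp} / {size} bytes / {attrs}:")
        for p in paths:
            print("   ", p)
    print("suspicious:", report["suspicious"])
```

Run it on a real pair of logs by replacing the two sample strings with the file contents; the benign hosts line and the lone legit.dll entry in the samples show that a loopback redirect and a single hidden file do not trip either check on their own.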

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Here's a version of FindIt for Windows98:
http://www.geekstogo...=download&id=42

Disconnect from the internet.

Download the Killbox here.

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.

When that finishes, copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each.

After each file press the Delete button (the button that looks like a red circle with a white X in it).

Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM\mcajt200.dll
C:\WINDOWS\SYSTEM\hlfmrl11.dll
C:\WINDOWS\SYSTEM\sjoolss.dll
C:\WINDOWS\SYSTEM\umbui.dll
C:\WINDOWS\SYSTEM\nddmcpl.dll
C:\WINDOWS\SYSTEM\mcjeto~1.dll
C:\WINDOWS\SYSTEM\mqrd2x40.dll
C:\WINDOWS\SYSTEM\mcoeacct.dll
C:\WINDOWS\SYSTEM\hofmon11.dll
C:\WINDOWS\System32\guard.tmp


For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

Run FindIt98.bat, DLLCompare and HijackThis again and post the logs please.
  • 0

#5
portillos

portillos

    Member

  • Topic Starter
  • Member
  • 28 posts
A couple of things:

sjoolss.dll would not delete, and when I tried, it made the desktop disappear. I still went ahead and deleted the rest (except for hofmon11 and guard, which didn't seem to exist), but I rebooted to get my desktop back. Then I went in and selected delete on reboot for sjoolss.dll (which it originally said "could not delete"), and hofmon11.dll and guard.tmp, which it said didn't seem to exist.

Then I rebooted again.

After deleting files, here is what FindIt, DLLCompare, and HijackThis gave me. FindIt would not give me a log file, so I copied and pasted what was on the application window:

Files Found---


User Agent String---
{512A6020-4D59-11D9-A882-CB2D96B6ED3F}


* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\sjoolss.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mmvcrt20.dll Sun Dec 5 2004 6:10:06p ..S.R 217,088 212.00 K
________________________________________________

949 items found: 949 files (2 H/S), 0 directories.
Total of file sizes: 192,004,726 bytes 183.11 M

--------------------End log---------------------
Logfile of HijackThis v1.97.7
Scan saved at 7:29:39 AM, on 12/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\marcyandmatt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
  • 0

#6
portillos

portillos

    Member

  • Topic Starter
  • Member
  • 28 posts
I wanted to thank you for your help. I think the "vx2 variant" is finally gone!

I re-ran DLLCompare and it brought up three files. This time, I deleted them all at reboot. After rebooting, I deleted "ieautosearch" and the other two things you listed above from HijackThis, and they didn't come back after another reboot. I ran a final Ad-Aware scan, deleted everything, and now I've been running for a few hours with no problems. DLLCompare, VX2Finder, & Ad-Aware don't bring anything up anymore! Thanks a million! :tazz:

Here's my latest HijackThis scan:

Logfile of HijackThis v1.99.0
Scan saved at 8:58:50 PM, on 12/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\marcyandmatt\prefs.js)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
  • 0

#7
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0
