Computer hijacked, unable to clean it


#16 stevegrebowski (Member, Topic Starter, 13 posts)
Thanks for the link to that program, I will try it now.

I'd also like to add that it was my error in not being able to locate the C:\WINDOWS\isrvs file. I enabled hidden files on my original username, but created a new one so I could restore my normal desktop. It didn't transfer that setting over to the new username. I deleted the folder and thought everything was fixed (the folder contains the icons that every virus that installs to my desktop uses), but once again that folder was recreated upon rebooting. Maybe this program can find out what's wrong.

#17 stevegrebowski (Member, Topic Starter, 13 posts)
Unfortunately that program just shows some viruses and doesn't remove them unless you buy it. It said I had some VX2 viruses in .dll files in my /system32 folder, so I deleted them. Everything was clean once again, but I went out and when I returned all of the old files were back again.

It just opens IE and the popups start flooding in from there. Can I just get rid of IE altogether? I'm about ready to give up on this. :tazz:

#18 Major Payne (Retired Staff, 5,307 posts)
Think thatman mentioned that you had a problem with VX2. Did you try:

Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here.

Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.

As for not using IE 6.0, you only need it if you are viewing an IE-specific site or downloading stuff from Micro$oft or using the Windows scan sites. Maybe a few others I can't think of right now. I use Firefox all the time because it has all my Web developer's tools and some neat extensions I like.

Let me know if the above gets it.

Ron

#19 Guest_thatman_* (Guest)
Major Payne

If you look at the full topic VX2 HAS BEEN REMOVED.

The problem is a dll file changing its name:

kc

#20 stevegrebowski (Member, Topic Starter, 13 posts)
Yeah, I added the VX2 plugin to Ad-Aware earlier today; it said my system was clean. I use Firefox all the time, as it has always kept me safe, but the about:blank infection I got was from IE. When one of my anti-virus programs updated one day, it opened IE and thus installed all of these new viruses that I can't get rid of. I really just want IE gone, forever.

Here's a new HJT log I just took, and just a few minutes ago I got hit by another virus installation. It happens randomly whether or not Firefox is open or if I'm even doing anything at the computer.

Logfile of HijackThis v1.99.0
Scan saved at 7:54:06 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\crowbar\crowbar.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Intel NCS NetService - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Super Ad Blocker Service - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

This is what I deleted from that selection:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

I'll explain how it gets infected again one more time to clear it up a little. I go into safe mode disconnected from the internet, and clean everything up. Adaware detects nothing and I restart. Shortly after restarting, as many as 3 "iexplore.exe" programs open in my task manager. Then programs like 3p1.exe (from abetterinternet.com) open and 5 "anti-virus" shortcuts are placed on my desktop. The folder for these icons is always C:\WINDOWS\isrvs, and I repeatedly delete this. After these are installed, random .exe files start popping up. Usually 2 files with random numbers like 608846.exe and 608474.exe, which are placed in C:\WINDOWS\system32. Then there are 6 additional files which install themselves in random folders, always together. They always have the same names (dddd.exe, dfssdf.exe, eree.exe, htt.exe, sfee.exe, load.exe) but have been installed in places from C:\My Documents to even my Lavasoft AdAware folder itself.

There used to be a program titled dload.exe that would pop up, but that appears to be gone for good now. Once the other files open up, I reboot into safe mode with no internet connection open and run the 4 steps explained at the beginning of the thread (aboutbuster, adaware, CWShredder, Cleanup). CWShredder has never detected anything even though Adaware repeatedly finds CWS on my system. I then go through my folders to delete the 5 fake anti-virus applications, the C:\WINDOWS\isrvs folder, the 2 random-numbered files, and the 6 additional files. There are also still brew32.dll, brew.dll and wnim.dll, which repeatedly re-install. I delete these too, although sometimes they are in use and can't be. But I make sure they are deleted before rebooting.

I've done this about 4 or 5 times alone today, yet every time it ends up doing nothing. Is there anything else I can post to help you guys try and figure this out?
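As an added illustration (not code from this thread, from HijackThis, or from any of the posters), the following Python script parses lines in the HijackThis log format shown above and flags the entry types this thread turns on: anything referencing the C:\WINDOWS\isrvs staging folder, an unnamed BHO, an O15 Trusted Zone addition, an O18 text/html filter, and a Run entry that loads a DLL through Rundll32 by bare name. The sample log is constructed from a subset of the entries posted above and the review heuristics are my own, so treat the flags as items to examine, not verdicts.

```python
import re

# Constructed sample in the HijackThis log format used in this thread
# (a subset of the entries posted above; the O2/O4 SoundMan lines are benign).
SAMPLE_LOG = r"""
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

# Folder the thread identifies as the dropper's staging directory (assumption: case-insensitive match).
SUSPECT_DIRS = ("\\isrvs\\",)

# HJT entry: section code (R0/R1/O2/O4/...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")

def flag_entry(line: str) -> list[str]:
    """Return the reasons one HJT entry deserves review; empty list means no finding."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if any(d.lower() in body.lower() for d in SUSPECT_DIRS):
        reasons.append("references the isrvs staging folder")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if section == "O15":
        reasons.append("Trusted Zone entry (site escapes Internet-zone restrictions)")
    if section == "O18" and body.startswith("Filter: text/html"):
        reasons.append("MIME filter hooking every HTML page")
    if section == "O4" and re.search(r"rundll32\.exe\s+\w+\.dll\b", body, re.I):
        reasons.append("Rundll32 loads a DLL by bare name (resolved via the search path)")
    return reasons

def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Apply flag_entry to every line and keep only the lines with findings."""
    hits = []
    for line in log_text.splitlines():
        reasons = flag_entry(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits
```

Call triage(SAMPLE_LOG) to list which of the sample entries are flagged and why; on the sample above, six of the eight lines come back with at least one reason.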

#21 stevegrebowski (Member, Topic Starter, 13 posts)
Well I guess there is no solution to this problem. The virus is now installing stuff like "winsuck.dll" which crashes Windows Explorer upon startup every time. I guess there is no more hope for this computer.

Thanks for the help anyway.

#22 Guest_thatman_* (Guest)
Hi stevegrebowski

Please download http://www.diamondcs...ex.php?page=apm
Now unzip the program.
Run APM and click on C:\WINDOWS\isrvs; in the bottom window you will see the full list of this Isrvs malware.
You will now be able to remove it from your computer.

Please post a new log.

Thank you

kc :tazz:

#23 soz (New Member, 4 posts)
I'm in exactly the same place as Steve. One thing that I've noticed is I still have entries in my registry for ffisearch.exe and desktop.exe that I'm sure are bad, as well as boln.dll that looks bad, too.

They're listed in the registry under:
HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/INTERNET_EXPLORER/Explorer_bars. There are about 6 folders there that I'm inclined (but afraid) to delete. Any suggestions from the team?

My Hijackthis log now reads:

Logfile of HijackThis v1.99.0
Scan saved at 11:07:59 AM on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v.6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\regedit.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {A2EC4254-A790-E0E7-E9E2-6D5ADB75A2E8} - (no file)
O2 - BHO: (no name) - {AA91B5D9-A132-8491-DE51-1240F90DA76D} - (no file)
O2 - BHO: (no name) - {B0F1FEB6-3542-C810-C8D6-A52412BE7EB6} - (no file)

Also, I can't seem to delete the above 3 O2 items from either hijackthis or regedit...

Any suggestions appreciated. I'm going to try a couple of the items above, but this is bleak...

#24 soz (New Member, 4 posts)
All,

I think I've got it... It looks like they've replaced explorer.exe. I noticed that earlier: my version of explorer.exe is dated Feb 9th!

I've renamed it explorer.old, and replaced it with some freeware (www.explorerxp.com) that I came across (perhaps not smart, but it seems to have worked). Now I just have to figure out where my install CDs are, get a clean copy of explorer and go.

Will keep you posted, but see if this works for you. Problem is that all the startup menus etc. go away until we get explorer.

#25 Major Payne (Retired Staff, 5,307 posts)
Now I just have to figure out where my install cds are, get a clean copy of explorer and go.

You can get IE 6.0 at:

Internet Explorer Home

#26 soz (New Member, 4 posts)
Actually, the problem was Explorer.exe, not Internet Explorer!

Ok, for everyone's benefit, this worked! I had to kill Explorer.exe in task manager. Then replace the corrupt explorer.exe file with a clean copy from your install disk (ok, I just used another machine on the same OS that I had handy).

Also had to do all the Cleanup, AboutBuster, AdAware, Spybot S&D, and HijackThis stuff, but it appears that I'm clean now.

Whew!

Dave

#27 Major Payne (Retired Staff, 5,307 posts)
My mistake. Gonna enroll in Remedial 101. :tazz:

Ron

#28 soz (New Member, 4 posts)
No problem! I'm just glad you guys are here and helping. Scary Stuff!

:tazz: