Solved

XP Popups won't die

Posted on 2005-03-24
Last Modified: 2013-12-04
This is a Dell laptop with XP, SP2, dialup modem, and gobs of spyware/adware. Have done the usual routines - Spybot S&D, Adaware, updated Norton and scanned, Crap Cleaner, Hijack - fixed the items I knew for sure. Deleted ALL temp files on the system. But as soon as I think I have it done, IE tries to access the net, and if I am online and allow it, the popups start jamming the system. Right now I've got Zonealarm controlling access so I can download things via Firebird, etc. Here is the logfile from HJT:

Logfile of HijackThis v1.98.2
Scan saved at 2:38:53 PM, on 3/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteamg32.exe
O4 - HKLM\..\Run: [rctxdtr] c:\windows\system32\rctxdtr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Fay
0
Question by:hoody
54 Comments
 
LVL 21

Expert Comment

by:marc_nivens
ID: 13626070
Sounds like the spyware isn't completely gone.  I've used all of the ones you mention, and for a free spyware removal none of them come close to Microsoft's Beta Antispyware program.  Not only does it detect spyware, but it runs in the background to prevent spyware from being installed in the future.  You should install it and check for any lingering spyware.

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13626155
Hi!

Disable Messenger Service
C:\Program Files\Messenger\msmsgs.exe
Info on it here:
http://www.blackviper.com/WinXP/service411.htm#Messenger

Also, you're running an outdated version of HijackThis
The latest ver. is 1.99.1 - get it here:
http://www.gatesofdelirium.com/ee/tools/

RF
0
 
LVL 6

Expert Comment

by:caza13
ID: 13627509
The following items look suspicious.  Check to see if you can find the indicated files on your hard disk and check the properties to see if there is any information about where they came from.

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteamg32.exe
O4 - HKLM\..\Run: [rctxdtr] c:\windows\system32\rctxdtr.exe
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 13628365
Hi hoody,

Submit that logfile to http://www.hijackthis.de
The logfile will automatically be analysed.

It is saying that the file is out of date.
Download a newer version of HijackThis
http://tools.radiosplace.com/HijackThis.exe



Bye
---
Harish
0
 

Author Comment

by:hoody
ID: 13631786
Ok, Microsoft's Beta Antispyware program seemed to do a good job - I had to run it three times though, in normal, safe mode, and again in normal mode, and each time it found more stuff. I did the deep scan. I finally got it working well enough to go to Trend Micro and do a scan, and it did find a trojan, which I deleted - it was in the quarantine from MS's Antispyware. Better safe than sorry. By the way, I did disable the XP restore long ago. This morning I honestly thought I had it licked. Went online with it to get the new version of HJT, and danged if it didn't start again. Here's the current HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:13 AM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteamg32.exe
O4 - HKLM\..\Run: [rctxdtr] c:\windows\system32\rctxdtr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I can see some obvious stuff here, but I won't do anything til I hear from the pros!

0
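The thread's reasoning about which autostart entries survive a clean-up (caza13's "two of the items that I mentioned above are still there") can be mechanised. The following is an added Python example, not part of the original thread: it parses the O4 registry-Run lines and the "Running processes" block of two HijackThis logs, reports which Run entries were removed, added or persisted between scans, and lists persisting entries whose launcher image was not running when the second log was taken (a loader that runs at logon, re-plants itself and exits shows exactly this pattern). The log excerpts are constructed from the two logs quoted above, trimmed to the lines that matter.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the two HijackThis logs quoted in the thread
# (first scan on 3/24, second on 3/25), trimmed to the lines that matter.
SCAN_1 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteamg32.exe
O4 - HKLM\..\Run: [rctxdtr] c:\windows\system32\rctxdtr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

SCAN_2 = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteamg32.exe
O4 - HKLM\..\Run: [rctxdtr] c:\windows\system32\rctxdtr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""

# O4 registry autostart line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def parse_log(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (lower-cased running image names, {Run entry name: command})."""
    procs: Set[str] = set()
    runs: Dict[str, str] = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # blank line ends the process block
            in_procs = False
            continue
        if in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = O4_RE.match(line)
        if m:
            runs[m["name"]] = m["cmd"]
    return procs, runs


def launcher_image(cmd: str) -> str:
    """Basename of the program a Run command launches, normalised like the process list."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)   # quoted or unquoted path ending in .exe
    image = m.group(1) if m else cmd.split()[0]        # else a bare program name (RUNDLL32 ...)
    image = image.rsplit("\\", 1)[-1].lower()
    return image if image.endswith(".exe") else image + ".exe"


def compare_runs(before: Dict[str, str], after: Dict[str, str]):
    """Split Run entry names into removed, newly added, and persisting across two scans."""
    removed = sorted(set(before) - set(after), key=str.lower)
    added = sorted(set(after) - set(before), key=str.lower)
    persisted = sorted(set(before) & set(after), key=str.lower)
    return removed, added, persisted


def not_running(runs: Dict[str, str], procs: Set[str]) -> List[str]:
    """Run entries whose launcher image is absent from the process list at scan time."""
    return sorted((n for n, c in runs.items() if launcher_image(c) not in procs), key=str.lower)


def persistent_suspects(before_text: str, after_text: str) -> List[str]:
    """Entries that survived the clean-up AND were not running when the second log
    was taken. Legitimate run-once helpers (ccRegVfy here) show the same pattern,
    so this is a review list for the analyst, not a verdict."""
    _, before = parse_log(before_text)
    procs_after, after = parse_log(after_text)
    _, _, persisted = compare_runs(before, after)
    idle = set(not_running(after, procs_after))
    return [n for n in persisted if n in idle]


if __name__ == "__main__":
    _, r1 = parse_log(SCAN_1)
    _, r2 = parse_log(SCAN_2)
    removed, added, persisted = compare_runs(r1, r2)
    print("removed between scans :", removed)
    print("new in second scan    :", added)
    print("persisted             :", persisted)
    print("persisted, not running:", persistent_suspects(SCAN_1, SCAN_2))
```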
 
LVL 6

Expert Comment

by:caza13
ID: 13631867
Make sure that you have the latest security updates for the OS.  Use Windows Update ( http://v4.windowsupdate.microsoft.com/en/default.asp ) to download and install them.  It looks like two of the items that I mentioned above are still there.
0
 

Author Comment

by:hoody
ID: 13631936
I *think* it has all updates - I've done quite a few the last couple of days. Will check as soon as my phone line is free. Before I went back online, I checked the system thoroughly for those items you listed above - they were GONE, totally, even in HJT. But now they are back. So there is something else. I also did a search for searchmiracle (the titlebar on the popups) and found info at Symantec on cleaning the registry - NONE of what they listed was on the system. But it's back. I'm going to go use the log analyzer for HJT and then check for updates at MS. Will let you know.
0
 

Author Comment

by:hoody
ID: 13632077
Argh! I'm going insane. Yes, it has all updates from MS. Went to the analyzer, it recommended 4 entries be removed. Did that. Rebooted. Connected to net. Gave IE the ok with ZoneAlarm, then let it sit there at Google. Five minutes later, I've got popups like crazy again.

banners. pennyweb.com
searchmiracle.com
adserver.com

HELP!
0
 
LVL 6

Expert Comment

by:caza13
ID: 13632111
It seems that either someone is exploiting a security vulnerability in the OS, or there is a Trojan on the inside that is downloading the files.  Is Zone Alarm indicating that something is trying to access the internet?
0
 
LVL 6

Expert Comment

by:caza13
ID: 13632143
Check again to make sure that all TEMP folders are empty, and clear the Cookies and Temporary Internet Files.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632188
Hi!

Download and run DLLCompare from:
http://www.gatesofdelirium.com/ee/tools/
This may show if there's something hiding on your system.
Let us know if it turns up anything.
Be careful with what you remove, based on what it finds - can "flag" valid files!

RF
0
 
LVL 6

Expert Comment

by:caza13
ID: 13632192
You might try this link:

Remove Home Search Assistant
http://www.short-media.com/review.php?r=259
0
 

Author Comment

by:hoody
ID: 13632195
That's what I'm figuring - something on this system is bringing it back in. I had this happen once years ago, and ZoneAlarm was what I used to track it down - it had modified another innocuous file. Initially, Zonealarm did alert me to a file that was trying to get out, one with a random filename like tkhldwoiu, or something like that. But that was two days ago. Since then, the only thing it shows trying to get out is IE. Nothing else. It's been online now for about 15 minutes, and after closing the first 6 popup windows, nothing more has come up. Now what?
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632230
HI!

I don't think it's HSA - don't see any "tell-tale" signs in the HJT log!?!

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632249
Run DLLCompare - run on the system32 folder (default)
then run it for exe files
Might turn up something.
0
 

Author Comment

by:hoody
ID: 13632301
Hmmm, not sure I'm getting this DLL Compare. I run it, its default is windows/system32, check dlls, and include subdirectories is unchecked. Nothing is listed in the two white boxes. If I click on Run Locate.com, I get an error message on the autoexec.nt file. If I click on Compare, nothing happens (but then there isn't anything listed TO compare?) If I click on Escape, it changes to Scan Aborted. I did try changing it to exe files, and I tried checking the subdirs, but should there be a SCAN button?
0
 

Author Comment

by:hoody
ID: 13632377
Sheesh, one thing I've learned about XP - and do not like - in all this, what with having to use floppy disks: if you reboot and forget to take the disk out, instead of getting "Invalid system disk" like the old days you get "Cannot load MS-DOS", which is quite scary at first!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632384
Hi!

Download and run this fix for XP - it will get rid of that error message concerning autoexec.nt -
http://www.visualtour.com/downloads/xp_fix.exe

You have to be logged on with Administrative privileges to run it.
When you run DLLCompare, check the box to include subdirectories.
Hit the button "Run Locate.com" - the scan may take a while.
Then, hit the "Compare" button - notice the "Make log of what was found" button.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632451
Also, make sure that locate.com is in the same folder as DLLCompare.exe.
I'm pretty sure the folder can be anywhere on your computer -
I run it out of a sub-folder on my I: drive - works fine.

RF
0
 

Author Comment

by:hoody
ID: 13632464
Ok, the xp_fix did the trick, NOW DLLcompare makes sense! But it didn't find anything. Tried dll's, exe's, and even *.*. All under the system32 folder. Nothing. Next idea?
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632593
Well, you still have Messenger running?!
Hope you read the info on it at Blackviper's site.

You could try running this scanner:
Escan-mwav - http://www.mwti.net/antivirus/free_utilities.asp
(free version finds things - pay ver. also fixes them)

RF
0
 

Author Comment

by:hoody
ID: 13632697
Read the info on Blackviper's and it didn't show I had any vulnerabilities there... I *THINK* it may be fixed, it's online again, and no popups yet...will let it sit there for a half hour and let you know!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13632816
Did you run this command at a command prompt:
net send 127.0.0.1 hi
What is/was the result.
0
 
LVL 15

Expert Comment

by:davidis99
ID: 13635865
Aside from disabling the messenger service (which you should do now - just go to Control Panel, Administrative Tools, Services, and disable it) you may also want to empty out your java cache and browser cache.

http://fxtrade.oanda.com/help/clear_cache.shtml.  

"# Click Start | Settings | Control Panel
 # Click the Java Plugin Icon
 # Click the Cache tab
 # Click the Clear button and click OK to confirm
 # Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel"
0
 

Author Comment

by:hoody
ID: 13636283
I did run the net send command, and got back the error message. Actually had it on line for over an hour with NO popups. So I sent it home. They called me within 15 minutes and said it was worse than ever! Grrr. So... today I'm setting up another computer she can use for classes on monday, then will bring the laptop back and try the rest of the suggestions. After that, I'm seriously thinking wipe and restore. But I sure hate giving in - I've never had one whip me (us - including all of you) before.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13636383
Hi!

When you get the laptop back; could you run HijackThis on it again -
then run it through the Automatic Analysis site
and post a link to the log back here.

http://www.hijackthis.de/en

I'm wondering about what sites this person is visiting (or has visited)?!
Have you considered employing the following:
(sorry if there's any duplication of anything that's been discussed above - just trying "to cover the bases")

    * Spywareblaster <= SpywareBlaster will prevent spyware from being installed -
      http://www.javacoolsoftware.com/spywareblaster.html
    * Spywareguard <= SpywareGuard offers realtime protection
      from spyware installation attempts.
      http://www.wilderssecurity.net/spywareguard.html
    * How to use Ad-Aware to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Ad-Aware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
    * Run CWShredder - to remove numerous variants of {KoolWebSearch}
        {CWShredder - "stand-alone"} - http://cwshredder.net/bin/CWShredder.exe

To protect yourself further:

    * IE/Spyad <= IE/Spyad places over 4000 websites and domains
      in the IE Restricted list
      which will severely impair attempts to infect your system.
      It basically prevents any downloads (Cookies etc) from the sites listed,
      although you will still be able to connect to the sites.
      https://netfiles.uiuc.edu/ehowes/www/resource.htm
    * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
      with one containing well known ad sites etc.
      Basically, this prevents your computer from connecting to those sites
      by redirecting them to 127.0.0.1 which is your local computer
      http://mvps.org/winhelp2002/hosts.htm
    * Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      http://toolbar.google.com/

I seem to recall you mentioned that IE tries to access the Internet on its own -
I'd run the MWAV scanner on it; and, also try these (free):
Silent Runners from:    http://www.aaronoff.com/silent_runners/
rkfiles from:   http://skads.org/special/rkfiles.zip (this scan can take a while - try to have as little else running)
Rootkit Revealer from:   http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Startdreck:   http://www.niksoft.at/_data/startdreck.zip

Maybe one of these will reveal something running on its own.
I hate to have one of these "nasties" defeat me, too!!!  :)
Let us know!

RF
0
 

Author Comment

by:hoody
ID: 13636827
Ok, laptop's back. I've done nothing but run HJT, took the log file to the analyzer, it shows the elitemgr is back again and nothing else. You can see the actual logfile here:

http://www.the-grizz.com/hijackthis.log

I'm going to start with the various suggestions above that I have not tried - including messenger - and then see what happens.

0
 

Author Comment

by:hoody
ID: 13636840
Interesting. About 2 minutes after I had HJT remove the entry for elitemgr, MS's Antispyware popped up and said Elite Manager was trying to add itself to the startup list items. I chose to block it.  I've not yet run any scans, just getting to that next.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13636866
Yeah, other than elitemgr - don't see anything else that stands out as bad.
When you're checking the system - probably should turn off System Restore (sorry, if this was mentioned above!)
Also, check the dllcache and the Prefetch folders, for anything suspicious.

Remember -"Endeavor to persevere" !  :)

Good luck!

RF
0
 

Author Comment

by:hoody
ID: 13637814
dllcache?
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13637995
Yes, it's "Hidden" and it's "system" - it's on Win 2000 and Win XP -
I'm running both of those; it's under system32 - take a look at it.
Also, look at the "prefetch" folder.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13638019
one question -
dllcache? you are asking me about that - as if it doesn't exist?
Oh - oh
Did you find it yet?
0
 

Author Comment

by:hoody
ID: 13638024
Ok, prefetch I knew. Dllcache was a new one for me! Am scanning  right now with MicroWorld, when it's done will check the dllcache. Thanks!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13638031
I don't want any points here  - give them to someone else!
"dllcache"  - yeah - right!

Regards...
RF
0
 

Author Comment

by:hoody
ID: 13638044
Well, Microworld did identify some, maybe these will help. Already found some info on the one, so will start the cleanup process for each and see what happens. Here's what it found:

C:\windows\system32\eliteamg32.exe infect = trojan.win32.startpage.nk
c:\windows\system32\psis80ex.ax  infect = not-a-virus:AdWare.BargainBuddy.I
c:\windows\system32\temperror32.dat infect = trojan.win32.startpage.nk

Will get back to you after I do the clean up on these two.
0
 

Author Comment

by:hoody
ID: 13638061
Couple more questions. On the messenger service, it shows to be disabled - yet it is running when I go to task manager. Why can't I get it shut off?

Also, even though Microworld shows eliteamg32.exe to be infected, I cannot find it anywhere on the system. Did a search as well as manually looking through the files, and yes, hidden and system files are showing, but this file is not to be found. The other two I did find and was able to delete. According to

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453089444

There should also have been a program on the system of winflf32.exe, but it's not on here anywhere either.

I couldn't find any details on the other one - bargain buddy. I'm going to run Stinger on it next just for giggles. I swear I'm getting more confused by the minute!
0
 

Author Comment

by:hoody
ID: 13638198
Ran stinger - nothing found. I'm heading to bed. Will take it online tomorrow.

HAPPY EASTER EVERYONE!
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13638218
Happy Easter!
0
 
LVL 6

Expert Comment

by:caza13
ID: 13638244
That file (eliteamg32.exe) is a sneaky one.  Although it is listed in the startup group, it doesn't appear in the list of running services.  Maybe it does its work when Windows is booting, then kills itself until the next time Windows is started.  It could also copy itself with a different name, and be renamed during the shutdown sequence so that it can run the next time the computer is started.  It may be that the only way to catch it is to kill the power without shutting down normally.
0
 
LVL 15

Expert Comment

by:greyknight17
ID: 13638404
This is a leftover trojan most likely from a vx2 infection.  I'm not sure if EE allows us to post long and tedious logs, but it's most likely required here.  If it's not allowed, the mods should remove them.  If not, we'll see which files are responsible for this.  You have to kill the file in two locations (system32 and startup folder) including the registry run entries.  The logs requested below will show us this and more:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.  Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it.  Do not run it yet.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed).  This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so).  If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready.  With that said (when ready):

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there.  Now click on the 'Generate StartupList log' button.  Post that log in your next post.

Right click on http://www.greyknight17.com/spy/Silent%20Runners.vbs and choose Save As...Save it to your Desktop.  Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.).  Double click on 'Silent Runners' to run it.  This will take a few minutes.  It will create a file called 'Startup Programs' followed by your computer name and current date.  Open up that file and post all the contents here in your next post.

Download Find-qoologic http://www.greyknight17.com/spy/Find-qoologic.zip.  Unzip the files to your Desktop.  Open the qoologic folder and run the 'qoologic.bat' file.  Wait a few minutes for it to finish.  When the dos window disappears, go to your C: drive and open up the 'log.txt' file.  Copy and paste the whole log in your next post.

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it.  Click on the 'Locate.com' button.  Wait a few seconds and then click on the 'Compare' button.  Let it run, then click on 'Make a log of what was found'.  Post that log here.  Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

Download 'Find It NT-2K-XP' at http://www.greyknight17.com/spy/Find%20It%20NT-2K-XP.zip for Windows NT/2000/XP.  For those with Windows 98/ME, get FindIt9xME at http://www.greyknight17.com/spy/FindIt9xME.zip instead. Once downloaded, unzip it.  Open up the folder and double click on the find.bat or FindIt9xMe.bat (for Windows 98/ME users) file.  Let it run for a while.  After it's finished, open up the file.  Copy and paste the contents to the forums.

Post all of the logs in your next post.  We need all of them to get a fix for this infection.
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 13638730
If you don't mind changing the browser,
Get Firefox
www.getfirefox.com
0
 

Author Comment

by:hoody
ID: 13647566
Since I had to get TDS-3 for another computer I'm working on, I put it on this one and ran the scan. It found quite a bit:

adware.toolbar.elitebar.z2  sideb.exe   windows/
trojan.win32.startpage.nk8                  win/sys32/temperror32.dat
trojan.downloader.win32.wintool.e       win/syst32/cache/adl_ibis_as2.exe
trojandownloader.win32.small.abd       win/sys32/cache/edow_as2.exe
adware.winad.ab2                              win/sys32/cache/popp.exe
adware.purityscan.ap                         docs/karen/app data/eetue.exe
adware.winad.ac1                              prog/mediapass/mediapssc.dll

Yes, those are abbreviated locations - I'm getting tired or lazy, you pick!

I deleted all of those. Now I'll give greyknight's list of things a shot.... just wanted to pass this on in the meantime.
0
 

Author Comment

by:hoody
ID: 13647622
I just ran HJT and created a startuplist log file; I loaded it to my server out of respect to the community. You can access it at:

http://www.the-grizz.com/startuplist.txt

On to the next step.
0
 

Author Comment

by:hoody
ID: 13647669
Next log file, from Silent Runners, is available at:

http://www.the-grizz.com/startupprograms_silentrunners.txt
0
 

Author Comment

by:hoody
ID: 13647792
Next up, the log file from qoologic:

http://www.the-grizz.com/log.txt

Not much there actually....
0
 

Author Comment

by:hoody
ID: 13647946
Ok, here are the last two.

http://www.the-grizz.com/dllcomparelog.txt

and

http://www.the-grizz.com/output.txt (From the 'Find It NT-2K-XP' prog)

Enjoy! Think I'll go do some really easy web design stuff for a while!
0
 
LVL 12

Expert Comment

by:David Wall
ID: 13661666
I have had similar problems with malware returning time and time again.

This is not guaranteed to be the answer but may help getting rid of the issues.

Start by going to the Folder Options icon in Control Panel and, in the View tab, select show hidden files and folders and unhide protected operating system files.

Update your antivirus and malware packages.

Then reboot the machine into safe mode (press the F8 key as the machine boots up) and log in as administrator.

Run your antivirus scanner and note all suspect files, their locations and the type of virus they are infected with. Likewise with any adware-removal package you have.

Check, when the scans are complete, that the infected files have actually gone. This is where in the past I have had problems: often the AV cannot delete the files and you have to go and manually delete them and any associated directories.

Once you have done all the above (or if you have access to another computer), check the manual removal instructions for the specific viruses, which may advise removal options.

Hopefully that should cure the problem.

Also, one other area that may be worth checking is Add/Remove Programs: are there any apps that you don't know, and can you remove them? If they won't remove, find out where they are and delete the directory, e.g. c:\program files\coolweb toolbar.

Also, if you are using IE, in IE or Internet Options in Control Panel go to Tools > Internet Options > Settings > View Objects and make sure that you know what the objects listed there do. Typically Shockwave Flash Object and Java Runtime are OK; anything that doesn't look kosher should be deleted.
0
 
LVL 12

Expert Comment

by:David Wall
ID: 13661807
Sorry, I should have looked at the reports first. The entry that stands out for me is C:\Program Files\Messenger\msmsgs.exe in the startup list. This would be one that I would definitely treat as suspicious; it may be infected with the Agobot worm.
0
 
LVL 15

Accepted Solution

by:
greyknight17 earned 2000 total points
ID: 13666975
Go to Start->Run and type in regedit and hit OK.  Go to File->Export and save the registry somewhere as a backup.  While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete etbrun

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions.  Then click on the Advanced button.  Make sure the first box (Inherit from parent...) is checked.  Click OK and OK.  Then try deleting the entry again.  Once you're done, close the Registry Editor.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.  Run KillBox and check the box that says 'End Explorer Shell While Killing File'.  Next click on 'Delete on Reboot'.  For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out.  Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\windows\system32\eliteamg32.exe

Let's use a program to scan for any trojans that may exist.  Download TDS-3 (http://tds.diamondcs.com.au/index.php?page=download).  Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse.  Make sure to update it after you install it.  You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update.  When you launch the program, it will scan your memory for running processes.  This will take less than 30 seconds.  Next go to 'System Testing' on the menu and choose 'Full System Scan'.  After that's finished, see if any alarms are found.  If so, see what they are.  If they are positively identified as trojans or other malware, you may remove them.  If you recognize any of them, you may leave them alone.  To remove, I think you can right click and delete them from the program itself.
0
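The accepted answer above walks through the Run-key review by hand (export the registry, delete the named value, schedule the file for deletion on reboot), and David Wall's earlier comment asks the same question of the startup list. The script below is an added example of doing that audit in a repeatable way; it is not code from this thread or from any of the tools named in it. It assumes a current Windows with PowerShell 5 or later and an elevated prompt (HKLM writes need it); the value name `etbrun` is the one the accepted answer names, and everything else (the backup folder, the SUSPECT/MISSING/UNSIGNED labels, the `-Remove` switch) is this example's own design. It only reports unless `-Remove` is given, and it takes a `reg.exe` export of each key first, the scripted equivalent of the File->Export step.

```powershell
<#
  Added example (not from the thread): audit the HKLM/HKCU Run keys, back them up
  first, and delete only the value names passed in -Suspect, and only with -Remove.
  Assumes PowerShell 5+ on a current Windows, run from an elevated prompt.
#>
param(
    [string[]]$Suspect = @('etbrun'),   # value name named in the accepted answer
    [switch]$Remove                     # without this switch the script only reports
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties that Get-ItemProperty adds itself; they are not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Back up each key before touching it (same as File->Export in regedit).
$BackupDir = Join-Path $env:TEMP ('run-key-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir | Out-Null
foreach ($key in $RunKeys) {
    $regPath = $key -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
}
Write-Host "Backups written to $BackupDir"

# 2. Pull the executable path out of a Run value: "C:\x\y.exe" /arg or C:\x\y.exe /arg.
function Get-ImagePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $matches[1] }
    return $cmd
}

# 3. Walk every Run value and report what a reviewer wants: does the file exist, is it signed,
#    and is the value name on the suspect list.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $image  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
        $flag   = if ($Suspect -contains $p.Name) { 'SUSPECT' }
                  elseif (-not $exists)           { 'MISSING' }
                  elseif ("$sig" -ne 'Valid')     { 'UNSIGNED' }
                  else                            { 'ok' }
        '{0,-8} {1,-20} {2} -> {3} [{4}]' -f $flag, $p.Name, $key, $image, $sig
        if ($flag -eq 'SUSPECT' -and $Remove) {
            Remove-ItemProperty -Path $key -Name $p.Name
            Write-Host "Removed $($p.Name) from $key"
        }
    }
}

# 4. A 'delete on reboot' request, as KillBox schedules it, ends up in the
#    PendingFileRenameOperations value; list it so the scheduled deletion can be verified.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Host 'Pending file operations for next reboot:'
    $pending | Where-Object { $_ } | ForEach-Object { "  $_" }
}
```

Run it once with no switches to get the report, then with `-Remove -Suspect etbrun` to delete that one value. The UNSIGNED label is a prompt to look closer, not a verdict: plenty of legitimate vendor utilities on a machine of this vintage (the Dell, Lexmark and Adaptec entries in the process list above, for instance) are unsigned, while a MISSING entry whose file has already been removed is harmless and can simply be cleaned up. The interesting case is the one hoody describes: a value that reappears after deletion, which means something still running is re-creating it, and the process, not the key, is what has to go.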
 

Author Comment

by:hoody
ID: 13667238
Made the registry edit ok. Seconds later, the MS Antispyware popped up saying it had blocked Elitemgr from modifying the registry. I've seen it do this before whenever I remove it from the registry. Just FYI. Moving on...
0
 

Author Comment

by:hoody
ID: 13671786
Well, I followed your instructions to a T. Mind, I have done each of these things before, several times on a few, including running TDS-3, to no avail. But maybe it was the order in which I did them this time, it SEEMS to be ok. I ran it for about 10 minutes last night, surfed all over the place, and didn't get a single popup... so maybe. I don't have time to test it further right now, but I'll get back in here tomorrow and let you know for sure how it went. If this doesn't do it, I quit. I've already told them they'll have to wipe it and start fresh. But maybe....
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 13674264
hoody, what result did you get when you submitted the HJT logfile to
http://www.hijackthis.de ?

That is an automatic analysis...
0
 

Author Comment

by:hoody
ID: 13676856
Ok, been on line now for about 10 minutes, no popups - but I can see that stinking elitemgr in the hjt again. Grrr. Here's a link to the hjt analysis (didn't know I could do that).

http://www.hijackthis.de/logfiles/fa9fbfc52392b6f343c5175b6e7527cc.html

They are coming to pick it up in about 2 1/2 hours. Fixed or not! If not fixed, they'll be wiping and reinstalling. At least it's behaving. For the moment.
0
 

Author Comment

by:hoody
ID: 13763669
Well, not sure what to say on this one. Greyknight was wonderfully helpful - but after I sent it home, they reported back that they did have further problems with the bugs coming back, and have decided to do a restore on it. Thanks all!
0