Can't solve this one alone...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sleogue, Dec 12, 2004.

  1. sleogue

    sleogue Private E-2

    Here's my sad story: I am inundated with pop-ups, and can't identify a source!

    I've run through the instructions on the "do not post until you have read this" tutorial. I'm running Windows 98, so I couldn't do steps 1 & 2, and the online scan at Symantec was a bad link, but otherwise everything has been done, including the optional step of running a-squared.

    As of today, things are slightly improved, but still unbearable. Spy Sweeper and Spybot both congratulate me for having no problems. PCPitStop doesn't identify any major problems. Ad-Aware will barely run, as it seems to trigger so many pop-ups, but if I sit here and close them all, it eventually runs and also finds nothing beyond a few cookies. I have spent quite some time looking around, in safe mode as well as regular, and can't figure out where the problem is. I am comfortable with troubleshooting, but probably not the most advanced computer geek you'll meet (for instance, I draw the line at editing the registry without explicit instructions), and I usually manage to solve these things, but some 21 hours of work later I've had no success.

    When I boot up, I get several error messages relating to programs that have been disabled due to my adware cleaning that I haven't bothered fixing yet (like Real Player). Internet Explorer immediately launches and starts throwing popups. IE never launched automatically before this problem.

    The most recent cookies deleted today are for clkoptimizer (this one keeps coming back) and elite bar (ditto), and also adfarm, humanclick, specific click, revenue.net and e.rn11. A new popup today was from Viewpoint media, and the popup could not be moved or closed in any way that I could figure out. I finally rebooted in safe mode and removed the program manually for Viewpoint. The most prevalent popups all say "Search results for Poker online".

    Spybot and Ad-aware have worked so well for me for so long, but this problem is beyond my scope. Can anyone help me? Any suggestions are welcome.
     
  2. yukon98

    yukon98 Specialist

  3. PhilliePhan

    PhilliePhan Guest

    Hi Sleogue,

    It looks like you have exhausted the options in the tutorial. Please go ahead and send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  4. sleogue

    sleogue Private E-2

    Okay, I downloaded the specified version of HJT, extracted it to its own directory, and closed every running program I could identify. Hope that did the trick; let me know if this doesn't look right and I'll try again. It seems to me that there are a bunch of weird things there (all those alphabet soup files), but I never know when those are legitimate.

    Just a reminder, I am running Win 98.

    Thanks for having a look- I appreciate the help.
     

  5. spacedustM

    spacedustM Private E-2

    You will need to repost that as a .txt file. I've made the same mistake; take another read of PhilliePhan's post. Mine is a 98 as well. You can take a look at what we ended up doing with mine if it helps any; it's the "Where to begin?" post. Granted, it's messy and I kept misreading some key points.
     
  6. PhilliePhan

    PhilliePhan Guest

    This one is Ok - No need to repost. You can save as .txt or .log.

    I'll try to take a look at the log tonight if time permits.

    PP :)
     
  7. spacedustM

    spacedustM Private E-2

    Ah, my apologies. I checked back to when I made that mistake, and I'd corrected myself for that mistake, not someone correcting me, so I'd thought .log wasn't as easily viewable.

    Edit: Ah, I see Notepad can still view it, nice. I'm no expert, but I want to put money down on the O4 - Startup: hkhhkf.exe line being one of the things you will suggest to axe.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL. Look for the below process(es) and if found, End them:
    C:\WINDOWS\WVWWVQ.EXE


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [bqurxc] C:\WINDOWS\SYSTEM\bqurxc.exe
    O4 - HKLM\..\Run: [npcloz] C:\WINDOWS\SYSTEM\gwfisw.exe
    O4 - HKLM\..\Run: [gdtsoc] C:\WINDOWS\SYSTEM\gdtsoc.exe
    O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVZHI32.EXE
    O4 - HKLM\..\Run: [C:\WINDOWS\vtayppmcd.exe] C:\WINDOWS\vtayppmcd.exe
    O4 - HKLM\..\Run: [Desire] c:\program files\dialers\desire\desire.exe /noconnect
    O4 - HKCU\..\Run: [Ucee] C:\WINDOWS\Application Data\eimr.exe
    O4 - HKCU\..\RunServices: [Ucee] C:\WINDOWS\Application Data\eimr.exe
    O4 - Startup: hkhhkf.exe
    O4 - Startup: TRAMS License Manager.lnk = C:\Program Files\Trams\Common Files\tlmgrconsole.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Dell Home - {0D2F6CC0-91CE-11D5-BC58-00B0D0067FF8} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
    O16 - DPF: {60F0F0D5-ADE2-4571-B1FF-B3F1087A448A} (ADial Class) - http://www.freshmanxxx.com/password/adial.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/088f57ec31de79bcac19/netzip/RdxIE601.cab


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\WVWWVQ.EXE
    C:\WINDOWS\SYSTEM\bqurxc.exe
    C:\WINDOWS\SYSTEM\gwfisw.exe
    C:\WINDOWS\SYSTEM\gdtsoc.exe
    C:\WINDOWS\SYSTEM\KALVZHI32.EXE
    C:\WINDOWS\vtayppmcd.exe
    c:\program files\dialers <----- the whole directory
    C:\WINDOWS\Application Data\eimr.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    I'm also concerned about the below process but I'm not sure what it is. See if you can get some Properties info on it by right-clicking on it and selecting Properties and then the Version tab (if there is one).
    C:\WINDOWS\SYSTEM\HPFBKG13.EXE
     
  9. sleogue

    sleogue Private E-2

    As per your instructions, I fixed or deleted the specified files, except that I did not find gwfisw.exe, gdtsoc.exe, or the dialers folder. I also deleted the EliteSearchbar, which had installed two new folders.

    I noticed a number of similar files to the KALVZHI32.exe. All are in the Windows\System folder and are exe files that start with kalv... (...vvi32, yzs32, doy32, eon32, kgk32, kij32, vfv32, bzg32). No info is on the properties tab. Should I delete them?

    The other file that you mentioned was the HPFBK13.exe- that's the "background exe for HP deskjet", which is my printer.

    Just out of curiosity, what were the files I deleted? Anything I would recognize, or some obvious source?

    I rebooted, and so far have not had any popups, so things have certainly improved. I'm posting a new logfile. There seem to be a couple of new, odd things on it (miracle search bar?), so I may still have some fixing to do.

    Thanks again,
    Serena
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not see EliteSearchbar in your previous log when I made up my fixes.

    The files you deleted were a variety of trojans. Some fit into the category of unknown trojans. Some mutate and have different names at various times.

    You now need to get the current HijackThis 1.99 and use it from now on.

    Print these instructions or save locally. You must not be connected to the internet during this. After reading this sentence, physically disconnect (unplug your cable) from the internet and exit all browsers and other running applications.

    Please download the following tool: Pocket KillBox

    Run Pocket Killbox and choose the Delete on Reboot option. Navigate to

    Make sure to close all open programs, windows and browsers and run Killbox. Enter each of the following filenames into the box for Full Path of File to Delete. Select Delete on Reboot and End Explorer Shell before deleting, then press the Delete button (red X). When it says reboot now, say no, and continue to paste the lines for each of the filenames, following the above procedure every time. DO NOT let it reboot yet.
    C:\WINDOWS\vtayppmcd.exe
    C:\WINDOWS\wvwwvq.exe
    C:\WINDOWS\SYSTEM\KALVZHI32.EXE

    Now exit Killbox (we are still not rebooting yet).

    Make sure you have viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found (you probably will not find them), End them:
    vtayppmcd
    wvwwvq
    KALVZHI32

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)
    O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL (file missing)
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)
    O4 - HKLM\..\Run: [C:\WINDOWS\vtayppmcd.exe] C:\WINDOWS\vtayppmcd.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvq.exe
    O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVZHI32.EXE

    Delete the C:\WINDOWS\EliteToolBar folder if it still exists

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Dec 18, 2004
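    The end-process / fix-line / delete-file routine chaslang lays out in posts 8 and 10 (with the whole dialers directory removed rather than one file) can be derived mechanically from the log entries. The Python below is an added example written for this page; it is not HijackThis code and not part of the MajorGeeks tutorial. It parses the HJT lines quoted in those two posts (assembled here into a constructed sample log) and builds that plan. Everything it uses to decide what is suspicious is an assumption made for the example, not a rule from the thread: random-looking executable names sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (the Win98 default paths), Run-value names unrelated to the executable ([Narrator] launching wvwwvq.exe), anything under a dialers directory, orphaned "(file missing)" / "(no file)" entries, and ActiveX .cab downloads or search URLs pointing at a bare IP or at a host outside a small TRUSTED_HOSTS allowlist that you would tailor yourself.

```python
# Added example (not HijackThis code): turn HJT 1.9x log lines into an end/fix/delete plan.
import ntpath
import re
from urllib.parse import urlparse

# Constructed input: the HJT entries quoted in this thread, assembled into one log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [bqurxc] C:\WINDOWS\SYSTEM\bqurxc.exe
O4 - HKLM\..\Run: [npcloz] C:\WINDOWS\SYSTEM\gwfisw.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVZHI32.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\vtayppmcd.exe] C:\WINDOWS\vtayppmcd.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvq.exe
O4 - HKLM\..\Run: [Desire] c:\program files\dialers\desire\desire.exe /noconnect
O4 - HKCU\..\Run: [Ucee] C:\WINDOWS\Application Data\eimr.exe
O4 - HKCU\..\RunServices: [Ucee] C:\WINDOWS\Application Data\eimr.exe
O4 - Startup: hkhhkf.exe
O4 - Startup: TRAMS License Manager.lnk = C:\Program Files\Trams\Common Files\tlmgrconsole.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {60F0F0D5-ADE2-4571-B1FF-B3F1087A448A} (ADial Class) - http://www.freshmanxxx.com/password/adial.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/088f57ec31de79bcac19/netzip/RdxIE601.cab
"""

TRUSTED_HOSTS = {"microsoft.com", "windowsupdate.com"}  # assumption: tailor to the machine
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system"}   # assumption: default Win98 install
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")
R_RE = re.compile(r"^R[013] - (?P<name>[^,]+?)(?:,\w+ = (?P<url>.*))?$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|pif))(?:\s|$)", re.IGNORECASE)


def parse_entries(text):  # split a log into dicts {line, kind, name, path, url}
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        e = {"line": line, "kind": "other", "name": None, "path": None, "url": None}
        if m := RUN_RE.match(line):                      # executable plus optional arguments
            cmd = m["cmd"].strip().strip('"')
            x = EXE_RE.match(cmd)
            e.update(kind="run", name=m["name"], path=x["exe"] if x else cmd.split(" ")[0])
        elif line.startswith("O4 - Startup: "):          # ".lnk = target" or a bare file name
            name, _, path = line[14:].partition(" = ")
            e.update(kind="startup", name=name, path=path or None)
        elif m := DPF_RE.match(line):
            e.update(kind="dpf", name=m["name"], url=m["url"])
        elif m := R_RE.match(line):
            e.update(kind="r", name=m["name"], url=m["url"])
        entries.append(e)
    return entries


def _looks_random(path):  # five or more letters with under 30% vowels: bqurxc, wvwwvq, vtayppmcd
    stem = re.sub(r"[^a-z]", "", ntpath.basename(path).lower().rsplit(".", 1)[0])
    return len(stem) >= 5 and sum(c in "aeiouy" for c in stem) / len(stem) < 0.3


def _name_mismatch(name, path):  # Run value name and exe stem share nothing: [Narrator] -> wvwwvq.exe
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    b = re.sub(r"[^a-z0-9]", "", ntpath.basename(path).rsplit(".", 1)[0].lower())
    return bool(n and b) and n not in b and b not in n


def _host_flag(url):  # None when the host is allowlisted, else what kind of stranger it is
    host = (urlparse(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS):
        return None
    return "bare_ip" if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) else "untrusted_host"


def assess(e):
    """Reasons an entry should be fixed in HJT; an empty list means leave it alone."""
    line, kind, path = e["line"], e["kind"], e["path"]
    if "(file missing)" in line or "(no file)" in line:
        return ["orphaned_entry"]                        # points at a file that is already gone
    reasons = []
    if kind == "run":
        reasons += [r for r, hit in (
            ("random_name_in_windows_dir", ntpath.dirname(path).lower() in WINDOWS_DIRS and _looks_random(path)),
            ("run_value_name_mismatch", _name_mismatch(e["name"], path)),
            ("dialer_directory", "\\dialers\\" in path.lower())) if hit]
    elif kind == "startup" and path is None:             # raw .exe in the Startup folder, not a .lnk
        reasons.append("startup_bare_exe")
    elif kind == "dpf" and (flag := _host_flag(e["url"])):
        reasons.append("dpf_from_" + flag)
    elif kind == "r" and e["url"] and _host_flag(e["url"]):
        reasons.append("search_hijack")                  # search settings pointed at an unknown site
    return reasons


def build_plan(text):  # group flagged entries into the thread's steps: end process, fix line, delete file
    plan = {"end_processes": [], "fix_lines": {}, "delete_paths": []}
    for e in parse_entries(text):
        reasons = assess(e)
        if not reasons:
            continue
        plan["fix_lines"][e["line"]] = reasons
        if "orphaned_entry" in reasons or e["kind"] not in ("run", "startup"):
            continue                                     # nothing on disk to remove
        path = e["path"]                                 # None for a bare Startup-folder item
        proc = e["name"] if path is None else ntpath.basename(path)
        target = "(Startup folder)\\" + e["name"] if path is None else path
        if "dialer_directory" in reasons:                # remove the whole dialers tree
            target = path[: path.lower().index("\\dialers\\") + len("\\dialers")]
        for key, val in (("end_processes", proc), ("delete_paths", target)):
            if val not in plan[key]:
                plan[key].append(val)
    return plan
```

    Calling build_plan(SAMPLE_LOG) reproduces the shape of chaslang's instructions: eight processes to end, thirteen lines to fix (the orphaned O9 button and the two O16 controls get fixed in HJT but have no file to delete), and eight things to remove, with the Desire entry collapsed to c:\program files\dialers. The TRAMS License Manager shortcut and anything else under Program Files are left alone on purpose; the name heuristic only looks directly under the Windows directories, and everything it flags is a candidate for a person to confirm, exactly as in the thread.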
  11. sleogue

    sleogue Private E-2

    Have downloaded new HJT and the Pocket Killbox, disconnected the DSL cable and ran Killbox as per instructions, deleting specified files. New HJT file posted.

    What about the extra KALV... files in the WINDOWS/SYSTEM folder that I mentioned? Are they mutants that should be zapped?
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, your new log looks clean! Yes, those are most likely bad files. I would begin by moving them to a temporary holding directory outside the Windows folders, like c:\junk.
    Then after rebooting and running for awhile to get a comfortable feeling that none of them are needed, you can delete that folder.

    How are things working?
     
  13. sleogue

    sleogue Private E-2

    Things are much better! I am no longer getting popups every 10 seconds, and there are no funny new program files appearing at random. In fact, it seems like we're back to normal- although I hardly dare say it out loud.

    Thanks again for your help. I was so frustrated that I was almost ready to throw the PC away and start fresh. Only the knowledge that this could happen on the replacement PC stopped me. My husband thanks you, too. One might almost think that this problem was making me grumpy...

    Happy Holidays,
    Serena
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

