1. MirBelleJardin

    MirBelleJardin Private E-2

    I am having pop-up problems despite having a pop-up blocker. I ran Spy Sweeper and it said that I had the following adware problems: apropos, gator(GAIN), IeDriver, searchbar.html hijack, and wildmedia. In addition, it listed a number of cookies.

    Before going to the steps on the DO NOT POST page, I detected that I had Peper Trojan (with Spy Sweeper) and downloaded the two different versions of the Peper Trojan. It hasn't seemed to come back in my subsequent scans.

    I went through all the steps on your DO NOT POST UNTIL YOU HAVE READ THIS page, to no avail. Here are the results of some of the things I've done--maybe it will help diagnose. (I ran these all in safe mode, after disabling System Restore.)

    1) Trend Micro: JS Dialogarg.A, Java Bytever.A and .A-1, Troj Krepper.Q, Troj Stilen.A. All told, there were 59 instances.

    2) McAfee Stinger: said that I had all clean files.

    3) Symantec similarly did not detect anything wrong.

    4) Adaware quarantined 65 files the first time I ran it.

    5) Spybot found Kazaa.Irc.SpyBot12.Roy Lomag and DSO Exploit. I removed both of those and ran another scan. It again found DSO Exploit after I had supposedly removed it, and when I tried to remove it again and ran the program again, it was still there.

    6) CWShredder: when I first opened this program, a screen came up saying that I had CoolWebSearch, which was trying to disable CWShredder. It started anyway, and when I ran it, it said that I was clean.

    7) Kill2Me said that it found nothing wrong.

    After all these steps, I still have pop-ups and my computer is running a bit slower.

    I'm very concerned because each scanning program I run seems to diagnose different problems. There are so many that I don't know what to look for in terms of working on the registry, or searching for specific programs to get rid of this stuff.

    So, maybe someone can help before I’m forced to pour gasoline over my laptop and set it ablaze.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi MirBelleJardin,

    The DSO Exploit is a bug in Spybot. Ignore it for now.

    I suggest you run a-squared.

    Also download and run http://downloads.subratam.org/PeperFix.exe

    Then, read this on how to properly scan with HijackThis:
    http://forums.majorgeeks.com/showthread.php?t=38752

    Please save your log as a .txt file and ATTACH it via the "Manage Attachments" tool in the Additional Options section when you post.

    I am not in this forum that often these days, but somebody should be able to look at your log.

    Best luck :)

    PP
     
  3. MirBelleJardin

    MirBelleJardin Private E-2

    I ran the peper fix, and it didn't catch anything.

    I ran a squared, and here are the three files it named as problematic:

    C:\!PeperFix\Lzkoqfy.exe
    C:\!PeperFix\MvuD1.exe
    C:\!PeperFix\Yfk8.exe

    I ran hijack this, and my log is attached.

    Thanks for responding!
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi MirBelleJardin,

    Your HijackThis is out of date. Please download a new one HERE: HijackThis 1.98.2
    and extract it to C:\Program Files\HijackThis

    Please turn System Restore OFF and Enable the Viewing of Hidden Files as per the instructions in the tutorial.

    Run HijackThis and Check the Boxes for the following:
    O2 - BHO: (no name) - {4CDC317B-E667-7C98-D550-155578837F3F} - C:\WINDOWS\System32\kwtao.dll (file missing)

    O4 - HKLM\..\Run: [jnRSqr] C:\documents and settings\aj\local settings\temp\jnRSqr.exe

    O4 - HKLM\..\Run: [FHZNuU3] C:\documents and settings\aj\local settings\temp\FHZNuU3.exe

    O4 - HKLM\..\Run: [e33ae7a8c5e3] C:\WINDOWS\System32\ADSLDPC3.exe

    O4 - HKLM\..\Run: [q3sk3sQ] icmxpand.exe

    O4 - HKLM\..\Run: [FHZNuU3.exe] C:\documents and settings\aj\local settings\temp\FHZNuU3.exe

    O4 - HKCU\..\Run: [b03qRicEQ] dos32.exe

    O4 - HKCU\..\Run: [Thx] C:\WINDOWS\System32\l?ass.exe

    Make sure ALL browser windows are CLOSED and click FIX.

    Now, reboot into SAFE MODE and DELETE the following (if found):
    C:\WINDOWS\System32\ADSLDPC3.exe
    C:\WINDOWS\System32\icmxpand.exe
    C:\WINDOWS\System32\l?ass.exe

    Now, navigate to C:\documents and settings\aj\local settings\temp and DELETE (if found):
    FHZNuU3.exe
    jnRSqr.exe


    Boot to Normal Windows and attach a new HJT log. Let us know if you ran into any problems along the way.

    NOTE: I was not sure about this one. DO NOT FIX it until somebody verifies that it is bad.
    O4 - HKLM\..\Run: [41fb7d05fd5e] C:\WINDOWS\System32\BATMETER.exe

    C:\WINDOWS\System32\BATMETER.exe


    Good luck! I will try to check back when & if I get a chance.

    Best,
    PP
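    Added example, not part of the thread: a PowerShell version of what the O4 fixes above do by hand. It reads the Run/RunOnce keys that HijackThis reports as O4 lines and flags the traits the helpers acted on: hex-blob or vowel-free random value names, binaries launched from a user's Temp folder, bare filenames with no path, targets that no longer exist, and a "?" in a path ("?" is not a legal NTFS filename character, so a tool prints it for a character it cannot render, as in l?ass.exe). The heuristic names and thresholds are mine; the registry paths are the standard ones. Run it as Administrator on the suspect machine; it only reports, it deletes nothing. On older systems many legitimate files report NotSigned, so treat signature status as a hint, not a verdict.

```powershell
# Added example (not from the thread): triage the O4 "Run" autostart entries
# HijackThis lists, straight from the registry. Heuristic names are my own.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 64-bit Windows only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-RunTarget {
    param([string]$Command)
    # Extract the executable from the value data: a quoted path, else the first token.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # A bare name such as "icmxpand.exe" is resolved through the loader search
    # path at logon; check the usual system directories, as the thread did by hand.
    if ($exe -notmatch '[\\/]') {
        foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
            $candidate = Join-Path $dir $exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $exe
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd   = [string]$item.GetValue($name)
            $path  = Resolve-RunTarget $cmd
            $flags = New-Object System.Collections.Generic.List[string]

            if ($name -match '^[0-9a-f]{8,}$') {
                $flags.Add('hex-blob value name')            # e.g. 41fb7d05fd5e, e33ae7a8c5e3
            } elseif ($name -match '^[A-Za-z0-9]{5,9}$' -and $name -notmatch '[aeiou]') {
                $flags.Add('random-looking value name')      # e.g. jnRSqr, q3sk3sQ (heuristic)
            }
            if ($path -match '\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\') {
                $flags.Add('runs from user Temp')
            }
            if ($path -notmatch '[\\/]') {
                # No directory anywhere: whatever binary wins the search path gets run.
                $flags.Add('bare filename, not found in system dirs')
            } elseif ($path -match '\?') {
                # "?" cannot appear in an NTFS name; it stands for an unrenderable character.
                $flags.Add('unrenderable character in path')
            } elseif (-not (Test-Path -LiteralPath $path)) {
                $flags.Add('target file missing')
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -ne 'Valid') { $flags.Add("signature: $($sig.Status)") }
            }

            [pscustomobject]@{
                Key    = ($key -replace ':\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion', '\..')
                Name   = $name
                Target = $path
                Flags  = ($flags -join '; ')
            }
        }
    }
}

# Show only entries that tripped at least one heuristic, in HJT-like "HKLM\..\Run" form.
Get-SuspiciousRunEntries | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap
```

    Drop the Where-Object to see every autostart entry, flagged or not; that is the closest equivalent to reading the full O4 section of an HJT log.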
     
  5. MirBelleJardin

    MirBelleJardin Private E-2

    Thanks PP--

    I followed all of your instructions without incident. The only changes were:

    O4 - HKLM\..\Run: [q3sk3sQ] icmxpand.exe

    and

    O4 - HKCU\..\Run: [b03qRicEQ] dos32.exe

    were not present when I ran the new version of HJT. There were similar ones [info in brackets the same], but I did not delete these.

    When I rebooted, I couldn't find

    C:\WINDOWS\System32\icmxpand.exe

    and

    C:\WINDOWS\System32\l?ass.exe.

    Attached is a copy of my newest log. Thanks so much!!!!
     


  6. Kodo

    Kodo SNATCHSQUATCH

    I don't like these entries

    C:\WINDOWS\System32\BATMETER.exe
    C:\WINDOWS\System32\redpfs35.exe
    O4 - HKCU\..\Run: [b03qRicEQ] encro.exe
    do they belong to any programs you are aware of?
     
  7. MirBelleJardin

    MirBelleJardin Private E-2

    Kodo--

    If you're asking me, I have no idea. :) Not too knowledgeable about what goes on in my computer.

    I've noticed today, though, that there has been a lot of instability--things freezing, shutting off, lots of "not responding" programs and things taking a while to load.

    Sorry I can't help more.
     
  8. Kodo

    Kodo SNATCHSQUATCH

    Then I would boot to safe mode and delete all three of those files,
    and remove this from the HijackThis scan:

    O4 - HKCU\..\Run: [b03qRicEQ] encro.exe

    You have to do a system search for encro.exe.
     
  9. MirBelleJardin

    MirBelleJardin Private E-2

    Ok, I've done all you've suggested.

    Here's my most recent HJT log.

    In addition, I've been running a couple of programs that come up with clean records. The one that keeps flagging things is Spy Sweeper, which keeps bringing up Apropos and AutoUpdate, in addition to a couple of cookies.

    Thanks again!
     


  10. PhilliePhan

    PhilliePhan Guest

    Kodo - Thanks for jumping in - Any advice or help is ALWAYS welcome!:)

    Hi MirBelleJardin,

    Did you find encro.exe ?

    Try looking in Add or Remove Programs for Apropos Media or AutoUpdate and remove them if found. Note any other suspicious entries.

    Also note that IE should not be running when you scan with HJT.

    Now, run Hijack This and check these boxes:
    O4 - HKLM\..\Run: [41fb7d05fd5e] C:\WINDOWS\System32\BATMETER.exe
    O4 - HKLM\..\Run: [q3sk3sQ] redpfs35.exe


    Make sure ALL browser windows are CLOSED when you click FIX.

    Reboot to Safe Mode with the viewing of hidden files Enabled and DELETE:
    C:\WINDOWS\System32\BATMETER.exe

    Run a search of your computer for redpfs35.exe & Delete it.

    Boot Normal Windows and scan w/HJT and please attach the log.
    Let us know how things are running.

    PP
     
  11. MirBelleJardin

    MirBelleJardin Private E-2

    Thanks guys.

    Here are my results


    <<Did you find encro.exe ? >>

    No, but there is a file named encro.exe-02536D94.pf that I found when searching the system for encro.exe. I didn't delete it.

    <<Try looking in Add or Remove Programs for Apropos Media or AutoUpdate and remove them if found. Note any other suspicious entries. >>

    Neither of these were present in the add/remove programs, but the following programs were (and I didn't know what they were): IE Host, WildArcade, WildTangent Multiplayer Library. Additionally, when I went to the control panel, there was an icon for Wild Tangent Control Panel that I don't recall seeing before.

    <<Also note that IE should not be running when you scan with HJT. >>

    OK.

    <<Now, run Hijack This and check these boxes:
    O4 - HKLM\..\Run: [41fb7d05fd5e] C:\WINDOWS\System32\BATMETER.exe
    O4 - HKLM\..\Run: [q3sk3sQ] redpfs35.exe

    Make sure ALL browser windows are CLOSED when you click FIX. >>

    OK

    <<Reboot to Safe Mode with the viewing of hidden files Enabled and DELETE:
    C:\WINDOWS\System32\BATMETER.exe

    Run a search of your computer for redpfs35.exe & Delete it. >>

    OK. There was no BATMETER.exe present when I rebooted, but I did delete redpfs35.exe. I noticed that there remains on my computer a file named redpfs35.exe-042c5EOB.pf. Also, there remains a file called Batmeter.dll. I didn't delete either of these.

    One last thing--every time I shut down or restart from safe mode, there is a program that "doesn't respond" called Sample. I have to End It Now to shut the computer down. I don't know if that's important.


    As for my functioning--the pop-ups seem to have gone. I was doing some significant surfing last night to test it and didn't have a problem. However, my start up and shut down are a lot slower than they used to be. Also, my computer seems to get "confused" a lot if I am doing more than a couple of things at a time. Perhaps it was because I was running some scans last night, but I had to do a couple of Ctrl+Alt+Deletes and once or twice just had to shut the computer off manually because it had completely stopped responding.

    I really appreciate your quick responses and your patience! I may be posting again this week for my boss, whose computer is apparently totally infected with something so that it is uploading constantly. My boyfriend also got the shop.nav thing this week, and I've turned him onto your site (the self-help pages, at any rate; I think it cleared up). I will definitely recommend it to anyone who's experiencing trouble!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should delete the files you found in Windows Prefetch. Those are the files with the .pf you observed. They are not needed. When you searched for these bad files, did you use advanced search options? Here's how:

    Click Start, Search, All files and folders, enter the file name in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    You should go back to Add/Remove programs and uninstall all WildTangent items, WildArcade, and IEHost.


    Post a new HijackThis log attachment when completed.
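    Added example, not part of the thread: the same advanced search (system folders, hidden files, subfolders) done from PowerShell so nothing is missed by an unticked checkbox, plus a direct look at the Prefetch folder the .pf files came from. The file names are the ones from this thread; the function names are mine. Prefetch entries are named EXENAME-<hash>.pf and are only created when that binary actually runs, so a leftover .pf for a file you already deleted is evidence the program executed at some point, and deleting it is harmless because Windows recreates Prefetch data as needed.

```powershell
# Added example (not from the thread): search every folder, including hidden
# and system ones, for the names the thread was chasing, then list Prefetch traces.

$names = @('encro.exe', 'redpfs35.exe', 'BATMETER.exe')   # taken from the thread

function Find-FileTraces {
    param(
        [string[]]$Name,
        [string]$Root = "$env:SystemDrive\"
    )
    # -Force includes hidden and system files; folders we cannot read are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $found = $_.Name
            # Match the file itself and derived names such as encro.exe-02536D94.pf
            [bool]($Name | Where-Object { $found -like "$_*" })
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

function Get-PrefetchTraces {
    param([string[]]$Name)
    # One EXENAME-<hash>.pf per executable that has run; timestamp = last run.
    foreach ($n in $Name) {
        Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter "$n-*.pf" -Force -ErrorAction SilentlyContinue |
            Select-Object Name, LastWriteTime
    }
}

$hits = Find-FileTraces -Name $names
$hits | Format-Table -AutoSize
Get-PrefetchTraces -Name $names | Format-Table -AutoSize

# Dry run first; remove -WhatIf to actually delete. -LiteralPath keeps odd
# characters in a name from being treated as wildcards.
$hits | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -WhatIf }
```

    Run it from an elevated prompt; a full-drive walk takes a few minutes, which is still faster than repeating the search dialog once per name.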
     
  13. MirBelleJardin

    MirBelleJardin Private E-2

    Thanks Chaslang!

    OK--I hadn't been searching the hidden files, so I changed that and re-searched. The only things I found were the redpfs35.exe-042c5EOB.pf (which I deleted), the Batmeter.dll (which I left), and the encro.exe-02536D94.pf (which I deleted).

    I also uninstalled WildTangent, WildArcade, and IEHost from Add/Remove Programs.

    I also searched for autoupdate and apropos. The only Autoupdate files are in connection with Spywareblaster, and there aren't any apropos files (other than those in quarantine on my different spy removal programs).

    My computer seems to be getting worse, although the pop-ups have gone completely. I've had to restart my computer numerous times (by manually shutting it down due to a complete lack of response). It seems to get "confused" very easily if I'm doing more than one thing or if I'm online. It sounds like it's running at odd times, and then it will freeze up and get progressively worse until nothing works. My Task Manager even stopped responding at one point, so I couldn't do a Ctrl+Alt+Delete. Then it couldn't find my Control Panel (was doing a flashlight thing for a minute before halting response). I noticed the CPU usage seems to go from 1% to 50% back to 2%. I don't know if that's normal, however.

    It’s also a bit slower starting up and shutting down. What have I got, and will it go back to normal?

    I ran NoAdware on my computer, and it detected 6 serious problems, two of which appeared to be Trojan horses. None of the other programs I’ve been running picked those up. I’m curious—do these programs say that they find viruses etc. on your computer (even when they’re not there) to try and get you to buy their product?

    I also wonder whether I should be running these different programs--SpySweeper, Spybot, Adaware, CWShredder, etc. Should I be periodically running these while we're trying to figure this out, or is it detrimental to your analysis of the situation?

    Thanks again for all your help.
     


  14. PhilliePhan

    PhilliePhan Guest

    Hi All,

    Just popping in to say the BATMETER bothered me the way it came up in the HJT log. However, Batmeter.dll is likely legitimate and needed for the laptop. Just a thought.

    PP
     
  15. Kodo

    Kodo SNATCHSQUATCH

    it's a good thought. Battery meter maybe? I couldn't think of anything when I first saw it in the log. In which case the exe was probably ok too.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt a valid program would:

    1) have an auto-run line like this:
    O4 - HKLM\..\Run: [41fb7d05fd5e] C:\WINDOWS\System32\BATMETER.exe

    2) disappear after fixing the O4 line and the reboot. See MirBelleJardin's comment:

    OK. There was no BATMETER.exe present when i rebooted


    But who knows? Anything is possible!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DO NOT DO ANYTHING WITH THESE NEXT COMMENTS/OBSERVATIONS YET! Just read the links.
    Go here and read about potential problems with ZCfgSvc.exe: http://www.answersthatwork.com/Tasklist_pages/tasklist_z.htm
    C:\WINDOWS\system32\ZCfgSvc.exe

    Why was Winword running when you were scanning with HJT? Does this run at startup?
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

    Go here and read about potential problems with cidaemon.exe: http://www.answersthatwork.com/Tasklist_pages/tasklist_c.htm
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe


    Okay, after reading the above, here is what I want you to do the next time your PC appears to be slowing down. Bring up Task Manager by hitting CTRL-ALT-DEL and select Processes:
    1) First try ending all of the cidaemon.exe processes and see if anything improves

    Although another process that is running (C:\WINDOWS\system32\cisvc.exe) is supposed to prevent memory hogging and slowdowns with cidaemon.exe, let's end cidaemon.exe and check for ourselves.

    2) Next try ending SpySweeper.exe and see if anything improves

    3) If ending the above 2 programs does not help, try ending some of the other unnecessary applications that are running:
    quickset.exe
    mm_tray.exe
    realsched.exe
    DirectCD.exe (not needed right now)
    WINWORD.EXE

    Another possibility for excessive CPU usage would be the Intel ProSet C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    See the below link for problems someone found with these:
    http://www.interact-sw.co.uk/iangblog/2004/08/30/regsrvc
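    Added example, not part of the thread: rather than ending processes one at a time in Task Manager and watching for an improvement, sample each process's CPU time over a few seconds and see which one is actually consuming it, then stop only that one. The process names are the ones chaslang listed above; the function name is mine. The 1% to 50% to 2% swings MirBelleJardin described are exactly what a short sample like this is meant to catch. Note that cidaemon.exe workers are started by the Indexing Service (cisvc.exe), so if they are the culprit the service is what needs stopping, not the workers.

```powershell
# Added example (not from the thread): find the process burning CPU during a
# slowdown, then stop candidates interactively.

function Get-CpuHogs {
    param([int]$Seconds = 5, [int]$Top = 10)
    $before = @{}
    # .CPU is cumulative processor seconds; $null (system/protected processes) becomes 0.
    Get-Process | ForEach-Object { $before[$_.Id] = [double]$_.CPU }
    Start-Sleep -Seconds $Seconds
    Get-Process | ForEach-Object {
        $now  = [double]$_.CPU
        $prev = if ($before.ContainsKey($_.Id)) { $before[$_.Id] } else { 0 }   # new process: count it all
        [pscustomobject]@{
            Name             = $_.ProcessName
            Id               = $_.Id
            CpuSeconds       = [math]::Round($now - $prev, 2)                 # used during the sample
            PercentOfOneCore = [math]::Round(100 * ($now - $prev) / $Seconds, 1)
            Path             = $_.Path                                       # blank for system processes
        }
    } | Sort-Object CpuSeconds -Descending | Select-Object -First $Top
}

# Run this while the machine is "confused"; the top rows are the real hogs.
Get-CpuHogs -Seconds 5 | Format-Table -AutoSize

# The candidates from the thread. -Confirm prompts before each kill, so a
# legitimate process is not ended by accident.
$candidates = 'cidaemon', 'SpySweeper', 'quickset', 'mm_tray', 'realsched', 'DirectCD', 'WINWORD'
Get-Process -Name $candidates -ErrorAction SilentlyContinue | Stop-Process -Confirm

# cisvc (Indexing Service) respawns cidaemon workers; uncomment only if they were the hog.
# Stop-Service -Name cisvc
```

    Compare the top rows across two or three samples before stopping anything; a process that is high in one sample and gone in the next is a scanner finishing its pass, not the problem.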
     
  18. MirBelleJardin

    MirBelleJardin Private E-2

    My computer seems to be behaving itself fairly well today. At least, so far.

    Thank you for the references on my processes list--I always have wondered what I can shut down without affecting performance.

    I have several questions:

    1) Do you think that my computer is fairly virus/malware/spyware free now?

    2) What would you recommend for maintenance for the future? I was thinking McAfee (which I have been subscribing to) + Adaware run periodically.

    Thanks!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

