dloader.ot virus enables constant IE popups

Hi there! Got the dloader.ot virus the other day while browsing for free 4th of July graphics. What a nasty little thing this is....keeps opening browser windows automatically, giving popups all day long, even with IE closed. Causes auto reboots as well - have to save docs frequently to prevent lost data. Ironic since I'm the CIO, constantly cautioning against unfamiliar websites Running Dell Dimension P4 1.66ghz with 512ram. Win2kPro OS on tcp/ip network with TrendMicro Corp Edition and their scanmail product as well. Have done all that majorgeeks requires: Prep, downloading all tools/programs. Ran SpywareBlaster. Booted to safe mode and did online scan @ TrendMicro. 139 spyware pieces found. Removed them all. Ran Symantec Security Check. Hacker exposure, windows vulnerability and trojan horse check all returned as "safe". Antivirus product check showed "at risk" - note: on my network, rend does not start up in Safe Mode. Ran McAfee's AVERT Stinger. # of clean files 165,432. Nothing else listed. Ran CCleaner - instructions confusing - only cleaned temporary internet files. May need some help choosing other items here. Ran Ad-Aware SE. It found LOTs of critical issues (138!). Deleted them all. Ran Spybot S&D. Found 10 problems; fixed them all. (Note error during botcheck: "Zwax, ungultiger dutentyp fur") Immunized. It sent me to Spyware Blaster to enable all protection, which I had already done. Also set recommended IE values re: ActiveX. Did not run CWShredder, About:Buster or HSremove - no symptoms. Kill2Me showed no signs of infection. Emptied recycle bin as final step before restarting to normal mode. Note, somewhere along the last of these scans, (adAware perhaps) popups were gone. FINALLY! But it did not last. Upon reboot to normal mode, pop-ups began again - something missed in registry files?? Downloaded hijackthis and ran/saved log. Can post upon request. Stuck and going crazy - do not know what to try next. Help Please. Thanks, Sheri

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Thanks for the quick reply bjgarrick! Okay.......I've downloaded HijackThis, unzipping it to a folder that holds all my spyware/anti-virus/maleware/etc programs. It IS located in C:\Program Files (not in any of the unauthorized locations mentioned below), where I've unzipped and extracted it. I then closed ALL running programs and ran it as requested from the .exe placed by the extraction within the program file. I've dated the log file with today's date and attached it to this reply. Continued help will be much appreciated. The popups are driving me crazy, but at least I haven't had to suffer through any auto-reboots yet today

 

Download the following items:

L2MeFix Tool

Generic Detection Tool - NT/2000/XP

Pocket KillBox


Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log along with a fresh HJT log.

Please don't run any other files in the L2MFix folder.

 

Bjgarrick,
Downloaded all as requested. Ran l2mfix.bat with option #2. Log spit out as you promised. Attached that lm2fixlog071405.txt and a new HJT log run from the .exe contained within my spyware program as required yesterday: hijackthis071405. Awaitng next reply. Please note that I did not receive an email informing me of this reply, though I did with your first reply. Thanks, Sheri

 

Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your post along with a fresh HJT log.

 

Bjgarrick, Unzipped and ran the find.bat from the Generic Detection Tool. Did get the error message, but it kept going. About 10 minutes later, it generated the text file as promised. It and a fresh HJT log are attached. Note that the popups have been almost nonexistent today - a total of 3 or 4, so we seem to be on the right track. This is my network computer, so it's always on - we just log off and back in each day. I've avoided any rebooting. You haven't requested any, and a reboot is what triggered the popups to return after following the initial 4 point steps prior to posting my first HJT log. If you have time, it would be interesting to know what it is that the original and subsequent HJT logs have shown and what running each of these programs accomplish. Thanks, Sheri

 

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINNT\System32\vidctrl ←–– Delete this whole folder if it exist!

C:\WINNT\System32\nsvsvc ←–– Delete this whole folder if it exist!


NOW:
Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINNT\System32\l8r00i9me8.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\chkdsk.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste C:\WINNT\System32\fxxttpcl.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete ALL of the above, reboot and attach a new log from the Generic Detection Tool and a fresh HJT log.

 

bjgarrick,
Booted into safemode, but had to do it with networking - there is no local user set up on this system and it would not allow a logon otherwise. Assume no harm was done as this was the direction given the first safe mode go-round. Found and deleted both the vidctrl and nsvsvc files and emptied recycle bin. Opened PocketKillbox. Note that the copy and past feature into the Path box did not work - tried it with other files besides those listed. Again, I assume no harm done by manually typing full path directly into the box....saw blue on each and after checking the option to delete on reboot for the fxxttpcl.tmp file, I rebooted my PC. I did not receive any error messages and it rebooted just fine. Ran Find.bat and then HJT. Both logs are attached. Additional notes for your information: Folder called vidctrl still exists in c:\Documents and Settings\All Users\Application Data, with vidctrl.inf in the same location, within the vidctrl folder. There is also an .exe and several files with a .VIR extension quarantined within my Trend anti-virus folder. The nsvsvc, l8r00i9me8.dll & fxxttpcl.tmp files no longer exist anywhere on my c:\ drive. chkdsk.exe is still sitting in c:\Winnt\System32. Thanks, Sheri

 

Are you familiar with RemoteScopeClient?


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe

O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(n2uuqr2ghwq54rrfar244p55)/ShowSetup5.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnc.ops.placeware.com/etc/place/NOVEMBER/SCNpws-c2/5.1.8.511/lib/quick silver.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://confsql1.centra.com/bestsoftware/Install/en/US/CentraDownloader.cab
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\l8r00i9me8.dll (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Documents and Settings\All Users\Application Data\vidctrl ←–– Delete this whole folder if it exist!

C:\WINNT\system32\nsvsvc ←–– Delete this whole folder if it exist!

C:\WINNT\TEMP ←–– Delete everything in this folder!

C:\WINNT\System32\hkdsk~1.exe
(There will be 2 of these files, so look for the one that looks suspicious. Check the file size, date modified and delete the bad one)

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log along with a new log from the Generic Detection Tool.

 

bjgarrick: Yes, I am familiar with Remote Scope Client. It is a valid, authorized program on our network. I booted to Safe Mode with networking and did as you requested. Found the vidctrl file in docs/settings/all users and deleted it. There was no nsvsvc folder in Winnt/system/32. I deleted everything in the winnt/temp folder. The only problem I ran into was with the chkdsk file. There was only one. I did a full search of my entire "c" drive to be sure. It's 13kb and was loaded 7/22/02. I left it since it was the only one. I ran CCleaner and let it delete all IE cookies and temp files. There was a system check box for temp files as well, but I left it as you didn't specify. Did full scans with Ad-Aware SE & Spybot S & D after updating both. I allowed them both to fix what they found (Ad-Aware 8 items, Spybot 1). Also ran cleanmgr for temporary files, temporary internet files and recycle bin. Rebooted to normal windows, ran find.bat and then HJT. Both logs are attached. Note: Not one popup or auto-reboot since last Friday! Woo-hoo! Thanks, Sheri

 

Chaslang, I finally found the second chkdsk.exe - it was hanging out at the very bottom of my list, not in alphabetical order due to the "?" unprintable character at the beginning. When I did a search, it showed up and so I finally found it, deleted it and emptied the recycle bin.

I had already deleted both 023 lines as required by bjgarrick in the previous thread. I do use WinVNC and could not log on remotely last night. I've gone in to HJT and found the backup/restore feature and restored both lines. Please let me know if that will not be sufficient.

Note that HJT is exactly where I want it - Spybot was my first anti-spyware download a couple years ago. Now I've simply put ALL my spyware etc., programs within it - I don't have to remember specific names of each program and I know right where it all is. I suppose I should rename it something more appropriate at this point, but it works for me

I am having no further problems and am so very relieved to hear my HJT log is now finally clean. Many, many thanks to bjgarrick, who really knows his/her stuff - not one problem following any instructions, and not one problem created as a result of trying to clean my dloader trojan up. Many thanks also to all at Major Geeks; where would we be without all of you???

I have to say that I'm NOT happy with my TrendMicro Enterprise edition, which announced that I had picked up this nasty trojan, but failed to capture all the pieces. I would love to hear any suggestions for a network replacement?

Thanks again, Sheri