IE crashes due to ad??

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by susans, Sep 10, 2004.

  1. susans

    susans Private E-2

    Hi everyone. Am new to site and would appreciate any help with my problem. I am running XP Home. Shortly after starting IE, one of two (so far) ads comes up in a new window and they freeze and then crash my IE. The ads are either for Stopguard or WinFireWall2004. Even if I get to a site without getting these ads, if I click on a link within the site to open an additional IE page and then try to close the additional page, IE crashes (like the original web page is connected to the second page that opened?). If I don't close the additional page but just try and click to bring to the front the original web page, there is nothing on the original page and everything freezes and crashes.

    I have run Norton Anti-Virus, CW Shredder, SpyDoctor and Ad-Aware which all found things but I still have this problem. Unfortunately, in my new job I MUST use a program that is written around IE so I can't use Netscape or other browser for the information I need to get for work. I am not real technical so if you are kind enough to respond please keep that in mind.

    Susan
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    Stopguard is a rogue (read FAKE or MALICIOUS) anti-spyware prog. It does more harm than good. I suspect the same of WinFireWall.

    To clean your computer, start with this tutorial: READ ME FIRST: Basic Spyware, Trojan And Virus Removal

    Follow the instructions as best you can - I realize you may have trouble with some of the steps if your computer continues to be uncooperative. Try not to skip any, though. Note the ones that you are able to do and the ones that give you trouble and we will talk you through the process :)

    Best luck,

    PP
     
  3. susans

    susans Private E-2

    Hi PP,

    Okay, I followed all the instructions as follows:
    Item 1: Only upgrade was service pack 2 which I didn't do.
    Item 2: Disabled system restore
    Item 3: Neither of these items showed up, but there was a listing for just "Workstation" which I didn't stop.
    Item 4: Enabled viewing hidden files
    Item 5: Downloaded ALL the software listed

    Item 1: Went into safe mode. * Please note I did not run any updates to the software I downloaded above because I don't have internet connection in safe mode.... Whole other question I need to ask you later..
    Items 2-6: Ran ALL the software programs in safe mode then ran a full system scan using my Norton Anti-Virus.

    I rebooted, turned on system restore and created a restore point, then tried to use IE and I still have the same problem. A 2nd IE page opens up with this stupid ad and when I try to close it, all of IE crashes.

    (**Question about safe mode & internet: We installed a wireless from 2Wire to share internet access on DSL throughout the house when I had Windows ME. I then upgraded to XP using upgrade software (not full XP install) and those old ME files I think are still on my computer and this is what 2Wire is using (?) because when I was in safe mode running XP and tried to open the 2Wire program, I got a message saying this was not the operating system 2Wire was installed on and I needed to reload from install disk. When I am not in safe mode 2Wire works fine on XP. Should I/can I dump old ME operating system and do you think I will lose 2Wire?)

    Whew, sorry for so much stuff. Anyway, any further suggestions as to how I can get rid of this ad so I can use IE? Thanks for all your help so far!!
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    This Stopguard is looking like it is a real piece of work. It is relatively new and the good guys haven't been able to collect much information on it yet. From what I can surmise, it installs a bad Browser Helper Object (BHO) as well as a number of files in temporary internet folders - But I'm sure that there is more to it. The experts are still trying to figure out how it gets on your computer in the first place.

    I am afraid that it may be beyond my expertise! But, not to fear ;) There are many people more knowledgeable than I in this forum who will undoubtedly be able to help!

    Perhaps an administrator can ask you for a HijackThis log to give us a better idea of what this bugger looks like on your computer. If they do ask for a log, follow these instructions: Hijack This Tutorial And How To Post Your Log File
    Follow the instructions in bold print.

    Regarding your 2Wire question, I'm not sure of an answer (a lot of help I am, huh? :rolleyes: ) However, if you post that in the Software Forum, I'm sure somebody will be able to address it!

    I'm sorry I can't be of more assistance. Hang in there :)

    PP
     
  5. PhilliePhan

    PhilliePhan Guest

    @ chaslang or M.A.

    I have compiled some info regarding Stopguard and have attached it below. It about exceeds the capacity of my tiny brain ;), but should help with a fix for Susan.

    PP
     
    Last edited by a moderator: Sep 11, 2004
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, PhilliePhan has peaked ;) Please attach a Hijack this logfile and myself or Chaslang will look at it.
     
  7. PhilliePhan

    PhilliePhan Guest

    Thanks M.A. :) I can still navigate a HJT log pretty well, even though it is hard to keep up with the new malware threats. I didn't want to break protocol and ask for a log.
    Stopguard looks like a problem that you guys may see a lot more of. Hope the info helps.

    PP
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    That's probably a good bet, thanks. Of course you know that was intended as a joke :)
     
  9. susans

    susans Private E-2

    Hi everyone. Can someone please tell me where to go to download the Hijack This file? The links I have tried (including the one on this site's Hijack This tutorial page) go to a page that says something like: www.spywareinfo.com will be ready soon. Trouble at one of the data centers. We manage our zone at zoneedit.

    PP: Thanks so much for everything! I think you are wonderful.

    Susan
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You may be being blocked by the spyware, I will email it to you. Basically, extract it to its own folder (not the desktop or temporary folder) scan, hit the save log button, reply here and look for manage attachments to upload it to this thread. Check your email shortly.
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    Spywareinfo's site is often the victim of DDOS attacks by malware purveyors. They basically tie it up so that people looking for help come up empty! Nasty, huh?

    By the way, you can get merijn.org here:

    http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

    M.A. - I took your comment as a joke. I know my limitations ;) I Just try to help as best I can since I know firsthand how frustrating these things can be.

    Hang in there, Susan! :)

    PP
     
    Last edited by a moderator: Sep 11, 2004
  12. susans

    susans Private E-2

    Thanks for emailing me the program M A. I am attaching the scan information.

    Thank you so much for checking this for me. PP sent information on Stopguard (because he is so helpful!) but every now and then the ad will be for WinFireWall 2004 - just FYI.

    Susan
     
  13. jarcher

    jarcher I can't handle a title

    now don't take my word for it until somebody else
    has confirmed
    I try to help

    I (me) would download and update
    Ad-Aware SE Personal
    SpyBot-Search & Destroy


    close your web browser
    delete all your cookies and temp files(including offline content) and your history
    and run them
    AdAware will tell you what is bad with a spider thing, critical (check all the boxes)
    there will be another tab, negligible, those also
    SBS&D? most of the stuff you probably don't want

    close all applications before running HJT
    and repost
    I see you have a lot of stuff running

    and in the tutorial for HJT: http://forums.majorgeeks.com/showthread.php?t=38752
    will help you to understand why and how


    but read my sig
    I want to try to give something back to MG
     
  14. susans

    susans Private E-2

    Hi jarcher. thanks for the suggestions. I have already run those programs but maybe you could help me with something 'cause I am not very technical.

    You mentioned I had a lot of stuff running when I ran hijack this. I closed everything I could (programs I opened from icons on my screen and a few things in the (?) quick launch stuff at the bottom of the screen). I know there seems to always be stuff running in the background that I didn't open and doesn't show up under running programs on Task Manager. How do I find this stuff and stop it and is there anything I shouldn't stop?

    Thanks,
    Susan
     
  15. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    You need to move HijackThis to its own folder where its backups will be safe. You will likely be flushing your temp folders again. Something like C:\Program Files\HijackThis is good. Run a fresh scan and attach it as a .txt file. You need a fresh scan so the backups will be saved + it looks like Stopguard changes each time you reboot.

    Just glancing at your log, it looks like it may have changed once already. I also noted an (nwiz) entry that, if it is not Norton, could be a GAOBOT virus. I doubt it though, because the tutorial steps should have flushed it out if that were the case. M.A. will know better than I.

    If you have trouble creating a safe folder for HJT, post back. I'm heading out the door, but will check back late this evening. Of course, M.A. may have you completely fixed up by then ;)

    Good luck,

    PP
     
  16. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ok, please note that you're running it from a temp folder; anything you delete will not be backed up. Backing up is a good plan if I make a mistake, which can happen in these long files. Uninstall Spy Doctor (and WeatherBug); it's not on our list in the tutorial. I will try to be conservative based on that:

    Ok, delete:

    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE

    I don't know what this is; if you don't, delete it:
    C:\WINDOWS\system32\CatRoot\dvdkey.exe
    Also:
    O4 - HKLM\..\Run: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe

    Delete:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\Susan\LOCALS~1\Temp\smksat.dat (file missing)
    O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\Susan\LOCALS~1\Temp\yekdvd.dat
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Susan\LOCALS~1\Temp\smksat.dat (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
     
  17. susans

    susans Private E-2

    Okay, I deleted everything you said and it is in a backup folder....but there is something strange but you can probably explain.

    You had me delete O4 - HKLM\..\Run: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe which I did, but I noticed a few lines below it was:
    O4 - HKLM\..\RunOnce: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe rerun

    I decided to delete that also cause I didn't know what it was and if you don't then I figured I didn't need it. Anyway, it will not delete. It shows up in the backup log as deleted, but it is always still there when I rescan. So I went into TaskManager and told it to stop the process on that program (dvdkey.exe) and it won't stop - just jumps to another place on the running process list.

    I have run searches and looked myself in different places but I can't find
    C:\WINDOWS\system32\CatRoot\dvdkey.exe anywhere. When I searched just on DVD among legit files I found these two that I couldn't ID so I just deleted them also. They are:
    TAPIDVD.EXE-08c0c787.pf Created 9/10/04 in C:\Windows\Prefetch
    DVDKEY.EXE-1Fc5B7C5.pf Created 9/7/04 in C:\Windows\Prefetch
    Should I put these back?

    I am attaching copy of my new scan after deleting everything you said - hope that is okay.
     
  18. PhilliePhan

    PhilliePhan Guest

    Hi Susan, M.A.

    C:\WINDOWS\system32\CatRoot\dvdkey.exe is definitely bad. Note that the bad BHO without the files missing is dvdkey spelled backwards. This is consistent with the info I collected. There were probably Stopguard files titled taskms at one time as well. There must be something on Susan's computer responsible for creating these files.

    Susan, you were right to try to delete the other O4 entry. Obviously, something bad is reinstalling it. If I find more info, I'll post back. Otherwise, I'll stay out of Major Attitude's way from here on out, so I don't confuse things ;)

    Good luck, Susan
    PP
     
  19. susans

    susans Private E-2

    :cool: PP: you are so observant to notice the BHO entry was indeed dvdkey spelled backwards. I have the two odd files I found in dvd file search in my recycle bin and all the stuff I deleted on Hijack this are in backup folder but not permanently deleted. I guess I just leave everything this way until I hear further from ya'll (clue to my geographic location!) One other odd thing, when I tried to print this page from Netscape (to have M A instructions) I got an error message that something was wrong with IE and IE would have to close. Then Netscape crashed. Geez... I ended up having to copy and paste his instructions into word... Anyway, please keep a check on me. Thanks!!
     
  20. susans

    susans Private E-2

    Hey, since PP noticed one entry with dvdkey spelled backwards, I did a search on yekdvd and found: yekdvd.dat C:\Documents & settings\Administrator\Local settings\Temp. Just FYI
     
  21. susans

    susans Private E-2

    Re: IE crashes due to ad? M A where are you?

    I am not sure what to do next. I can't seem to get rid of that dvdkey program if that might be causing my problem. Please read the message I sent with new log attached after following your instructions and advise.

    Thanks,
    Susan :confused:
     
  22. jarcher

    jarcher I can't handle a title

    this link is your
    recent logfile descriptions
    I had it analyzed

    here: http://hijackthis.de/logfiles/4aecc67586c6d1465bb9f7786b7f41dc.html
    but it will only be there for five days

    and the reason you can't delete the dvdkey thing is because it is running
    notice in red (in your log)
    it may be an installed program
    uninstall it
    half of it(the running process) can be closed
    or just put it in safe mode and run HJT
    then restart and close what you can and run
    easy cleaner and search for unnecessary files



     
  23. susans

    susans Private E-2

    When I open task manager and go to processes, I find the dvdkey program and click stop, but it just jumps to another area in the lineup of running processes and keeps running. It even does this when I am in safe mode.

    I can't find the program to uninstall it... Have looked under C: program files and through the control panel/add-remove programs options and through the search function.

    I guess since I can't figure out where it is to uninstall it, and I can't get it to stop running as a process, it won't allow itself to be deleted through Hijack This... However, I don't know what this really is - am just assuming it may be causing my problem...

    Any help would be appreciated. Thanks so much.

    Susan
     
  24. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    I’ve been really busy lately, but I thought I’d check in and see how you are doing. It looks as though M.A. must have a lot on his plate right now as well, so I’ve got a few suggestions and a possible fix. Before we start, try looking for these files on your computer:

    1) Make sure you have enabled Show All Files as per M.A.'s Basic Spyware Removal tutorial.

    Click MY COMPUTER > Right-click LOCAL DISK ( C: ) > PROPERTIES and look where it says File System to see if you are Fat32 or NTFS.
    Now look for these files:

    If your computer is Fat32:

    C:\WINDOWS\Registration\anticmd.exe
    C:\WINDOWS\Registration\ftpdb.exe
    C:\WINDOWS\AppPatch\ftpas.exe
    C:\WINDOWS\Web\dvdutil.exe
    C:\WINDOWS\Tasks\inetole.exe
    C:\WINDOWS\Fonts\bakanti.exe
    C:\WINDOWS\Microsoft.NET\winmsvc.exe

    If your computer is NTFS:

    C:\WINNT\inf\nutbas.exe
    C:\WINNT\inf\urlplay.exe
    C:\WINNT\inf\maindll.exe
    NOTE: These may be located somewhere besides \inf\ so you may have to search for them.

    If any of these files are there, you will probably have to delete them for the fix to work. These files are made to look legitimate, so you don’t want to make a mistake and delete the wrong one! I’d even go so far as to suggest backing them up on a floppy or CD before deleting them. This is one of the reasons I usually only offer basic advice and encouragement in this forum ;) – I’m not comfortable telling people to delete unknown files.

    That said, here is my take on a fix for your problem in 9 easy steps:
    You should print this out before you start. . . . . OK, here we go:

    1) Again, make sure you have enabled Show All Files and System Restore is OFF as per the tutorial.

    2) Fire up HijackThis and in the lower right-hand box where it says “Other stuff,” select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\system32\CatRoot\dvdkey.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    3) Run a new HijackThis scan. Check the boxes for the following items and have HJT fix them:

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Susan\LOCALS~1\Temp\smksat.dat (file missing)

    O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\Susan\LOCALS~1\Temp\yekdvd.dat

    O4 - HKLM\..\RunOnce: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe rerun


    If you did not set the following 06 entry, then have HJT fix it (most likely it is Spybot SD):
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    4) Search for or navigate to this file: C:\WINDOWS\system32\CatRoot\dvdkey.exe and DELETE it if it still exists.

    5) Run CCleaner – This should flush a bunch of things, but we’ll doublecheck them anyway in the next few steps.

    6) Open Internet Explorer. Click TOOLS > INTERNET OPTIONS and Click DELETE COOKIES. Then, Click DELETE FILES and Check the box for ALL OFFLINE CONTENT and Click OK.

    7) Now open the C:\WINDOWS\TEMP folder and delete all files and sub-folders if any remain.

    8) Make sure Recycle bin is empty. CCleaner should have done all of this, but it doesn’t hurt to check.

    9) Reboot to normal Windows and attach a fresh HijackThis Log and we’ll see if this did the trick. I'll try to check back when I get a chance.

    Good luck :)

    PP
     
  25. buzz50

    buzz50 Private E-2

    Hi Susan,

    I'm not a tech person to offer advice but am also suffering the same problem as you. I've just discovered your postings and have the identical trouble deleting the BHO: Catlevents, run, and runonce files. I might have some information that may be of help to M.A. or PhilliePhan that I didn't see in your postings. My files are named accurl and lrucca rather than dvdkey and yekdvd. When I did a search I found the following:

    lrucca.dat in C:\Documents and Settings\...\Temp
    lrucca.ini in C:\Windows
    accurl.exe in C:\Windows
    Accurl.exe in C:\Windows\Prefetch

    Did the procedure that PhilliePhan outlined work?
    Good luck (to both of us)

    Buzz
     
  26. jarcher

    jarcher I can't handle a title

    what about BHO demon?

    MA?
     
  27. susans

    susans Private E-2

    Hi PP & Buzz:

    I am sorry but have not been here so I haven't tried PP's suggestion yet. I will try to this weekend. I still have the problem with Stopguard freezing my IE but it is strange. I used to see dvdkey under running processes and it would not stop, but now I don't see it there. I wonder if it does/can change names..??

    Buzz: So sorry to hear you have this problem. It is causing me major headaches! I would gladly use Netscape or something else, but the website I need to access for business only works using IE. Have you tried PP's suggestion?

    PP: How are you - thanks so much for checking on me (I need a guardian angel with technical expertise!). Please check back when you are able. Thank you so very much.

    Susans
     
  28. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    I'm neither an angel nor a computer expert - just someone with an (some would say disturbing) interest in malware! I still know my way around a HJT log pretty well, but malware changes every day as does legitimate software and these days I am too busy to look up the entries with which I am not familiar! ;) That is why, when you consider the help that M.A. and chaslang (who volunteers his time, as do many other malware fighters on the net) provide as a free service here at MG's, you develop a healthy respect for their dedication and ability.

    With regard to Stopguard, because it is so new and so little is known about it as yet, you and Buzz are like test subjects; tools like Ad-Aware and Spybot haven't caught up with it yet, so malware fighters must learn on the fly how to get it off your machine!

    I agree, Susan, that it probably changes with every reboot. Attach a new log and let's see what it looks like now.

    Best,

    PP
     
  29. susans

    susans Private E-2

    Glad you are still around! Okay, I am attaching another Hijack This log so please let me know which entries are NOW the bad guys. :) Also, as you read I have not tried your solution yet, but since I think the file names have changed I will wait for you to tell me to go ahead with your instructions but which files to now look for..

    Thanks!
    Susans

    PS: Buzz, are your bad file names changing after several reboots?
     
  30. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    Sorry I couldn’t get back to you sooner. But, hey, it’s Saturday night!

    The more I read about Stopguard, the more I think that there is something to it beyond what is being shown in the logs. It DOES mutate every time you reboot your computer, so it will be extremely hard to catch. This time, Stopguard has mutated to C:\WINDOWS\msagent\CHARS\wmsutil.exe, but I suspect you noticed this! If it keeps changing, we may be running in circles.

    Also, there are a lot of things on your log that I would dump on principle including replacing Norton, but now is not the time, so let’s just concentrate on Stopguard.

    You should print this out before you start. . .

    1) Again, make sure you have enabled Show All Files and System Restore is off as per M.A.’s tutorial.

    2) With this step, we hope to set this known Stopguard file to be deleted upon reboot. Otherwise, you won’t be able to delete it because the process will be running and it likely won’t let you disable it. Soooo…:
    Fire up HijackThis and in the lower right-hand box where it says “Other stuff,” select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\msagent\CHARS\wmsutil.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.


    3) Run a new HijackThis scan. Check the boxes and have HJT fix the following items:

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Susan\LOCALS~1\Temp\smksat.dat (file missing)

    O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\Susan\LOCALS~1\Temp\litusmw.dat

    O4 - HKLM\..\Run: [*wmsutil] C:\WINDOWS\msagent\CHARS\wmsutil.exe

    O4 - HKLM\..\RunOnce: [*wmsutil] C:\WINDOWS\msagent\CHARS\wmsutil.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\repair\javabak.exe ren


    If you did not set the following 06 entry, then have HJT fix it (most likely it is Spybot SD):
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    4) Search for or navigate to this file: C:\WINDOWS\msagent\CHARS\wmsutil.exe and DELETE it if it still exists.

    5) Run CCleaner – This should flush a bunch of things, but we’ll doublecheck them anyway in the next step.

    6) Open Internet Explorer. Click TOOLS > INTERNET OPTIONS and Click DELETE COOKIES. Then, Click DELETE FILES and Check the box for ALL OFFLINE CONTENT and Click OK.

    7) Now open the C:\WINDOWS\TEMP folder and delete all files and sub-folders if any remain.

    8) Make sure Recycle bin is empty. CCleaner should have done all of this, but it doesn’t hurt to check.

    9) Reboot to normal Windows and attach a fresh HijackThis Log and we’ll see if this does the trick. If it doesn’t, I suspect we may have to call in chaslang and the big guns!

    Good luck :)

    PP
     
  31. PhilliePhan

    PhilliePhan Guest

    Susan,

    In addition to this step
    also look for and DELETE C:\WINDOWS\repair\javabak.exe if you can find it.

    PP
     
  32. susans

    susans Private E-2

    Okay. I think I followed all the instructions & here are specifics.

    First time I tried to delete the file on reboot, I got an error message after I had rebooted that said Windows cannot find C:\XXXX wmsutil.exe. So I went through the process again and this time on reboot I didn't get that message. Ran a new HijackThis to fix the things you told me, but the only two items there were the O2 - BHO CATLEvents.... All the O4 & O6 stuff had disappeared. Did everything else you said including finding and deleting C:\WINDOWS\repair\javabak.exe.
    (Also, whenever I searched trying to find C:\WINDOWS\msagent\CHARS\wmsutil.exe nothing would come up, except after trying searches on just wmsutil I got the prefetch file, which I deleted.)

    Here is the new log. Thanks!!
     
  33. PhilliePhan

    PhilliePhan Guest

    Hi Susan :)

    Well, as I feared, Stopguard mutated again. Now it is C:\WINDOWS\Help\TOUR\docfax.exe. The new bad HJT entries are:

    O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\Susan\LOCALS~1\Temp\xafcod.dat

    O4 - HKLM\..\RunOnce: [*docfax] C:\WINDOWS\Help\TOUR\docfax.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\security\templates\svrvga.exe ren


    This is also bad: C:\WINDOWS\security\templates\svrvga.exe

    Obviously, there is something on your computer that is spawning this stuff. I don’t want to waste your time running in circles after this - I’ll post a thread to try to get Chaslang’s attention. With any luck, he'll be able to help!

    I suspect you’ll have to use some sort of process explorer to get to the root of this. Also, you have to find a way to shut this thing down on reboot - my idea to delete it via HJT didn’t work. The only other way I’ve seen was to use the CACLS command to refuse permission for the file to run and this is after narrowing down the source of the problem. It is a complicated process, and I would not be able to talk you through it.

    Sorry I couldn’t be of more assistance!

    pp

    I noticed you said you rebooted after it didn't the file - that might have allowed it to mutate and could be why we missed it. Just a thought.
     
    Last edited by a moderator: Sep 19, 2004
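An added example, written for this thread and not code from any of the posters or from HijackThis: a small Python script that applies the pattern PhilliePhan spotted in posts 18, 30 and 33 to HijackThis log text. It parses O2 (BHO) and O4 (Run/RunOnce) entries, pairs each autorun executable with a Temp .dat whose name is the executable's name spelled backwards (dvdkey/yekdvd, wmsutil/litusmw, docfax/xafcod), flags star-prefixed RunOnce entries carrying a "rerun" or "ren" argument, counts BHO entries marked "(file missing)" separately (the registry entry outlived the file, so only a registry fix is left), and, across several logs, reports a BHO CLSID that survives a reboot with a new file path. The three snapshots are constructed from the entries quoted in the thread plus one ctfmon.exe line as a known-benign control; the regexes, function names and the reversed-name heuristic are assumptions of this example, not anything HijackThis itself does.

```python
import re
from collections import defaultdict

# Constructed sample input: abbreviated HijackThis entries modelled on the
# lines quoted in this thread, one snapshot per reboot (the dvdkey, wmsutil
# and docfax generations). The ctfmon.exe line is a known-benign Windows XP
# autorun added as a control. Not the poster's actual log attachments.
SNAPSHOTS = [
    r"""O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Susan\LOCALS~1\Temp\smksat.dat (file missing)
O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\Susan\LOCALS~1\Temp\yekdvd.dat
O4 - HKLM\..\Run: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe
O4 - HKLM\..\RunOnce: [*dvdkey] C:\WINDOWS\system32\CatRoot\dvdkey.exe rerun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe""",
    r"""O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\Susan\LOCALS~1\Temp\litusmw.dat
O4 - HKLM\..\Run: [*wmsutil] C:\WINDOWS\msagent\CHARS\wmsutil.exe
O4 - HKLM\..\RunOnce: [*wmsutil] C:\WINDOWS\msagent\CHARS\wmsutil.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\repair\javabak.exe ren
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe""",
    r"""O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\DOCUME~1\Susan\LOCALS~1\Temp\xafcod.dat
O4 - HKLM\..\RunOnce: [*docfax] C:\WINDOWS\Help\TOUR\docfax.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\security\templates\svrvga.exe ren
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe""",
]

# Assumed line shapes, taken from the entries quoted above.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>.*?)\] (?P<cmd>.*)$")


def stem(path):
    """Lower-case file name without directory or extension: ...\yekdvd.dat -> yekdvd."""
    name = path.rstrip().rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def split_command(cmd):
    """Separate the executable path from its trailing arguments (e.g. 'rerun')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1)
    return parts[0], parts[1] if len(parts) > 1 else ""


def parse_snapshot(text):
    """Return (bho_entries, run_entries) parsed from one HijackThis log text."""
    bhos, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"clsid": m["clsid"].upper(), "path": m["path"],
                         "missing": m["missing"] is not None})
            continue
        m = O4_RE.match(line)
        if m:
            exe, args = split_command(m["cmd"])
            runs.append({"hive": m["hive"], "key": m["key"], "label": m["label"],
                         "exe": exe, "args": args})
    return bhos, runs


def analyze(snapshots):
    """Correlate several log snapshots and return the suspicious patterns found."""
    reversed_pairs, rerun_entries, orphaned_bhos = set(), set(), set()
    clsid_paths = defaultdict(set)               # CLSID -> every file path seen for it
    for idx, text in enumerate(snapshots):
        bhos, runs = parse_snapshot(text)
        dat_by_stem = {stem(b["path"]): b["path"] for b in bhos}
        for b in bhos:
            clsid_paths[b["clsid"]].add(b["path"])
            if b["missing"]:                     # registry entry left behind, file already gone
                orphaned_bhos.add((idx, b["clsid"]))
        for r in runs:
            mirror = stem(r["exe"])[::-1]        # dvdkey -> yekdvd
            if mirror in dat_by_stem:
                reversed_pairs.add((idx, r["exe"], dat_by_stem[mirror]))
            if r["label"].startswith("*") and r["args"].lower() in ("rerun", "ren"):
                rerun_entries.add((idx, r["key"], r["label"], r["exe"]))
    # A CLSID that keeps its registration but points at a new file between reboots.
    persistent = sorted((c, sorted(p)) for c, p in clsid_paths.items() if len(p) > 1)
    return {
        "reversed_pairs": sorted(reversed_pairs),
        "rerun_entries": sorted(rerun_entries),
        "orphaned_bhos": sorted(orphaned_bhos),
        "persistent_clsids": persistent,
    }


if __name__ == "__main__":
    for kind, items in analyze(SNAPSHOTS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against the three constructed snapshots it reports one reversed pair per generation, five star-prefixed RunOnce entries with a rerun/ren argument, the single orphaned smksat.dat registration, and the one CLSID ({77849D67-...}) that kept its registration while its .dat file was renamed. The practical lesson is the one the thread reaches by hand: when the file names change on every reboot, key the clean-up on the things that stay stable (the CLSID, the star-prefixed label, the rerun argument) rather than on a file name from the last log.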
  34. buzz50

    buzz50 Private E-2

    Hi Susan,

    Success. I've gotten rid of the problem as far as I can tell. Spybot, Ad-Aware and HJT no longer detect my versions of dvdkey or docfax. And yes the file had mutated or renamed itself. I've had this problem since the beginning of September. Accurl.exe was actually the second renamed file and HJT detected a third new renamed file - bkinst.exe. This is how I did it:

    1) I ran HJT and deleted everything except accurl.exe (it wouldn't let me).
    2) I deleted accurl.exe in the prefetch file.
    3) I used PP's procedure and marked accurl.exe to be deleted on reboot. I received an error message on reboot that Windows could not find accurl.exe.
    4) However, instead of rebooting again, I deleted lrucca.ini and lrucca.dat. These files would correspond to xafcod.ini and xafcod.dat in your case. (You have to uncheck Hide protected operating system files under Folder Options-View to see the .ini and .dat files.)
    5) I rebooted in normal mode and received no error message. I did a search for the .dat and .ini files and did not find them. I ran HJT and accurl.exe and bkinst.exe were gone.

    As far as I can tell, I seem to be OK after approximately 5 or 6 restarts and/or shutdown and reboots. Hopefully, this may work for you. Good luck.

    Buzz
     
  35. PhilliePhan

    PhilliePhan Guest


    Hi Buzz & Susan,

    I'm glad you worked this out, Buzz! :) As you note, the error message is actually GOOD, because it shows that the file has been deleted and Windows can't find it to run it. The registry entries are still there, but there is no corresponding file - the next step of fixing with HijackThis removes these registry entries. I am beginning to think that might have been where Susan went wrong in rebooting before finishing the cleaning job.
    Buzz - Did you run CCleaner or clean out all of the temp files?

    Susan, it might be worthwhile to give my procedure one more try with the new files. Also, UPDATE (there is a recent update) Spybot SD and run it again in safe mode to see if it flags the BHOs and removes them. If you need help running the procedure with the new files, post back. As far as I can see, the key is still to delete the bad process before it can start via HJT's delete on reboot option. If it worked for Buzz, then there is hope that it will work for you as well!

    Thanks again for posting back, Buzz! This is welcome feedback. I figured I had exhausted what little knowledge I had in the first place. (I am definitely not a tech guy!) At least I could be of some help ;) Hang in there, Susan. It is going to be a busy week for me, but I'll check up on you as best I can.

    Best luck,

    PP
     
  36. PhilliePhan

    PhilliePhan Guest

    Susan,

    This is a good step as well (thanks BUZZ ;) ) - Search for and delete the .ini and .dat files. If I can find the time, I'll try to combine Buzz's steps and mine to form some sort of Stopguard removal procedure. I'd still like to get chaslang to look at this, for good measure.

    PP
     
  37. susans

    susans Private E-2

    :) :D

    PP/Buzz: I think you did it!!!!!!!!!!!!!!!!! Between the two of you you figured it out. I think I am back in business because for the first time in weeks I was able to use IE and it didn't lock up or crash no matter what I did. Also, I don't see any of those nasty entries in the hijack this log now. I am posting my log so you can check it. I tried IE right after doing everything and it opened to my webpage but wouldn't go to another site...just hung forever on loading a page. So I updated Spybot went into safe mode & ran it. It found 5 things which I deleted. Then I went back into normal mode and tried IE and it worked fine.

    Okay, now two BIG questions:

    1. How do I best protect myself in the future? What stuff should I maybe get rid of or remove from start-up or whatever. PP, I think you had some suggestions for me (when you get a minute I know you are busy).

    2. What can I do to thank you guys??

    MAJOR ATTITUDE: PP definitely deserves a promotion in rank!

    Susans
     

  38. PhilliePhan

    PhilliePhan Guest

    That's GREAT news, Susan! :) One thing that you can do for me is post the steps you did as best as you can remember them, while they are fresh in your mind. There are others in this forum who can benefit from this! I hope to fine-tune my removal procedure and integrate some of BUZZ's steps as well.

    By the way, your HJT log looks good. I'd get rid of a few minor things that are really matters of personal preference like Norton, which many think is a resource hog (replace with AVG, Avast, or another free antivirus found here at MG's), dump the Real Player, and the like.

    Regarding ways to safeguard your computer, I strongly recommend SpywareBlaster 3.2 It is FREE here: http://majorgeeks.com/download2859.html
    Use it in conjunction with Spybot SD and remember to internet update them every couple of weeks.

    I also recommend: Ad-Aware SE Personal 1.05

    You might also want to look at:

    SpywareGuard 2.2

    and

    BHODemon 2.0.0.18

    Also:
    You've probably forgotten, but your original post had a question about 2Wire that could probably be answered in the Software Specific Forum.


    CONGRATULATIONS, Susan, on stopping Stopguard! :)

    Regards,

    PhilliePhan

    Another thing you can do for me: Pray for my Phillies - Lord knows they need all the help they can get! ;)
     
    Last edited by a moderator: Sep 19, 2004
  39. susans

    susans Private E-2

    :) You better believe the Phillies will be in my prayers! Okay, these are the steps I went through to get rid of the Stopguard ad in IE.

    1. Follow & do all the steps in the Basic Spyware, Trojan & Virus Removal because they clean a lot of stuff out. Be sure and get any updates to these programs first.

    2. Run hijack this and WHEN ASKED attach a copy of the log as a .txt file and post. Some wonderful person will then look over the entries and reply telling you which entries need to be deleted. Then...

    3. Turn off system restore. Under folder options uncheck Hide Protected Operating System Files, uncheck Hide File Extensions for Known Types, and check to show hidden files and folders.

    4. Find and delete the prefetch file for the bad program.

    5. Run Hijack This again and check to fix everything they (the geeks!) told you to. Click fix. Then still in HijackThis go to Config\Misc. Tools\ and select Delete A File On Reboot and put in the exact address of the bad file and click Open. Click Yes to reboot now and reboot into Safe Mode by tapping the F8 key.

    6. You should receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DON'T REBOOT AGAIN. Stay in safe mode and delete the associated .ini and .dat files for the bad program.

    7. Run CC Cleaner and Spybot again. And just to be safe: Open IE and under Tools\Internet Options\ click to delete cookies, check the box for all off-line content and click to delete files. Open any temp folders under C: and delete all files and sub-folders. Make sure Recycle Bin is empty.

    8. Reboot into Normal mode, run Hijack This again, save the log. Check to see that what you deleted is really gone and post new log. Also, since my problem seemed to be fixed I turned System Restore back on at this point and made a manual restore point cause I really don't know what I am doing and this gives me a glimmer of hope that it could save me somewhere down the road!

    * If this doesn't work the first time, I would try again. Be sure you find and delete everything they tell you - some files (like the prefetch file) you will have to search for and delete manually. Example: When I searched for C:\WINDOWS\system32\CatRoot\dvdkey.exe no files were found. But when I did a less specific search on just "dvd" the dvdkey.exe prefetch file came up among others.

    Also, since this thing changes names after rebooting here are at least the ones I know about: (All C:\WINDOWS\) system32\CatRoot\dvdkey.exe; yekdvd.dat; prefetch\TAPIDVD.exe; msagent\CHARS\wmsutil.exe; repair\javabak.exe ren; Help\TOUR\docfax.exe; security\templates\svrvga.exe; accurl.exe

    PP: Hope this isn't too long but maybe it will help other non-technical folks if you can identify all the bad files they need to delete.
     
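    The steps above are manual, and the hard part (as Susan notes) is confirming that the renamed copies are really gone after the reboot. The following PowerShell script is an added example for that verification step; it is not from the thread, from HijackThis or from any of the tools mentioned. It is read-only: it searches the Windows folder for the file names Susan listed (with -Force, so hidden and system attributes do not hide a hit, which is what the "show protected operating system files" step exposes), lists matching Prefetch entries, prints any file deletion still queued for the next reboot, and lists autostart Run values that still reference one of the names. It assumes an elevated Windows PowerShell 5.1 or later prompt; the file names come from the post, and the Prefetch naming pattern and the PendingFileRenameOperations registry value are standard Windows behaviour, not something the thread states.

```powershell
# Added example (not from the thread or its tools): read-only check that the
# files named in the thread are gone, plus where traces of them might remain.
# Assumes an elevated Windows PowerShell 5.1+ prompt.

$windir = $env:WINDIR

# Base names exactly as posted; folders are not trusted because the thing renames itself.
$suspectNames = @('dvdkey.exe', 'yekdvd.dat', 'TAPIDVD.exe', 'wmsutil.exe',
                  'javabak.exe', 'docfax.exe', 'svrvga.exe', 'accurl.exe')

# 1. Walk the whole Windows folder. -Force includes hidden and system files, the
#    same files the "uncheck Hide Protected Operating System Files" step reveals.
$hits = Get-ChildItem -Path $windir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.Name }

"=== Files still present: $(@($hits).Count) ==="
foreach ($f in $hits) {
    [pscustomobject]@{
        Path       = $f.FullName
        Attributes = $f.Attributes          # shows Hidden/System flags
        SizeBytes  = $f.Length
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Prefetch entries are named <EXE>-<hash>.pf, which is why a search for "dvd"
#    found the DVDKEY.EXE prefetch file when a search for the full path did not.
"=== Prefetch entries ==="
Get-ChildItem -Path "$windir\Prefetch" -Force -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.Name; $suspectNames | Where-Object { $n -like "$_-*.pf" } } |
    Select-Object Name, LastWriteTime

# 3. Deferred deletions. Windows keeps "delete/rename on next reboot" requests in
#    this value; a file that is already gone when the reboot processes the request
#    gives the "could not find the file" message the thread describes. An empty
#    result after the reboot means nothing is still pending.
"=== Pending delete-on-reboot operations ==="
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations

# 4. Autostart values that still point at one of the names (the kind of entry the
#    HijackThis "fix" step removes). Listed for review only; nothing is changed.
"=== Run keys referencing a suspect name ==="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $v = "$($_.Value)"; $suspectNames | Where-Object { $v -match [regex]::Escape($_) } } |
            ForEach-Object { '{0}\{1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
```

Run it once before step 5 to record what is present, and again after step 8: the file and Prefetch lists should be empty, the pending-operations value should be empty, and no Run value should name any of the files. If a name reappears under a different folder, that is the renaming behaviour Susan describes and the list of names should be extended before trying again.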
  40. PhilliePhan

    PhilliePhan Guest

    Hey Susan,

    This is fantastic! I should probably leave it like it is ;) Feedback like this is great because I can see the steps that worked and what needs to be adjusted. This should help a lot of people.

    I should also say that, looking at my last post and what you can do to safeguard your computer, I forgot to mention that you should be running a good Firewall. It should have been my first suggestion. People here seem to like ZoneAlarm Free 5.1.011 .

    Best,

    PP
     
  41. susans

    susans Private E-2

    PP:

    Thanks for the thanks but you may want to clean up those steps to be sure they make good sense to other people. It was Buzz who reminded me that you have to allow viewing of system files under folder options to be able to find and delete the .ini and .dat files.

    One concern/confusion I have (among many) that many other people probably have is the potential conflict among different firewalls. As I mentioned I have a 2Wire wireless router that has a firewall, I think XP has a built-in firewall. Will you run into conflict problems by installing more firewalls? This would be a great issue for some helpful, smart geek to address for us non-technical folks!

    Thanks,
    Susan :)
     
  42. PhilliePhan

    PhilliePhan Guest

    Hi Susan,

    Looks like things are still OK! :)

    Regarding viewing of system files - I thought I covered that in my step 1 when I asked you to enable SHOW ALL FILES as per M.A.'s Tutorial. Does the tutorial not ask you to show hidden system files? This is another reason feedback is important. Much of the help here is predicated upon people working through the tutorial first. I’ll double-check this.

    That said, it was a pleasure to work through this with you :) You made the process easy with good descriptions and feedback. I usually just like to give people basic advice and point them to the tutorial. But, when I saw M.A. was busy, I didn’t want to leave you hanging!

    Regarding your Firewall situation, you are correct - You don't need to install more firewalls. You should leave that the way it is. My tiny brain must have been full when I remembered you had 2Wire and didn't remember the router ;)

    I’d go ahead and KEEP Norton, at least for now. It can be a real pain to uninstall! But, you should definitely look at SpywareBlaster and run it along with Spybot SD. Ad-Aware is also good. Remember, you need to internet update them regularly for them to be effective! You should also take a peek at the Frequently Asked Questions area here at MGs if you haven’t already - Very educational!

    Best Regards,

    PP
     
  43. susans

    susans Private E-2

    :) Hi PP:

    I looked back at the tutorial & it says to show hidden files and show extensions but not also, specifically, to show the operating files. I am sorry :confused: - tried to follow instructions but unless told every detail, lack imagination when dealing with the unknown!

    I will read through the FAQs - I know I have a lot to learn. Wish I knew enough to be helpful in this forum to repay everyone who helped me.

    Keep in touch!

    Susan
     
  44. PhilliePhan

    PhilliePhan Guest

    Good catch, Susan! M.A. and Chaslang have been tweaking the tutorial lately. I should probably take another look at it. Also, M.A. has another pinned post about viewing system files. I must have been thinking of that.

    About lacking imagination, I think you did fine. You fixed your problem, right? ;)

    Cheers,

    PP
     
  45. buzz50

    buzz50 Private E-2

    Hi Susan/PP

    Congratulations. I know the feeling of exhilaration I had when I finally got rid of the problem. A lot of credit should go to PP who started me on the proper path. I read PP’s posting #42 and was going to point out that unchecking hide protected operating system files was not explicitly mentioned in the tutorial but you beat me to the punch.

    One other thing that I didn’t bring up regarded system restore. The information might be of interest to people more computer savvy than me. I had the problem since the beginning of September. The day I noticed the new files, I thought I would use system restore. To my dismay, all previous restore points had been deleted. Each day a restore point would be created but would be gone the next day/reboot. When I looked at Event Viewer, it stated system restore was suspended because of insufficient space (<200 MB) on drive \\?\Volume... although I had over 7 GB free space. Now that my system is clean again I have 3 restore points starting from the time of the file deletions. I’m making the assumption that somehow the 2 problems were related. Could the offending files somehow have disabled system restore so you couldn’t go back to a time before their infection? Just a thought.

    I have a question for PP. You recommended SpywareBlaster. I've used immunization in Spybot. Is this equivalent protection?

    I, also, like Susan am grateful for the help I received. Thanks again.

    Buzz
     
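    Buzz's System Restore observation (restore points disappearing, and a System log entry claiming restore was suspended for low disk space while gigabytes were free) is something anyone in the same situation can check before they start cleaning, as Susan suggests in the next post. The PowerShell below is an added example for that check; it is not from the thread. It is read-only and assumes an elevated Windows PowerShell 5.1 prompt on a client Windows version (Get-ComputerRestorePoint and Get-EventLog are not available in PowerShell 7). It matches the event message text rather than an event ID, because the IDs and sources differ between Windows versions; the 30-day window is a constructed default.

```powershell
# Added example (not from the thread): read-only check of the System Restore
# symptoms Buzz describes. Assumes elevated Windows PowerShell 5.1, client Windows.

# 1. Restore points currently on disk. Points that existed yesterday and are gone
#    today, as Buzz saw, are the first sign something is clearing them.
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"=== Restore points on disk: $($points.Count) ==="
$points | Select-Object SequenceNumber, Description,
    @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }

# 2. Free space on the system drive, to compare with what the log entry claims.
$sys  = $env:SystemDrive
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$sys'"
if ($disk) {
    '=== Free on {0}: {1:N0} MB of {2:N0} MB ===' -f $sys, ($disk.FreeSpace / 1MB), ($disk.Size / 1MB)
}

# 3. System log entries mentioning System Restore (errors and warnings, last 30 days).
#    Message text is matched instead of an event ID because IDs vary by Windows version.
'=== System Restore errors/warnings in the System log ==='
Get-EventLog -LogName System -After (Get-Date).AddDays(-30) -EntryType Error, Warning -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'System Restore' -or $_.Source -match '^sr(service)?$' } |
    Select-Object TimeGenerated, Source, EventID,
        @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 4. Is the service behind restore points enabled? Modern Windows uses the Volume
#    Shadow Copy service (VSS); Windows XP used srservice. Whichever exists is shown.
'=== Restore-related services ==='
Get-Service -Name VSS, srservice -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

A count of zero restore points together with a "suspended" entry that names a space figure far below the free space reported in step 2 is the exact mismatch Buzz saw, and is worth noting in the forum post along with the HijackThis log, since it tells the helper that System Restore cannot be relied on for recovery and must be turned off and back on after cleaning (Susan's step 3 and step 8).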
  46. susans

    susans Private E-2

    ;) No PP, actually YOU fixed the problem. I just followed your able lead. You know, when you check to show operating system files you get one of those messages that is really saying between the lines: "Do you know what you are doing? If you continue, the world may end as you know it." Just sort of gives you pause...Of course my favorite message so far is on Hijack This if you go to delete the backup file. By the way, is it okay to delete this file? I am actually afraid those files might somehow sneak out of quarantine and reattack - this thing is sneaky!

    Hey Buzz! I wish I had also checked to see if I had restore points because if this thing stopped the computer from making restore points, that is really scary! Maybe someone else who is having the same problem can check this before they fix it. There was someone else here that PP was talking with that I think did have the same problem... :eek:

    Susan
     
  47. PhilliePhan

    PhilliePhan Guest

    Hi Susan & Buzz,

    You're welcome :) to both of you. I am not a tech guy, so I really enjoyed the challenge. One of the many things I like about this forum is that it is open to any and all who have problems or ideas to help. Because of this openness, Buzz was able to come here with a problem, find Susan's similar thread and contribute to the solution. Indeed, Buzz deserves a lot of credit for the fix - You both do.

    Susan - Go ahead and delete the backups. You know they are bad ;)

    Buzz - Good catch W/ System Restore! I can assure you that this is not the first time, nor will it be the last, that a piece of crapware has messed with System Restore.
    Long ago, when I had my first experience with malware, I was denied access to all manner of things on my computer - System Restore, the Control Panel, the "Run" Command Prompt, among others. Nothing I see out of malware surprises me any more.

    I wish I had known about MajorGeeks back then! At the time, I didn't know what to do. Through Googling and research, I found Merijn.org and his wonderful tools CWShredder & HijackThis, among others, and in about 2 weeks I was able to solve my own problem. I've been intrigued by malware ever since. And, knowing how frustrating it can be, I try to offer whatever help I can in this forum - whenever I can find the time.

    With regard to your SpywareBlaster question, I would run (in fact, I do!) BOTH it and SpybotSD. They complement each other well. SpywareBlaster works differently than Spybot in that it prevents ActiveX installs.
    It is a good idea to use Ad-Aware SE also. It will catch some things that Spybot might miss and vice-versa. You will find that these FREE tools are better than just about all of the "for pay" tools out there! Just remember to keep them updated. The same goes for your Windows Priority Updates - They are the first line of defense!

    Good luck & safe surfing to you both :)

    PP
     
    Last edited by a moderator: Sep 21, 2004
