Mean adware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wmarkj, Jan 1, 2005.

  1. wmarkj

    wmarkj Sergeant

    I have a mean adware issue. I use Win 98, and have a hijack this log file I can post on request. I am a beginner at this, and am willing to make a donation if my system can be cleaned of this problem from you no where :)
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hello and Welcome To MajorGeeks!

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. wmarkj

    wmarkj Sergeant

    Thanks. I am dealing with ad pop ups like crazy! I have downloaded most all the utilities that this novice can, and run them. I even reinstalled HiJack This after reading it needs to be in a unique Program Files folder (previously had on desktop). AdAware and Spybot find issues and resolve them, but they always come back. CXTPLS is not responding with CNTL/ALT/Delete and I've read along the way that is a problem file anyway. Willing to send HiJack This text if needed? May God richly bless the individual that can guide me out of this foxhole :)
     
  4. wmarkj

    wmarkj Sergeant

    hijack this log file attached
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let's do this. Follow me below:

    1) Boot into Safe Mode

    2) First make sure you have "Hidden files and folders" checked per the tutorial.
    Now, go into the directory C:\WINDOWS and locate the folder called "BUNDLES"

    C:\WINDOWS\BUNDLES <--- Delete this whole folder

    Same directory C:\WINDOWS locate the file called "wupdt.exe" and delete it.

    Now go into the directory C:\PROGRAM FILES and locate the folder called "CXTPLS"

    C:\PROGRAM FILES\CXTPLS <--- Delete this whole folder

    Also in the same folder, find and locate the folder called WINDOWS CONTROLAD

    C:\PROGRAM FILES\WINDOWS CONTROLAD <--- Delete this whole folder

    Same directory, find the folder called CSBB

    C:\PROGRAM FILES\CSBB\ <--- Delete whole folder

    Same directory, find the folder called AutoUpdate

    c:\Program Files\AutoUpdate\AutoUpdate.exe <--- Delete this whole folder

    3) Now reboot into normal mode, and post new HJT log.
     
  6. wmarkj

    wmarkj Sergeant

    thanks, got that done. Before I started the steps, something I may have done has caused Explorer to say "not responding" when I cntl/alt/delete. Had to reboot a couple times. Anyway, here is the new HJT log after following the steps you provided.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, now run HJT again and have it fix these entries. Before fixing anything with HJT, please close all browsers.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
    O4 - HKLM\..\Run: [vcmpin] C:\WINDOWS\BUNDLES\ADL_MTESTSTUB.EXE
    O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
    O4 - HKLM\..\Run: [jglwpy] C:\WINDOWS\SYSTEM\twmimf.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [o72Q36T] IR3TMLER.EXE
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [Zwt4RWf7g] INEMA13N.EXE
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28eaa6f092920bea3d23/netzip/RdxIE601.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    After fixing these entries reboot and post new HJT log. Let me know how things are working as of now. Thanks!
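As an added example (not code from the thread, from MajorGeeks, or from HijackThis itself), here is a small Python parser for HJT-format lines like the ones above, with a triage pass that flags entries pointing at the folders and files bjgarrick told the user to delete earlier in the thread. The sample log is constructed from the post #7 entries plus one normal Windows 98 `ScanRegistry` line for contrast; the expansion of the `PROGRA~1` short name, the "bare filename in a Run key" heuristic and the "ActiveX from an IP-literal host" heuristic are my own assumptions, not anything the thread states.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample. Every line except ScanRegistry (a normal Win98 autorun
# entry added for contrast) is copied from the entries listed in post #7.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [vcmpin] C:\WINDOWS\BUNDLES\ADL_MTESTSTUB.EXE
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [o72Q36T] IR3TMLER.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28eaa6f092920bea3d23/netzip/RdxIE601.cab
"""

# One regex per HJT section type we care about; other sections keep raw text only.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
O16_RE = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s+\((?P<name>[^)]*)\)\s+-\s+(?P<url>\S+)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")
# First token ending in an executable extension, quoted or not (Win98 logs often
# show unquoted paths containing spaces, so splitting on whitespace would be wrong).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|bat|scr))"?(?:\s|$)', re.IGNORECASE)

# Folders and files the thread's helper told the user to delete (from the page).
WATCHLIST_DIRS = (r"C:\WINDOWS\BUNDLES", r"C:\PROGRAM FILES\CXTPLS",
                  r"C:\PROGRAM FILES\WINDOWS CONTROLAD", r"C:\PROGRAM FILES\CSBB",
                  r"C:\PROGRAM FILES\AUTOUPDATE")
WATCHLIST_FILES = (r"C:\WINDOWS\WUPDT.EXE", r"C:\WINDOWS\BTGRAB.DLL",
                   r"C:\WINDOWS\SYSTEM\TWMIMF.EXE", r"C:\WINDOWS\ZSERV.DLL")


@dataclass
class HjtEntry:
    code: str                 # R0, R1, O2, O4, O16, ...
    raw: str                  # the original line
    fields: Dict[str, str] = field(default_factory=dict)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis entry lines; non-entry text (headers, process list) is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        sub = {"O4": O4_RE, "O2": O2_RE, "O16": O16_RE}.get(code)
        if sub is None and code.startswith("R"):
            sub = R_RE
        sm = sub.match(body) if sub else None
        entries.append(HjtEntry(code, line, sm.groupdict() if sm else {}))
    return entries


def normalize_path(p: str) -> str:
    """Upper-case, strip quotes, expand the PROGRA~1 short name and assume drive C:
    for drive-less paths (assumption: Program Files lives on the system drive)."""
    p = p.strip().strip('"').upper().replace("PROGRA~1", "PROGRAM FILES")
    return "C:" + p if p.startswith("\\") else p


def executable_of(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().strip('"')


def on_watchlist(path: str) -> bool:
    return path in WATCHLIST_FILES or any(path.startswith(d + "\\") for d in WATCHLIST_DIRS)


def is_ip_literal(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, detail) for each entry that deserves a closer look."""
    findings = []
    for e in parse_hjt(text):
        f = e.fields
        if e.code == "O4" and "cmd" in f:
            path = normalize_path(executable_of(f["cmd"]))
            if on_watchlist(path):
                findings.append((e.code, "watchlist path", f["cmd"]))
            elif "\\" not in path:      # heuristic: autorun with no directory at all
                findings.append((e.code, "bare filename in autorun", f["cmd"]))
        elif e.code == "O2" and "path" in f and on_watchlist(normalize_path(f["path"])):
            findings.append((e.code, "watchlist path", f["path"]))
        elif e.code == "O16" and "url" in f and is_ip_literal(urlparse(f["url"]).hostname):
            findings.append((e.code, "ActiveX download from IP-literal host", f["url"]))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:38} {detail}")
```

The R0/R1 lines are parsed into key, value name and data but deliberately not scored: an `about:blank` search page is what a hijacked browser often shows, but it is also a legitimate setting, so in a triage tool it belongs in the report, not on the block list.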
     
  8. wmarkj

    wmarkj Sergeant

    here's the log. Didn't see O4 - HKLM\..\Run: [vcmpin] C:\WINDOWS\BUNDLES\ADL_MTESTSTUB.EXE but handled the rest
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, let's remove this file. Follow below:

    C:\WINDOWS\TEMP\THNALL1B.EXE

    1) First make sure you have "hidden files and folders" enabled per the tutorial. Now go into the directory "C:\WINDOWS\TEMP" and remove everything in this folder.

    2) Download and Install CCleaner

    3) Run this tool and do all 3 scans.

    4) Run HJT again and remove the below entry, please close all browsers before removing anything with HJT.

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Reboot, post new log and let me know how things are running now.
     
  10. wmarkj

    wmarkj Sergeant

    I read somewhere (tutorial??) that to get all files displayed that you go into IE options/View tab and click on Show all files. That is checked. Am I on the right track as far as having all files displayed?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1) Go into Control Panel

    2) Select Folder Options

    3) Click the 2nd tab (View)

    4) Under "Hidden files and folders" make sure it's checked.
     
  12. PhilliePhan

    PhilliePhan Guest

    Generally, it is not recommended to Scan for Issues with CCleaner unless you know what you are doing. If you do Scan for Issues, make sure to create a backup when prompted to do so!

    We have seen cases where novices have run into problems doing this.

    Please be careful :)

    PP
     
  13. wmarkj

    wmarkj Sergeant

    Thanks, I found appropriate tutorial as you were writing.
    I'm deleting all in TEMP, and error says "Temporary Internet Files" and "Cookies" etc are system files and Windows may not operate if I delete. Do these rebuild? Should I select the Yes to All and proceed?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it is fine to delete these files.
     
  15. wmarkj

    wmarkj Sergeant

    after CCleaner, I relaunch Mozilla (new browser I use) and it errors "the file \home cannot be found". Also, manage attachments won't launch to send you new hjt file. Please help.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you do the 3rd step using CCleaner? If so did you create backups?
     
  17. wmarkj

    wmarkj Sergeant

    a reboot seems to have fixed the home page issue in Mozilla. The CC cleaner did not seem to operate in steps, or prompt for a backup. It just had the 3 categories defaulted and checked with a continue or proceed button, so I went for it... Will now try to send you hjt log.
     
  18. wmarkj

    wmarkj Sergeant

    had to send hjt with IE this time. Mozilla manage attachments won't launch.
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, still a few things I see here that need to go. Follow me below:

    1) Boot into safe mode

    2) Go into the folder C:\WINDOWS and locate the file

    ZSERV.DLL

    Delete this file!

    3) Also, go into the directory C:\WINDOWS\SYSTEM and find the file TWMIMF.EXE. Delete this file!

    4) Reboot into normal mode, run HJT again and remove the below entries if they are present. Post a new log after doing this! Let me know how things are running.

    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
    O4 - HKLM\..\Run: [omvycjsobkikp] C:\WINDOWS\SYSTEM\TWMIMF.EXE
     
  20. wmarkj

    wmarkj Sergeant

    I'm no longer getting pop ups with IE. My daughter got a ton signing onto AOL Instant Messenger, but as long as IE is clean, I think I'll live. Ad Aware's ad on for detecting VX2 says I don't have that, but every Ad Aware scan finds "VX2 malware" and cleans it, but it comes back. Dunno if you have any theory on the Manage Attachments not working in Mozilla, but if that is the only issue I have, I think I can let that one go. Attached is my newest hjt file after deleting zserv.dll and twmimf.exe. and the other one you mentioned that was present, deleted.
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, there are a few Trojans that are loading, so what I want you to do is this.

    1) Download and Install TrojanHunter

    2) After install it will prompt to update, go ahead and update.

    3) Run a full scan on drive C:\
    NOTE: Remove all infections found.

    4) After TrojanHunter is complete, download and install SpySweeper

    5) Update definitions by clicking "Options" and then update definitions.

    6) Run a full scan and remove all found traces.

    7) After these steps are complete, reboot and post new HJT log.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also for the VX2 problem download the following tools and follow below:

    Generic Detection Tool

    http://www.downloads.subratam.org/DllCompare.exe

    http://www.downloads.subratam.org/VX2Finder.exe

    http://www.downloads.subratam.org/KillBox.zip


    Now, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that to your next post.

    Do not reboot after that because that can cause the files to mutate.

    NOTE: Complete post #21 before doing this. Thanks!
     
  23. wmarkj

    wmarkj Sergeant

    here is hjt file. Now beginning work on instructions in post 22. Thanks for all this help!!
     

    Attached Files:

  24. wmarkj

    wmarkj Sergeant

    Re: post 22: Do I run all 4 of those utilities in order, or just download them and run the generic detection tool?
     
  25. wmarkj

    wmarkj Sergeant

    the vx2 finder error said "is currently only for NT based systems". I use Win 98
     
  26. wmarkj

    wmarkj Sergeant

    here is output.txt from find.exe. When asked if I wanted to "add to registry" I clicked on no each time and closed.
     

    Attached Files:

  27. PhilliePhan

    PhilliePhan Guest

  28. wmarkj

    wmarkj Sergeant

    I am a home user. If I understand your question correctly, I use only one profile, the one that automatically boots in when I boot up the cpu. I don't use additional profiles.
     
  29. wmarkj

    wmarkj Sergeant

    I have run the Generic tool. Am I OK to reboot?
     
  30. PhilliePhan

    PhilliePhan Guest

    So, your daughter doesn't have her own account? A lot of malware gets on family computers via kids' accounts! ;)

    Go ahead and reboot if need be - If you need to run that tool, we'll have to set you up with the right one first!

    If there is only 1 account on your machine, please send me a fresh HJT log from Normal Windows boot for that account ( Bet you're tired of that!).

    ALSO - What problems are you continuing to have? (Sorry, I arrived late to the party!)

    PP :)
     
  31. wmarkj

    wmarkj Sergeant

    user bjgarrick has done a great job cleaning up pop ups with IE. I think I'm all set, just concerned that VX2 and VX2/f continue to appear as malware detected by Spybot and AdAware even after those programs have cleaned them up. AOL Instant Messenger continued to have ads pop up, but I think we can live with that as long as I don't have dormant things that can recreate the pop ups. Manage attachments no longer works on this website with Mozilla after running CCleaner. As long as nothing else is affected, I can live with that. Attached is another hjt log, I'll pick back up with your reply tomorrow afternoon. Thanks.
     

    Attached Files:

  32. PhilliePhan

    PhilliePhan Guest

    Looks like you and BJ got rid of everything - I do not see anything particularly harmful in your log.

    It also looks like some critical updates from Windows await you.

    If you want to double-check for the VX2 variant, download this tool: Generic Detection Tool for 9x/ME (just click "Agree" to D/L) and run Findit.bat and attach the log.

    Somebody will check back tomorrow!

    PP :)
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Most of these VX2 infections have been XP, that's why I got confused. Sorry about that! Glad everything is working fine!
     
  34. wmarkj

    wmarkj Sergeant

    Spysweeper wants to warn me about strings.exe when I clicked on findit9xme.bat. Should I tell it that it is ok?
     
  35. wmarkj

    wmarkj Sergeant

    ok, got the info on strings.exe after I said ok to spysweeper. Now going to run these programs from last night to clean it up. I'll be glad when this is over!!! Any advice appreciated.
     
  36. wmarkj

    wmarkj Sergeant

    I'm confused about strings.exe. The link I was sent said it is malicious, but it seems to be working like the other guys said in that it is creating a log file/searching. Do I abort?????
     
  37. wmarkj

    wmarkj Sergeant

    I aborted. Trojan Hunter said the following:
    Port scan
    Port 5180/TCP is open (matches Peeper.120) (Tell me more about port alerts...)
    Port 1480/TCP is open (matches RemoteHack.130)
     
  38. wmarkj

    wmarkj Sergeant

    ok guys, here is current hjt file. Do I look OK? Spyhunter found many of the same issues as before our fix yesterday (e.g. 2nd thought Trojan, vx2)
     

    Attached Files:

  39. wmarkj

    wmarkj Sergeant

    also, the link to advance to the next news article under the picture on http://comcast.net/chsi.html is another link that doesn't work in Mozilla after ccleaner. any ideas?
     
