Please help: ad-w-a-r-e popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by LanceW, Jan 15, 2006.

  1. LanceW

    LanceW Private E-2

    Hi,

    My PC got infected with a load of malware a few days ago, and while I've managed to remove most of it with SpyBot, Adaware and HJT, I still have one recurring nightmare. I keep getting IE popup windows (and extra tabs in Mozilla) advertising US Green cards, dating services and - of course - anti-spyware software.

    I followed your generic instructions in http://forum.majorgeeks.com/announcement.php?f=35
    and this is what happened:
    1. System restore is enabled
    2. Ran ccleaner
    3. Microsoft Malicious Software removal tool - found nothing.
    4. Ad-aware SE personal - found vulnerabilities in notepad, logfile attached:
    5. Spybot Search & Destroy - found nothing
    6. Microsoft AntiSpyWare found nothing
    7. cwshredder found nothing
    8. Kill2Me found nothing
    9. FXSpl2Me found nothing
    10. ewido anti-malware 3.5 found C:\windows\system32\jr4025hmg.dll (Spyware.Look2Me), C:\windows\system32\wxerror.dll (Spyware.Look2Me) and removed them, but couldn't remove C:\windows\system32\ddmonlang12.dll (Spyware.Look2Me) - manual delete also doesn't work, saying file is in use by another program, even in safe mode.
    11. Symantec Spyware.Look2Me removal tool found nothing.
    On restart - couldn't restart in safe mode with Networking.
    ewido found C:\windows\system32\ddmonlang12.dll (Spyware.Look2Me) again and also C:\windows\system32\idnathlp.dll (Spyware.Look2Me). Deleted idnanthlp.dll but not ddmonlang12.dll (when I tried to delete manually, got my first ad-w-a-r-e popup - coincidence?)
    12. Managed to start in safe mode with Networking. Got ad-w-a-r-e popups again.
    13. Ran bitDefender - it found nothing
    14. Tried to run Panda ActivScan: "An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... "
    15. Next reboot: An exception occurred while trying to run C:\windows\system32\tWpisrv.dll",DllGetVersion"
    16. Another thing: when I try to add the domains of some of these popups to my hosts file (e.g. www.ad-w-a-r-e.com), they get overwritten almost immediately with www.context-plus.net.
    17. My HJT log looks pretty clean, but attached here:

    18. Also, dllcompare finds some problems:
    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________
    C:\WINDOWS\SYSTEM32\i042la~1.dll Sun 15 Jan 2006 17:55:02 ..S.R 236,085 230.55 K
    C:\WINDOWS\SYSTEM32\jtr007~1.dll Sun 15 Jan 2006 21:54:02 ..S.R 234,845 229.34 K
    ________________________________________________
    1,470 items found: 1,470 files (2 H/S), 0 directories.
    Total of file sizes: 302,496,291 bytes 288.48 M
    Administrator Account = True
    --------------------End log---------------------

    That's it - apologies for length of post, but trying to remove this thing has been a weekend's work so far...

    Please let me know if you can help.

    Cheers, Lance
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Please follow step 7 of the READ ME and do not use msconfig to control startups.

    Did you look in Add/Remove programs for Context Plus?

    Also HijackThis logs must be posted from Normal boot mode. Yours appears to be from safe mode.

    Why are the below running? They should not be running when using HijackThis.
    C:\temp\dl\aswclnr.exe
    C:\temp\dl\asw1.tmp
    C:\windows\regedit.exe


    Are the below two lines something you installed? What are they?
    O4 - HKLM\..\Run: [CData] C:\PROGRAM FILES\ADMINTOOLS\Userreg\XPLocLog.VBS
    O4 - HKLM\..\Run: [OneDesk_Popup] C:\Program Files\OneDesk-Popup\OneDesk.exe


    The below is reported to be a worm. See http://www.bleepingcomputer.com/startups/netmon.exe-3645.html Did you install this?
    O23 - Service: Network Monitor - Unknown - C:\Program Files\Network Monitor\netmon.exe (file missing)
     
    Last edited: Jan 15, 2006
  3. LanceW

    LanceW Private E-2

    Hi,

    Thanks for your reply. I used msconfig and managed to reboot in safe mode with network support, but still couldn't manage to get Panda activscan to work.

    O4 - HKLM\..\Run: [CData] C:\PROGRAM FILES\ADMINTOOLS\Userreg\XPLocLog.VBS
    O4 - HKLM\..\Run: [OneDesk_Popup] C:\Program Files\OneDesk-Popup\OneDesk.exe

    are both part of the standard installation for the company I work for - both have been there for years.

    The C:\Program Files\Network Monitor folder is currently empty. netmon.exe isn't there.

    Here is my latest hijack this log, run in normal mode with no other apps running:

    Thanks,

    Lance
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still are using msconfig to control startups.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Please do what was requested in the step 7 of the READ ME and in my previous message. You must select Normal Startup and attach a log from that mode.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Network Monitor ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network Monitor

    Now exit HJT but do not reboot when it tells you it needs to.

    You have a Look 2 Me infection that must be fixed.

    Please run the steps in this link: Look2Me VX2 Removal and attach both logs.
     
  6. LanceW

    LanceW Private E-2

    Hi chaslang,

    Current status is that I haven't had a popup since (finally) restarting in normal mode after your reply at 10:05.

    The Network Monitor service was already stopped, but I disabled and then removed it as instructed.

    I ran options 1 and 2 from l2mfix - the logfiles are attached here:

    Thanks,

    Lance
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have selected Normal Startup in msconfig then attach a new HJT log now.
    Otherwise select Normal Startup and then attach a new HJT log.
     
  8. LanceW

    LanceW Private E-2

    Hi,

    New HJT log, from Normal boot:

    Cheers,

    Lance
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Have HJT fix the below line and make sure it stays gone after a reboot.

    O20 - Winlogon Notify: App Management - C:\windows\system32\enr0l19m1.dll (file missing)

    Just tell me the results.

    Other than that, your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
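    An added example, not code from this thread or from any of the tools named in it: a read-only PowerShell triage script for the two persistence points this thread turns on, the Winlogon Notify handlers HijackThis reports as O20 lines (a Notify DLL is loaded into winlogon.exe at logon, which is why such a file reports as "in use" even in safe mode) and services whose binary is missing, as with the "Network Monitor" O23 line above. It assumes an elevated PowerShell 3.0 or later prompt on Windows; the Winlogon\Notify key is an XP-era mechanism and may simply be absent on newer systems.

```powershell
# Added example (not code from the thread): read-only triage of two HJT items
# seen above, O20 Winlogon Notify handlers and O23 services with a missing binary.
# Requires an elevated PowerShell 3.0+ prompt; it reports and changes nothing.

function Get-WinlogonNotifyEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return @() }   # key absent on Vista and later
    foreach ($key in Get-ChildItem $base) {
        $dll  = (Get-ItemProperty $key.PSPath).DllName
        $full = [Environment]::ExpandEnvironmentVariables("$dll")
        # A bare file name is loaded from system32, so resolve it there
        if ($full -and -not [IO.Path]::IsPathRooted($full)) {
            $full = Join-Path $env:SystemRoot "system32\$full"
        }
        $exists = [bool]($full -and (Test-Path $full))
        [pscustomobject]@{
            Handler = $key.PSChildName
            DllName = $dll
            Exists  = $exists
            # Random-named, unsigned handlers (the Look2Me pattern) stand out here
            Signed  = $exists -and ((Get-AuthenticodeSignature $full).Status -eq 'Valid')
        }
    }
}

function Get-ServicesWithMissingBinary {
    foreach ($svc in Get-CimInstance Win32_Service) {
        # PathName may be quoted and may carry arguments; keep the executable only
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] }
               else { $svc.PathName }
        $exe = [Environment]::ExpandEnvironmentVariables("$exe")
        if ($exe -and -not (Test-Path $exe)) {
            [pscustomobject]@{
                Name      = $svc.Name
                Display   = $svc.DisplayName
                State     = $svc.State
                StartMode = $svc.StartMode
                Path      = $svc.PathName
            }
        }
    }
}

'== Winlogon Notify handlers (HJT O20) =='
Get-WinlogonNotifyEntries | Format-Table -AutoSize
'== Services whose binary is missing (HJT O23 "file missing") =='
Get-ServicesWithMissingBinary | Format-Table -AutoSize
```

    A handler whose Exists column is False is exactly the "(file missing)" O20 case fixed above; one that exists but is unsigned and randomly named deserves a closer look before anything is deleted, since the DLL cannot be removed while winlogon.exe holds it.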
     
  10. LanceW

    LanceW Private E-2

    Hi,

    Sorry for taking so long to respond. That last entry is gone permanently, and have rebooted with a new restore point.

    Thanks very much for all your help.

    Lance
     
