Surprise - another spyware frustration

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by everidle, Sep 11, 2004.

  1. everidle

    everidle Private E-2

    I'll try to be brief:

    I've followed the instructions in “READ ME FIRST: Basic Spyware, Trojan And Virus Removal” and the Hijack This instruction post but to no avail.

    I've got issues with VX2/e, DSO Exploit and ATLEvents.ATLEvents. N-case pops up once in a while.

    Spybot will find these items and let me fix most of them. It is unable to fix two registry keys affected by VX2/e. The keys are F1.Organizer and F1.Organizer.1. Even when I run RegEdit, I cannot delete these keys.

    With the other spywares, they just keep reloading and being picked up by Spybot. I've identified a BHO using Hijack This that appears to be some version of ATLEvents - it's listed as CATLEvents and puts a hidden .dat file labeled bacsm in my Local Settings/Temp folder that I cannot delete.

    Mostly, I've been getting a lot of pop up ads for browser protection software and every once in a while, my browser window will hang as if some other process is running on top of it. Of course, it's also running really slow, and I do get the uneasy feeling I'm being "watched."

    Thanks for any help!
     
  2. Burrito

    Burrito Private E-2

If you go to Properties on the file you can remove the target that it has. If you delete them then it shouldn't come back. But this won't really rid yourself of the problem.


If you want to get rid of it, you can try to download the program Avast. If you turn on protection and delete the icon, you should get a notice from Avast locating the problem when it tries to reload it back up. If you can't delete the reload program, go into Avast and set a boot scan time for the file in which the loader is in. Restart your computer and it should be able to delete it then. If you can't find the loader then just do a boot scan of the entire C drive. Note it will take a while to do but worth it if you know you have more than just that one problem.

    I hope that helps. and good luck! ;)
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Burrito,
Appreciate your help, but stop telling people to download Avast to fix their problem. It won't in almost every case here. It's misleading and inaccurate. Most people you are telling this to have antivirus, have also run Stinger and two online virus scans per the tutorial. Thanks.

Did you run Ad-Aware with the VX2 plugin and everything else in the tutorial? If you DID, download Hijack This and I will take a look at your log file.
     
  4. everidle

    everidle Private E-2

    Thanks in advance for your help.

    Again, the item that appears as a BHO is automatically reloading somehow.
     

    Attached Files:

  5. everidle

    everidle Private E-2

    I posted my hijackthis file as requested (see below post) several days ago. Any ideas of what I can do?

    Thanks again for your help.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you need to get HijackThis off your desktop and into its own folder.

    Was this log captured in safe mode or normal mode? You seem to have very few windows standard processes running.

    And please go back and follow the recently updated READ ME FIRST thread again. You did not run the online scans and possibly did not run the Stinger tool. And I don't know what else. But I see a bunch of trojans that they may clean.

Also look in Add/Remove programs for an uninstall for WinTools. If there is one, uninstall it.

Also, you have a bad file in the LSP chain. Download LSPFix (http://www.cexx.org/lspfix.htm) and run it. Check the "I know what I am doing" box. Click on lspak.dll in the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.
    Delete the following file (if found):
    c:\winnt\system32\lspak.dll

    Have HijackThis fix:
    3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\system32\cdsm32.dll
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: CATLEvents Object - {BF755B85-EA69-4F58-9A59-D85F384A15FF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pisod.dat

    Then come back with a new HJT log attachment and answers to my questions.
     
  7. everidle

    everidle Private E-2

OK - color me embarrassed. I posted the wrong hijackthis file, and I apologize, though I assure you your time wasn't totally wasted. I won't go into how pissed I am at myself for wasting my own time!

    This log file was captured after the full cleaning and in regular mode as opposed to safe mode. I did go back and redo everything from the READ ME FIRST post. I caught some trojans using the Trend Micro tool that I hadn't seen before. I removed the bad chain in the LSP file. However, everything else is reporting that I'm clean.

    I'm still having the same issues as in my original post with the same items popping up in Spybot and BHOs associated with CATLEvents.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your HJT log is from safe mode, you must give a log from normal boot mode.

However, in the log you posted there are several items that I would question. Don't act on these yet. Let's first try to acquire more info on them. Run Windows Explorer and navigate to each of these files, then right click on them, select Properties and look for a Version tab. Click the Version tab and get some info. If this works, you should see a field named 'Item name'. Select each one and see if we can identify these programs. If there is no Version tab to begin with, that would make each of these even more suspect. I have grouped these items into two categories: the first being Most Likely Bad and the second being Not Sure About.

    Most Likely Bad
    O4 - HKLM\..\Run: [q3E6] C:\WINNT\Fysfr.exe
    O4 - HKLM\..\Run: [*aspc] C:\WINNT\aspc.exe
    O4 - HKLM\..\RunOnce: [*aspc] C:\WINNT\aspc.exe rerun

    Not Sure About
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [*mscab] C:\WINNT\java\PACKAGES\mscab.exe
    O4 - HKLM\..\Run: [*playmc] C:\WINNT\ServicePackFiles\playmc.exe
     
  9. everidle

    everidle Private E-2

    That HJT file was taken from regular mode, not safe mode.

    I checked the files you listed. All three of the ones labeled "most likely bad" did not have a version tab.

    Of the "not sure about" items, mscab was there and did not have a version tab. However, SED.exe and playmc.exe were not there. I used both explorer and search to look for the files. And I do have hidden file view turned on.

    Though I'm pretty sure these files are bad (I don't recognize them as being anything important for my purposes) I haven't deleted them yet.

    Next steps?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next steps:
    1) Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below processes and End them (if found):

    Fysfr.exe
    aspc.exe
SED.exe
    mscab.exe
    playmc.exe

    2) Now run HJT again and put checks on the following items and then click Fix:
    O4 - HKLM\..\Run: [q3E6] C:\WINNT\Fysfr.exe
    O4 - HKLM\..\Run: [*aspc] C:\WINNT\aspc.exe
    O4 - HKLM\..\RunOnce: [*aspc] C:\WINNT\aspc.exe rerun
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [*mscab] C:\WINNT\java\PACKAGES\mscab.exe
    O4 - HKLM\..\Run: [*playmc] C:\WINNT\ServicePackFiles\playmc.exe

    3) Now reboot in safe mode and delete (if found):
    C:\WINNT\Fysfr.exe
    C:\WINNT\aspc.exe
    C:\Program Files\SED\SED.exe
    C:\WINNT\java\PACKAGES\mscab.exe
    C:\WINNT\ServicePackFiles\playmc.exe

    4) Now reboot in normal mode and post a new HJT log attachment.
     
  11. everidle

    everidle Private E-2

    I've followed all the instructions and it looks like there's still some problems. I also noticed some new HJT O4 items that look suspect. I've also left in the BHO - you'll notice that it's the backwards spelling of the O4 items.

    Attached is the new HJT file.
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    Hi everidle,

    You are in excellent hands here with chaslang. I don't want to step on his toes - just add a bit of info.

    It looks like you have a Stopguard related problem. You should take a look at this thread: http://forums.majorgeeks.com/showthread.php?t=42005 . It will give you an idea what you are dealing with. NOTE that the problem files mutate on reboot and the key is to shut down the troublesome running process before deleting the files. In your case, that file is:

    C:\WINNT\ServicePackFiles\faxmain.exe

    C:\WINNT\inf\odbccmd.exe is also bad.

    Your bad HJT entries are:

    O2 - BHO: CATLEvents Object - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\niamxaf.dat

    O4 - HKLM\..\Run: [*odbccmd] C:\WINNT\inf\odbccmd.exe

    O4 - HKLM\..\Run: [*faxmain] C:\WINNT\ServicePackFiles\faxmain.exe

    O4 - HKLM\..\RunOnce: [*faxmain] C:\WINNT\ServicePackFiles\faxmain.exe rerun


    Hope this helps you and chas work this out! Note that I only looked for the Stopguard entries in your log. Didn't want to get in the way too much ;)

    PP
     
    Last edited by a moderator: Sep 22, 2004
  13. PhilliePhan

    PhilliePhan Guest

    I should have added that, as you can see from your previous HJT log posts, these bad files have already mutated a number of times. They may already be different! No fear, though - They have an obvious pattern and you guys should have no trouble picking them out!

    Regards,

    PP
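The pattern everidle and PhilliePhan point out in the last few posts (the BHO's .dat name is the reverse spelling of the Run entry's executable, a RunOnce entry that relaunches the same file with "rerun", and a BHO loading from the Temp folder) can be checked mechanically over HijackThis lines. This is an added Python example, not from the thread or from HijackThis; the log excerpt is constructed from the entries quoted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the HijackThis lines quoted in this thread, as a log excerpt.
HJT_LOG = r"""
O2 - BHO: CATLEvents Object - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\niamxaf.dat
O4 - HKLM\..\Run: [*odbccmd] C:\WINNT\inf\odbccmd.exe
O4 - HKLM\..\Run: [*faxmain] C:\WINNT\ServicePackFiles\faxmain.exe
O4 - HKLM\..\RunOnce: [*faxmain] C:\WINNT\ServicePackFiles\faxmain.exe rerun
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def command_path(cmd: str) -> str:
    """Executable path of an O4 command: the quoted string, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def stem(path: str) -> str:
    """Lower-cased file name without extension, parsed as a Windows path."""
    return PureWindowsPath(path).stem.lower()


def analyze(log: str) -> dict:
    """Flag the three indicators the thread relies on and return them by kind."""
    bhos, runs = [], []
    for line in log.splitlines():
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O4_RE.match(line):
            d = m.groupdict()
            d["path"] = command_path(d["cmd"])
            runs.append(d)
    findings = {"temp_dat_bho": [], "rerun": [], "mirror_pairs": []}
    for b in bhos:
        p = b["path"]
        # A BHO whose code lives in a user's Temp folder as a .dat file.
        if "\\temp\\" in p.lower() and p.lower().endswith(".dat"):
            findings["temp_dat_bho"].append(p)
        # The BHO's file name is the reverse spelling of a Run entry's executable.
        for r in runs:
            pair = (p, r["path"])
            if stem(p) == stem(r["path"])[::-1] and pair not in findings["mirror_pairs"]:
                findings["mirror_pairs"].append(pair)
    # A RunOnce entry that relaunches the same file with a "rerun" argument.
    for r in runs:
        if r["key"].lower() == "runonce" and r["cmd"].lower().endswith(" rerun"):
            findings["rerun"].append(r["path"])
    return findings
```

Run against a full HJT log, the mirror-pair check links a BHO to its loader even after both have been renamed, which is what makes the file pairs in this thread easy to pick out.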
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP,

    It's okay if you want to hang in here and complete working this one. I'm swamped with things to look at. So if you don't mind keep working this one and if you need any help just PM me.
     
  15. PhilliePhan

    PhilliePhan Guest

    Hi Chas, everidle:

    Happy to help out. I, too, expect to be very busy the rest of the week, but will check on this thread regularly.

    Everidle – please take a look at the thread I linked earlier to get an idea of the cleanup procedure. The later posts are good, particularly Susan’s outline of the steps she used.

    Then, attach a fresh HJT log. Note that you must not reboot after posting the log due to the files changing.

    Also, using START>RUN>MSCONFIG> select Startup Tab, check and see if this process is there:

    [*faxmain] C:\WINNT\ServicePackFiles\faxmain.exe

    If it is there, UNCHECK it and select APPLY. Then navigate to C:\WINNT\ServicePackFiles\faxmain.exe and see if you are able to DELETE it. It may already have changed. If so, don't worry - It'll be in your log.

    Best

    PP
     
    Last edited by a moderator: Sep 23, 2004
  16. everidle

    everidle Private E-2

    Good news, bad news.

The good news is that last night I went ahead and got rid of all faxmain and odbccmd files and their anagram relatives. My browser is working again - no pop ups or anything. It was definitely the same thing Susan had - same ads and everything. When I ran HJT again today, the BHO did not appear nor did any of the related O4 items.

    The bad news is that when running Spybot, I'm still getting the same items VX2/e, DSO Exploit, ATLEvents.ATLEvents and N-Case.

    The VX2/e files cannot be fixed.

    Thanks again for all your help....if you still need the HJT file, I can post it, but I think the case is closed on the Stopguard problem.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore the DSO Exploit messages from SpyBot. It's a bug. Did you run Ad-Aware's VX2 cleaner plugin and do it from safe mode? Did you run SpyBot from safe mode?
     
  18. PhilliePhan

    PhilliePhan Guest

    Glad to hear it! Looks like chaslang is back on the case - probably a good thing since he is more familiar with your other problems than I am.

    Good luck,

    PP
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should post a new HJT log attachment.
     
  20. everidle

    everidle Private E-2

    I've run both Spybot and Ad Aware SE with the VX2 cleaner in safe mode. After an initial fix in both and a rerun of both, everything seems to be cleared up except the VX2. The only two files Ad Aware repeatedly picks up now are the same two registry keys that Spybot cannot fix.

    After rebooting, I ran HJT. Here's the log.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Can you give more info on the file names and paths to what Ad-Aware and SpyBot find?

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    cvss.exe

    Then find and delete:
    C:\WINNT\system32\cvss.exe

    If you cannot delete this file, boot in safe mode, shut it down with Task Manager again, and then try to delete it.

    Now come back and give me the info from Ad-Aware and SpyBot I requested and tell me how the deletion of the cvss.exe file went. Check your HJT scan to make sure it is gone.
     
  22. everidle

    everidle Private E-2

    Well, cvss.exe has disappeared - but not by my doing. When I went to terminate the process, it wasn't listed under the processes tab nor was it in the System32 folder.

    Anyhow, the two files associated with VX2 are in the registry at the following locations:

    HKEY_CLASSES_ROOT\F1.Organizer
    HKEY_CLASSES_ROOT\F1.Organizer.1

    The good news is that, aside from cookies, these are the only files Spybot and Ad-Aware are picking up now.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can use regedit to delete those two registry keys.

Just have HKEY_CLASSES_ROOT selected in the left pane, then locate (one at a time) the F1.Organizer and F1.Organizer.1 entries in the right pane, right click on them and select Delete.

    There is one other item I see in your process list:
    C:\WINNT\system32\wpwwpt.exe

Please locate this file with Windows Explorer and right click on it and get Properties/Version info (Company and other info).
     
  24. everidle

    everidle Private E-2

    Unfortunately, as mentioned in my original post, I cannot delete these two registry keys at all. Spybot and Ad-Aware won't take care of them, and I get an error message when trying to delete them in regedit. I've tried deleting them from the registry in regular mode and in safe mode but to no avail.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And what about my question:

    There is one other item I see in your process list:
    C:\WINNT\system32\wpwwpt.exe

Please locate this file with Windows Explorer and right click on it and get Properties/Version info (Company and other info).

A running process could be protecting these registry entries. We need to find that process.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

