too many popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by jmarmo, Jan 13, 2005.

  1. jmarmo

    jmarmo Private E-2

    I'm still receiving popups on my IE and I'm seeing attempts made to add programs to my startup. I did go thru the “READ ME FIRST BEFORE ASKING FOR SUPPORT”. Here’s what I got so far.

    OS : Windows 2000 Professional Service Pack 4
    Build : 5.0.2195
    IE Version : 6.0.2800

    I downloaded and installed all the tools stated in the thread in my normal Windows mode. I rebooted and went into “safe mode w/ network”. However, I could get onto the internet and I don’t know why, but I continued w/ the process anyway. Everything ran successfully except Ad-Aware SE. When it attempted to remove the problems it could not delete “jtr4079qe.dll”. In the past I noticed this file changes after every reboot.

    I rebooted and went into my normal Windows mode. The popups still continued. Also, when I first log in, a run dll error occurs (again the file changes after every reboot). Here’s an example: “An exception occurred while trying to run “C:\WINNT\system32\moltus40.dll”,UMonitor”. I reran all of the tools again. Again Ad-Aware could not remove the dll file. I rebooted and still have the same problems.

    I did download HijackThis and ran it. I’ll wait for you to ask for it. Also this problem occasionally causes memory problems with my winlogon app and boots me off the system.

    I’m currently running “Trend Micro Internet Security” and “MS Antispyware (Beta)”. That is why I know attempts are being made to change my system.

    What do I do next?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi jmarmo,

    Sounds like you may have the VX2 variant that is going around - as well as other issues..

    For the time being, I suggest uninstalling M$ Anti-Spyware as it is a bit buggy.

    Go ahead and send us a HijackThis Log so that we can see exactly what we are dealing with. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. jmarmo

    jmarmo Private E-2

    Thanks for the quick response. Included is my HijackThis log file.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Jmarmo,

    Looks like you've got the baddie I suspected. Please go ahead and download FRESH downloads of the following tools:

    Pocket KillBox
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Generic Detection Tool - NT/2000/XP
    LSP - Fix


    NOW:
    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Now, Reboot and then scan with HijackThis and attach that log.

    Also, unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log along with the HJT log.

    NOTE: After scanning with Find.bat, you MUST NOT REBOOT or the baddies will mutate!!

    I will try to check back when time permits - Am very busy these days.

    PP :)
     
  5. jmarmo

    jmarmo Private E-2

    Phillie,
    I did as you stated and here are the results.
    Jmarmo
     


  6. jmarmo

    jmarmo Private E-2

    FYI - the doc contains a window I occasionally receive. If I click OK, an option to use VB debugger appears. If I click any option the system automatically reboots. Is this the same problem?
     


  7. PhilliePhan

    PhilliePhan Guest

    Do not think related - Will post fix this evening when free time. Just wanted to let you know - Hang in there!

    PP :)
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi jmarmo,

    Sorry for the wait - Free time hard to come by these days. ANYHOO. . . .


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Before you start, look in C:\WINNT\System32 for guard.tmp and make sure that the correct path is C:\WINNT\System32\guard.tmp – Viewing of hidden files as per the tutorial may be needed. This needs to be verified so that you can enter the correct path below. If you do not find this, please continue with the other instructions & ENTER IT ANYWAY as directed.

    Be very careful to select the correct settings on Pocket KillBox. Note to REPLACE and not Delete on reboot.


    Here is Step 1:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINNT\System32\irp4l57q1.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\System32\n28o0cl3efq.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    NEXT:

    Doublecheck to make sure that guard.tmp has been removed. If it remains, feed it to Pocket KillBox and Delete it using Standard File Kill.

    C:\WINNT\System32\guard.tmp


    AnyHoo, once guard.tmp is gone, run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.


    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{36C9AD25-D384-4F8F-AE64-488205C448AD}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]



    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HJT log and we'll finish this up!

    I will try to check back when time permits.

    PP :)
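    The fixvx2.reg above relies on two regedit idioms: a value line ending in `=-` deletes that value, and a key written as `[-KEY]` deletes the whole key. The Winlogon\Notify key is a logon-time DLL loading point, which is why removing the ExtShellViews subkey removes the infection's persistence. The following Python script is an added example, not part of the thread or any of the tools named in it; it dry-runs a REGEDIT4 file and reports what merging it would change, without touching the registry.

```python
"""Dry-run a REGEDIT4 fix file and describe what merging it would do."""
import re

# Constructed copy of the fixvx2.reg text from the post above (same content).
FIXVX2_REG = """REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform]
"{36C9AD25-D384-4F8F-AE64-488205C448AD}"=-
[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ExtShellViews]
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')          # [KEY] creates/opens, [-KEY] deletes
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')  # "name"=data, @ is the default value


def parse_reg(text):
    """Return (action, key, value_name, data) tuples.

    action is 'delete_key', 'delete_value' or 'set_value'.
    """
    lines = text.splitlines()
    headers = ("REGEDIT4", "Windows Registry Editor Version 5.00")
    if not lines or lines[0].strip() not in headers:
        raise ValueError("missing .reg header; regedit would refuse this file")
    ops, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(("delete_key", key, None, None))
                current_key = None  # no values may follow a deleted key
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = "@" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":  # "name"=- removes the value
                ops.append(("delete_value", current_key, name, None))
            else:
                ops.append(("set_value", current_key, name, data))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return ops


def describe(ops):
    """Human-readable summary, one line per operation."""
    out = []
    for action, key, name, data in ops:
        if action == "delete_key":
            out.append("delete key %s (and everything under it)" % key)
        elif action == "delete_value":
            out.append("delete value %r under %s" % (name, key))
        else:
            out.append("set value %r under %s to %s" % (name, key, data))
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIXVX2_REG))))
```

Running it shows exactly two operations, which is a quick way to confirm that a line-wrapped paste has not silently turned one line into two.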
     
  9. jmarmo

    jmarmo Private E-2

    Phillie,
    I had to leave for a while and when I came back my system was dead and I had to reboot. I did do everything you stated and here are the files you requested. The only problem I had w/ your instructions was when to reconnect my system to the internet. I hope I did everything correctly.
    Jmarmo
     


  10. PhilliePhan

    PhilliePhan Guest

    Pressed for time, so I'll copy and paste.

    Please run Pocket Killbox.
    Select the option to Replace on Reboot.

    Now, Copy and Paste C:\WINNT\System32\irnul5591.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Next, Copy and Paste C:\WINNT\System32\n28o0cl3efq.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it 2fixvx2.reg


    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]



    Now:
    Click on the 2fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Attach another Find.bat log and a Fresh HJT log .
    I will try to check back when time permits. Likely Saturday evening.

    PP :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    jmarmo,

    You need to go back and download the proper version of the Generic Detection Tool - NT/2000/XP

    You do not appear to be using the one from that link. Always download and use programs from the links we supply. The version you used does not search for some additional bad items (Qooligic and Aspack).

    You should then run find.bat and post the new output.txt file.
     
  12. jmarmo

    jmarmo Private E-2

    I did what was stated on the last 2 threads and I used FindIt for W2K. The results are enclosed.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you can see it was important to use the proper version. There are other hidden problems on your system.

    The below line (from your HJT log) looks bad to me but I want to see if you know what it is:
    O4 - Global Startup: VTAgentReboot.exe

    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Doubleclick it and grant it permission to merge in the registry entries.
    Here is a list of files that we need to delete using Killbox.

    C:\WINNT\system32\esbsou.dll
    C:\WINNT\system32\pgbgay.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hftfup.exe

    and C:\WINNT\system32\wqrqio.exe

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\system32\wqrqio.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\system32\esbsou.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\system32\wqrqio.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    After reboot post another log from this new find.bat program and also post a new HJT log.
     
  14. jmarmo

    jmarmo Private E-2

    Dr C,
    Here are the log files after the deletions you asked me to do. Also I do not know what "O4 - Global Startup: VTAgentReboot.exe" is!

    When I rebooted I received 2 command windows that failed. Is this part of the problem? Here is what they look like.

    Window 1:
    Cannot load VDM IPX/SPX support
    Cannot execute C:\WINNT\SYSTEM32\WQRQIO.EXE

    Memory allocation error
    Cannot load COMMAND, system halted

    Window 2:
    Cannot load VDM IPX/SPX support
    Cannot execute C:\WINNT\SYSTEM32\HFTFOP.EXE

    Memory allocation error
    Cannot load COMMAND, system halted

    Thanks for all the work you and Phillie have done!
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes those are part of the problem! That's why in my previous message I asked you to watch for error messages (I knew you would get some).

    It does not look like you ran the REGEDIT merge or it did not work the first time. Did you have a problem doing this?

    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Doubleclick it and grant it permission to merge in the registry entries.

    Run Windows Explorer and look for and delete these files if they exist (tell me if found and deleted okay):
    C:\WINNT\system32\wqrqio.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hftfup.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wqrqio.exe
    O4 - Global Startup: hftfup.exe
    O4 - Global Startup: VTAgentReboot.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll (file missing)

    After clicking Fix, exit HJT.

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot. Again note any error messages!

    NEXT: Run find.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log
     
  16. PhilliePhan

    PhilliePhan Guest

    Hi Jmarmo,

    VT Agent is VirtualTruck, I think. Not sure if it's harmful, but can be a pain if it is giving you error messages. Let us know what you want to do with it.

    EDIT PP: Last again! Oh well . . . Back to plumbing for me!!

    PP :)
     
  17. jmarmo

    jmarmo Private E-2

    Ok ... I did everything you said. As for the registry issue, on my 1st attempt I ran it as a 2 line file w/ "Narrator" on line 2. To me it looks like that line was a wrap-around display. This time I ran it as a 3 line command.

    When I ran HijackThis the following lines did not appear so I could not fix them:
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wqrqio.exe
    O4 - Global Startup: hftfup.exe
    O4 - Global Startup: VTAgentReboot.exe

    Enclosed are my log files you asked for.

    Thanks
    Jmarmo
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just need to follow the directions and cut & paste the whole quote box into a file.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    After clicking Fix, exit HJT.

    Run Internet Explorer and click Tools, Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
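    The O1 lines above are HijackThis' view of the hosts file: every name listed is being sent to 69.20.16.183 instead of being resolved normally. As an added example (not from the thread or from HijackThis), this Python script applies the same check directly to hosts-file text: a name mapped to anything other than a loopback or private address is the redirect pattern, and repeated entries are reported separately. The sample hosts content is constructed from the entries in the post above.

```python
"""Flag hosts-file entries that redirect names to a remote address."""
import ipaddress

# Constructed hosts file modelled on the O1 lines in the post above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    ieautosearch
69.20.16.183    ieautosearch
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip rather than guess
        for name in parts[1:]:  # one IP may carry several names
            yield ip, name.lower()


def suspicious_entries(text):
    """Return {hostname: ip} for names not pointed at loopback or a LAN range.

    Legitimate hosts-file use (blocking ad domains, naming LAN machines) maps
    to loopback or private addresses; a public IP is the hijack pattern.
    """
    found = {}
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_private:
            continue
        found[name] = str(ip)
    return found


def duplicate_counts(text):
    """Names listed more than once, as in the repeated O1 lines above."""
    counts = {}
    for _, name in parse_hosts(text):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS).items():
        print("redirected: %-25s -> %s" % (name, ip))
    print("duplicates:", duplicate_counts(SAMPLE_HOSTS))
```

On a live machine, read %SystemRoot%\system32\drivers\etc\hosts and pass its contents in place of SAMPLE_HOSTS.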
     
  20. jmarmo

    jmarmo Private E-2

    Dr C/Phillie

    As of right now, everything is working perfectly. Thank you! If I see any problems I'll let you know.

    In order to prevent this again, what can I do?

    Jmarmo
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Completing all the steps from the below thread will help you avoid problems like this:
    How to Protect yourself from malware!

    But note, malware changes constantly! They find new ways to get to you. Also, you are the first line of defense. You must watch where you surf. Watch what you click Yes or No to (sometimes they trick you by asking a negative question and clicking No does the opposite of what you think). Always read before you click. Even when installing software...read the license agreement. You may find when you read it, that you don't want to install it.
     
