Valuead errors/popups, help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Reverend Mediocre, Aug 17, 2004.

  1. Reverend Mediocre

    Reverend Mediocre Private E-2

    Hello,

    I've been using AdMuncher as a general popup blocker, but I started getting popups from ValueAd, so I ran Ad Aware and got rid of a bunch of stuff but it kept coming. So I installed SpyBlocker and Search & Destroy, the good news is the popups seem to be gone.. but I still get an error from time to time with:

    http://cs.valuead.+com/code?pid=12&gid=16&rid=909581142&dom=30&dow=3&hod=2

    .. in it, I have notification disabled in IE so that means the script is being run locally, but I can't find it. I have a Hijack This log for anyone who can help me with this. Any help is appreciated, I hate to think there's something malicious sitting in my computer! Thanks!

    aryn//mediocre
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Reverend Mediocre

    Reverend Mediocre Private E-2

    Thanks for the info, I've done all recommended. Scanned with all files readable and no System Restore with Norton Professional 2003 with all current updates. I always keep Windows Update running to make sure that I'm as secure as possible, installed all updates recommended before this occurred and there are no more available right now. Hijack This log as follows:


    The "O4 - HKCU\..\Run: [Xnmqml] C:\WINDOWS\System32\mceos.exe" line looks suspicious to me, but I don't know much about these things so any advice would be greatly appreciated. The popups are becoming more and more common and every time I run Ad-Aware and visit even one benign web page the cookies come back from ValueAd. Please help! Thanks!
     
    Last edited by a moderator: Aug 20, 2004
  4. Reverend Mediocre

    Reverend Mediocre Private E-2

    Sorry, I realized just as I submitted it that I forgot I was supposed to put the log in as a file but when I tried to edit the message the system said my time had expired. I'll re-post the log file in case my post gets deleted. Thanks. Again, something tells me that the mceos.exe seems fishy, but I don't know much about these things. Thanks for the help!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you need to go back and read the HijackThis tutorial again: http://forums.majorgeeks.com/showthread.php?t=38752

    - We did not request this HJT log.
    - You are using the wrong version of HijackThis which would not be the case had you really followed all the guidelines in the 35407 link. It gives you all the links you need to check them.
    - You put HijackThis in a Temporary folder and you are specifically told not to do that.
    - You were running your browser when you ran HijackThis and you are specifically told to shut down all applications and browsers.

    Please follow guidelines we have established, it makes things go smoother and we can get to resolving your problems faster. It also reduces the work load on us.

    At any rate, do the following:

    First get the correct version of HijackThis (1.98.2) and put it in its own non-temporary folder and not on the Desktop. Also do not run it from the ZIP. Extract the EXE from the ZIP and run the EXE. Do not run it yet.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\System32\pkrjxfus.dll

    then click OK. If a dialog box confirming this action appears, click OK.


    Now run HijackThis and put checks on the following items but do not click Fix until you have exited all browser (Internet Explorer) sessions.
    O2 - BHO: (no name) - {3DAF332A-EB3B-7DCE-D326-165509DE2D6B} - C:\WINDOWS\System32\pkrjxfus.dll
    O4 - HKCU\..\Run: [Xnmqml] C:\WINDOWS\System32\mceos.exe

    Now enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
    Now reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Now run Windows Explorer and locate and delete:
    C:\WINDOWS\System32\pkrjxfus.dll
    C:\WINDOWS\System32\mceos.exe

    Empty your Recycle Bin and then look in C:\windows\Prefetch for any occurrences of the mceos.exe file. If found, delete them. Now reboot in normal mode and let me know if you are still having problems.
     
    Last edited: Aug 20, 2004
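
A follow-up check for the removal steps in the post above, added here as an example and not part of chaslang's post or any MajorGeeks tooling: it parses the two flagged HijackThis lines, compares them with a log taken after the final reboot, and reports entries that survived, including the same file re-registered under a different Run value name. `AFTER_LOG`, the function names, and the `ExampleTray` and `Qwzrtp` entries are constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Line shapes as quoted in the thread: O2 = Browser Helper Object, O4 = Run autostart.
O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:CU|LM))\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<path>.+)$")

# The two entries the post asks to have fixed, copied from the thread.
FLAGGED = r"""
O2 - BHO: (no name) - {3DAF332A-EB3B-7DCE-D326-165509DE2D6B} - C:\WINDOWS\System32\pkrjxfus.dll
O4 - HKCU\..\Run: [Xnmqml] C:\WINDOWS\System32\mceos.exe
"""

# Constructed post-cleanup log (not from the thread): the BHO is gone, but the
# same EXE is back under a different, made-up Run value name.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [Qwzrtp] C:\WINDOWS\System32\mceos.exe
"""

def parse_entries(log_text):
    """Map (section, identity) -> file path for every O2/O4 line in a log."""
    entries = {}
    for line in map(str.strip, log_text.splitlines()):
        m = O2_RE.match(line)
        if m:  # a BHO is identified by its CLSID
            entries[("O2", m["clsid"].upper())] = m["path"]
            continue
        m = O4_RE.match(line)
        if m:  # a Run entry is identified by hive, key and value name
            entries[("O4", f'{m["hive"]}\\{m["key"]}\\{m["name"]}')] = m["path"]
    return entries

def still_present(flagged_lines, after_log):
    """Flagged entries that survive cleanup, matched by identity or by file name."""
    after = parse_entries(after_log)
    after_files = {basename(p).lower() for p in after.values()}
    return [(ident, path) for ident, path in parse_entries(flagged_lines).items()
            if ident in after or basename(path).lower() in after_files]

def prefetch_glob(path):
    """Pattern for the Prefetch traces the post says to delete (NAME.EXE-<hash>.pf)."""
    return f"{basename(path).upper()}-*.pf"

if __name__ == "__main__":
    for ident, path in still_present(FLAGGED, AFTER_LOG):
        print("still present:", ident, path, "| Prefetch:", prefetch_glob(path))
```

Matching on file name as well as on CLSID or value name catches a re-registration that a plain line-by-line comparison of the two logs would miss.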
