
January 30th, 2005 18:00

Repetitive Virus called: Win32.SillyDLCS Please Help

 
This virus keeps popping up about every 20 minutes and will not go away. I have tried numerous virus scans and it will not go away. Also, I keep getting popups from (Update - Internet Explorer) and other various advertisements like Monster.com and especially search.offeroptimizer.com. Can someone please help?

Message Edited by MenaceOfMen on 01-30-2005 02:26 PM


January 30th, 2005 19:00

MenaceOfMen,

Let's start with this...



Go to www.trendmicro.com, and then:

1. Click " Free Online Scan".
2. Click " Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's downloaded:

1. Select all available drives.
2. Check(tick) " Auto Clean".
3. Click " Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.



Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it (it'll self-extract).
2. Click " Scan".
3. When it completes, post back the results.

Let's see what's running on that system; post up a HiJackThis log for analysis.



Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click " Scan"
2. Click " Save log"

Notepad will pop up with a copy of your system log, then:

1. " Edit | Select all"
2. " Edit | Copy"

Next, let's " Reply" back to this post, then:

1. Right-click on the message body.
2. Select " Paste"

Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).



Mike.

January 30th, 2005 19:00

 

Also, I would like to know what a VX2 file is and how to keep them off my computer because of their high threat

January 31st, 2005 13:00

House Call:

HijackThis:
 
Logfile of HijackThis v1.99.0
Scan saved at 2:43:29 AM, on 01/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv.com/community/messages/inbox.jhtml?_DARGS=/community/messages/inbox.jhtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://registernet.passport.net/reg.srf?xpwiz=true&lc=1033&langid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

January 31st, 2005 14:00

eScan Antivirus:

File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No

File C:\WINDOWS\system32\randreco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Joshua\LOCALS~1\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\DOCUME~1\Joshua\LOCALS~1\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Fraps.exe infected by "TrojanSpy.Win32.Agent.ar" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Halo\Halo 2 Screensaver.exe infected by "not-a-virus:AdWare.ToolBar.Quick.a" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Local Settings\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Local Settings\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Desktop\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\5Va01152\enhupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\mynut2.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\blasterball2drm3-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\otto-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\slyderdrm3-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IDERKLMN\blasterball2holidays-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IDERKLMN\grooveomatic-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NRSTBENQ\overball-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NRSTBENQ\supergranny-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VP3KYO67\blasterball2remix-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VP3KYO67\orbital-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\GoldMinerSetup-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\slyderdrm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\Yahtzee-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\Program Files\WildTangent\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Program Files\WildTangent\blasterball2remix-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Program Files\WildTangent\orbital-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc1.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc4.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023650.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023652.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023653.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP109\A0023852.exe infected by "not-a-virus:AdWare.Beginto.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024867.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024869.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024940.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024955.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024989.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0025187.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP112\A0027253.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP119\A0027529.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027689.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027725.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027774.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027789.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP125\A0027842.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP125\snapshot\MFEX-25.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027908.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027923.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027977.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\snapshot\MFEX-25.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP127\A0028024.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP132\A0028116.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP132\A0028158.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP135\A0028302.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP135\A0029000.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP139\A0029185.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP140\A0029296.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP141\A0029993.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP141\snapshot\MFEX-15.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP145\A0030272.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP152\A0030504.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP152\A0030539.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP63\A0010245.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0011463.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0012489.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0012504.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP67\A0012988.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013072.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013086.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013102.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014471.DLL infected by "not-a-virus:AdWare.FunWeb.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014483.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014518.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014596.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014600.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014605.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014606.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014610.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014625.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014640.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0014909.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0014922.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0015471.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP78\A0015549.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP78\A0016524.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP79\A0016597.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP79\A0016614.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017478.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017479.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017480.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017482.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017556.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017571.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP82\A0017678.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP83\A0017752.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP83\A0017789.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP86\A0018805.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022923.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022941.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022944.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022945.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No

File C:\WINDOWS\system32\randreco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

 

Thanks a lot Mike!

Message Edited by MenaceOfMen on 01-31-2005 10:05 AM


January 31st, 2005 16:00

MenaceOfMen,

First, let's get rid of the viruses in your system restore and temp folder(s), just in case we need to use it for any reason:

  1. Run "Disk Cleanup" and allow it to remove everything it finds.
  2. Disable, then re-enable system restore, with a reboot in between. Then immediately create a new restore point manually.
     



Download, unzip to your desktop CWShredder and run it, then:

 
1.  Click " Check For Update"
 
   ( If an update isn't available, skip to step #4.)
 
2.  Click " Click here to Download the update".
3.  When the new version has been downloaded, click " Save".
4.  Click " Fix ->"
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32 /u BTGrab.dll
regsvr32 /u systb.dll
 
It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines into the command prompt to save on the typing.



Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
 
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
 
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
 
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
 
files...
 
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\wupdt.exe
 


Post back a new log.
 
-
 
Mike.
 
Edits: Added an additional cleanup item; pre-hijackthis.

Message Edited by Midnight Star on 01-31-2005 12:37 PM
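The log posted earlier in the thread and the entries Mike picked out of it can be turned into rules. The block below is an added example written for this page, not code from the thread and not a HijackThis feature: it parses the R0/R1, O2/O3 and O4 lines, flags IE search settings that point at a host other than the assumed Microsoft defaults, browser add-ons whose file is "(no file)" or sits directly in C:\WINDOWS, and autoruns that do the same, then lists the on-disk files to unregister and delete. The host allow-list (microsoft.com, msn.com) and the "directly in the Windows directory" rule are assumptions chosen to reproduce the selection above; a real triage also checks each CLSID and filename against a current reference, because legitimate entries (Acrobat, the Google toolbar, igfxtray) look much the same without that context. The sample log is a constructed excerpt of the log posted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv.com/community/messages/inbox.jhtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://registernet.passport.net/reg.srf?xpwiz=true
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
"""

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")

# IE search-related value names. Start Page is the user's choice, so it is not listed.
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "CustomizeSearch", "SearchURL")
# Assumption: the hosts IE's own defaults point at; anything else is a hijack candidate.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")
# Assumption: a module or autorun placed directly in the Windows directory (no subfolder)
# is suspicious; legitimate software installs under system32 or Program Files.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


def host_of(value):
    """Hostname of a URL, tolerating the scheme-less form HijackThis sometimes prints."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def check_search(body):
    """R0/R1: '<registry key>,<value name> = <url>'."""
    key, _, value = body.partition(" = ")
    if not any(k in key for k in SEARCH_KEYS):
        return None, None
    host = host_of(value)
    if any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS):
        return None, None
    return "IE search setting redirected to " + host, None


def check_module(body):
    """O2 (BHO) / O3 (toolbar): '<name> - {CLSID} - <path>'."""
    path = body.rsplit(" - ", 1)[-1].strip()
    if path == "(no file)":
        return "CLSID still registered but its file is gone (orphaned hook)", None
    if WINDOWS_ROOT.match(path):
        return "browser add-on dropped directly in the Windows directory", path
    return None, None


def check_autorun(body):
    """O4: Run keys '[name] <path> <args>' and startup shortcuts '<lnk> = <target>'."""
    if body.endswith(" = ?"):
        return "startup shortcut whose target cannot be resolved", None
    m = re.search(r'(?:\]\s*"?|= )(.+?\.exe)', body, re.I)
    if m and WINDOWS_ROOT.match(m.group(1)):
        return "autorun executable dropped directly in the Windows directory", m.group(1)
    return None, None


CHECKS = {"R0": check_search, "R1": check_search,
          "O2": check_module, "O3": check_module, "O4": check_autorun}


def triage(log_text):
    """Return [{'line', 'reason', 'path'}] for every entry one of the rules objects to."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        if check is None:
            continue
        reason, path = check(m.group("body"))
        if reason:
            findings.append({"line": raw.strip(), "reason": reason, "path": path})
    return findings


def files_to_remove(findings):
    """The on-disk files behind the flagged entries: unregister (regsvr32 /u) and delete these."""
    return {f["path"] for f in findings if f["path"]}
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; on the sample it flags the same eleven entries ticked in the reply above and names the four files in C:\WINDOWS to delete, while leaving the Start Page, the Passport ShellNext entry and the Acrobat, DLA and Google modules alone.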


January 31st, 2005 21:00

MenaceOfMen,

Good work! Try this from a command prompt, entering each line one at a time. To save typing, you can use the mouse to drag-select then copy/paste the text into the command prompt.



attrib -r C:\WINDOWS\BTGrab.dll

del C:\WINDOWS\BTGrab.dll

attrib -r C:\WINDOWS\systb.dll

del C:\WINDOWS\systb.dll




Be sure to post back a new log.

-

Mike.

January 31st, 2005 21:00

Everything checked out good except I couldn't delete C:\WINDOWS\BTGrab.dll or C:\WINDOWS\systb.dll because of their write protection and I'm not sure how to get rid of that.

Thanks a bunch:smileyhappy:

Message Edited by MenaceOfMen on 01-31-2005 05:50 PM

January 31st, 2005 23:00

Everything you told me to do worked so far. Now I just have to go on the internet and look out for popups and if they don't show it would have worked. Thanks a lot Mike! I haven't seen the Win32.SillyDI.CS virus either! but could I ask what a VX2 file is, what they do, and how to keep them away? If you look at my second post it shows I had 33 of them and their threat is 10 out of 10.

January 31st, 2005 23:00

NO POPUPS! Thanks Mike, they were making me go Insane!


February 1st, 2005 00:00

MenaceOfMen,

You're welcome! Now let's make sure there's nothing else on there that HiJackThis couldn't see; then we'll need to do some final cleanup to clean out the recycle bin and reset your system restore points.



Download mwav.exe from MicroWorld, then:
 
1.  Double-click the mwav.exe icon to run it (it'll self-extract).
2.  Click " Scan".
3.  When it completes, post back the results.
 

 
Mike.
 


February 1st, 2005 11:00

MenaceOfMen,

I use Norton's myself, and recommend AVG 7.x since it's free. Many 'Agents of Malware Destruction' do recommend AVG 7.x since it seems to find some of the more prevalent problems that other anti-virus programs don't address. I really haven't had the time to research anti-virus programs yet (hopefully, that'll come later this year when I pick up a testbed system).

I ran the results you posted through a new tool I've just developed. It allows 'picking' out the 'bad' entries and lets you delete them with a single click. It's not released yet since it needs to pass through the beta-test phase to see if it's 'bug' free. But here are the file names, in a more readable fashion:
 
-
 
C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Fraps.exe
C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Halo\Halo 2 Screensaver.exe
C:\Documents and Settings\Owner\Desktop\blasterball2drm3-drm3.exe
 
 
C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\GoldMinerSetup-dm.exe
C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\slyderdrm3-drm3.exe
C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\Yahtzee-dm.exe
 
 
C:\Program Files\WildTangent\blasterball2drm3-drm3.exe
C:\Program Files\WildTangent\blasterball2remix-drm3.exe
C:\Program Files\WildTangent\orbital-drm3.exe
 
C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc1.exe
C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc4.exe
 
 
C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000007.dll
C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000009.exe
C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000012.dll
 
 
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll
 

 
Mike.
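The reply above describes a tool that picks the 'bad' entries out of the eScan output. The block below is an added example of the same idea, written for this page and not Mike's tool: it parses the "File ... infected by ..." lines, separates adware (eScan's "not-a-virus:" prefix) from trojans, and sorts each hit by where it lives, because location decides how it gets cleaned. Copies under System Volume Information\_restore can only be removed by purging System Restore (the disable/re-enable step given earlier in the thread), RECYCLER entries go with emptying the recycle bin, Temp and Temporary Internet Files go with Disk Cleanup, and only the rest must be deleted by hand. The bucket rules are assumptions; the sample is a constructed excerpt of the two result lists posted in the thread, one line kept in the truncated "Action Taken: No" form the first list used.

```python
import re
from collections import defaultdict

# Constructed excerpt of the eScan (mwav.exe) results posted in this thread.
SAMPLE_RESULTS = r"""
File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Fraps.exe infected by "TrojanSpy.Win32.Agent.ar" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Halo\Halo 2 Screensaver.exe infected by "not-a-virus:AdWare.ToolBar.Quick.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Desktop\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\GoldMinerSetup-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\WildTangent\orbital-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc1.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc4.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000007.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000009.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Joshua\LOCALS~1\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No
File C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
"""

# Tolerates the truncated 'Action Taken: No' lines the first scan produced.
RESULT_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\.\s*Action Taken:\s*(?P<action>.*)$'
)


def severity(name):
    """eScan prefixes adware/PUA detections with 'not-a-virus:'; the rest is real malware."""
    if name.startswith("not-a-virus:"):
        return "adware"
    if "trojan" in name.lower():
        return "trojan"
    return "malware"


def bucket(path):
    """Where the file lives decides the cleanup step (assumed rules), not what it is."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"   # only purging System Restore removes these
    if p.startswith("c:\\recycler\\"):
        return "recycle-bin"      # emptying the recycle bin removes these
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"             # Disk Cleanup removes these
    return "live"                 # must be deleted by hand


def parse_escan(text):
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        findings.append({"path": path, "name": name, "severity": severity(name),
                         "bucket": bucket(path), "action": m.group("action")})
    return findings


def remediation_plan(findings):
    """Group the hits into the steps from the thread: manual delete, Disk Cleanup,
    empty the recycle bin, purge System Restore. Trojans among the live files
    are listed separately so they are dealt with first."""
    by = defaultdict(list)
    for f in findings:
        by[f["bucket"]].append(f)
    return {
        "delete_manually": sorted(f["path"] for f in by["live"]),
        "trojans_live": sorted(f["path"] for f in by["live"] if f["severity"] == "trojan"),
        "disk_cleanup_temp": len(by["temp"]),
        "empty_recycle_bin": len(by["recycle-bin"]),
        "purge_system_restore": len(by["system-restore"]),
    }
```

Feed it the saved eScan log with `remediation_plan(parse_escan(open("mwav.log").read()))`. Note that eScan's "Action Taken: No Action Taken" means nothing was cleaned; the plan is a to-do list, and the restore-point copies in it explain why the user later cannot find the files in System Volume Information and RECYCLER by browsing: those folders are hidden system folders, and the intended cleanup is the Disk Cleanup and System Restore reset, not a manual delete.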
 

February 1st, 2005 11:00

I did, there was one virus, and the rest was just adware. I will try to get rid of the adware myself, but the virus... well, I got eTrust EZ Antivirus and it's not the best I've ever had lol. Could you recommend me a free virus program? Here's the list of stuff on my computer:

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Fraps.exe infected by "TrojanSpy.Win32.Agent.ar" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Halo\Halo 2 Screensaver.exe infected by "not-a-virus:AdWare.ToolBar.Quick.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Owner\Desktop\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\GoldMinerSetup-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\slyderdrm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\Yahtzee-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.

File C:\Program Files\WildTangent\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\Program Files\WildTangent\blasterball2remix-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\Program Files\WildTangent\orbital-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc1.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc4.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000007.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000009.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP1\A0000012.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

Message Edited by MenaceOfMen on 02-01-2005 07:37 AM


February 1st, 2005 12:00

MenaceOfMen,

I believe this was your VX2 transponder: C:\WINDOWS\BTGrab.dll . Here's some info on VX2:

As far as modes of infection, there can be quite a few; yours may have come in with the CWS. Later on, when I have more research time, I'll delve into the internals of that 'garbageware' more.

-

Mike.

 

February 1st, 2005 17:00

Thanks for the info about VX2. I'm cleaning the rest out as we speak. Thanks a lot man. You helped me out a lot and even taught me some new tricks for viruses. But there is one problem, I can see all my folders (including hidden) but there is no System Volume Information folder on my hard drive. I even did a search for one and nothing showed up. But what do I do about the files in the recycler that are infected? I can't find that folder either.

Message Edited by MenaceOfMen on 02-01-2005 01:38 PM
