MenaceOfMen
1 Nickel

Repetitive Virus called: Win32.SillyDLCS Please Help

 
This virus keeps popping up about every 20 minutes and will not go away. I have tried numerous virus scans and it will not go away. Also, I keep getting popups from (Update - Internet Explorer) and other various advertisements like Monster.com and especially search.offeroptimizer.com. Can someone please help?

Message Edited by MenaceOfMen on 01-30-2005 02:26 PM

0 Kudos
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

 

Also, I would like to know what a VX2 file is and how to keep them off my computer because of their high threat.

0 Kudos
Midnight Star
4 Ruthenium

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

MenaceOfMen,

Let's start with this...



Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.



Download mwav.exe from MicroWorld, then:

1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results.

Let's see what's running on that system; post up a HiJackThis log for analysis.



Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:

1. Click "Scan"
2. Click "Save log"

Notepad will pop up with a copy of your system log, then:

1. "Edit | Select all"
2. "Edit | Copy"

Next, let's "Reply" back to this post, then:

1. Right-click on the message body.
2. Select "Paste"

Then just "Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).



Mike.
0 Kudos
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

House Call:

HijackThis:
 
Logfile of HijackThis v1.99.0
Scan saved at 2:43:29 AM, on 01/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mtv.com/community/messages/inbox.jhtml?_DARGS=/community/messages/inbox.jhtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://registernet.passport.net/reg.srf?xpwiz=true&lc=1033&langid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
0 Kudos
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

eScan Antivirus:

File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No

File C:\WINDOWS\system32\randreco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\Joshua\LOCALS~1\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\DOCUME~1\Joshua\LOCALS~1\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Fraps.exe infected by "TrojanSpy.Win32.Agent.ar" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Desktop\Menace\My Software\Halo\Halo 2 Screensaver.exe infected by "not-a-virus:AdWare.ToolBar.Quick.a" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Local Settings\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\Documents and Settings\Joshua\Local Settings\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Desktop\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\5Va01152\enhupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\DrTemp\wupdsnff.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temp\mynut2.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\blasterball2drm3-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\otto-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GQW0WP94\slyderdrm3-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IDERKLMN\blasterball2holidays-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IDERKLMN\grooveomatic-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NRSTBENQ\overball-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NRSTBENQ\supergranny-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VP3KYO67\blasterball2remix-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VP3KYO67\orbital-drm3[1].exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\GoldMinerSetup-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\slyderdrm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Documents and Settings\Owner\My Documents\Vikki\My Documents\My Videos\Yahtzee-dm.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\Program Files\WildTangent\blasterball2drm3-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Program Files\WildTangent\blasterball2remix-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\Program Files\WildTangent\orbital-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc1.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\RECYCLER\S-1-5-21-484763869-1425521274-725345543-1003\Dc4.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023650.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023652.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP107\A0023653.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP109\A0023852.exe infected by "not-a-virus:AdWare.Beginto.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024867.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024869.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024940.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024955.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0024989.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP110\A0025187.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP112\A0027253.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP119\A0027529.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027689.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027725.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027774.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP124\A0027789.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP125\A0027842.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP125\snapshot\MFEX-25.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027908.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027923.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\A0027977.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP126\snapshot\MFEX-25.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP127\A0028024.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP132\A0028116.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP132\A0028158.exe infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP135\A0028302.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP135\A0029000.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP139\A0029185.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP140\A0029296.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP141\A0029993.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP141\snapshot\MFEX-15.DAT infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP145\A0030272.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP152\A0030504.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP152\A0030539.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP63\A0010245.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0011463.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0012489.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP65\A0012504.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP67\A0012988.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013072.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013086.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP68\A0013102.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014471.DLL infected by "not-a-virus:AdWare.FunWeb.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014483.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP73\A0014518.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014596.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014600.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014605.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014606.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014610.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014625.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP74\A0014640.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0014909.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0014922.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP77\A0015471.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP78\A0015549.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP78\A0016524.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP79\A0016597.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP79\A0016614.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017478.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017479.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017480.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017482.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017556.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP80\A0017571.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP82\A0017678.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP83\A0017752.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP83\A0017789.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP86\A0018805.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022923.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022941.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022944.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\System Volume Information\_restore{0F9666E4-A69B-4387-9927-01C3E413C4C6}\RP90\A0022945.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No

File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No

File C:\WINDOWS\system32\randreco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No

File C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No

 

Thanks a lot Mike!

Message Edited by MenaceOfMen on 01-31-2005 10:05 AM

0 Kudos
Midnight Star
4 Ruthenium

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

MenaceOfMen,

First, let's get rid of the viruses in your system restore and temp folder(s), just in case we need to use it for any reason:

  1. Run "Disk Cleanup" and allow it to remove everything it finds.
  2. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
     



Download, unzip to your desktop CWShredder and run it, then:

 
1.  Click "Check For Update"
 
   (If an update isn't available, skip to step #4.)
 
2.  Click "Click here to Download the update".
3.  When the new version has been downloaded, click "Save".
4.  Click "Fix ->"
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  BTGrab.dll
regsvr32  /u  systb.dll
 
It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.



Run HiJackThis and click "Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
 
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
 
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
 
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
 

Now, with all windows closed except HiJackThis, click "Fix checked".
 


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
 
files...
 
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\wupdt.exe
 


Post back a new log.
 
-
 
Mike.
 
Edits: Added an additional cleanup item; pre-hijackthis.

Message Edited by Midnight Star on 01-31-2005 12:37 PM

0 Kudos
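Added example, not part of the original thread or any poster's code: one way to automate part of the cross-check done by hand above, matching HijackThis autostart entries against the scanner's detections and flagging orphaned entries ("(no file)" or "= ?"). The sample lines are excerpts of the logs posted in this thread; the function names and the labels "orphaned", "detected-path" and "detected-name" are hypothetical.

```python
import ntpath
import re

# Sample input: a few lines excerpted from the HijackThis log posted above.
HJT_LOG = r"""
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
"""

# Sample input: a few lines excerpted from the eScan report posted above.
SCAN_REPORT = r"""
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Joshua\LOCALS~1\Temp\THI11C2.tmp\wupdt.exe infected by "Trojan-Downloader.Win32.OneClickNetSearch.h" Virus. Action Taken: No
File C:\Program Files\WildTangent\orbital-drm3.exe infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No
"""

ENTRY = re.compile(r"^(O\d{1,2}|R\d) - (.+)$")
# First drive-letter path ending in a loadable extension, quoted or not.
WIN_PATH = re.compile(r"[a-z]:\\[^\"]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
DETECTION = re.compile(r'^File (.+?) infected by "([^"]+)"')


def parse_detections(report):
    """Map lower-cased file path -> detection name from the scanner report."""
    found = {}
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def parse_entries(log):
    """Yield (section, raw_line, lower-cased target path or None) per entry."""
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        path = WIN_PATH.search(m.group(2))
        yield m.group(1), line, path.group(0).lower() if path else None


def triage(log, report):
    """Return (section, reason, target) for entries worth a closer look.

    orphaned       registry entry whose file is missing ("(no file)", "= ?")
    detected-path  autostart target is a file the scanner flagged
    detected-name  same file name was flagged elsewhere on disk (weaker signal)
    """
    detections = parse_detections(report)
    by_name = {}
    for path, name in detections.items():
        by_name.setdefault(ntpath.basename(path), name)

    findings = []
    for section, line, target in parse_entries(log):
        if line.endswith("(no file)") or line.endswith("= ?"):
            findings.append((section, "orphaned", None))
        elif target in detections:
            findings.append((section, "detected-path", target))
        elif target and ntpath.basename(target) in by_name:
            findings.append((section, "detected-name", target))
    return findings


if __name__ == "__main__":
    for section, reason, target in triage(HJT_LOG, SCAN_REPORT):
        print(f"{section:3} {reason:14} {target or ''}")
```

Entries that match nothing here are not thereby clean: systb.dll and farmmext.exe from the fix list above appear in no scanner detection and would need a manual look.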
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

Everything checked out good except I couldn't delete C:\WINDOWS\BTGrab.dll or C:\WINDOWS\systb.dll because of their write protection and I'm not sure how to get rid of that.

Thanks a bunch

Message Edited by MenaceOfMen on 01-31-2005 05:50 PM

0 Kudos
Midnight Star
4 Ruthenium

Re: Repetitive Virus called: Win32.SillyDLCS Please Help

MenaceOfMen,

Good work! Try this from a command prompt, entering each line one at a time. To save typing, you can use the mouse to drag-select then copy/paste the text into the command prompt.



attrib -r C:\WINDOWS\BTGrab.dll

del C:\WINDOWS\BTGrab.dll

attrib -r C:\WINDOWS\systb.dll

del C:\WINDOWS\systb.dll




Be sure to post back a new log.

-

Mike.
0 Kudos
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDI.CS Please Help

Everything you told me to do worked so far. Now I just have to go on the internet and look out for popups and if they don't show it would have worked. Thanks a lot Mike! I haven't seen the Win32.SillyDI.CS virus either! But could I ask what a VX2 file is, what they do, and how to keep them away? If you look at my second post it shows I had 33 of them and their threat is 10 out of 10.

0 Kudos
MenaceOfMen
1 Nickel

Re: Repetitive Virus called: Win32.SillyDI.CS Please Help

NO POPUPS! Thanks Mike, they were making me go Insane!
0 Kudos