
Thread: "Blackworm" conversionfeed popunder

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Location
    Southern Kentucky
    Posts
    3

    "Blackworm" conversionfeed popunder

    I'm Glenn. In advance, please know that I really appreciate you all and the help you are giving folks. You're saving us untold misery and time.

    Terribly sorry: No idea what monster has infected my system, so I'll list some symptoms, my remaining virii results, and my log.
    -------------------------------
    I'm getting pop-ups from the following sources, for example:
    shop2deal
    ecommerce
    conversionfeed
    pogo
    uniqueoffers
    popunder.paypopup
    realcoupon-s.com
    adserver.sharewareonlin
    "blackworm" cleaner
    inqwire
    count3.exitexchange
    smashits
    fossil.com
    hug-ediscounts.com (et al.)


    -------------------------------------------
    Here are the files BitDefender could neither fix nor delete, if it helps:

    C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\6L8RAPQR\AppWrap[1].exe

    C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\EROHCDOD\AppWrap[2].exe

    C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\RY43F1SH\targ[1].chm

    C:\Documents and Settings\Glenn\Local Settings\Temporary Internet Files\Content.IE5\RY43F1SH\targ[1].chm

    C:\WINDOWS\system32\batmeter.exe

    C:\WINDOWS\system32\guard.tmp

    C:\WINDOWS\system32\O

    -=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-

    ***And my log after BitDefender, SpyBot, Ad-Aware, and several other programs had run.***


    Logfile of HijackThis v1.99.1
    Scan saved at 10:50:36 PM, on 3/22/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://v5.windowsupdate.microsoft.co...?1095960309233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133848121180
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.pattayalivecam.com/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} - http://upload.facebook.com/controls/...toUploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asbury.edu
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\k626lgfs1626.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    ==================================
    Eagerly waiting and appreciative of your response,
    Glenn

  2. #2
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hi Glenn,

    Sorry for the late reply here in getting to your post, we've been swamped.

    You've got the Look2me pest. We'll need to use a special tool to remove it.
    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    ....................
    You also have an entry that suggests you may have had a SDbot worm on there:
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe

    I would recommend you get a free online AV scan just to be sure if Bit Defender did not get this worm.

    Trend Micro (PC-cillin) - Free on-line Scan
    http://housecall.antivirus.com

    Panda's Active Scan
    http://www.pandasoftware.com/products/activescan.htm
    Microsoft MVP 2003-2009
    Windows-Security
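The two indicators CalamityJane points at above, a Run/RunServices entry whose file name is one letter away from a legitimate system binary (`[ms-update] scvhost.exe`) and a Winlogon Notify DLL with a random-looking name (`k626lgfs1626.dll` in Glenn's first log, gone from the second one), can both be checked mechanically. The script below is an added example written for this thread; it is not CalamityJane's tool, not HijackThis, and not Look2Me-Destroyer. The log excerpt is constructed from the O4/O20 lines posted here, and the similarity threshold and the letter/digit-switch count are assumed heuristics, not values from any product.

```python
import re
from difflib import SequenceMatcher

# Constructed sample, modelled on the O4/O20 lines of the HijackThis log posted in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\k626lgfs1626.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Legitimate Windows process names that malware commonly imitates with a letter swap
KNOWN_SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe",
                      "winlogon.exe", "services.exe", "explorer.exe")
LOOKALIKE_THRESHOLD = 0.85        # assumption: hand-tuned on the constructed sample
MIN_DIGIT_LETTER_SWITCHES = 3     # assumption: same

# O4 Run-key lines: "O4 - HKLM\..\RunServices: [name] command"
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O20 lines: "O20 - Winlogon Notify: name - path [(file missing)]"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?: \(file missing\))?$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def first_executable(cmd):
    """Pull the program file name out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe_path = cmd[1:cmd.index('"', 1)]
    else:
        exe_path = cmd.split()[0]
    return basename(exe_path).lower()


def lookalike_of_system_binary(filename):
    """Return the legitimate system binary this file name closely imitates, else None."""
    f = filename.lower()
    if f in KNOWN_SYSTEM_NAMES:
        return None
    best = max(KNOWN_SYSTEM_NAMES, key=lambda legit: SequenceMatcher(None, f, legit).ratio())
    if SequenceMatcher(None, f, best).ratio() >= LOOKALIKE_THRESHOLD:
        return best
    return None


def looks_random(stem):
    """Count letter<->digit switches; a stem like k626lgfs1626 switches several times,
    while igfxsrvc or WRLogonNTF never does."""
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= MIN_DIGIT_LETTER_SWITCHES


def analyse(log_text):
    """Return (section, entry name, file, reason) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = first_executable(m.group("cmd"))
            legit = lookalike_of_system_binary(exe)
            if legit:
                findings.append(("O4", m.group("name"), exe, f"file name mimics {legit}"))
            continue
        m = O20_RE.match(line)
        if m:
            dll = basename(m.group("path"))
            if looks_random(dll.rsplit(".", 1)[0]):
                findings.append(("O20", m.group("name"), dll, "random-looking DLL name"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(" | ".join(finding))
```

Both rules are triage aids, not verdicts: a lookalike name still has to be confirmed by checking the file on disk, and a high-entropy DLL name is only a prompt to look up the entry, exactly the kind of review the helpers in this thread do by hand.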

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Location
    Southern Kentucky
    Posts
    3

    A thousand thanks

    Thanks a million, Calamity Jane.

    You helped save my term-paper writing for the end of the semester.

    I love you.

    En route to the donation page (and a couple more scans...)
    Glenn

  4. #4
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hi glenn,

    When you are done scanning I need to see these two logs please

    Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log
    Microsoft MVP 2003-2009
    Windows-Security

  5. #5
    Junior Member
    Join Date
    Mar 2006
    Location
    Southern Kentucky
    Posts
    3

    New Scan Log

    Logfile of HijackThis v1.99.1
    Scan saved at 3:04:40 PM, on 3/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://v5.windowsupdate.microsoft.co...?1095960309233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133848121180
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.pattayalivecam.com/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} - http://upload.facebook.com/controls/...toUploader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asbury.edu
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    Thank you again, Jane.
    Glenn :D

  6. #6
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hi again,

    I still need this other log from Look2Me-Destroyer:
    Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe)
    ......................................
    You also are still showing that worm (did you run an online scan? What were the results?)

    Let's do this
    Please download Brute Force Uninstaller.
    Unzip it to its own folder (c:\BFU)

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

    In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.

    Click "Save"

    In "filename" enter log.txt

    Click Exit to exit the BFU program.

    Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...
    Microsoft MVP 2003-2009
    Windows-Security

  7. #7
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956


    glennjackson how is it going?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  8. #8
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956


    As the log requested has not been provided, this topic will be archived.

    If you need it re-opened please send me a pm and provide a link to the thread.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
