
Thread: Cry for help!

  1. #1
    J. S. Greenfield Guest

    Cry for help!

    My win2k pro system is infected. Tried running adaware, spybot
    search&destroy and spyware blaster -- found a bunch of stuff: result
    screwed up seti@home (encounters an error trying to upload results), and
    temporary relief, only to be followed a few days later by reinfection.
    Then tried free download of spy sweeper. No help there. They all find
    things, but have no impact on the symptoms.

    Currently, I'm being plagued by pills.com popups whenever I use IE.
    Ring any bells? Anybody know what this is, or how to kill it?

    I'm dreading the prospect of having to do a total rebuild in order to
    restore this machine....

    Thanks in advance for any help you can provide....


    --
    J. S. Greenfield

    I represent nobody but myself. The opinions expressed --
    especially any particularly stupid ones -- are mine, and
    mine, alone.


  2. #2
    -=ô;ö=- Guest

    Re: Cry for help!

    Sounds more like you have Windows Messenger running....

    "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    news:Lffrb.13$si2.89094@news4.srv.hcvlny.cv.net...
    | My win2k pro system is infected. Tried running adaware, spybot
    | search&destroy and spyware blaster -- found a bunch of stuff: result
    | screwed up seti@home (encounters an error trying to upload results), and
    | temporary relief, only to be followed a few days later by reinfection.
    | Then tried free download of spy sweeper. No help there. They all find
    | things, but have no impact on the symptoms.
    |
    | Currently, I'm being plagued by pills.com popups whenever I use IE.
    | Ring any bells? Anybody know what this is, or how to kill it?
    |
    | I'm dreading the prospect of having to do a total rebuild in order to
    | restore this machine....
    |
    | Thanks in advance for any help you can provide....
    |
    |
    | --
    | J. S. Greenfield
    |
    | I represent nobody but myself. The opinions expressed --
    | especially any particularly stupid ones -- are mine, and
    | mine, alone.
    |



  3. #3
    Chuck Guest

    Re: Cry for help!

    On Sat, 08 Nov 2003 23:46:51 GMT, "J. S. Greenfield"
    <jsg-news@xfields.net> wrote:

    >My win2k pro system is infected. Tried running adaware, spybot
    >search&destroy and spyware blaster -- found a bunch of stuff: result
    >screwed up seti@home (encounters an error trying to upload results), and
    >temporary relief, only to be followed a few days later by reinfection.
    >Then tried free download of spy sweeper. No help there. They all find
    >things, but have no impact on the symptoms.
    >
    >Currently, I'm being plagued by pills.com popups whenever I use IE.
    >Ring any bells? Anybody know what this is, or how to kill it?
    >
    >I'm dreading the prospect of having to do a total rebuild in order to
    >restore this machine....
    >
    >Thanks in advance for any help you can provide....


    HijackThis. Run Spybot S&D immediately before, run HJT, post HJT log
    to SWI Forums for expert interpretation. Start here:
    http://forums.spywareinfo.com/index.php?showtopic=5187


    Chuck
    I hate spam - PLEASE get rid of the spam before emailing me!
    Paranoia comes from experience - and is not necessarily a bad thing.

  4. #4
    J. S. Greenfield Guest

    Re: Cry for help!

    Windows Messaging Service, you mean? I don't believe so. Also, my box
    is behind NAT/router and is running black ice, so it seems unlikely an
    attack from the outside in would work.

    Besides, it was coincident with installation of file sharing apps that
    definitely had adware/spyware. I uninstalled them, and have attempted
    to remove the remnants as per the description below...but to no avail....


    -=ô;ö=- wrote:
    > Sounds more like you have Windows Messenger running....
    >
    > "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    > news:Lffrb.13$si2.89094@news4.srv.hcvlny.cv.net...
    > | My win2k pro system is infected. Tried running adaware, spybot
    > | search&destroy and spyware blaster -- found a bunch of stuff: result
    > | screwed up seti@home (encounters an error trying to upload results), and
    > | temporary relief, only to be followed a few days later by reinfection.
    > | Then tried free download of spy sweeper. No help there. They all find
    > | things, but have no impact on the symptoms.
    > |
    > | Currently, I'm being plagued by pills.com popups whenever I use IE.
    > | Ring any bells? Anybody know what this is, or how to kill it?
    > |
    > | I'm dreading the prospect of having to do a total rebuild in order to
    > | restore this machine....
    > |
    > | Thanks in advance for any help you can provide....
    > |
    > |
    > | --
    > | J. S. Greenfield
    > |
    > | I represent nobody but myself. The opinions expressed --
    > | especially any particularly stupid ones -- are mine, and
    > | mine, alone.
    > |
    >
    >


    --
    J. S. Greenfield

    I represent nobody but myself. The opinions expressed --
    especially any particularly stupid ones -- are mine, and
    mine, alone.


  5. #5
    J. S. Greenfield Guest

    Re: Cry for help!

    Thanks. Here's a link to the post:

    <http://forums.spywareinfo.com/index.php?showtopic=16371>

    Chuck wrote:

    > HijackThis. Run Spybot S&D immediately before, run HJT, post HJT log
    > to SWI Forums for expert interpretation. Start here:
    > http://forums.spywareinfo.com/index.php?showtopic=5187
    >
    >
    > Chuck
    > I hate spam - PLEASE get rid of the spam before emailing me!
    > Paranoia comes from experience - and is not necessarily a bad thing.


    --
    J. S. Greenfield

    I represent nobody but myself. The opinions expressed --
    especially any particularly stupid ones -- are mine, and
    mine, alone.


  6. #6
    -=ô;ö=- Guest

    Re: Cry for help!

    Mine was on too for a few days and unless you block the specific port in BI then it sees
    that service as benign and allows it thru... since Windows Messaging is a legit service of
    the O/S... you may need to run HijackThis...


    "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    newsvhrb.794$si2.620412@news4.srv.hcvlny.cv.net...
    | Windows Messaging Service, you mean? I don't believe so. Also, my box
    | is behind NAT/router and is running black ice, so it seems unlikely an
    | attack from the outside in would work.
    |
    | Besides, it was coincident with installation of file sharing apps that
    | definitely had adware/spyware. I uninstalled them, and have attempted
    | to remove the remnants as per the description below...but to no avail....
    |
    |
    | -=ô;ö=- wrote:
    | > Sounds more like you have Windows Messenger running....
    | >
    | > "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    | > news:Lffrb.13$si2.89094@news4.srv.hcvlny.cv.net...
    | > | My win2k pro system is infected. Tried running adaware, spybot
    | > | search&destroy and spyware blaster -- found a bunch of stuff: result
    | > | screwed up seti@home (encounters an error trying to upload results), and
    | > | temporary relief, only to be followed a few days later by reinfection.
    | > | Then tried free download of spy sweeper. No help there. They all find
    | > | things, but have no impact on the symptoms.
    | > |
    | > | Currently, I'm being plagued by pills.com popups whenever I use IE.
    | > | Ring any bells? Anybody know what this is, or how to kill it?
    | > |
    | > | I'm dreading the prospect of having to do a total rebuild in order to
    | > | restore this machine....
    | > |
    | > | Thanks in advance for any help you can provide....
    | > |
    | > |
    | > | --
    | > | J. S. Greenfield
    | > |
    | > | I represent nobody but myself. The opinions expressed --
    | > | especially any particularly stupid ones -- are mine, and
    | > | mine, alone.
    | > |
    | >
    | >
    |
    | --
    | J. S. Greenfield
    |
    | I represent nobody but myself. The opinions expressed --
    | especially any particularly stupid ones -- are mine, and
    | mine, alone.
    |



  7. #7
    -=ô;ö=- Guest

    Re: Cry for help!

    One other thing... maybe a trojan scan is in order, if you have not run one...


    "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    news:RMirb.1148$si2.967378@news4.srv.hcvlny.cv.net ...
    | Thanks. Here's a link to the post:
    |
    | <http://forums.spywareinfo.com/index.php?showtopic=16371>
    |
    | Chuck wrote:
    |
    | > HijackThis. Run Spybot S&D immediately before, run HJT, post HJT log
    | > to SWI Forums for expert interpretation. Start here:
    | > http://forums.spywareinfo.com/index.php?showtopic=5187
    | >
    | >
    | > Chuck
    | > I hate spam - PLEASE get rid of the spam before emailing me!
    | > Paranoia comes from experience - and is not necessarily a bad thing.
    |
    | --
    | J. S. Greenfield
    |
    | I represent nobody but myself. The opinions expressed --
    | especially any particularly stupid ones -- are mine, and
    | mine, alone.
    |



  8. #8
    Tom R. Guest

    Re: Cry for help!


    "J. S. Greenfield" <jsg-news@xfields.net> wrote in message
    news:RMirb.1148$si2.967378@news4.srv.hcvlny.cv.net ...
    > Thanks. Here's a link to the post:
    >
    > <http://forums.spywareinfo.com/index.php?showtopic=16371>
    >
    > Chuck wrote:
    >
    > > HijackThis. Run Spybot S&D immediately before, run HJT, post HJT log
    > > to SWI Forums for expert interpretation. Start here:
    > > http://forums.spywareinfo.com/index.php?showtopic=5187
    > >
    > >
    > > Chuck
    > > I hate spam - PLEASE get rid of the spam before emailing me!
    > > Paranoia comes from experience - and is not necessarily a bad thing.

    >
    > --
    > J. S. Greenfield
    >
    > I represent nobody but myself. The opinions expressed --
    > especially any particularly stupid ones -- are mine, and
    > mine, alone.
    >


    I'm no expert so maybe someone else has the answer but
    I read your log and I would question this:

    O2 - BHO: (no name) - {0D49D952-6AD8-4B76-BF04-BAFEF961E9BD} -
    C:\WINNT\system32\tvrlykjg.dll

    Good Luck,
    Tom
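
Added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over the `O2 - BHO` lines of a HijackThis log, showing why an entry like the one quoted above draws a reviewer's eye. The three heuristics and the function names are assumptions made for illustration; a flag is a reason to look closer, not a verdict on the file.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the first entry is the line quoted in the post above
# (wrapped the way a news client wraps it); the other two are made up.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0D49D952-6AD8-4B76-BF04-BAFEF961E9BD} -
C:\WINNT\system32\tvrlykjg.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

def parse_bho_lines(log_text):
    """Return one dict (name, clsid, path) per O2 Browser Helper Object line."""
    # Re-join entries that were wrapped after the trailing " -" separator.
    joined = re.sub(r" -[ \t]*\n[ \t]*", " - ", log_text)
    return [m.groupdict() for line in joined.splitlines()
            if (m := O2_RE.match(line.strip()))]

def review_reasons(entry):
    """Assumed heuristics (not HijackThis rules): reasons to look closer."""
    reasons = []
    path = PureWindowsPath(entry["path"])
    stem = path.stem.lower()
    if entry["name"] == "(no name)":
        reasons.append("no display name")
    if path.parent.name.lower() in {"system32", "system"}:
        reasons.append("DLL in system directory")
    vowels = sum(ch in "aeiou" for ch in stem)
    if stem.isalpha() and len(stem) >= 6 and vowels / len(stem) < 0.2:
        reasons.append("name looks machine-generated")
    return reasons

def triage(log_text):
    """Map each flagged BHO path to its list of reasons."""
    flagged = {}
    for entry in parse_bho_lines(log_text):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", ", ".join(reasons))
```
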



  9. #9
    J. S. Greenfield Guest

    Re: Cry for help!

    My experience with BI has been that it blocks essentially everything,
    unless you tell it not to. I have often spent a little while trying to
    figure out why something is failing, only to remember to check BI and
    see, sure enough, it was blocking the service.

    Also, as I said, running behind a NAT, with no port forwarding
    configured, I don't think an outside in attack is viable.

    Anyway, somebody posted a response to my hijackthis log in the
    spywareinfo forum, I fixed the three items suggested, and it seemed to
    have fixed the problem. It does appear to have been adware/spyware
    attached to IE.

    Thanks for the replies.


    --
    J. S. Greenfield

    I represent nobody but myself. The opinions expressed --
    especially any particularly stupid ones -- are mine, and
    mine, alone.


  10. #10
    J. S. Greenfield Guest

    Re: Cry for help!

    I fixed the three items mentioned by someone in that thread. Seems to
    have done the trick. That particular file didn't come up.

    Thanks for the response.


    Tom R. wrote:

    > I'm no expert so maybe someone else has the answer but
    > I read your log and I would question this:
    >
    > O2 - BHO: (no name) - {0D49D952-6AD8-4B76-BF04-BAFEF961E9BD} -
    > C:\WINNT\system32\tvrlykjg.dll
    >
    > Good Luck,
    > Tom
    >
    >


    --
    J. S. Greenfield

    I represent nobody but myself. The opinions expressed --
    especially any particularly stupid ones -- are mine, and
    mine, alone.

