Help please with VX2, IGETNET, ugroup and popups

Mctabish

I somehow have become infected with VX2, IGETNET, ugroup and popups.
I seem to have made progress with igetnet, but not the others.

I have run the latest McAfee, Spybot and Ad-Aware. I have used Ad-Aware's VX2
removal tool but it reports "system clean", yet Ad-Aware continues to find
VX2 files. I try to delete, but always at least ONE file is in use. I have
rebooted to COMMAND PROMPT and deleted what files I could find that were
trying to be deleted, but one or two I have not been able to find.

I keep getting popups every several moments; they usually want to sell me
either a spyware package or a performance package (can you spell BLACKMAIL?).

Please help! I am afraid to send or receive email, and being on the WEB is a
real pain (even though the popups come when I am not on the web, they come
at a much higher rate when I am).

Also, on boot-up, I get a rundll error "An exception occured while trying to
run ""c:\windows\system32\filename.dll",UMonitor"

TIA
Mc
 
David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example: lpt297.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

Dave




 
Mctabish

Downloaded Trend (already had Ad-Aware 1.05).
Trend could not open all files (access denied); it did not find anything with
the files it opened.
Log attached below.
Ad-Aware still found critical, but could not remove one of the
files: C:\WINDOWS\system32\ennql1551.dll (one that Trend could not access).

I DID do this in SAFE MODE.
What else can I do?

Thanks
Mc

Log file for Trend


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2004-12-14, 19:00:04, Auto-clean mode specified.
2004-12-14, 19:00:04, Running scanner "C:\virus\TSC.BIN"...
2004-12-14, 19:02:40, Scanner "C:\virus\TSC.BIN" has finished running.
2004-12-14, 19:02:40, TSC Log:

2004-12-14, 19:54:10, An error occurred while scanning file "C:\Documents
and Settings\Bruce.LAPPIE\NTUSER.DAT": Access is denied.
2004-12-14, 19:54:10, An error occurred while scanning file "C:\Documents
and Settings\Bruce.LAPPIE\ntuser.dat.LOG": Access is denied.
2004-12-14, 20:35:03, An error occurred while scanning file "C:\Documents
and Settings\Bruce.LAPPIE\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2004-12-14, 20:35:03, An error occurred while scanning file "C:\Documents
and Settings\Bruce.LAPPIE\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2004-12-14, 20:51:37, An error occurred while scanning file "C:\Documents
and Settings\NetworkService\NTUSER.DAT": Access is denied.
2004-12-14, 20:51:37, An error occurred while scanning file "C:\Documents
and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2004-12-14, 20:51:37, An error occurred while scanning file "C:\Documents
and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2004-12-14, 20:51:37, An error occurred while scanning file "C:\Documents
and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\CNMSM56.EXE-04173B48.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DW.EXE-227292CF.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\EXCEL.EXE-2C971FD7.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\HPGS2WNF.EXE-0E86C34B.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\IEDW.EXE-1880380E.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\KILLBOX.EXE-191EF7AF.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCAGENT.EXE-168D195B.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCAPPINS.EXE-08FD5359.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCDASH.EXE-26506D96.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCINFO.EXE-35A0A279.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCMNHDLR.EXE-25682BF9.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCSHIELD.EXE-15F93AD5.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCUPDATE.EXE-19916285.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCUPDMGR.EXE-2963FAB2.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCUPDUI.EXE-27129637.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCVSESCN.EXE-093F0C5C.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCVSFTSN.EXE-28693C17.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCVSMAP.EXE-155ED7D3.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCVSRTE.EXE-3391F051.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MCVSSHLD.EXE-2D6751F9.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MGHTML.EXE-31D79FA5.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MSIMN.EXE-38BA891D.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MSOHELP.EXE-06826F09.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MSPAINT.EXE-11CBB631.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\MSPUB.EXE-3934B7B4.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\OUTLOOK.EXE-27D5965C.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\PHOTOED.EXE-0F3CAA01.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\QW.EXE-1F6051DF.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RASAUTOU.EXE-18B88A68.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\REALPLAY.EXE-1BF219BD.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\REALSCHED.EXE-3282FD31.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-12CFC0CD.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-15FD705A.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-1985E989.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-1A8A4565.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-20332B33.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-29486132.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-2AE445C7.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-2FABF9D3.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-307B5698.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-3D64C4BA.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2004-12-15, 00:12:46, An error occurred while scanning file
"C:\WINDOWS\system32\ennql1551.dll": Access is denied.
2004-12-15, 00:13:08, An error occurred while scanning file
"C:\WINDOWS\system32\l0r0la9m1d.dll": Access is denied.
2004-12-15, 00:14:49, An error occurred while scanning file
"C:\WINDOWS\system32\wbsdmoe.dll": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\DEFAULT": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\default.LOG": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SECURITY": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SOFTWARE": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\software.LOG": Access is denied.
2004-12-15, 00:15:22, An error occurred while scanning file
"C:\WINDOWS\system32\config\SYSTEM": Access is denied.
2004-12-15, 00:15:22, An error occurred while scanning file
"C:\WINDOWS\system32\config\system.LOG": Access is denied.
2004-12-15, 00:17:17, Running scanner "C:\virus\VSCANTM.BIN"...
2004-12-15, 03:47:16, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/15/2004 00:17:18
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 297 (81045 Patterns) (2004/12/14) (229700)
Command Line: C:\virus\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF
/NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\virus

257155 files have been read.
257155 files have been checked.
132570 files have been scanned.
214621 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/15/2004 03:47:16
---------*---------*---------*---------*---------*---------*---------*---------*
2004-12-15, 03:47:16, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/15/2004 00:17:17
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 297 (81045 Patterns) (2004/12/14) (229700)
Command Line: C:\virus\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF
/NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\virus

257155 files have been read.
257155 files have been checked.
132570 files have been scanned.
214621 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/15/2004 03:47:16 3 hours 29 minutes 53 seconds (12592.47
seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2004-12-15, 03:47:16, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/15/2004 00:17:17
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 297 (81045 Patterns) (2004/12/14) (229700)
Command Line: C:\virus\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF
/NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\virus

257155 files have been read.
257155 files have been checked.
132570 files have been scanned.
214621 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 12/15/2004 03:47:16 3 hours 29 minutes 53 seconds (12592.47
seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2004-12-15, 03:47:16, Scanner "C:\virus\VSCANTM.BIN" has finished running.
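
The Sysclean log above mixes files that Windows itself holds open (loaded registry hives) with three randomly named DLLs in system32 that were also unreadable in Safe Mode. The following Python script is an added example, not part of the original thread or any poster's code: it rejoins the mail-wrapped log entries and separates the two groups, and its list of "expected" locked paths (Prefetch in particular) is an assumption of the example.

```python
import re

# Excerpt of the Sysclean log posted above (mail line wraps kept as posted).
SAMPLE_LOG = r'''2004-12-14, 19:54:10, An error occurred while scanning file "C:\Documents
and Settings\Bruce.LAPPIE\NTUSER.DAT": Access is denied.
2004-12-15, 00:10:55, Could not set file for reading on
"C:\WINDOWS\Prefetch\RUNDLL32.EXE-12CFC0CD.pf": Access is denied.
2004-12-15, 00:12:46, An error occurred while scanning file
"C:\WINDOWS\system32\ennql1551.dll": Access is denied.
2004-12-15, 00:13:08, An error occurred while scanning file
"C:\WINDOWS\system32\l0r0la9m1d.dll": Access is denied.
2004-12-15, 00:14:49, An error occurred while scanning file
"C:\WINDOWS\system32\wbsdmoe.dll": Access is denied.
2004-12-15, 00:15:21, An error occurred while scanning file
"C:\WINDOWS\system32\config\SAM": Access is denied.
2004-12-15, 00:17:17, Running scanner "C:\virus\VSCANTM.BIN"...
'''

ENTRY_START = re.compile(r'^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, ')
DENIED = re.compile(r'"([^"]+)": Access is denied\.')
# Paths a scanner is expected to find locked. Loaded registry hives are held
# open by Windows; listing Prefetch here is an assumption of this example.
EXPECTED_LOCKED = [
    re.compile(r'\\system32\\config\\[^\\]+$', re.I),
    re.compile(r'\\(ntuser|usrclass)\.dat(\.log)?$', re.I),
    re.compile(r'\\windows\\prefetch\\[^\\]+$', re.I),
]

def unwrap(log_text):
    """Rejoin entries that the mail client wrapped across lines."""
    entries = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += ' ' + line
    return entries

def triage(log_text):
    """Split access-denied paths into expected OS locks and files to review."""
    result = {'expected': [], 'review': []}
    for entry in unwrap(log_text):
        m = DENIED.search(entry)
        if m:
            known = any(p.search(m.group(1)) for p in EXPECTED_LOCKED)
            result['expected' if known else 'review'].append(m.group(1))
    return result

if __name__ == '__main__':
    for path in triage(SAMPLE_LOG)['review']:
        print('review:', path)
```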
 
rjdriver


I'm not familiar with what you call "ugroup", but you can get a VX2 removal
tool here:
http://subratam.org/?page=removal


Bob
 
