  1. #1
    3 Star Lounger
    Join Date
    Nov 2001
    Location
    Morganville, New Jersey, USA
    Posts
    318
    Thanks
    25
    Thanked 3 Times in 3 Posts

    Win XP Home infected (Win XP SP2)

    This relates to my daughter/son-in-law's Dell running Win XP. They suddenly had major problems with frequent pop-up ads (even when no browser was running), freeze-ups, etc. They use McAfee for virus protection (kept up to date) and the usual others: AdAware and Spybot Search & Destroy. This happened when they were still running SP1.
    I suggested that they run the three programs (done), add MS's beta Antispyware (done), upgrade to SP2 (done), but then things disintegrated. After the SP2 upgrade they could not access their scanner (minor at this point) or find Outlook (they use Office 2003 Small Business). I was able to find and reconnect Outlook. However, the other problems remained. In addition, after upgrading to SP2, Explorer opened only with a note: "This is being run in compatibility mode and not all features are enabled."
    Today I ran McAfee and found ten files infected. One was in Documents & Settings: bp11.exe. One was ceres.dll. There was another file. The others were in SystemVolumeInformation_restore... . The non-adware ones were identified as Trojans Download-YO and Download-YH. I removed all of them, except the ceres.dll would not budge. The symptoms were unchanged.
    I next ran McAfee again in safe mode. The two Download files (-YO and -YH) reappeared, along with one adware (Look2Me) and the ceres.dll file. I was able to remove all of these files in safe mode.
    Re-running the system produced no change in behavior. The other symptom that was consistent since installing SP2 is that entering the Windows Update site froze however I entered it: through IE or the Help & Support site (or from Office Update, which I could and did run, installing Office 2003 SP1). This happened in standard Win XP startups or safe mode w/ networking. [I could navigate to any sites I tried except Windows Update.]
    My son-in-law uses MSN as his standard browser -- it came w/ Verizon's DSL access software. When I tried Windows Update from the MSN browser, the site referenced was different, with "v5." preceding the usual "windowsupdate.com". I ran Windows Update, but the monthly malware search utility was not available.
    Any ideas?

  2. #2
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Win XP Home infected (Win XP SP2)

    You have several issues here and it will take some patience to get through this. First, back up any and all data that you care about or can't replace. Then go here and get the Automatic Removal Tool and run it. Then go through the manual removal steps to be certain that the tool got everything. Next, get a copy of the free utility DrDelete and use it to remove the ceres.dll file. The next step is to turn off System Restore, because the problem has gotten into those files ("The others were in SystemVolumeInformation_restore... ") and the only way to clear it is to turn off the utility and wipe out all the previous restore points by rebooting the system. This will do two things. It will remove the files in the System Restore cache and will allow DrDelete to do its magic and remove that pesky .dll file. Hopefully this will give you back control of your system.

    Your concern about the v5 in the Windows Update address seems to be unfounded. A Google for v5 turned up 2 links that took me to the Windows Update pages. The bp11.exe took me to a Russian site for "freeware" that I won't post a link to here because of the site's behaviour. See how you make out with these suggestions and post back to let us know if you are clean or still need some fixes and what has changed.

    One last thought to help you in the future. When you find that you have virus or malware problems with an existing installation of a software product, it's almost never a good idea to update the product to solve the issue. SP2 is a major upgrade to the OS and some folks have problems with it when nothing else is wrong. So installing it on top of existing problems could only have complicated the issue. Use Antivirus and malware detection and removal tools and strategies to clean a system before you do any upgrades to the existing software like Windows or Office. Then keep everything updated and patched to help prevent future problems.
    End of lecture.

  3. #3
    3 Star Lounger
    Join Date
    Nov 2001
    Location
    Morganville, New Jersey, USA
    Posts
    318
    Thanks
    25
    Thanked 3 Times in 3 Posts

    Re: Win XP Home infected (Win XP SP2)

    Do,

    Thanks for all of the advice. My son-in-law and I will pursue when he has time.

    Let me comment on some of the points.

    My original McAfee scan allowed me to clean or remove all files (including those in the system restore area) except ceres.dll. When I ran McAfee again in safe mode, there were still four files, including ceres. However, in safe mode McAfee was able to delete all of the files, including ceres. Today McAfee was run again, and this time it only found one adware file. Thus I trust all of the virus/trojan instances are now clear. [Adware will reappear with internet access.]

    Even after all of this cleaning, Windows Update was not accessible through the normal web address. However, it continues to be addressable through the regular site with "v5." attached before the regular web address. And we still have the frequent ads.

    I also would like to run IE in native Win XP mode, unless MSN requires XP to be used in an older format.

    I'll update as we get further along.

    Thanks again!!!

  4. #4
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,572
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Win XP Home infected (Win XP SP2)

    For Windows update problems check out the links here: Windows Update. Not sure about MSN Explorer requirements but you should be able to run IE with any IE icon or run Program Files\Internet Explorer\iexplore.exe.

    Joe

  5. #5
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Win XP Home infected (Win XP SP2)

    I'm pretty sure that you still have some issues with malware. Specifically the Look2Me junk is what is messing with your browser. Download and use the tool from the link I provided in my last post. Update - I just checked the link and it wasn't working correctly, so I went back into my history and found the page from yesterday and checked the link there and it also was not functioning. Here's the Google Search that turned it up. Go to the Cached page for the link to PC Hell: How To Remove Look2Me on the page and then use that to get to the download page. Convoluted I know, but it worked and I got the tool and a Serial Key # that's required to use it. Then take a look at Tutorials & Links to Detection & Removal Tools for more help and instructions on how to use the available tools, programs and utilities, many of them free, to clean out these troublesome and annoying infections.

    McAfee is a solid AV and system security product, but by itself it's just not enough in today's computing environment. Most of us here in the Lounge recommend using several of the programs in conjunction with one another for more complete (although, sadly, not perfect) protection.

  6. #6
    3 Star Lounger
    Join Date
    Nov 2001
    Location
    Morganville, New Jersey, USA
    Posts
    318
    Thanks
    25
    Thanked 3 Times in 3 Posts

    Re: Win XP Home infected (Win XP SP2)

    Thanks -- will try if son-in-law has time this weekend.

    BTW: Re not updating with virus-like problems: I normally do not. However, I did because (1) Joe had run his virus utility multiple times, as well as adware and spybot programs, (2) SP2 replaces so many routines that I thought it might replace any infected routines, and (3) I'm still feeling the pain from an earlier PC bought with Win ME (before XP came out); that system was a disaster, with ME features disappearing daily -- an XP upgrade (after reformatting, of course) produced a PC that is still working today (backup and several specific programs), even though Dell voided the software warranty because of my unauthorized upgrade (whereas they should have given me XP free, as ME (at least at that time) was pure junk). This may be poor logic, but ....

    I will also try to figure out how to get his IE out of its retro mode.

    Thanks again! I appreciate the input from both of you who replied.

  7. #7
    3 Star Lounger
    Join Date
    Nov 2001
    Location
    Morganville, New Jersey, USA
    Posts
    318
    Thanks
    25
    Thanked 3 Times in 3 Posts

    Re: Win XP Home infected (Win XP SP2)

    Today I worked on the PC. I was able to get the "remove Look2Me" tool downloaded, but when I tried running it the message came up: "No version of this application found to uninstall." I suspect my removal of the look2me.exe file a few days ago (through running McAfee in the Windows XP safe mode) removed the linchpin for the tool, even though the other changes made by this trojan were still in place. In addition, I found that the PC sometimes froze when I tried various actions in IE. Also, I could not remove all of the history files (as suggested by an MS notice in response to some of the IE freezes/shutdowns); I first tried in the usual tools/options method, but then tried to do it one by one in Windows Explorer, going to the temp internet files folder, in normal or safe mode. These unremovable files had the generic file icon, but otherwise were undecipherable and would change after I tried other things on the internet.

    Given all of these problems, I concluded that the best bet is to back up the files (again) on the D: drive, give them a thorough virus scanning, and then reformat and reinstall everything on the C: drive.

    Incidentally, while I was working on the PC McAfee gave an alert that it had spotted and cleaned Exploit - MbtRedir.gen in the temporary internet file folder.

    Thanks for your advice and counsel. I DO appreciate it.

  8. #8
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Win XP Home infected (Win XP SP2)

    Sorry I haven't been back to you earlier. Somebody has to do the yardwork around here.

    If you're game for one more go at Look2Me before you reformat and reinstall, go back to that page where you got the tool and print out the manual removal instructions and then roll up your sleeves and have at it. The instructions are good, but if you have something else besides Look2Me it will still be there and need to be identified and removed too, so it's a tossup as to which will be more work. The format will give you back a nice clean environment to work in and if it's been over a year since your last reinstall, it might not be a bad idea anyway. Wish we could have been more help, but working from a distance sometimes it's just not within our power to see what you are seeing or know how all the various software that someone has on a system is interacting. Best of luck, whatever you choose to do.
