Full Version: CoolWebsearch unremovable?
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
helplessromantic
I'm running Win98 SE. At the moment Ad Aware SE Personal V1.05 does find the "processes" CJMMDLG.DLL and TMP3216S.DLL, but can't remove them. The CJMMDLG.DLL is permanent, the other dll is exchanged for a "new" one after any restart. There also is another file (not under processes) called sfsthunk.dll, and there are several "redirected hostfile entries".
Any help would be very appreciated.

Here is my HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 04:02:30, on 20.12.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN\SYSTEM\KERNEL32.DLL
C:\WIN\SYSTEM\MSGSRV32.EXE
C:\WIN\SYSTEM\MPREXE.EXE
C:\WIN\SYSTEM\mmtask.tsk
C:\WIN\EXPLORER.EXE
C:\WIN\RUNDLL32.EXE
C:\WIN\SYSTEM\ATIPTAXX.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WIN\SYSTEM\STIMON.EXE
C:\SBPCI\CTMIX32.EXE
C:\WIN\SYSTEM\DDHELP.EXE
C:\WIN\SYSTEM\PSTORES.EXE
C:\EIGENE DATEIEN\SEC\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WIN\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
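The O1 lines in the log above are the hijack in a nutshell: the names Internet Explorer and Netscape resolve for address-bar searches are pinned in the hosts file to a routable address, and one name is listed five times. The following script is an added example, not part of the original post or of HijackThis; it parses O1 lines (and raw hosts-file lines) and flags the three things a helper looks for in such a log. The sample list copies four O1 entries from the log and adds two benign lines that are constructed for the example; SEARCH_HOSTS is the helper's own watch list, not anything from the page.

```python
import ipaddress
import re
from collections import Counter

# O1 entries copied from the HijackThis log in the post above, plus two
# constructed benign lines (marked) so the filter has something to leave alone.
SAMPLE_O1_LINES = [
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    "O1 - Hosts: 69.20.16.183 search.netscape.com",
    "O1 - Hosts: 69.20.16.183 ieautosearch",
    "O1 - Hosts: 69.20.16.183 ieautosearch",
    "O1 - Hosts: 127.0.0.1 localhost",         # constructed: normal loopback entry
    "O1 - Hosts: 127.0.0.1 ads.example.test",  # constructed: typical ad-block entry
]

# Names IE and Netscape resolve for address-bar search. A hosts entry pointing
# any of them somewhere other than loopback hands search traffic to the hijacker.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")   # HijackThis log format
RAW_RE = re.compile(r"^\s*(\S+)\s+(\S+)")             # raw hosts-file line


def parse_hosts_entry(line):
    """Return (ip_address, hostname) for an HJT O1 line or a raw hosts-file
    line; None for comments, blanks and lines whose first field is not an IP."""
    line = line.split("#", 1)[0].rstrip()              # drop hosts-file comments
    m = O1_RE.match(line) or RAW_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1)), m.group(2).lower()
    except ValueError:
        return None


def flag_hosts_redirects(lines):
    """Return [(ip, host, reason)] for entries that look like a search hijack:
    a search host mapped anywhere, any host mapped to a routable address, or a
    name listed more than once (the repeated 'ieautosearch' lines above)."""
    entries = [e for e in map(parse_hosts_entry, lines) if e is not None]
    copies = Counter(host for _, host in entries)
    flagged = []
    for ip, host in entries:
        reasons = []
        if not (ip.is_loopback or ip.is_unspecified):
            reasons.append("mapped to routable address %s" % ip)
        if host in SEARCH_HOSTS:
            reasons.append("search host overridden")
        if copies[host] > 1:
            reasons.append("%d copies of this entry" % copies[host])
        if reasons:
            flagged.append((str(ip), host, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for ip, host, reason in flag_hosts_redirects(SAMPLE_O1_LINES):
        print("%-15s %-25s %s" % (ip, host, reason))
```

On the sample input the two loopback lines pass and the four redirect lines are reported, the two ieautosearch entries additionally as duplicates. Feeding it the raw hosts file (C:\WIN\hosts on this system, since Windows 98 keeps it in the Windows directory rather than under system32\drivers\etc) gives the same result without HijackThis.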
LoPhatPhuud
First:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat.

Copy the Notepad document that opens (output.txt) and paste it contents in this thread.


Last:
Your posted HJT log appears to be incomplete. Entries should go through O23. Post the complete log when you post the above.
helplessromantic
Hi, thanks!

1) DLLCompare Log

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WIN\SYSTEM\cjmmdlg.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
C:\WIN\SYSTEM\cwetcfg.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
________________________________________________

865 items found: 865 files (2 H/S), 0 directories.
Total of file sizes: 171.133.469 bytes 163,20 M

--------------------End log---------------------

2) Does FindIt work in Win 98 (the filename doesn't imply that)?
This is what I got anyway:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------

Volume in drive C has no label
Volume Serial Number is 0E69-16EF
Directory of C:\WIN\SYSTEM32

6.725,09 MB free

------- Hidden Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 0E69-16EF
Directory of C:\WIN\SYSTEM32

FOLDER HTT 13.085 14.12.03 0:34 folder.htt
DESKTOP INI 266 14.12.03 0:34 desktop.ini
2 File(s) 13.351 bytes
0 Dir(s) 6.725,09 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 0E69-16EF
Directory of C:\WIN\SYSTEM32

6.725,09 MB free

--------- Temp Files in System32 Directory --------


Volume in drive C has no label
Volume Serial Number is 0E69-16EF
Directory of C:\WIN\SYSTEM32

6.725,09 MB free

---------------- User Agent ------------


------------ Keys Under Notify ------------


------------ Keys Under Notify ------------


------------ Keys Under Notify ------------


------------------ Locate.com Results ------------------

------------------ Locate.com Results ------------------

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


No matches found.

------------ Strings.exe Qoologic Results ------------


No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------


----------------- HKLM Run Key ------------------


----------------- HKLM Run Key ------------------



3) Sorry, but the posted logfile is the complete one I get from HJT.
LoPhatPhuud
Find-It returns limited information on 9x systems, and I only occasionally use it. DllCompare gave me the info, so Find-It will not be needed.

First:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Run Killbox.exe and be sure that 'Replace on Reboot' is selected and check 'Use Dummy'

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WIN\SYSTEM\cjmmdlg.dll
C:\WIN\SYSTEM\cwetcfg.dll
C:\Win\System\guard.tmp
C:\Win\System\desktop.ini

Note: You can also cut and paste the files listed above if the full path and file name have been specified. Files in DOS format, denoted by use of the tilde ('~') character in the file name, *must* be searched for using the 'Folder' icon. Files specified by name only must also be searched for.
Most files are located in C:\Windows\ or C:\Windows\System32\


After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.


Second:
Download the following tool and install it in its own folder:
http://www.downloads.subratam.org/VX2Finder9x(126).exe

Run vx2finder9x(126).exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review
helplessromantic
Ok, I'm having two problems now:

1) I can't find "guard.tmp". Not in system, not in system32, not when I do a search for it on the whole c drive.

2) In Pocket Killbox (when I found one of the files) I only get a dialog box asking me, if the file should be replaced after reboot, then it's ready to get a new file. There is no dialog asking me, if I actually want to reboot. Is this a problem?
LoPhatPhuud
If guard.tmp is not there then no need to pursue it any further. I list it because it is known to be a part of this exploit in many cases.

As for Killbox, if there is no reboot option then reboot once the last file is added. I have not used the option myself to know what it does.
helplessromantic
Well, unfortunately Killbox doesn't seem to work properly on my system.
I tried replacing/deleting an ordinary text file just as a test. It was still there and unchanged after rebooting. Only the standard file kill option worked.
Any idea what I can do?
LoPhatPhuud
Try using HiJackThis. Config -> Misc Tools -> Delete on Reboot
helplessromantic
The "delete a file on reboot" option cannot be selected (I can see it, but that's it).
Could there be something wrong with my windows settings?
LoPhatPhuud
There is another simple solution.

Create a Boot Diskette, boot from it and delete the files.
helplessromantic
I'm almost losing hope. Both dlls couldn't be found in dos.
I tried to just type "del c:\win\system\cjmmdlg.dll" or "del c:\win\system\cwetcfg.dll" (-> file not found) and I looked through the whole system directory.
It seems that the dlls are created (copied or moved to the system folder) on every windows startup.
Oh, now cwetcfg.dll is gone, Mynetobj.dll is in the system folder now.
LoPhatPhuud
Boot normal..

Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.
helplessromantic
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WIN\SYSTEM\ndnds.dll Tue 14 Dec 2004 23:58:18 ..S.. 217.088 212,00 K
C:\WIN\SYSTEM\cjmmdlg.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
________________________________________________

864 items found: 864 files (2 H/S), 0 directories.
Total of file sizes: 171.082.781 bytes 163,16 M

--------------------End log---------------------
LoPhatPhuud
OK, Now we have the two files we need to delete, along with guard.tmp, if it exists.

First, boot from your diskette again

First thing will be to run dir and see if the names are still the same.

at the prompt dir c:\win\system\*.dll /P /OD

That will display all the dll's in C:\WIN\SYSTEM\ in date order, most recent first.

We want to verify that these two are here:
C:\WIN\SYSTEM\ndnds.dll
C:\WIN\SYSTEM\cjmmdlg.dll

If they are, then delete both.

Then delete c:\Win\System\guard.tmp

While you are at it, you can also delete any other DLL files with a date of 12.14 and a size of 217,088.

Finally, reboot normally, run HiJackThis and post the log in this thread.
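The rule in the post above (delete every other DLL stamped 12.14 with a size of 217,088) generalises: the dropper keeps re-copying the same binary under random names, so every copy collides on modification time and size while unrelated DLLs almost never do. The script below is an added example, not part of the thread or of DLLCompare; it parses lines in the format DLLCompare printed here, clusters them on (mtime, size), and emits the boot-diskette commands for each cluster, clearing the system/hidden/read-only attributes before each del because DOS del refuses files that carry them. Two sample lines are copied from the log above and the third is constructed; the reading of the five-character attribute field (S = system, R = read-only) is an assumption from the log lines, not documented behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two lines copied from the DLLCompare log above, plus one constructed line
# for a DLL that shares neither the timestamp nor the size of the cluster.
SAMPLE_DLLCOMPARE_LINES = [
    r"C:\WIN\SYSTEM\ndnds.dll Tue 14 Dec 2004 23:58:18 ..S.. 217.088 212,00 K",
    r"C:\WIN\SYSTEM\cjmmdlg.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K",
    r"C:\WIN\SYSTEM\legit.dll Mon 08 Apr 2002 12:00:00 ..... 45.056 44,00 K",  # constructed
]

# Path (may contain spaces) up to the first "Ddd dd Mon yyyy hh:mm:ss" stamp,
# then the 5-character attribute field and the byte count with grouping dots.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>[\d.,]+)\b"
)


def parse_dllcompare_line(line):
    """Parse one DLLCompare result line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "mtime": datetime.strptime(m.group("stamp"), "%a %d %b %Y %H:%M:%S"),
        "attrs": m.group("attrs"),          # assumed: '..S.R' = system + read-only
        "size": int(re.sub(r"[.,]", "", m.group("size"))),  # '217.088' -> 217088
    }


def cluster_suspects(lines, min_members=2):
    """Group parsed files by identical (mtime, size). Copies of one dropper
    binary collide on both fields; unrelated DLLs almost never do. Returns
    {(mtime, size): [records]} for groups that reach min_members."""
    groups = defaultdict(list)
    for rec in map(parse_dllcompare_line, lines):
        if rec is not None:
            groups[(rec["mtime"], rec["size"])].append(rec)
    return {key: recs for key, recs in groups.items() if len(recs) >= min_members}


def dos_removal_commands(records):
    """Commands to type at a Win9x boot-diskette prompt. DOS 'del' refuses
    files carrying the system or read-only attribute, so each file gets an
    'attrib' first; the order of the two lines per file matters."""
    cmds = []
    for rec in records:
        cmds.append("attrib -s -h -r %s" % rec["path"])
        cmds.append("del %s" % rec["path"])
    return cmds


if __name__ == "__main__":
    for (mtime, size), recs in cluster_suspects(SAMPLE_DLLCOMPARE_LINES).items():
        print("%d files stamped %s, %d bytes each:" % (len(recs), mtime, size))
        for cmd in dos_removal_commands(recs):
            print("  " + cmd)
```

Run it against the full DLLCompare log rather than the three sample lines; anything legitimate that happens to share a timestamp with the cluster should be checked by hand before its del line is typed. When listing the directory from the diskette, note that DIR's /OD switch sorts oldest first; /O-D puts the newest entries at the top.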
helplessromantic
I did everything as you told me.
The two dlls were not listed. There was no dll with a date after 08/04/2004.
There were 862 dlls, two less than what DllCompare found before.
There was no guard.tmp or any newer tempfile.

New DllCompare Log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WIN\SYSTEM\ndnds.dll Tue 14 Dec 2004 23:58:18 ..S.. 217.088 212,00 K
C:\WIN\SYSTEM\cjmmdlg.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
C:\WIN\SYSTEM\prpwprop.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
________________________________________________

865 items found: 865 files (3 H/S), 0 directories.
Total of file sizes: 171.299.869 bytes 163,36 M

--------------------End log---------------------

New HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 17:33:59, on 22.12.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN\SYSTEM\KERNEL32.DLL
C:\WIN\SYSTEM\MSGSRV32.EXE
C:\WIN\SYSTEM\MPREXE.EXE
C:\WIN\SYSTEM\mmtask.tsk
C:\WIN\EXPLORER.EXE
C:\WIN\RUNDLL32.EXE
C:\WIN\SYSTEM\ATIPTAXX.EXE
C:\WIN\SYSTEM\STIMON.EXE
C:\SBPCI\CTMIX32.EXE
C:\EIGENE DATEIEN\SEC\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WIN\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
LoPhatPhuud
First:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Boot in Safe Mode!!!

Run Killbox.exe and be sure that 'Delete on Reboot' is selected

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WIN\SYSTEM\ndnds.dll
C:\WIN\SYSTEM\cjmmdlg.dll
C:\WIN\SYSTEM\prpwprop.dll

Note: You can also cut and paste the files listed above if the full path and file name have been specified. Files in DOS format, denoted by use of the tilde ('~') character in the file name, *must* be searched for using the 'Folder' icon. Files specified by name only must also be searched for.
Most files are located in C:\Windows\ or C:\Windows\System32\


After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files


Second:
Hoster Instructions:
1.Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Last:
Run HiJackThis and post a new log in this thread
helplessromantic
No luck again. I booted in safe mode, ran Killbox, searched for the files. Again, there only was ONE dialog box for each file saying "File will be deleted on reboot - ok/cancel". I clicked ok for each file then rebooted "manually" (because there was no dialog box asking me, if I wanted to reboot).
The files are still there plus one new one: C:\WIN\SYSTEM\Wm5inf16.dll Tue 14 Dec 2004 23:58:18 ..S.R 217.088 212,00 K
LoPhatPhuud
This certainly does present some issues that have me baffled.

The files should show up when you boot from a Diskette.

Try a dir command again but use this:

dir c:\win\system\*.dll /P /A:RHS /OD

That will show read only, system and hidden files as well.

Those Dll's are there and should show up.

When you see them then you can delete them with del or erase
del /A:RHS <file name>
helplessromantic
Hey, great!!!

I was able to see the files using your command.
The del command gave me errors. But finally I found out that it was possible to use "attrib -s -r cjmmdlg.dll", then delete.

I rebooted, ran DllCompare, then Hoster, then HJT.
Everything seems clean (at least regarding the Vx2 infection).

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

862 items found: 862 files, 0 directories.
Total of file sizes: 170.648.605 bytes 162,74 M

--------------------End log---------------------


Logfile of HijackThis v1.99.0
Scan saved at 05:13:51, on 23.12.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN\SYSTEM\KERNEL32.DLL
C:\WIN\SYSTEM\MSGSRV32.EXE
C:\WIN\SYSTEM\MPREXE.EXE
C:\WIN\SYSTEM\mmtask.tsk
C:\WIN\EXPLORER.EXE
C:\WIN\SYSTEM\ATIPTAXX.EXE
C:\WIN\SYSTEM\STIMON.EXE
C:\SBPCI\CTMIX32.EXE
C:\WIN\SYSTEM\DDHELP.EXE
C:\EIGENE DATEIEN\SEC\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WIN\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE

Is there something else I have to do now?
LoPhatPhuud
Nope, you are clean!!!

Thanks for the patience to work through this with me. This is a new exploit and you are among the few Win 98/Me systems infected. Some clean with Killbox without difficulty while others will follow the path you have helped develop.

The attrib command was the final piece to this puzzle, thanks!!

Here is some info on helping you to avoid most of the garbage out there. Of all of it, I consider the most important to be IE/Spyad if you use Internet Explorer as your browser. It will put almost 5,000 sites in the Restricted zone and they will be unable to infect your computer.




At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK. Now press 'Custom Level'.
In the ActiveX section:
Set the first option, 'Download signed controls', to 'Prompt'.
Set the second option, 'Download unsigned controls', to 'Disable'.
Finally, set 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

8. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://spywarewarrior.com/asw-test-guide.htm

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
helplessromantic
I felt quite bad for you, when I could only tell you all the time, that nothing worked as it was supposed to do. So thank YOU for YOUR patience!!!
I'm glad if I could help you in a way.

It feels great to get no unwanted Internet Explorer windows, pop-ups and new desktop items anymore. So I want to keep it that way and already downloaded the programs you suggested.

Thanks again, you do a great job here! :thumb: