My CrapWare debug History
For 14 long damn days starting on April 30, 2004, I was determined to find the unknown virus/trojan/spyware/adware that had mysteriously infected and disabled my Win98 machine while I was searching the web for info on vacuum tube testers. I ran Ad-Aware and Spybot many dozens of times, as they were highly regarded on so many websites, as was NOD32. Running HijackThis helped me to learn what was supposed to be in my system and what wasn't. All of these utilities picked up something and isolated it; even though the problems persisted, they contributed to the eventual death of the crapware that plagued my machine. Even signed up at Spywareinfo.com. Followed their instructions to the letter before posting in their forum. Got zero response from them!! But they were buried in requests. Here were the symptoms as I kept a written log:
1) There was a file rundll32.dll that would log onto the internet to try and reach 18.104.22.168:DNS according to Zone Alarm, and then slowly start reducing my system resources to the point of system failure. Even if I was not sitting at the computer, the resources would just taper away. Killing rundll32.dll with ctrl-alt-del would make the computer last much longer after it booted, but still require a reboot after 20 minutes or so.
2) Auto reboots every time I tried to update either Zone Alarm or Trend Micro Internet Security.
3) Kept getting "Explorer caused an invalid page fault in Kernel32.dll" errors. Deleting the .pwl files didn't change anything.
4) Kept getting "Explorer caused an invalid page fault in cjgwiz.dll" errors. Not found in any web searches.
5) Kept getting "Explorer caused an invalid page fault in wkock32.dll" errors. Not found in any web searches.
6) Kept getting "Explorer caused an invalid page fault in comctl32.dll" errors. Replaced it per Microsoft 298343, but that didn't change anything.
7) Often IE6 browser redirects after reboot to allaboutsearching.com.
8) Often IE6 browser redirects after reboot to about:blank.
9) Explorer: "This program has performed an illegal operation and will be shut down."
10) While using Netscape 7, IE was closed, but IE would automatically open to advertise some spyware crap. This shocked me.
11) Many adult themed folders were added to IE favorites.
Early on it was apparent that the spyware was attracted to Trend Micro Internet Security. So after days of debug I bit the bullet and uninstalled Internet Security. It did help calm the machine down, making it slightly easier to debug these hellish problems.
Somehow this shit storm I was in was related to 2 files named yyy2.htm and show_ads.js. Both were located in any of a couple of folders in windows>Temporary Internet Files>Content.IE5. By copying and pasting these 2 files to a desktop folder, I could finally open them to see what destructive code they contained. A simple text editor opened yyy2 and JS Editor opened show_ads. It was clear they were part of the evil that had been haunting my machine. By the way, these files tried to literally escape to another folder if I tried to open them in the Content.IE5 folder. That's why they had to be copied to the desktop for a biopsy.
No amount of security tightening of IE6 or editing of the registry was helping, as the problem was already loaded on my drive and would reload itself after every reboot. By using the Windows 98 built-in Resource Meter, I could see the system resources decay and which apps were affecting it. Rundll32.dll was a hog. I would kill it with ctrl-alt-del and the system resources would increase by 65%!!!
Using a program called Process Viewer gave me a clue as to what happened, and from where, during an unsolicited popup. This program lists everything your computer does in real time. In one second it might show 4 pages of stuff that occurred. It created huge text files that I would use to search and find more references to yyy2.htm and show_ads.js, proving that these 2 evil files were part of the problem.
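The page does not show what the Process Viewer text files looked like, so here is an added example (my code, not from the original page or from Process Viewer) of the search described above: a small Python script that scans activity-log lines for references to yyy2.htm and show_ads.js and tallies which process touched them, which is the quickest way to tie a cached file back to the process that keeps loading it. The sample log lines, their "time process operation path" column layout, and the function names are all my assumptions; the real Process Viewer format is not on the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "time  process  operation  path" layout.
# The real Process Viewer output format is not shown on the page.
SAMPLE_LOG = """\
14:02:11.120  EXPLORER.EXE  OpenFile   C:\\WINDOWS\\SYSTEM\\COMCTL32.DLL
14:02:11.305  RUNDLL32.EXE  OpenFile   C:\\WINDOWS\\Temporary Internet Files\\Content.IE5\\K1ABCD2E\\yyy2[1].htm
14:02:11.310  RUNDLL32.EXE  OpenFile   C:\\WINDOWS\\Temporary Internet Files\\Content.IE5\\K1ABCD2E\\show_ads[1].js
14:02:11.402  IEXPLORE.EXE  OpenFile   C:\\WINDOWS\\Temporary Internet Files\\Content.IE5\\0XYZ9W8V\\show_ads[2].js
14:02:12.000  NETSCP.EXE    ReadFile   C:\\Program Files\\Netscape\\Netscape\\prefs.js
14:02:12.050  RUNDLL32.EXE  Connect    18.104.22.168:DNS
"""

# The two file names the page identifies as part of the infection.
SUSPECT_NAMES = ("yyy2.htm", "show_ads.js")

# First three columns never contain spaces; the path (last column) may.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def cache_basename(path):
    """Return the file name with IE's "[n]" duplicate suffix removed, so
    show_ads[1].js and show_ads[2].js both count as show_ads.js."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\[\d+\](?=\.[^.]+$)", "", name).lower()


def find_references(log_text, suspect_names=SUSPECT_NAMES):
    """Return {suspect_name: [(time, process, operation, path), ...]} for every
    log line whose path ends in one of the suspect file names."""
    wanted = {n.lower() for n in suspect_names}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        time, proc, op, path = m.groups()
        base = cache_basename(path)
        if base in wanted:
            hits[base].append((time, proc, op, path))
    return dict(hits)


def processes_touching(log_text, suspect_names=SUSPECT_NAMES):
    """Count, per process, how many suspect-file references it produced,
    most active process first. That process is the first place to look."""
    counts = defaultdict(int)
    for refs in find_references(log_text, suspect_names).values():
        for _time, proc, _op, _path in refs:
            counts[proc] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for name, refs in find_references(SAMPLE_LOG).items():
        print(name)
        for time, proc, op, path in refs:
            print(f"  {time} {proc:<13} {op:<9} {path}")
    print("processes:", processes_touching(SAMPLE_LOG))
```

Run it against a real capture by replacing SAMPLE_LOG with the file contents (and adjusting LINE_RE to the tool's actual column layout). On the constructed input it attributes two of the three suspect-file hits to RUNDLL32.EXE, which matches the page's observation that rundll32 was the process dragging the machine down.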
In fact I was 10 minutes away from format c: when I found pchell.com and the link to the Look2Me Uninstaller. Running the Uninstaller made all the difference. Suddenly Ad-Aware and Spybot found no more issues. All error messages and resource problems stopped!! No more popups or browser redirects. There was an odd folder in windows>program files called "2 Meta Bike". It's now gone. Had ad references in it. Rundll32.dll does not even load any longer, much less try and log onto the internet. Also there was a network connection in Zone Alarm that insisted on being connected. I wish I had written the IP address down, but it's no longer listed as running in Zone Alarm. I was running Trend Micro Internet Security for months and at the time of this crapware attack. Honestly I don't know what the source was or how it got into my machine, but I feel that it let me down, so I am trying Zone Alarm for the foreseeable future.
So here is what I did that last fateful hour to get everything running smoothly again with format C: looming in my mind. Remember this was a last ditch effort, after 40+ hours of struggling. So it's not clear what action contributed the most, although I suspect Look2Me Uninstaller did the most good.
1) Removed all .js scripts from the many folders in windows>Temporary Internet Files>Content.IE5.
2) Ran Ad-Aware and Spybot. They removed, for the 1000th time, VX2 stuff in the registry. VX2 stuff would just get reinstalled every reboot.
3) Ran the utility Look2Me Uninstaller.
I hope this page gives someone the help they need. It was a bitch and I don't wish it upon anyone. My next goal is to contact all of the advertising sites that kept popping up and tell them I will definitely not recommend their products to any son of a bitch who participates in adware/spyware activities. I have a baseball bat waiting with some programmer's name on it!!! Below is a list of these bastards' advertisement URLs.
One thing I learned during this crapware bootcamp is that there are easy ways and hard ways to back up a PC, all mostly stable. The easy way is to use drive imaging software. It takes your entire hard drive and literally duplicates everything bit by bit onto another location. So a restore is really fast, as you don't have to reinstall all of your apps. I purchased Acronis True Image 7.0. One important time to make an image backup is right after you get your apps and system installed and working the way you like. Then make another image backup every now and then to keep all of your data, files and apps securely recorded. True Image 7 requires that you back up to another drive, as it does not have DVD recording capability. I always run two drives in my system to back up stuff quick and easy on a temporary basis.
Always run either a hardware or software firewall.