LoadingWebsite.com

LoveTechForums · 03-17-2005, 05:47 PM

First off, THANK YOU to the creators of this forum!

My issue is pop-ups (and many of them) - the source seems to be from "loadingwebsite.com"? I've tried ad-aware and bazooka - with no luck. The problem started about 4 days ago.

Any suggestions on how to fix this? Also, is there a way to defeat this bug without going into SafeMode? Thanks in advance for your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:40:27 PM, on 3/17/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\rundll32.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\icasServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\System32\icasServ.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://sctcdoma/iNotes.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://worroap.jmsmucker.com/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.jmsmucker.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.jmsmucker.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.jmsmucker.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O21 - SSODL: AHumCMuGH - {780329F6-D2A9-835C-3510-57CC859797CD} - C:\WINNT\System32\dvwv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~3\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~3\CPQWEB~1\WebDmi.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

CTSNKY · 03-17-2005, 06:30 PM

Hi there.....to answer your question, no this cannot be cleaned without Safe Mode, is that a problem? You really should be talking to your IT staff about this infection, as this is obviously a work PC. (How much jam will we get for helping?)

===========

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it.

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.

4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.

5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.

LoveTechForums · 03-17-2005, 07:05 PM

Thanks, CTSNKY. I'll check with my IT Dept...SafeMode is only available for MetaAdmin? It requires a special password (I guess).

Thanks anyway!

PS I'm in Bowling Green, KY!

03-17-2005, 05:47 PM	#1 (permalink)
LoveTechForums Registered User Join Date: Mar 2005 Posts: 2 OS: Win2000	LoadingWebsite.com First off, THANK YOU to the creators of this forum! My issue is pop-ups (and many of them) - the source seems to be from "loadingwebsite.com"? I've tried ad-aware and bazooka - with no luck. The problem started about 4 days ago. Any suggestions on how to fix this? Also, is there a way to defeat this bug without going into SafeMode? Thanks in advance for your help!!! Logfile of HijackThis v1.99.1 Scan saved at 7:40:27 PM, on 3/17/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\MsgSys.EXE C:\WINNT\Explorer.EXE C:\WINNT\System32\rundll32.exe C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe C:\Program Files\Compaq\Hotkey Software\hkss.exe C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE C:\Program Files\NavNT\vptray.exe C:\WINNT\System32\icasServ.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\HijackThis\HijackThis.exe O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~3\CHKADMIN.EXE O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [icasServ] C:\WINNT\System32\icasServ.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://sctcdoma/iNotes.cab O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://worroap.jmsmucker.com/jinitiator/oajinit.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.jmsmucker.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.jmsmucker.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.jmsmucker.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jmsmucker.com,na.jmsmucker.com O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll O21 - SSODL: AHumCMuGH - {780329F6-D2A9-835C-3510-57CC859797CD} - C:\WINNT\System32\dvwv.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~3\cpqdmi.exe O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~3\CPQWEB~1\WebDmi.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

03-17-2005, 06:30 PM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Hi there.....to answer your question, no this cannot be cleaned without Safe Mode, is that a problem? You really should be talking to your IT staff about this infection, as this is obviously a work PC. (How much jam will we get for helping?) =========== Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Please download the following programs required for the removal process: Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe PV http://www.greyknight17.com/spy/pv.zip VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe Hoster http://www.greyknight17.com/spy/Hoster.exe CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe KillBox http://www.greyknight17.com/spy/KillBox.exe notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it. Please follow the steps below: 1. Download/run the following uninstallers: Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip 2. Run Kill2Me. 3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!). a) Open that folder on your Desktop and double click on the runme.bat file. b) Type in 3 and hit your Enter key. Save the log file. c) Type in 5 and hit your Enter key. Save the log file. d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below. 4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later. 5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later. We also need a list of files in the following folders: C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here. C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious. Post all of the logs in your next post. We need them all to get a fix for this infection. __________________ GO BIG BLUE!!

03-17-2005, 07:05 PM	#3 (permalink)
LoveTechForums Registered User Join Date: Mar 2005 Posts: 2 OS: Win2000	Thanks, CTSNKY. I'll check with my IT Dept...SafeMode is only available for MetaAdmin? It requires a special password (I guess). Thanks anyway! PS I'm in Bowling Green, KY!