pcnpbrian

Project1 virus


:rofl2:

 

This was first discovered by a pop up blank window titled "MMOV" in top left, later you will get various small windows to click OK. Don't!!!!!

 

A link to http://ran[Dot]popupper[Dot]com takes you to an uninstall program that does not work.

 

If you look in your task manager you will see Project 1 running, end it and the pop ups should stop. Project 1 will start when you start windows. If you end it, there is no indication it will start again.

 

There have been a few posts about this virus, but no solutions. Norton and McAfee appear to be clueless as of yet. Apparently the Beta version of MS Pop Up spyware finds it, but whether it kills it is unknown.

 

It seems to be a tough one!

 

Brian @ PC's in Paradise

Edited by pcnpbrian


To remove this Trojan horse from your computer:

1. Click Start, and click Run.
2. Type sysedit and click OK.
3. Click the System.ini window.
4. Click Search, and click Find.
5. Type ntsvsrv.dll and then click Next. It should be at the end of the drivers= line.
6. Remove the Ntsvsrv.dll entry.
7. Restart Windows into MS-DOS mode. Restarting to MS-DOS mode ensures that Wsock32.dll is not loaded (Wsock32.dll is used for Internet connections).
8. Type cd \windows\system to change to the \Windows\System folder.
9. Type dir wsock32.dll to check the size of Wsock32.dll.

If the size is 14848 bytes, the Trojan horse program has replaced it with Proclib16.dll. To restore the original Wsock32.dll, type

10. copy nlhvld.dll Wsock32.dll

and then press Enter.

11. Delete the following files from the \Windows\System folder:

Proclib.exe
Proclib.dll
Proclib16.dll
Ntsvsrv.dll
Nlhvld.dll

 

Well, I would get prepared to do a HJT.

I have no clue if there is a solution, but could be it said this came out in Sept. 1999

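The checks in the removal steps above (the drivers= line in System.ini, the 14848-byte Wsock32.dll, and the five file names) can be run read-only against a copied or mounted Windows folder before anything is deleted. This is an added example, not part of the original post; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators copied from the removal steps in the post above.
TROJAN_FILES = "proclib.exe proclib.dll proclib16.dll ntsvsrv.dll nlhvld.dll".split()
REPLACED_WSOCK32_SIZE = 14848  # bytes, size the post gives for the swapped file

def drivers_entries(system_ini_text):
    """Lower-cased entries of every drivers= line in System.ini."""
    entries = []
    for line in system_ini_text.splitlines():
        match = re.match(r"\s*drivers\s*=(.*)", line, re.IGNORECASE)
        if match:
            entries += match.group(1).lower().split()
    return entries

def find_ci(directory, name):
    """Case-insensitive lookup, since these names turn up in any case."""
    if directory and os.path.isdir(directory):
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None

def triage(windows_dir):
    """Findings for a copied or mounted Windows folder (read-only checks)."""
    findings = []
    ini = find_ci(windows_dir, "system.ini")
    if ini:
        with open(ini, encoding="latin-1") as handle:
            if "ntsvsrv.dll" in drivers_entries(handle.read()):
                findings.append("system.ini: ntsvsrv.dll on drivers= line")
    system_dir = find_ci(windows_dir, "system")
    wsock = find_ci(system_dir, "wsock32.dll")
    if wsock and os.path.getsize(wsock) == REPLACED_WSOCK32_SIZE:
        findings.append("wsock32.dll: 14848 bytes")
    findings += ["present: " + n for n in TROJAN_FILES if find_ci(system_dir, n)]
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for a copied Windows folder.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "SYSTEM"))
        with open(os.path.join(root, "SYSTEM.INI"), "w") as out:
            out.write("[boot]\ndrivers=mmsystem.dll power.drv ntsvsrv.dll\n")
        with open(os.path.join(root, "SYSTEM", "WSOCK32.DLL"), "wb") as out:
            out.write(b"\0" * REPLACED_WSOCK32_SIZE)
        print(triage(root))
```

An empty result only means none of these specific indicators were found in that folder.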

I do not think this is the same problem. I have researched this deeper and there are people all over the globe that are just recently getting this problem.

 

I will try this solution on the infected computer in the AM and post results.

 

Thank you.

 

P.S. Try searching Project1 virus and you'll see many HJT logs.

Edited by pcnpbrian


If I have posted incorrect information I apologize.

 

Another search led me to F-Secure

F-Secure provides detection and removal of Y2KCount trojan with the latest updates that can be downloaded from our ftp site free of charge:

 

 

 

 

 

PS.....I did research Project1 virus

Edited by Juliet


Right, followed this......not the same symptoms. I have had no error messages like this, just the pop up MMOV window. Also, other users are now reporting that the prompts, if followed, will promote other sites. "bigoffice.com" etc.


Try these links and see if you think we are talking about the same thing

 

http://cyro.cs-territories.com/blog/2005_0...ro_archive.html

 

http://forums.designtechnica.com/archive/i...php/t-8017.html

 

http://forums.designtechnica.com/archive/i...php/t-8057.html

 

I hope the solution is as easy as you say, I will not know until tomorrow AM when I get back to the customer's PC

 

Thanks again


What comes to my mind next is Windows critical updates...could there have been a missed update?

and

Ad-Aware SE - Scan and clean spyware

http://www.lavasoftusa.com/software/adaware/ - Download

 

Spybot Search & Destroy - Scan and clean spyware

http://www.spybot.info/en/download/index.html - Download

 

and maybe run an online virus scan at trendmicro


None of these get it.

 

Actually, this machine was running Win 2K and I ran Spybot S&D V. 1.4 and I thought I got it, but when I upgraded to Win XP it was still there.

Edited by pcnpbrian


I did see it's coming from MSN messenger...

I have a firewall that sets rules for messengers....they may have had one too.

I hope someone can come in shortly that can supply more information on this.


Messenger may be the culprit.

 

I just talked with my customer and she said that the MMOV window has not popped up, that means that "project1" does not restart and killing it in TM stops the pop up. :mrgreen:


Hi pcnpbrian,

 

While I don't know if this would be an actual problem or threat, it is not a good idea to post links that lead into sites and downloads that are connected to Malware threat exposure.

 

Please modify your first post so that it is not a useable "active link"

Something like the following would still communicate your information, but would help safeguard a new or naive guest or member from getting tangled up in this problem....

A link to http  :// ran (DOT) popuppers(DOT)com takes you to an uninstall program that does not work.

Since the "un-installer" does not work, according to your own statement, there is no good reason to go look at it, and plenty of good reason not to provide a "trip wire" that could get a newbie entangled into this bad-guy.

 

Thanks for your information. Hopefully we will all learn from what you have discovered.... and do so safely.

 

***: Guests and members, until this post is reviewed by a Mod/Admin, I recommend that you do not "click" on the active link included in the first post of this thread.

 

Best Regards

Edited by dough

Guest Ebriley

I have the same thing. I assume it's a new phenom, as it's not google-able yet or listed on pc hell. I trust that a solution will come soon... Please let me know if you have any luck extricating this beastie.

 

I saw references to an old Project 1 virus. I think this one is different, but previously there was one that tracked passwords and login IDs. I hope this is just an annoyance and not a threat.

 

Until we have the fix, here's hoping we remember the control-alt-delete-end task solution...

Guest phat420man

Ok, here's what I get. The Project 1 stems from a file in the c:\windows directory named seli.exe. I ran msconfig under Windows XP Home and it was in the startup list. I disabled the program from startup and didn't have to ctrl/alt/del to end project 1 after a reboot. Then I went into the windows directory and executed the program and project 1 popped up in my tasklist. I ended task, and deleted the file, then rebooted and it stayed gone. I only deleted file after searching the Microsoft database and didn't get any hits back on seli.exe. Hope this info helps everyone.

 

There's also a prefetch file in c:\windows\prefetch...... mine was named SELI.EXE-04EEEAFC.pf

 

Do a registry search in regedit for seli.exe too. I found and deleted 4 registry keys after deleting the 2 files above.

 

:geezer:

Edited by phat420man

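The post above names three places to look: the file itself, a prefetch entry, and registry keys found by searching regedit. The sketch below is an added example, not part of the thread. It matches prefetch names on the executable prefix, so a different suffix still hits, and it searches the text of a regedit export for the file name. The sample prefetch list and the Run entry are constructed for illustration, apart from SELI.EXE-04EEEAFC.pf, which is quoted in the post.

```python
import re

TARGET = "seli.exe"  # file name reported in the post above

# Constructed sample data; only SELI.EXE-04EEEAFC.pf appears in the thread.
SAMPLE_PREFETCH = ["NOTEPAD.EXE-336351A9.pf", "SELI.EXE-04EEEAFC.pf", "SELI.EXE-1A2B3C4D.pf"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"seli"="C:\\WINDOWS\\seli.exe"
'''
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def prefetch_hits(names, exe=TARGET):
    """Prefetch files are named EXE-<8 hex digits>.pf; accept any suffix."""
    pattern = re.compile(re.escape(exe) + r"-[0-9A-F]{8}\.pf$", re.IGNORECASE)
    return [name for name in names if pattern.match(name)]

def decode_reg(raw):
    """regedit exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def unquote(text):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return re.sub(r"\\(.)", r"\1", text[1:-1])
    return text

def reg_hits(reg_text, needle=TARGET):
    """Return (key, value name, data) for each key or value naming needle."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if needle.lower() in key.lower():
                hits.append((key, None, None))
            continue
        match = VALUE_RE.match(line)
        if match and needle.lower() in line.lower():
            hits.append((key,) + tuple(unquote(p) for p in match.groups()))
    return hits

if __name__ == "__main__":
    print(prefetch_hits(SAMPLE_PREFETCH))
    print(reg_hits(SAMPLE_REG))
```

Values that regedit exports in hex form, such as hex(2): expandable strings, are not decoded here, so a hit list from this search is a starting point rather than a complete inventory.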

Thank you phat420man, that opens a new can of worms this morning.

I did a google search for seli.exe ...this is interesting.

From what I have read this is not easy to get rid of.

Guest phat420man

Well, all I can tell ya Juliet is to do what I did and I haven't had a pop-up since.

 

:geezer:


Was reading the articles from the HJT logs of people at other forums, seems they had other infections that went along with the seli.exe.

Gosh......I hate problems....


Thanks guys for all your help! This thing seems to get random, I mean you do not get the same thing on two or more machines. I'll try the "seli" solution and keep tracking....


Thanks phat420man, but I couldn't find seli.exe in the startup. Found the other instances in windows & windows\prefetch. Found one instance in the registry. Funny, the file name in the windows\prefetch was not the same as yours. Maybe I'm missing something here, can you elaborate on the nomenclature of your registry entries that you found....and what exactly showed up in the startup?

 

pcnpbrian


When you mention windows prefetch folders...it makes me think of temp files now.

There may be no connection to this but....there is a good temp deleter and prefetch cleaner....and I use it as well.....

Try this....and set it to standard clean up in the options panel....after using it reboot...

I'm curious and interested...

How to use CleanUp!

CleanUp! by Steven Gould

Guest phat420man

Sorry I haven't been up here in awhile. I'm not exactly sure where all the registry keys were or what they were because I never logged them. As I said the seli.exe file was in c:\windows. The only root folder that had any mention of it was the prefetch folder. I haven't had a single pop up or problem since doing what I did to get rid of it, and no permanent damage to my operating system was done (for example my box was running slow for a day or two but now is stable and back up to speed). If you can't find the file try the option to view all file types in folder options. If u still can't find it run a Windows search for seli and delete it that way, or just msconfig and delete it from startup to stop the pop ups. No spyware or adware software remover that I've heard of detects it, and as far as I know it's unrecognized by any form of antivirus software. I believe that I got it by installing an ActiveX control off a website. It's possible that you may get different symptoms by being infected different ways, different versions of Windows, or that the files are in different spots on your box. I hope that I was able to help at least a few of you out there that have this annoyance. I'll check back periodically and if u have any questions you can email me at [email protected] or u can just email me to let me know if this has helped or not.

 

:geezer:

Edited by phat420man


Thanks all, I just ended up completely installing a new version of XP on this machine. Glad to hear someone got "rid" of this thing.
