
Infected With Pop-ups & Redirects


18 replies to this topic

#1 jimmystep

jimmystep

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 30 December 2005 - 06:54 AM

OK, ran through the preparation guide and everything reports as clean but no doubt there is something still hidden.
When running CwShredder, it reported finding a "CWS.hiddenDll", which it fixed.
When running AdAware it spotted 20 malwares but hung up when deleting.
Ran again in safe mode and this deleted all 20.
At the moment, nothing is reported.

This is the logfile, thanks for your help;

Logfile of HijackThis v1.99.1
Scan saved at 11:44:58, on 30/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\WINDOWS.000\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS.000\SYSTEM\HKCMD.EXE
C:\WINDOWS.000\SYSTEM\PRINTRAY.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\STAROFFICE6.0\PROGRAM\SOFFICE.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\WINDOWS.000\SYSTEM\LEXBCES.EXE
C:\WINDOWS.000\SYSTEM\RPCSS.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ANTIMALWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nolcom.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.000\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS.000\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [8XJdA2] "C:\WINDOWS.000\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\Run: [576i39U] INLOADER.EXE
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [KwpsRVYpT] ICMCUI.EXE
O4 - Startup: StarOffice 6.0.lnk = C:\Program Files\StarOffice6.0\program\quickstart.exe
O4 - Startup: NetTerm.lnk = C:\Program Files\netterm\netterm.exe
O4 - Startup: live update.lnk = C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.30.10.251,172.30.10.201


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 06 January 2006 - 01:27 PM

Hi There! :thumbsup:

I am currently working on your log and am checking it with a teacher.

I will get back to you as soon as possible.

David :flowers:


#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 07 January 2006 - 12:47 PM

Hi jimmystep and welcome to BleepingComputer.

Sorry about the wait - everything has gotten a bit busy here!

Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • "Safe Mode (always request confirmation)"
      • "Prompt to update outdated confirmation" - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
___________________

Please download Spybot - Search and Destroy
  • (If Spybot - S&D 1.4 is already installed on your system, skip to “Update Spybot - S&D before using it”.)
  • When you have down-loaded the program, double-click on it to start the installation. Follow the default selections, pressing the “Next” button until you get to the “Select Additional Tasks” screen.
  • Under “Permanent protection”, make sure to uncheck the following items for now:
    • “Use Internet Explorer Protection”
    • “Use system settings Protection (TeaTimer)”
  • Press the “Next” button and then the “Install” button.
  • When the installation process is complete, make sure that “Run Teatimer” is unchecked.

Launch Spybot - S&D
  • If you told Spybot to launch when it was done installing, the program should now be open. Otherwise, find the icon on your Desktop and double-click on it.
  • When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the “Next” button.
  • Click on the button labelled “Start using this program” to begin using Spybot - Search & Destroy.

Update Spybot - S&D before using it
  • Click on the “Search for Updates” button. If there are available updates, they will be listed.
  • Check/tick the boxes beside each update.
  • Click on the “Download Updates” button and Spybot - S&D will download the updates and install them.
  • Close the program.

Run Spybot - S&D
  • Click on the “Check for Problems” button.
  • When Spybot has finished running, it may be showing RED entries, BLACK entries and GREEN entries in the window.
  • Make sure that there is a check-mark beside all of the RED entries ONLY.
  • Choose “Fix Selected Problems” and allow Spybot to fix the RED entries.
  • If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply “Yes” to this.
  • At this point you will be presented with the list of found entries again, but now there will be large green check-marks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next re-boot of Windows.
  • The next time you start Windows, Spybot will run automatically and fix anything that it could not fix previously.
___________________

After running both scans please reboot and post a new HijackThis log
Thanks
David

#4 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 09 January 2006 - 06:40 AM

OK will do that this afternoon and post logs later. Thanks for your help.

Cheers...Jimmy

#5 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 09 January 2006 - 11:17 AM

Hi David, managed to do as directed. Had to run AdAware in safe mode the first time as when running normally a "RUNDLL32" error box appeared and although AdAware continued running it didn't remove the 36 critical objects. When run in safe mode it did the job. Spybot found another 3.
Re-ran both afterwards and all clear. The hijack log is as follows and no doubt contains a few nasty entries!

Thanks again for the help.
Cheers...Jimmy

Logfile of HijackThis v1.99.1
Scan saved at 15:50:59, on 09/01/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\WINDOWS.000\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS.000\SYSTEM\HKCMD.EXE
C:\WINDOWS.000\SYSTEM\PRINTRAY.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\WINDOWS.000\SYSTEM\LEXBCES.EXE
C:\WINDOWS.000\SYSTEM\RPCSS.EXE
C:\WINDOWS.000\SYSTEM\PSTORES.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\ANTIMALWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nolcom.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {31A0A125-8123-11DA-8776-000BB29DE236} - C:\WINDOWS.000\SYSTEM\IEAP.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.000\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS.000\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [8XJdA2] "C:\WINDOWS.000\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\Run: [576i39U] INLOADER.EXE
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [KwpsRVYpT] ICMCUI.EXE
O4 - Startup: StarOffice 6.0.lnk = C:\Program Files\StarOffice6.0\program\quickstart.exe
O4 - Startup: NetTerm.lnk = C:\Program Files\netterm\netterm.exe
O4 - Startup: Outlook Express (2).lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: live update.lnk = C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.30.10.251,172.30.10.201

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 10 January 2006 - 12:00 PM

Hi there! :thumbsup:

We need to check out the status of a few files to determine whether they are good or bad!
______________
Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".
______________
Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file:
C:\WINDOWS.000\SYSTEM\INLOADER.EXE
Click Open.
Please save the results for that file. Please repeat this process for the following files also.

C:\WINDOWS.000\SYSTEM\ICMCUI.EXE
C:\WINDOWS.000\INLOADER.EXE
C:\WINDOWS.000\ICMCUI.EXE


There is a strong possibility that some of the files will not be found. Also there is a possibility that you will not be able to find any of them! If that's the case don't worry about it at all, just let me know!
____________
Please post back with the Jotti logs (probably two).
David

#7 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 11 January 2006 - 04:38 AM

____________________________________________

C:\WINDOWS.000\SYSTEM\INLOADER.EXE
Click Open.
Please save the results for that file. Please repeat this process for the following files also.

C:\WINDOWS.000\SYSTEM\ICMCUI.EXE
C:\WINDOWS.000\INLOADER.EXE
C:\WINDOWS.000\ICMCUI.EXE

__________________________________________

David, checked for the above but didn't find any of them. There was an INLOADER.DLL & ICMCUI.DLL but no exe files.

Redirects & pop-ups still appearing.

Cheers....Jimmy

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 12 January 2006 - 06:03 AM

Hi again! :thumbsup:

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked" (if present!):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {31A0A125-8123-11DA-8776-000BB29DE236} - C:\WINDOWS.000\SYSTEM\IEAP.DLL (file missing)
O4 - HKLM\..\Run: [8XJdA2] "C:\WINDOWS.000\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\Run: [576i39U] INLOADER.EXE
O4 - HKCU\..\Run: [KwpsRVYpT] ICMCUI.EXE

_____________________

Boot into Safe Mode
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

Please open "Mycomputer" and navigate to the following files/folders. Please delete them all (if you can't find one do not worry):

C:\WINDOWS.000\TEMP\CXTPLS_LOADER.EXE
_____________________

Please Navigate to the C:\WINDOWS.000\TEMP folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)

Finally go to Control Panel > Internet Options.
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

David
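The entries David picks out in the post above share a few visible signs: start and search pages blanked or set to about:blank, a BHO whose DLL is missing, and autorun names such as 8XJdA2 or KwpsRVYpT that look machine-generated, one of them launching from the TEMP folder. The script below is an added example, not something from this thread or from HijackThis itself; it applies those same rules to lines copied from the logs posted here. The vowel-ratio threshold and the choice of signals are my own heuristics, so its output is a list of entries to look at, not a verdict.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #5 above,
# with two known-good lines (Acrobat BHO, ScanRegistry) left in for contrast.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {31A0A125-8123-11DA-8776-000BB29DE236} - C:\WINDOWS.000\SYSTEM\IEAP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [8XJdA2] "C:\WINDOWS.000\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\Run: [576i39U] INLOADER.EXE
O4 - HKCU\..\Run: [KwpsRVYpT] ICMCUI.EXE
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
"""

# O4 lines look like "O4 - HKLM\..\Run: [label] command" (Run, RunServices, RunOnce ...)
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")


def looks_random(label):
    """Heuristic (my own thresholds): autorun names like 8XJdA2 mix digits with
    both letter cases, and names like KwpsRVYpT have almost no vowels.
    Product names (TaskMonitor, WinVNC, KB891711) pass both tests."""
    has_digit = any(c.isdigit() for c in label)
    has_upper = any(c.isupper() for c in label[1:])   # ignore a leading capital
    has_lower = any(c.islower() for c in label)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c.lower() in "aeiouy" for c in letters) / len(letters)) if letters else 1.0
    return (has_digit and has_upper and has_lower) or (len(letters) >= 5 and vowel_ratio < 0.15)


def check_line(line):
    """Return the reasons a single HijackThis line deserves a closer look (empty if none)."""
    reasons = []
    if line.startswith(("R0 - ", "R1 - ")):
        # R0/R1 are the IE start/search page settings; a blank or about:blank
        # value is what a hijacked browser looks like once the hijacker is half removed.
        value = line.split("=", 1)[1].strip() if "=" in line else ""
        if value in ("", "about:blank"):
            reasons.append("IE start/search page blanked or pointed at about:blank")
    elif line.startswith("O2 - BHO:") and "(file missing)" in line:
        reasons.append("BHO registered but its DLL is missing")
    else:
        m = O4_RE.match(line)
        if m:
            label, cmd = m.group("label"), m.group("cmd")
            if looks_random(label):
                reasons.append("autorun name %r looks machine-generated" % label)
            if "\\TEMP\\" in cmd.upper():
                reasons.append("autorun target lives in a TEMP folder")
            # A bare file name (no backslash) is resolved by path search, so the
            # analyst has to find the file first, exactly as happened with INLOADER.EXE.
            if reasons and "\\" not in cmd:
                reasons.append("no path given; locate the file on disk before judging it")
    return reasons


def analyze(log_text):
    """Return [(line, reasons), ...] for every line that triggered at least one rule."""
    findings = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it reports six of the nine sample lines: the two R lines, the orphaned BHO and the three autorun entries with generated names, while the Acrobat BHO, ScanRegistry and WinVNC lines pass. The proxy line (R1 ... ProxyServer = cache.nolcom.com:8080) is not flagged by these rules because it carries a real value; whether that proxy is legitimate is something only the machine's owner can answer.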

#9 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 12 January 2006 - 10:27 AM

Hi David, did as requested.

This is the active scan report;


Incident Status Location

Adware:Adware/Gator Not disinfected C:\WINDOWS.000\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS.000\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe
Adware:Adware/Gator Not disinfected C:\WINDOWS.000\Downloaded Program Files\HDPlugin1101.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS.000\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N57M2911NetInstaller.exe
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS.000\Cookies\robertsons@com[2].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS.000\Cookies\robertsons@112.2o7[2].txt
Spyware:Cookie/Xmts Not disinfected C:\WINDOWS.000\Cookies\robertsons@xmts[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS.000\Cookies\robertsons@www.myaffiliateprogram[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS.000\Cookies\robertsons@myaffiliateprogram[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\WINDOWS.000\Cookies\robertsons@spywarestormer[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS.000\Cookies\robertsons@burstnet[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS.000\Cookies\robertsons@rightmedia[2].txt
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ace.dll
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\CxtPls.dll
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\CxtPls.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\WinGenerics.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\AntiMalware\smitRem.exe[Process.exe]

And this is the HijackThis log;

Logfile of HijackThis v1.99.1
Scan saved at 15:21:02, on 12/01/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\WINDOWS.000\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS.000\SYSTEM\HKCMD.EXE
C:\WINDOWS.000\SYSTEM\PRINTRAY.EXE
C:\WINDOWS.000\SYSTEM\LEXBCES.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\WINDOWS.000\SYSTEM\RPCSS.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\STAROFFICE6.0\PROGRAM\SOFFICE.EXE
C:\WINDOWS.000\SYSTEM\PSTORES.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\ANTIMALWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.nolcom.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.000\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS.000\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: StarOffice 6.0.lnk = C:\Program Files\StarOffice6.0\program\quickstart.exe
O4 - Startup: NetTerm.lnk = C:\Program Files\netterm\netterm.exe
O4 - Startup: Outlook Express (2).lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: live update.lnk = C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.30.10.251,172.30.10.201

Still some work for us to do :-)

Cheers....Jimmy

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 14 January 2006 - 03:59 AM

Sorry for the delay Jimmy. I'm in the process of checking my next reply.
David :thumbsup:

#11 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 14 January 2006 - 06:19 PM

Hey, no problem David. You're the one helping me out and I am most grateful.

Thanks again for your time and effort.

Cheers...Jimmy

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 16 January 2006 - 11:27 AM

Hi there JimmyStep.

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:
_________________

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

HDPlugin1101 <-- (or something similar)
UWFX5 <-- (or something similar)
NetInstaller
_________________

Please click start > run > and type "regsvr32 /u occache.dll" (without quotes).
_________________

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
_____________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.
_______________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Aprps <--folder

* Whilst still in explorer, please navigate to the following files. For each right click on them and click "remove", then after doing so you may right click and "delete" them:

C:\WINDOWS.000\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll <---file
C:\WINDOWS.000\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe<---file
C:\WINDOWS.000\Downloaded Program Files\HDPlugin1101.dll<---file
C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe<---file
C:\WINDOWS.000\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe <---file
C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe<---file
C:\WINDOWS.000\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe<---file
________________

Boot back to normal mode.

Please click start > run > and type "regsvr32 occache.dll" (without quotes).
________________

The logs are looking much better and after you have completed the above. How do you feel the computer is running? If you are still getting pop-ups just let me know! We will then be able to think about looking deeper into your computer! :flowers:

David

Edited by D-Trojanator, 16 January 2006 - 11:29 AM.


#13 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 17 January 2006 - 07:35 AM

Hi David, did as above, except couldn't use ATF cleaner as win98 not supported. Cleaned out;
HDPlugin1101
UWFX5
NetInstaller

So far, no pop-ups. Will see how it is for the rest of the day. Will get back to you in a couple of days. Unless you have something else for me to do.

Cheers...Jimmy

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:43 PM

Posted 18 January 2006 - 05:25 AM

Hi jimmystep :thumbsup:

Sorry about ATF Cleaner. My fault, I didn't realize until afterwards that the program wasn't compatible on 98 :flowers:

On a brighter note I would now imagine that your computer is well on its way to being clean; you mention you haven't seen any pop-ups so far - hopefully it should stay like this! If you happen to find any don't hesitate to let me know! I would like you to run Panda scan once more so that we can determine whether the bad plugins/files have actually gone. Please follow the instructions from my previous posts to complete the scan.

David :huh:

#15 jimmystep

jimmystep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:43 PM

Posted 19 January 2006 - 06:28 AM

Hi David, bad news. Still redirects on IE and pop ups. Here is the latest Panda scan;


Incident Status Location

Adware:Adware/CWS.Aboutblank Not disinfected C:\WINDOWS.000\SYSTEM\hclpmbb.dll
Adware:Adware/SearchExe Not disinfected C:\WINDOWS.000\TEMP\se.dll
Spyware:Cookie/Qsrch Not disinfected C:\WINDOWS.000\Cookies\robertsons@qsrch[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS.000\Cookies\robertsons@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS.000\Cookies\robertsons@atdmt[2].txt
Spyware:Cookie/Adviva Not disinfected C:\WINDOWS.000\Cookies\robertsons@adviva[2].txt
Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS.000\Cookies\robertsons@2o7[1].txt
Adware:Adware/Gator Not disinfected C:\RECYCLED\DC0.DLL
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\RECYCLED\DC2.EXE
Adware:Adware/Gator Not disinfected C:\RECYCLED\DC3.DLL
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\RECYCLED\DC6.EXE
Spyware:Spyware/Apropos Not disinfected C:\RECYCLED\DC7.DLL
Spyware:Spyware/Apropos Not disinfected C:\RECYCLED\DC13.DLL
Spyware:Spyware/Apropos Not disinfected C:\RECYCLED\DC14.EXE
Spyware:Spyware/Apropos Not disinfected C:\RECYCLED\DC16.DLL
Spyware:Spyware/Apropos Not disinfected C:\RECYCLED\DC18.DLL
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLED\DC20.EXE[Process.exe]