Solved

Popups Keep On Coming

Posted on 2004-09-02
49
4,007 Views
Last Modified: 2013-12-04
Hi Again Experts - Hope you can help with this as I will be on this site again today. I have Win98se system which was hijacked by NewNet and about:blank. I ran hijackthis and cleaned up those issues. I ran spybot, noadware, adaware, and cwshredder.  All programs report that the system is clean. But when I restart, without even opening a browser, the popups start coming. I tried disconnectiong the network/internet and the system keeps asking me if I want to work offline or retry the connection. I assume that some form of evil is trying to open a browser. Any ideas?  
Thanks,  Pat
0
Comment
Question by:PFSullivan
  • 23
  • 15
  • 6
  • +3
49 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
Hello PFSullivan =)

Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe
0
 

Author Comment

by:PFSullivan
Comment Utility
OK - Thanks - I'll be at that site in about 2 Hrs.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
no problem :)
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Start->Run->MSconfig and remove all items from the startup tab.  Reboot and if it does not occur again, it can be narrowed down to an item in your startup...
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Again  SheharyaarSaahil

The following is the Hijackthis log file -

And I already cleaned all items from startup and ran a fresh NAV w/ liveupdate - Appreciate the help.
P


Logfile of HijackThis v1.98.2
Scan saved at 10:44:18 AM, on 09/02/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - WWW. Prefix: http://
=====================================

check these lines and click on Fix Checked !!!!!
I really cannot see anything else BAD in ur LOG :-?
0
 

Author Comment

by:PFSullivan
Comment Utility
SheharyaarSaahil

I performed that function - Now "about:blank" is opening browsers - I'm getting about 8 or 9 popups in a row.

Any ideas?
Thanks,  Pat
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
are they random popups or from a particular website ??
0
 

Author Comment

by:PFSullivan
Comment Utility
They appear to be random - Casinos, Citibank, Prizes
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
ur LOG doesn't list anything Bad =|

try uinstalling IE completely >> http://www.litepc.com/ieradicator.html
then Download it again and install a fresh copy, (rememeber to first download the setup and save it to ur hard drive, coz after uninstalling IE, u will be unable to download it :)

Download Full IE2.0 to IE6.0SP1
http://public.planetmirror.com/pub/microsoft/ie/

Download Full IE1.0 to IE6.0
http://browsers.evolt.org/?ie/32bit
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Before uninstalling IE, try installing this overlay for IE that eliminates popups: www.maxthon.com
If it still happens with Maxthon, it's something different going on.
Check your hosts/lmhosts files located in
Start->Run->%systemroot%\system32\drivers\etc
for anyt entries other than localhost @ 127.0.0.1
0
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Also - try booting into safe mode with networking support and post if it still occurs...press f8 before windows loads to get this option...
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi

Far be it from me to dare add to what SirB and SheharyaarSaahil have written (as these chaps no doubt know their stuff- hi guys ;))), but I would suggest running an online virus scan on it too to check for Trojans etc, (I know you're running Norton, but trust me, even fully updated it's been really useless recently on detecting trojans - hence my suggestion). There may be some hidden process running that for whatever reason isn't getting picked up by the hijackthis logfile (odd I know). If running it in safe mode with networking support as SirB has suggested gets rid of the pop-ups, a hidden process/service etc. is even more likely to be the culprit. Make sure to note the names of any such beasties found,

Trend
http://housecall.trendmicro.com/
Panda
http://www.pandasoftware.com/activescan/


Deb :))
0
 
LVL 29

Expert Comment

by:blue_zee
Comment Utility

Try fixing the O16 entries with HJT.

Zee
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Experts -

To Deb:  i tried the Live Scan from Symantec - it said all was clean
To SirBounty - I loaded the Maxthon browserbut the system freezes every time I try to execute the browser. I also removed 3 strange entries from the host file - They are the o16 entries which are shown above in my HJT log.
To SheharyaarSaahil - I have made several attempts at eradicating the IE - The software runs, tells me it must reboot, Then locks and never removes the IE.

Thanks to all for the assist

I'm still pretty much in the same boat except now I am getting fewer popups and the "about:blank" seems to be controlling the popups.

Any other ideas would be greatly appreciated   Thanks   Pat
 

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
>> To SheharyaarSaahil - I have made several attempts at eradicating the IE - The software runs, tells me it must reboot, Then locks and never removes the IE

Did u tried it in Safemode ??
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi

Sorry but am away for the weekend now - will pick this up on Monday if Sheharyaar hasn't got it licked by then ;) - I still suggest you try Trend Online - Really Norton/Symantec has been really useless of late - I've seen one totally paralysed network as a result of it missing stuff that I helped fix up last week - So try Trend Online and Panda as no AV is foolproof - just to keep me quiet?

Make sure that in folder options that you have show hidden files and system files enabled and I also suggest you download startdreck and post your config log for us to have a look at - it's like msconfig but a bit more thorough, you can get it here,

http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/frames.htm?http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm

let's see if it gives any clues missed by hijackthis?

Deb :))

0
 

Author Comment

by:PFSullivan
Comment Utility
Hi All - I'm back at this system today - Following Deb's advice, I have run the StartDreck program - I'm not familiar with this one so I'm not sure what I'm seeing - The log follows - Thanks as always -  Pat

StartDreck (build 2.1.7 public stable) - 2004-09-06 @ 10:30:09 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as psullivan at PSULLIVAN

»Registry
 »Run Keys
  »Current User
   »Run
   »RunOnce
  »Default User
   »Run
   »RunOnce
  »Local Machine
   »Run
    *OpwareSE2="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    *vptray=C:\Program Files\Norton AntiVirus\vptray.exe
    *VBouncerDL=C:\Program Files\VBouncer\VBouncerInner.exe /S
    *SESync="C:\PROGRAM FILES\SED\SED.EXE"
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
    *rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
    *defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
  +.htm
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.js
   `jsfile= [key or value does not exist]
  +.jse
   *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=C:\WINDOWS\NOTEPAD.EXE %1
  +.vbs
   `vbsfile= [key or value does not exist]
  +.vbe
   *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsf
   *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
»Files
 »Autostart Folders
  »Current User
   *C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
   *C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
  »Default User
   *C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
   *C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
  »Local Machine
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\msdos.sys
  *C:\config.sys
  *C:\autoexec.bat
  *C:\WINDOWS\wininit.ini
  *C:\WINDOWS\wininit.bak
  *C:\WINDOWS\dosstart.bat
  *C:\WINDOWS\hosts
»System/Drivers
 »Running Processes
  +FF0F750D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFABD1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFBD41=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE0D29=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
  +FFFEE2B5=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
  +FFFD3CE1=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFD0BB1=C:\WINDOWS\EXPLORER.EXE
  +FFFDA2BD=C:\WINDOWS\SYSTEM\RPCSS.EXE
  +FFFCFA79=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
  +FFFCDC1D=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
  +FFFB3AA5=C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
  +FFFACDF9=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF92121=C:\WINDOWS\SYSTEM\PSTORES.EXE
  +FFFCABED=C:\PROGRAM FILES\SED\SED.EXE
  +FFFA002D=C:\UNZIPPED\WINZIP32.EXE
  +FFF97441=C:\UNZIPPED\WZQKPICK.EXE
  +FFFC9B0D=C:\WINDOWS\TEMP\STARTDRECK.EXE
 »NT Services
»Application specific
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi
These are suspect I think, but didn't show up in your hijack this file.

VBouncerDL=C:\Program Files\VBouncer\VBouncerInner.exe /S
SESync="C:\PROGRAM FILES\SED\SED.EXE"

Virtual Bouncer
http://www.kephyr.com/spywarescanner/library/virtualbouncer/index.phtml.
If you haven't already done so,
Go to My Computer->Tools->Folder Options->View tab and make sure that show hidden files and folders is enabled,and make sure that system files/folders are also visible.

Then restart in safe mode (hit F8 key on boot up I think till you see the option), Close all browser pages / open programs. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for this if it is still listed,

C:\PROGRAM FILES\SED\SED.EXE

Uninstall VBouncer if is there using add remove programs in control panel. Re-run hijackthis and post the log again - I am hoping that it should show more this time,

Deb :))
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb - I appreciate your working today - I just finished the Micro Trend Scan with the following results - YOU KNOW YOUR STUFF !

Viruses Found By Trend Micro ON-Line House Call Scan:

TROJ ACHUM.A       Non Cleanable      C:\Program Files\NoAdware\NoAdware Backup\9,1,2004_11,56,33.zip *Mgmt
TROJ AGENT.EG      Non Cleanable      C:\Recycled\DC387
TROJ AGENT AE      Non Cleanable      C:\Recycled\DC388.cab *polmx’
TROJ AGENT AE      Non Cleanable      C:\Recycled\DC388.cab
TROJ AGENT.BI      Non Cleanable      C:Recycled\DC392
TROJ AGENT.BI      Non Cleanable      C:\Windows\System\sqowngn.exe
TROJ IMSERV.C      Non Cleanable      C:\Windows\Temp\Wupdt.exe
TROJ AGENT.EG      Non Cleanable      C:\twaintec.cab\ *pollall1m.exe
BKDR RULEDOR.E      Non Cleanable      C:\Windows\bundles\CSV5P070.exe
TROJ AGENT.AE      Non Cleanable      C:\Windows\POLMX.EXE

I have emptyed the Recycle Bin - Can I just delete the "EXE" files ?  Or is there a cleaning procedure - Thanks,  Pat
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi

First of all let housecall just delete them, then follow my suggestions in my last post - I'll check these out for any manual removal instructions or online removal tools - Told you though, Symantec/Norton is useless with these.........

Deb :))

0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
I'd also uninstall NoAdware if you have it - some of these so called anti-spyware programs are as bad as spyware itself,
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Agaian Deb - Following your instructions:

NoAdware is uninstalled
Vbouncer is removed
SED was not listed as a process
Micro Trend deleted files - (rerunning now)\

This is the new HJT log
Logfile of HijackThis v1.97.7
Scan saved at 12:06:36 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WZQKPICK.EXE
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9

I can't believe I'm still getting PopUps !!  Thanks,  Pat


0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hmm - Logfile of HijackThis v1.98.2 - This was your first log-file

Your second is Logfile of HijackThis v1.97.7 - which is an older version of Hijackthis - could you try post again with the newer version - Oh and you definitely changed the folder options to view hidden folders/files system folders etc?
Newer version here
http://www.greyknight17.com/downloads/HijackThis.exe

For whatever reason HJT isn't picking things up that are showing in your Startdreck log,

Will wait for new HJT log (but run this from booting normally, not safe mode)

Deb :))

0
Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Ah - the top link in this post from Sheharyaar for Hijackthis is fine too
0
 

Author Comment

by:PFSullivan
Comment Utility
Shall do Deb - I forgot that the infected system has an older version - I have the system at home and I am loath to connect it to my network for obvious reasons  :) - The Micro Trend is almost finished on the infected system and has found 6 Trojans this time - Once it completes, I will download a fresh HJT and rerun

I did click on the "Show All Files"

Thanks,  Pat
0
 

Author Comment

by:PFSullivan
Comment Utility
Hey Deb !  

Latest HJT Log -

Logfile of HijackThis v1.98.2
Scan saved at 12:53:20 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE

Tnx,  Pat
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WZQKPICK.EXE
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9

0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi

Ok - fix these:
C:\PROGRAM FILES\WEB OFFER\WO.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

Reboot, try some surfing and see how it goes. If still pop-ups then repost your startdreck log,

Deb
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb - After all your hard work and great insights (which are greatly appreciated), I'm sad to say that the pop-ups are still haunting me.

Latest Startdreck Log:

StartDreck (build 2.1.7 public stable) - 2004-09-06 @ 13:26:07 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as  at PSULLIVAN

»Registry
 »Run Keys
  »Current User
   »Run
   »RunOnce
  »Default User
   »Run
   »RunOnce
  »Local Machine
   »Run
    *OpwareSE2="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    *vptray=C:\Program Files\Norton AntiVirus\vptray.exe
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
    *rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
    *defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.disabled
   *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
  +.htm
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.html
   *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
  +.js
   `jsfile= [key or value does not exist]
  +.jse
   *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=C:\WINDOWS\NOTEPAD.EXE %1
  +.vbs
   `vbsfile= [key or value does not exist]
  +.vbe
   *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
  +.wsf
   *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
»Files
 »Autostart Folders
  »Current User
   *C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
  »Default User
   *C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
  »Local Machine
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\msdos.sys
  *C:\config.sys
  *C:\autoexec.bat
  *C:\WINDOWS\wininit.ini
  *C:\WINDOWS\wininit.bak
  *C:\WINDOWS\dosstart.bat
  *C:\WINDOWS\hosts
»System/Drivers
 »Running Processes
  +FF0F7483=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFAA5F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFBCCF=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE0CA7=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
  +FFFEE33B=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
  +FFFD3E47=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFD1687=C:\WINDOWS\EXPLORER.EXE
  +FFFDA42B=C:\WINDOWS\SYSTEM\RPCSS.EXE
  +FFFC234B=C:\WINDOWS\RUNDLL32.EXE
  +FFFCF153=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
  +FFFCCF5B=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
  +FFFB220B=C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
  +FFF92E23=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFFBC13B=C:\UNZIPPED\WINZIP32.EXE
  +FFFAC44F=C:\WINDOWS\TEMP\STARTDRECK.EXE
 »NT Services
»Application specific

Thanks - Pat
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
This is a tricky little sod this isn't it? -

Have a look in Control Panel - add/remove programs - uninstall anything like:

Web Offer etc. - Guaranteed problem
Make sure you have deleted the following folders:

C:\Program Files\VBouncer\
C:\PROGRAM FILES\SED\
C:\PROGRAM FILES\WEB OFFER

Restart - Re-check that show all files in folder options is still checked
Using current hijackthis

1) Re-post log
2) In hijackthis click config - misc tools - open hosts file manager - check and post any, then delete any that aren't either 127.0.0.1, or have not been specifically added by yourself
3) In hijackthis click config - misc tools - Click open process manager - make sure to check the box marked "show dll's" - Click refresh - then click on the litle floppy disk icon, save the text file and post that here too!

Just trying to be thorough now and examine all entries - something must still be there - it's just not showing up right now (or I've missed it!)

Deb :))

0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb --  You are patient - Thanks - I went through Add/Remove and I find one entry which is unfamiliar - "ChainCast Proxy (Remove Only)  -  It will no remove, says the DLL can not be found - Mean anything to you?  

I am continuing with your other ideas -be back soon - Pat
0
 

Author Comment

by:PFSullivan
Comment Utility
OH - the DLL it can't find was called CCMP392.DLL in the System folder
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
I'm not familiar with chaincast proxy but it appears to be linked to streaming audio - wouldn't appear to be spyware from what I can tell

http://www.chaincast.com/support/products/vmr_3.0/faq.html

Deb :))
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb - I have removed anything that I am not sure is a valid install. -  The logs follow:


Logfile of HijackThis v1.98.2
Scan saved at 2:31:42 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9

_______
This is the hosts fILE -
I did not enter these

127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com

The Process List

Process list saved on 2:36:58 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)

[full path to filename]            [file version]      [company name]
C:\WINDOWS\SYSTEM\KERNEL32.DLL            4.10.0.2222      Microsoft Corporation
C:\WINDOWS\SYSTEM\MSGSRV32.EXE            4.10.0.2222      Microsoft Corporation
C:\WINDOWS\SYSTEM\MPREXE.EXE            4.10.0.1998      Microsoft Corporation
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE            7.51.0.847      Symantec Corporation
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE            7.51.0.1      Symantec Corporation
C:\WINDOWS\SYSTEM\mmtask.tsk            4.3.0.1998      Microsoft Corporation
C:\WINDOWS\EXPLORER.EXE            4.72.3110.1      Microsoft Corporation
C:\WINDOWS\SYSTEM\RPCSS.EXE            4.71.2900.0      Microsoft Corporation
C:\WINDOWS\RUNDLL32.EXE            4.10.0.1998      Microsoft Corporation
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE            12.0.0.1      ScanSoft, Inc.
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE            7.51.0.847      Symantec Corporation
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE            5.0.0.0      ScanSoft, Inc.
C:\WINDOWS\SYSTEM\DDHELP.EXE            4.9.0.900      Microsoft Corporation
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE            1.98.0.2      Soeperman Enterprises Ltd.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE            6.0.2800.1106      Microsoft Corporation
C:\WINDOWS\SYSTEM\PSTORES.EXE            5.0.1877.3      Microsoft Corporation


DLLs loaded by process :

[full path to filename]            [file version]      [company name]
C:\WINDOWS\SYSTEM\ATIMPPIF.DLL            4.10.1.2251      ATI Technologies Inc.
C:\WINDOWS\SYSTEM\USER32.DLL            4.10.0.2227      Microsoft Corporation
C:\WINDOWS\SYSTEM\GDI32.DLL            4.10.0.1998      Microsoft Corporation
C:\WINDOWS\SYSTEM\ADVAPI32.DLL            4.80.0.1675      Microsoft Corporation
C:\WINDOWS\SYSTEM\KERNEL32.DLL            4.10.0.2222      Microsoft Corporation

127.0.0.1  status.qckads.com
69.20.16.183  auto.search.msn.com
69.20.16.183  search.netscape.com
69.20.16.183  ieautosearch


I hope you see something exciting !!   It looks pretty normal to me.

Tnx - Pat

0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
In hijack this
Check the following and click fix checked
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Then edit the host file in hijackthis - leave only the following entry

127.0.0.1       localhost

Delete these
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com

Reboot and repost the logs - see if it helps any

Deb :))

0
 

Author Comment

by:PFSullivan
Comment Utility
HI

I "Fixed" the entries you mentioned above in the 01 section - They immediately reappeared at the bottom of the list - I deleted those as well - but on reopening the hosts file - they were back - Do you think these are the source of the problem ?  

Perhaps at this point I should format the drive. What do you think? (Or as we say in New Jersey, Whaddayathink?)

P
0
 

Author Comment

by:PFSullivan
Comment Utility
Deb - The exact same settings are back in HJT after a full shutdown. I find that if I unplug the internet - I get 15 or more attempts to find the internet. If the internet is connected and I leave the system alone for about 20 mins. I come back to 70 or 80 pop-ups.

While I appreciate your working with me, I'm sure you have a life - If you must abandon me here, Thanks, and I understand - This has been 8 hours of work so far.

best regards,  Pat
0
 

Author Comment

by:PFSullivan
Comment Utility
Not that I don't appreciate all that you have done -   You are the best !!!!!

0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi

No probs - and no I won't be abandoning this! Can't promise I'll sort it - but here's another suggestion, as there is obvious some hidden activity going on that's spawning this little lot, so what you've posted isn't a surprise. However we do need to find it, and the following is a useful little tool that I've used before to get rid of some real nasties,
Download and install this,
http://tds.diamondcs.com.au/
then make sure that you also download the update scanner file from here
http://www.diamondcs.com.au/tds/radius.td3
Make sure you put this file above into the TDS-3 folder - ie C:\Program Files\TDS-3

Then use it to run a full system scan and let us know what it finds. You can re-install but it depends on how easy it is to get your data off and then reload it along with all your applications. I'd maybe give it a bit longer first,

Deb :))
0
 

Author Comment

by:PFSullivan
Comment Utility
You have heart Deb !!      There are more than 120 applications on this system - about 12 hours work to reinstall and about 40Mb of scientific data.  I'm going with your plan.

We'll talk soon

regards,  Pat
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Wondering about these too:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9

Also just checking - are you on a domain and what is agencyintegrator and agencyworks?

Deb :))
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb
The Domain = Nick I put in to get this system on my local internet carrier from home - The ips  207.103 etc. are my local carrier Gateway (Verizon) domain Ips
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi

The TDS-3 scan is still running

Agencyworks/Agencyintegrator is an internet App the client uses for day-to-day ops.

0
 

Author Comment

by:PFSullivan
Comment Utility
News and Update

The TDS-3 scan is still running

One Alarm so far = Adware.MetaDirect.dll - in the recycled bin (DC37.dll)
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Again Debs -    Sadly, this is all we have to report - scan complete - log follows:

18:48:19 [Init] Trojan Defence Suite v3.2.0  (UNLICENSED)
18:48:19 [Init] Started 06-09-04 18:48:19 Eastern Standard Time (UTC: 5), Internet Time @991.89
18:48:19 [Init] Loading TDS-3 Systems ...
18:48:19 [Init] Token successfully adjusted.
18:48:19 [Init] • TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum
18:48:19 [Init] • Plugins          :   OK.      Loaded 13
18:48:19 [Init] • Exec Protection  :   Not Installed
18:48:19 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:48:19 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:48:19 [Init] Licensed users can use the Update facility from the TDS menu
18:48:19 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:48:32 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:48:32 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
18:48:32 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
18:48:41 [Init] TDS-3 Ready. <Psullivan@207.103.64.181, 0.0.0.0, 127.0.0.1 - United States>
18:48:41 [Tip Of The Day] If you're suspicious about a certain file, use the String Extractor (from the Utilities menu). This will run through the file and strip out ANSI strings of 5 characters or more in length, enabling you in some cases to get a better 'view' of the file.
18:48:41 [TDS] Good evening Psullivan. What time do you finish work tonight?
18:48:43 [Mutex Memory Scan] Started...
18:48:44 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:48:44 [Trace Scan] Started...
18:49:11 [Trace Scan] Finished.
18:49:11 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:51:41 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr0.txt
18:51:48 [CRC32] Started - verifying 29 files ...
18:51:49 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
18:51:51 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
18:51:51 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
18:51:53 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
18:51:54 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
18:51:54 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
18:51:55 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
18:51:55 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
18:51:56 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
18:52:09 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
18:52:10 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
18:52:14 [CRC32] Test finished.
18:52:35 [Memory Scan] Memory scan started, please wait a moment ...
18:53:00 [Memory Scan] Memory scan complete.
18:53:00 [Mutex Memory Scan] Started...
18:53:02 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:53:02 [Trace Scan] Started...
18:53:29 [Trace Scan] Finished.
18:53:29 [Service\Driver Scan] Scanning for services and drivers ...
18:53:29 [Service\Driver Scan] Scanned 14 services and drivers.
18:53:29 [File Scan] Scanning in A:\ ...
18:53:31 [File Scan] Scanned 0 files: 0 alarms in 2.367188 seconds (Avg 1. files/sec)
18:53:31 [File Scan] Scanning in C:\ ...
19:28:07 [File Scan] Scanned 27852 files: 1 alarms in 2075.188 seconds (Avg 14.42 files/sec)
19:28:07 [File Scan] Scanning in D:\ ...
19:30:22 [File Scan] Scanned 467 files: 1 alarms in 135.2266 seconds (Avg 4.45 files/sec)
19:30:23 [Scan] Finished.
19:31:17 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr1.txt
19:31:45 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr2.txt
19:32:18 [Text Dump] Saved to C:\PROGRAM FILES\TDS3\scandump.txt
19:32:38 [Quit] Unloading ...


Scan Dump

Scan Control Dumped @ 19:32:18 06-09-04
Positive identification (DLL): Adware.MetaDirect (dll)
  File: c:\recycled\dc37.dll

best,   Pat
0
 

Author Comment

by:PFSullivan
Comment Utility
Hi Deb et al -  In your absense I reran SpyBot - 159 problems found - fixed - and the pop-ups keep on coming.
I have reached the end of the line - I will plead insanity to the customer and spend tomorrow reinstalling all the software and network links - Thank you for working with me on this - Your help is always appreciated -

I'll check back in a couple of hours in case anyone had a brainstorm while I am backing up all this data

Best Regards,  Pat

 

0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
Comment Utility
Hi Pat

Sorry - the baffling one on this has been the complete lack of clues and inconsistency of items posted in the logs. There's some little sod of a file somewhere that on boot is repopulating the hosts file amongst other things. The trouble is finding it. I've never seen one quite like this before so sorry I didn't help you fix it.
The only other suggestions I was going to make was to try installing zone alarm - this will tell you what program is trying to access the internet (useful for identifying rogue programs etc), to use msconfig to disable all non microsoft services and start-up items other than the internet connection, reboot and see if that made any difference - if it did we maybe could have narrowed it down, and to empty all temp folders,

Oh well - don't plead insanity - Suggest to the customer that Windows 98 is an extremely insecure operating system, and suggest that he either upgrades to Win XP SP2,  gets some extremely good malware defence utilities, changes the Norton AV to something that works, tightens up the internet security area or stops surfing!

Best wishes

Deb :))

0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
Hi
Thanks - did I help at all though?
On second thoughts - XP sp1 is safer - wait until they've fixed sp2 so it works properly and doesn't crash your system!

Deb :))
0
 

Expert Comment

by:ugetab
Comment Utility
See if you can find the file MQTCP.DLL (File will be Hidden, System, and Read-Only) in your System or System32 directory. I'm not sure how you could disable it in a 2K or XP system, but it's a possible cause for the popups and host file being rewritten every 5 seconds.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now