PFSullivan
asked on
Popups Keep On Coming
Hi Again Experts - Hope you can help with this as I will be on this site again today. I have Win98se system which was hijacked by NewNet and about:blank. I ran hijackthis and cleaned up those issues. I ran spybot, noadware, adaware, and cwshredder. All programs report that the system is clean. But when I restart, without even opening a browser, the popups start coming. I tried disconnecting the network/internet and the system keeps asking me if I want to work offline or retry the connection. I assume that some form of evil is trying to open a browser. Any ideas?
Thanks, Pat
ASKER
OK - Thanks - I'll be at that site in about 2 Hrs.
no problem :)
Start->Run->MSconfig and remove all items from the startup tab. Reboot and if it does not occur again, it can be narrowed down to an item in your startup...
ASKER
Hi Again SheharyaarSaahil
The following is the Hijackthis log file -
And I already cleaned all items from startup and ran a fresh NAV w/ liveupdate - Appreciate the help.
P
Logfile of HijackThis v1.98.2
Scan saved at 10:44:18 AM, on 09/02/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - WWW. Prefix: http://
=======================================
check these lines and click on Fix Checked !!!!!
I really cannot see anything else BAD in ur LOG :-?
ASKER
SheharyaarSaahil
I performed that function - Now "about:blank" is opening browsers - I'm getting about 8 or 9 popups in a row.
Any ideas?
Thanks, Pat
are they random popups or from a particular website ??
ASKER
They appear to be random - Casinos, Citibank, Prizes
ur LOG doesn't list anything Bad =|
try uninstalling IE completely >> http://www.litepc.com/ieradicator.html
then Download it again and install a fresh copy, (remember to first download the setup and save it to ur hard drive, coz after uninstalling IE, u will be unable to download it :)
Download Full IE2.0 to IE6.0SP1
http://public.planetmirror.com/pub/microsoft/ie/
Download Full IE1.0 to IE6.0
http://browsers.evolt.org/?ie/32bit
Before uninstalling IE, try installing this overlay for IE that eliminates popups: www.maxthon.com
If it still happens with Maxthon, it's something different going on.
Check your hosts/lmhosts files located in
Start->Run->%systemroot%\system32\drivers\etc
for any entries other than localhost @ 127.0.0.1
Also - try booting into safe mode with networking support and post if it still occurs...press f8 before windows loads to get this option...
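The hosts-file check SirBounty describes, as an added Python example (not code from the thread): it parses hosts-file text and flags every name that is mapped to anything other than a loopback address. The sample content is constructed from the O1 lines in Pat's HijackThis log; note that on Win9x the file is C:\WINDOWS\hosts (the StartDreck log lists it), while %SystemRoot%\system32\drivers\etc\hosts is the NT-family location.

```python
"""Flag hosts-file entries that redirect names away from loopback.

Added example for this thread, not code from the thread itself. The
sample hosts content below is constructed from the O1 lines in the
posted HijackThis log.
"""
import ipaddress
from typing import List, NamedTuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: 'address name [alias ...]'; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no name maps nothing
        entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 and ::1; anything unparsable is treated as not loopback."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Return every entry whose address is not loopback.

    A clean hosts file maps only localhost to 127.0.0.1 (or ::1). Any other
    mapping pins a public name to a fixed address and bypasses DNS entirely,
    which is how the search hijacker in the thread pointed IE's address-bar
    search names (auto.search.msn.com, ieautosearch) at 69.20.16.183.
    """
    return [e for e in parse_hosts(text) if not is_loopback(e.address)]


def load_hosts(path: str) -> str:
    """Read a hosts file from disk, e.g. C:\\WINDOWS\\hosts on Win9x."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample: the three O1 lines from the log plus a normal localhost line.
SAMPLE_HOSTS = """\
# hosts file as found on the infected Win98 box (constructed for this example)
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {', '.join(e.names)} -> {e.address} (not loopback)")
```

Pointing the script at the real file (load_hosts) and deleting or commenting out every flagged line is the fix the thread arrives at; the same parser applies to lmhosts, which uses the same address-name layout.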
Hi
Far be it from me to dare add to what SirB and SheharyaarSaahil have written (as these chaps no doubt know their stuff- hi guys ;))), but I would suggest running an online virus scan on it too to check for Trojans etc, (I know you're running Norton, but trust me, even fully updated it's been really useless recently on detecting trojans - hence my suggestion). There may be some hidden process running that for whatever reason isn't getting picked up by the hijackthis logfile (odd I know). If running it in safe mode with networking support as SirB has suggested gets rid of the pop-ups, a hidden process/service etc. is even more likely to be the culprit. Make sure to note the names of any such beasties found,
Trend
http://housecall.trendmicro.com/
Panda
http://www.pandasoftware.com/activescan/
Deb :))
Try fixing the O16 entries with HJT.
Zee
ASKER
Hi Experts -
To Deb: i tried the Live Scan from Symantec - it said all was clean
To SirBounty - I loaded the Maxthon browser but the system freezes every time I try to execute the browser. I also removed 3 strange entries from the host file - They are the o16 entries which are shown above in my HJT log.
To SheharyaarSaahil - I have made several attempts at eradicating the IE - The software runs, tells me it must reboot, Then locks and never removes the IE.
Thanks to all for the assist
I'm still pretty much in the same boat except now I am getting fewer popups and the "about:blank" seems to be controlling the popups.
Any other ideas would be greatly appreciated Thanks Pat
>> To SheharyaarSaahil - I have made several attempts at eradicating the IE - The software runs, tells me it must reboot, Then locks and never removes the IE
Did u try it in Safemode ??
Hi
Sorry but am away for the weekend now - will pick this up on Monday if Sheharyaar hasn't got it licked by then ;) - I still suggest you try Trend Online - Really Norton/Symantec has been really useless of late - I've seen one totally paralysed network as a result of it missing stuff that I helped fix up last week - So try Trend Online and Panda as no AV is foolproof - just to keep me quiet?
Make sure that in folder options that you have show hidden files and system files enabled and I also suggest you download startdreck and post your config log for us to have a look at - it's like msconfig but a bit more thorough, you can get it here,
http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/frames.htm?http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
let's see if it gives any clues missed by hijackthis?
Deb :))
ASKER
Hi All - I'm back at this system today - Following Deb's advice, I have run the StartDreck program - I'm not familiar with this one so I'm not sure what I'm seeing - The log follows - Thanks as always - Pat
StartDreck (build 2.1.7 public stable) - 2004-09-06 @ 10:30:09 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as psullivan at PSULLIVAN
»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*OpwareSE2="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
*vptray=C:\Program Files\Norton AntiVirus\vptray.exe
*VBouncerDL=C:\Program Files\VBouncer\VBouncerInner.exe /S
*SESync="C:\PROGRAM FILES\SED\SED.EXE"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
*defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
`jsfile= [key or value does not exist]
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
`vbsfile= [key or value does not exist]
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FF0F750D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFABD1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFBD41=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE0D29=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
+FFFEE2B5=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
+FFFD3CE1=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD0BB1=C:\WINDOWS\EXPLORER.EXE
+FFFDA2BD=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCFA79=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
+FFFCDC1D=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
+FFFB3AA5=C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
+FFFACDF9=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF92121=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFCABED=C:\PROGRAM FILES\SED\SED.EXE
+FFFA002D=C:\UNZIPPED\WINZIP32.EXE
+FFF97441=C:\UNZIPPED\WZQKPICK.EXE
+FFFC9B0D=C:\WINDOWS\TEMP\STARTDRECK.EXE
»NT Services
»Application specific
Hi
These are suspect I think, but didn't show up in your hijack this file.
VBouncerDL=C:\Program Files\VBouncer\VBouncerInner.exe /S
SESync="C:\PROGRAM FILES\SED\SED.EXE"
Virtual Bouncer
http://www.kephyr.com/spywarescanner/library/virtualbouncer/index.phtml.
If you haven't already done so,
Go to My Computer->Tools->Folder Options->View tab and make sure that show hidden files and folders is enabled,and make sure that system files/folders are also visible.
Then restart in safe mode (hit F8 key on boot up I think till you see the option), Close all browser pages / open programs. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for this if it is still listed,
C:\PROGRAM FILES\SED\SED.EXE
Uninstall VBouncer if is there using add remove programs in control panel. Re-run hijackthis and post the log again - I am hoping that it should show more this time,
Deb :))
ASKER
Hi Deb - I appreciate your working today - I just finished the Micro Trend Scan with the following results - YOU KNOW YOUR STUFF !
Viruses Found By Trend Micro ON-Line House Call Scan:
TROJ ACHUM.A Non Cleanable C:\Program Files\NoAdware\NoAdware Backup\9,1,2004_11,56,33.zip *Mgmt
TROJ AGENT.EG Non Cleanable C:\Recycled\DC387
TROJ AGENT AE Non Cleanable C:\Recycled\DC388.cab *polmx’
TROJ AGENT AE Non Cleanable C:\Recycled\DC388.cab
TROJ AGENT.BI Non Cleanable C:Recycled\DC392
TROJ AGENT.BI Non Cleanable C:\Windows\System\sqowngn.exe
TROJ IMSERV.C Non Cleanable C:\Windows\Temp\Wupdt.exe
TROJ AGENT.EG Non Cleanable C:\twaintec.cab\ *pollall1m.exe
BKDR RULEDOR.E Non Cleanable C:\Windows\bundles\CSV5P070.exe
TROJ AGENT.AE Non Cleanable C:\Windows\POLMX.EXE
I have emptied the Recycle Bin - Can I just delete the "EXE" files ? Or is there a cleaning procedure - Thanks, Pat
Hi
First of all let housecall just delete them, then follow my suggestions in my last post - I'll check these out for any manual removal instructions or online removal tools - Told you though, Symantec/Norton is useless with these.........
Deb :))
I'd also uninstall NoAdware if you have it - some of these so called anti-spyware programs are as bad as spyware itself,
ASKER
Hi Again Deb - Following your instructions:
NoAdware is uninstalled
Vbouncer is removed
SED was not listed as a process
Micro Trend deleted files - (rerunning now)
This is the new HJT log
Logfile of HijackThis v1.97.7
Scan saved at 12:06:36 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WZQKPICK.EXE
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9
I can't believe I'm still getting PopUps !! Thanks, Pat
Hmm - Logfile of HijackThis v1.98.2 - This was your first log-file
Your second is Logfile of HijackThis v1.97.7 - which is an older version of Hijackthis - could you try post again with the newer version - Oh and you definitely changed the folder options to view hidden folders/files system folders etc?
Newer version here
http://www.greyknight17.com/downloads/HijackThis.exe
For whatever reason HJT isn't picking things up that are showing in your Startdreck log,
Will wait for new HJT log (but run this from booting normally, not safe mode)
Deb :))
Ah - the top link in this post from Sheharyaar for Hijackthis is fine too
ASKER
Shall do Deb - I forgot that the infected system has an older version - I have the system at home and I am loath to connect it to my network for obvious reasons :) - The Micro Trend is almost finished on the infected system and has found 6 Trojans this time - Once it completes, I will download a fresh HJT and rerun
I did click on the "Show All Files"
Thanks, Pat
ASKER
Hey Deb !
Latest HJT Log -
Logfile of HijackThis v1.98.2
Scan saved at 12:53:20 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\UNZIPPED\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WZQKPICK.EXE
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9
Tnx, Pat
Hi
Ok - fix these:
C:\PROGRAM FILES\WEB OFFER\WO.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
Reboot, try some surfing and see how it goes. If still pop-ups then repost your startdreck log,
Deb
ASKER
Hi Deb - After all your hard work and great insights (which are greatly appreciated), I'm sad to say that the pop-ups are still haunting me.
Latest Startdreck Log:
StartDreck (build 2.1.7 public stable) - 2004-09-06 @ 13:26:07 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at PSULLIVAN
»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*OpwareSE2="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
*vptray=C:\Program Files\Norton AntiVirus\vptray.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
*defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
`jsfile= [key or value does not exist]
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
`vbsfile= [key or value does not exist]
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Image Retriever.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FF0F7483=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFAA5F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFBCCF=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE0CA7=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
+FFFEE33B=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
+FFFD3E47=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD1687=C:\WINDOWS\EXPLORER.EXE
+FFFDA42B=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFC234B=C:\WINDOWS\RUNDLL32.EXE
+FFFCF153=C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
+FFFCCF5B=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
+FFFB220B=C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
+FFF92E23=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFBC13B=C:\UNZIPPED\WINZIP32.EXE
+FFFAC44F=C:\WINDOWS\TEMP\STARTDRECK.EXE
»NT Services
»Application specific
Thanks - Pat
This is a tricky little sod this isn't it? -
Have a look in Control Panel - add/remove programs - uninstall anything like:
Web Offer etc. - Guaranteed problem
Make sure you have deleted the following folders:
C:\Program Files\VBouncer\
C:\PROGRAM FILES\SED\
C:\PROGRAM FILES\WEB OFFER
Restart - Re-check that show all files in folder options is still checked
Using current hijackthis
1) Re-post log
2) In hijackthis click config - misc tools - open hosts file manager - check and post any, then delete any that aren't either 127.0.0.1, or have not been specifically added by yourself
3) In hijackthis click config - misc tools - Click open process manager - make sure to check the box marked "show dll's" - Click refresh - then click on the little floppy disk icon, save the text file and post that here too!
Just trying to be thorough now and examine all entries - something must still be there - it's just not showing up right now (or I've missed it!)
Deb :))
ASKER
Hi Deb -- You are patient - Thanks - I went through Add/Remove and I find one entry which is unfamiliar - "ChainCast Proxy (Remove Only)" - It will not remove, says the DLL can not be found - Mean anything to you?
I am continuing with your other ideas -be back soon - Pat
ASKER
OH - the DLL it can't find was called CCMP392.DLL in the System folder
I'm not familiar with chaincast proxy but it appears to be linked to streaming audio - wouldn't appear to be spyware from what I can tell
http://www.chaincast.com/support/products/vmr_3.0/faq.html
Deb :))
ASKER
Hi Deb - I have removed anything that I am not sure is a valid install. - The logs follow:
Logfile of HijackThis v1.98.2
Scan saved at 2:31:42 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O16 - DPF: AwAgencyIntegrator - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: AgencyWorks - https://ai.agencyworks.com/classes/AGWORKS.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://awreports.agencyworks.com/viewer9/activeXViewer/activexviewer.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9
_______
This is the hosts file -
I did not enter these
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
The Process List
Process list saved on 2:36:58 PM, on 09/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
[full path to filename] [file version] [company name]
C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.0.2222 Microsoft Corporation
C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.10.0.2222 Microsoft Corporation
C:\WINDOWS\SYSTEM\MPREXE.EXE 4.10.0.1998 Microsoft Corporation
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE 7.51.0.847 Symantec Corporation
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE 7.51.0.1 Symantec Corporation
C:\WINDOWS\SYSTEM\mmtask.tsk 4.3.0.1998 Microsoft Corporation
C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Microsoft Corporation
C:\WINDOWS\SYSTEM\RPCSS.EXE 4.71.2900.0 Microsoft Corporation
C:\WINDOWS\RUNDLL32.EXE 4.10.0.1998 Microsoft Corporation
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE 12.0.0.1 ScanSoft, Inc.
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE 7.51.0.847 Symantec Corporation
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\XDCLA.EXE 5.0.0.0 ScanSoft, Inc.
C:\WINDOWS\SYSTEM\DDHELP.EXE 4.9.0.900 Microsoft Corporation
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE 1.98.0.2 Soeperman Enterprises Ltd.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 6.0.2800.1106 Microsoft Corporation
C:\WINDOWS\SYSTEM\PSTORES.EXE 5.0.1877.3 Microsoft Corporation
DLLs loaded by process :
[full path to filename] [file version] [company name]
C:\WINDOWS\SYSTEM\ATIMPPIF.DLL 4.10.1.2251 ATI Technologies Inc.
C:\WINDOWS\SYSTEM\USER32.DLL 4.10.0.2227 Microsoft Corporation
C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.0.1998 Microsoft Corporation
C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.0.1675 Microsoft Corporation
C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.0.2222 Microsoft Corporation
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
I hope you see something exciting !! It looks pretty normal to me.
Tnx - Pat
In hijack this
Check the following and click fix checked
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
Then edit the host file in hijackthis - leave only the following entry
127.0.0.1 localhost
Delete these
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
Reboot and repost the logs - see if it helps any
Deb :))
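Deb's hosts-file check above, turned into a small audit script as an added example (my code, written for this thread; it is not from HijackThis or from any poster). It parses a hosts file, sorts every entry into "ok" (the single `127.0.0.1 localhost` line), "blocked" (loopback mappings of other names, typical of ad blockers and spyware-removal leftovers) and "redirect" (a real address for a name, which is how a search hijacker sends `auto.search.msn.com` elsewhere), writes the cleaned file Deb asked for, and keeps a hash so the file can be re-checked after the reboot to see whether something rewrote it. The sample hosts content is constructed from the entries Pat posted.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example, not part of the original thread.  The sample below is
constructed from the entries the asker posted.
"""
import hashlib
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the asker's entries plus the one line a clean
# Win98 hosts file should carry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
# comment lines and blank lines are ignored

69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:  # blank, comment-only, or malformed line
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def classify(ip: str, names: List[str]) -> str:
    """Classify one entry: 'ok', 'blocked', 'redirect' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"  # address column is not an IP at all
    if addr in LOOPBACK:
        # Loopback for anything other than localhost silently blocks that
        # name; harmless at worst, but not something the user typed.
        return "ok" if names == ["localhost"] else "blocked"
    # A non-loopback address for a name overrides DNS for it: this is the
    # search-hijack pattern seen in the O1 lines of the HijackThis log.
    return "redirect"


def audit(text: str) -> Dict[str, List[str]]:
    """Group the entries of a hosts file by classification."""
    report: Dict[str, List[str]] = {"ok": [], "blocked": [], "redirect": [], "invalid": []}
    for ip, names in parse_hosts(text):
        report[classify(ip, names)].append(f"{ip} {' '.join(names)}")
    return report


def clean_hosts(text: str, user_added: Iterable[str] = frozenset()) -> str:
    """Return the hosts file Deb asked for: localhost plus only the names
    the user knowingly added themselves (user_added), nothing else."""
    keep = set(user_added)
    lines = ["127.0.0.1 localhost"]
    for ip, names in parse_hosts(text):
        if classify(ip, names) != "ok" and keep.intersection(names):
            lines.append(f"{ip} {' '.join(names)}")
    return "\n".join(lines) + "\n"


def fingerprint(text: str) -> str:
    """SHA-256 of the file content, recorded before the reboot."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def was_rewritten(before: str, after: str) -> bool:
    """True if the content read after the reboot differs from what was saved;
    a changed hosts file means something still running is re-adding entries."""
    return fingerprint(before) != fingerprint(after)


if __name__ == "__main__":
    for kind, lines in audit(SAMPLE_HOSTS).items():
        for line in lines:
            print(f"{kind:8} {line}")
    cleaned = clean_hosts(SAMPLE_HOSTS)
    print("--- cleaned ---")
    print(cleaned, end="")
    print("rewritten:", was_rewritten(cleaned, SAMPLE_HOSTS))
```

The "redirect" class is the one that matters: a loopback block only stops a name from resolving, but a redirect hands a trusted name to an address the user never chose. Seeing entries come back after a fix, as Pat reports, is the signal to look for the process doing the writing rather than at the file itself.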
ASKER
HI
I "Fixed" the entries you mentioned above in the O1 section - They immediately reappeared at the bottom of the list - I deleted those as well - but on reopening the hosts file - they were back - Do you think these are the source of the problem ?
Perhaps at this point I should format the drive. What do you think? (Or as we say in New Jersey, Whaddayathink?)
P
ASKER
Deb - The exact same settings are back in HJT after a full shutdown. I find that if I unplug the internet - I get 15 or more attempts to find the internet. If the internet is connected and I leave the system alone for about 20 mins. I come back to 70 or 80 pop-ups.
While I appreciate your working with me, I'm sure you have a life - If you must abandon me here, Thanks, and I understand - This has been 8 hours of work so far.
best regards, Pat
ASKER
Not that I don't appreciate all that you have done - You are the best !!!!!
Hi
No probs - and no I won't be abandoning this! Can't promise I'll sort it - but here's another suggestion, as there is obviously some hidden activity going on that's spawning this little lot, so what you've posted isn't a surprise. However we do need to find it, and the following is a useful little tool that I've used before to get rid of some real nasties,
Download and install this,
http://tds.diamondcs.com.au/
then make sure that you also download the update scanner file from here
http://www.diamondcs.com.au/tds/radius.td3
Make sure you put this file above into the TDS-3 folder - ie C:\Program Files\TDS-3
Then use it to run a full system scan and let us know what it finds. You can re-install but it depends on how easy it is to get your data off and then reload it along with all your applications. I'd maybe give it a bit longer first,
Deb :))
ASKER
You have heart Deb !! There are more than 120 applications on this system - about 12 hours work to reinstall and about 40Mb of scientific data. I'm going with your plan.
We'll talk soon
regards, Pat
Wondering about these too:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Nick
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.103.0.2,207.103.11.9
Also just checking - are you on a domain and what is agencyintegrator and agencyworks?
Deb :))
ASKER
Hi Deb
The Domain = Nick I put in to get this system on my local internet carrier from home - The ips 207.103 etc. are my local carrier Gateway (Verizon) domain Ips
ASKER
Hi
The TDS-3 scan is still running
Agencyworks/Agencyintegrator is an internet App the client uses for day-to-day ops.
ASKER
News and Update
The TDS-3 scan is still running
One Alarm so far = Adware.MetaDirect.dll - in the recycled bin (DC37.dll)
ASKER
Hi Again Debs - Sadly, this is all we have to report - scan complete - log follows:
18:48:19 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:48:19 [Init] Started 06-09-04 18:48:19 Eastern Standard Time (UTC: 5), Internet Time @991.89
18:48:19 [Init] Loading TDS-3 Systems ...
18:48:19 [Init] Token successfully adjusted.
18:48:19 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:48:19 [Init] • Plugins : OK. Loaded 13
18:48:19 [Init] • Exec Protection : Not Installed
18:48:19 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:48:19 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:48:19 [Init] Licensed users can use the Update facility from the TDS menu
18:48:19 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:48:32 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:48:32 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
18:48:32 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
18:48:41 [Init] TDS-3 Ready. <Psullivan@207.103.64.181, 0.0.0.0, 127.0.0.1 - United States>
18:48:41 [Tip Of The Day] If you're suspicious about a certain file, use the String Extractor (from the Utilities menu). This will run through the file and strip out ANSI strings of 5 characters or more in length, enabling you in some cases to get a better 'view' of the file.
18:48:41 [TDS] Good evening Psullivan. What time do you finish work tonight?
18:48:43 [Mutex Memory Scan] Started...
18:48:44 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:48:44 [Trace Scan] Started...
18:49:11 [Trace Scan] Finished.
18:49:11 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:51:41 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr0.txt
18:51:48 [CRC32] Started - verifying 29 files ...
18:51:49 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
18:51:51 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
18:51:51 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
18:51:53 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
18:51:54 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
18:51:54 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
18:51:55 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
18:51:55 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
18:51:56 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
18:52:09 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
18:52:10 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
18:52:14 [CRC32] Test finished.
18:52:35 [Memory Scan] Memory scan started, please wait a moment ...
18:53:00 [Memory Scan] Memory scan complete.
18:53:00 [Mutex Memory Scan] Started...
18:53:02 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:53:02 [Trace Scan] Started...
18:53:29 [Trace Scan] Finished.
18:53:29 [Service\Driver Scan] Scanning for services and drivers ...
18:53:29 [Service\Driver Scan] Scanned 14 services and drivers.
18:53:29 [File Scan] Scanning in A:\ ...
18:53:31 [File Scan] Scanned 0 files: 0 alarms in 2.367188 seconds (Avg 1. files/sec)
18:53:31 [File Scan] Scanning in C:\ ...
19:28:07 [File Scan] Scanned 27852 files: 1 alarms in 2075.188 seconds (Avg 14.42 files/sec)
19:28:07 [File Scan] Scanning in D:\ ...
19:30:22 [File Scan] Scanned 467 files: 1 alarms in 135.2266 seconds (Avg 4.45 files/sec)
19:30:23 [Scan] Finished.
19:31:17 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr1.txt
19:31:45 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr2.txt
19:32:18 [Text Dump] Saved to C:\PROGRAM FILES\TDS3\scandump.txt
19:32:38 [Quit] Unloading ...
Scan Dump
Scan Control Dumped @ 19:32:18 06-09-04
Positive identification (DLL): Adware.MetaDirect (dll)
File: c:\recycled\dc37.dll
best, Pat
ASKER
Hi Deb et al - In your absence I reran SpyBot - 159 problems found - fixed - and the pop-ups keep on coming.
I have reached the end of the line - I will plead insanity to the customer and spend tomorrow reinstalling all the software and network links - Thank you for working with me on this - Your help is always appreciated -
I'll check back in a couple of hours in case anyone had a brainstorm while I am backing up all this data
Best Regards, Pat
ASKER CERTIFIED SOLUTION
Hi
Thanks - did I help at all though?
On second thoughts - XP sp1 is safer - wait until they've fixed sp2 so it works properly and doesn't crash your system!
Deb :))
See if you can find the file MQTCP.DLL (File will be Hidden, System, and Read-Only) in your System or System32 directory. I'm not sure how you could disable it in a 2K or XP system, but it's a possible cause for the popups and host file being rewritten every 5 seconds.
Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe