Detected SPYware! System error #384

[littlegreenguy]

Hiya, I'm new here so am hoping i'm doing everything right

I seem to have this thing that I've noticed on other threads where I get a Detected SPYware! System error #384 page displaying from C:\WINDOWS\secure.html whenever I open up Ie.

When I try to go to a web page I get hit with: 'Virgin lovers' and a 'Connected via NTLI' warning page trying to sell me some junk to get rid of it!! HA! pirates!!

I Ad-awared and NAVed in safe mode but it didn't get shot of it...

Downloaded hijackthis and here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 16:47:19, on 03/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\REG32.EXE
C:\PROGRAM FILES\COPERNIC 2001 PRO\COPERNIC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\HPZSTC05.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.catlist.com/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

Very much hope that you can help me

Many thanks,

Nick

[slammer_JvA]

Hi Nick, welcome at Wilders!

You've come to the right place, it's only a matter of little time/patience and help is on its way. Since I'm a newbie here too, I'll suggest you to wait for the expertadvice from Pieter_Arntz, or any other more experienced member-it wont be long.
They sure have helped me great.

In the meantime I feel safe enough to suggest to you 2 things, you might do:

1) Did you happen to take a look on this thread already:
http://www.wilderssecurity.com/showthread.php?t=23416
It may give you some inside in advance for your specific problem.

2) To start with run cwshreder from http://www.wilderssecurity.com/attachments/cwshredder1521.zip

and then post a new hjt log when done please.

These things you can safely do, but if you wanna be absolutely clear, wait for the master

Goodluck and enjoy your stay here!

Grtz,
Slammer

[subratam]

Hi littlegreenguy,

welcome to wilders

you can visit these two places

1. http://www.whirlywiryweb.com/removeezula.htm
(why? O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe)

2. http://www.doxdesk.com/parasite/IPInsight.html
(why? O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL)

thank you

EDIT: slammer I dont think he needs to download CWShredder for this.
Nick just check if you have given the full Hijack log .are there some entries like
016 -
017 -
Unzy has given the answers so I will cease of
removed my incomplete fixes

[Unzy]

Hi Nick

Have only Hijackthis running and fix :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.catlist.com/

O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

Restart the PC after doing so and remove :

C:\WINDOWS\REG32.EXE <- this file
C:\Program Files\ebkrdr <- this folder
winmain.exe <- this file, search via start -> search -> files / folders

Hope this helps

Cheers,

[slammer_JvA]

Quote:

quoting: subratam link=board=17;threadid=23526;start=0#msg139145 date=1078334972]

EDIT: slammer I dont think he needs to download CWShredder for this.

There you go, Nick!

You see: a little 'false' advice (mea culpa-still learning too here ) just speeded the attraction to solve your problem

@ Subratam: Did I mention alreay you've got the most beautiful eyes ?
hahaha grtz pal!

[subratam]

Hi slammer,

as the tradition goes on, the knowledge is passed from hand to hand.
so as pieter said to me, I am saying to u.
CWShredder eradicates only CoolWebSearch chronicles and not everyone should be adviced to download that but only those who are affected by the CWS variations
I am sure you will find help from here
http://www.wilderssecurity.com/showthread.php?t=14086
Lets not talk here anymore . if you want to continue IM me or any experts as its the thread for Nick's solution and he may get confused.
see ya soon
NB: I have spyware eyes

[littlegreenguy]

Wow! what a response...I was thining I'd be waiting round days! thanks everyone for your input.

I did as you say and fixed those things and rebooted. I found the first file and deleted that - but couldn't see the other two.

The same problem seems to be happening though.

My latest log reads:

Logfile of HijackThis v1.97.7
Scan saved at 21:28:03, on 03/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\REG32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

Some of the things I fixed seem to have reappeared (grr!!)

Also, I'm running ad-watch and that is going crazy, stopping reg mods every 2 secs or so!!

AHHHH!!

[Pieter_Arntz]

Hi littlegreenguy,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O4 - HKLM\..\Run: [winmain] winmain.exe

Then reboot into safe mode
and delete:
C:\WINDOWS\REG32.EXE
winmain.exe

If you can not find them they may be a hidden file(s).
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

Regards,

Pieter

[littlegreenguy]

Marvellous!! You guys R legends!!! The nasty pop up thing has gone!! yayyy!! Can't even thankyou enough D Thankyou heaps! If you ever need any advice on guitars or guitar playing...my services are open to you!

The Pop ups have gone and the home page is restored, but the smutty stuff still seems to appear in Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 23:19:11, on 04/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

I looked everywhere for winmain.exe and can't find it...all folders set to show n all. Also, can't see ebkrdr folder, just not there! tried in safe mode and with adaware and hijack, but still keep appearing.

[Pieter_Arntz]

Hi littlegreenguy,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php

O4 - HKLM\..\Run: [winmain] winmain.exe

O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

O4 - HKCU\..\RunServices: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

Then reboot and post a new log.

Regards,

Pieter

[littlegreenguy]

Thanks Peiter,

Heres what is happening at the moment. I rebooted in safe mode and ran hijack and deleted the files you said,

This gave me a fresh log of this:

Logfile of HijackThis v1.97.7
Scan saved at 14:17:03, on 05/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

I then rebooted into normal mode and adwatch warned me about the files wanting to come back. I re-ran hijack before accepting or blocking the warnings and got a similar log...all clean. I then blocked the reg mod requests and ran another scan and got this:

Logfile of HijackThis v1.97.7
Scan saved at 14:21:54, on 05/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

With them all back!! Nightmare!

Nick

[Pieter_Arntz]

Aargh,

Do me a favor and in HijackThis click Config > Misc Tools > Generate Startuplist
That will produce a text file. Post the content of that file please.

Regards,

Pieter

[littlegreenguy]

here you go:

StartupList report, 05/03/04, 17:23:16
StartupList version: 1.52
Started from : C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2919.6304)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\POWERTAB\PTEDITOR.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMDIAG.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Tabscr = c:\program files\gtablet\gtab.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
LoadQM = loadqm.exe
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb05.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Ad-watch = C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winmain = winmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
media_manager = C:\Program Files\ebkrdr\mediaman.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 4/3/2004, 15:37:28)

[Rename]
NUL=c:\windows\cookies\nick alexander@sextracker[1].txt
NUL=c:\windows\cookies\nick alexander@counter15.sextracker[1].txt
NUL=c:\windows\cookies\nick alexander@mediaplex[1].txt
NUL=c:\windows\cookies\nick alexander@valueclick[1].txt
NUL=c:\windows\cookies\nick alexander@bfast[2].txt
NUL=c:\windows\cookies\nick alexander@gator[1].txt
NUL=c:\windows\cookies\nick alexander@qksrv[1].txt
NUL=c:\windows\cookies\nick alexander@z1.adserver[1].txt
NUL=c:\windows\cookies\nick alexander@adviva[2].txt
NUL=c:\windows\cookies\nick alexander@atdmt[1].txt
NUL=c:\windows\cookies\nick alexander@doubleclick[1].txt

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\DAP\DAPBHO.DLL - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 5,958 bytes
Report generated in 0.124 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


many thanks, nick

[Pieter_Arntz]

Hi nick,

Could you please try this:
Disable AdWatch, fix all the items I posted a few posts back and immediately reboot into safe mode.
Run HijackThis and save the log.
Then boot normally and save the log again.
Posts the last log, but hang on to the one made in safe mode. I may need to see that.

Regards,

Pieter

[littlegreenguy]

nice one!
here is the log after logging back into real mode:

Logfile of HijackThis v1.97.7
Scan saved at 20:22:39, on 06/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

All looking clear as a bell!

is the problem with adwatch then?

[Pieter_Arntz]

The problem may be in the settings of AdWatch.
Re-enable it and read the messages and options it gives you carefully.

In trying to protect you it reports any change from the old values, so it blocked the removal we were trying to accomplish.

Did you ever consider installing IE6?
It would give you some options to block all the tracking cookies and is overall more secure then the version you are using now.

Regards,

Pieter

[littlegreenguy]

Thats fantastic Pieter, many many thanks indeed. It's a good service that you are doing I will review adwatch.

I tried Ie6, but didn't get on with it. It crashed more than a microsoft test dummy. But maybe will look at trying it again.

Thanks again for all your help. Much appreciated.

Nick

[Pieter_Arntz]

My pleasure.

Pieter