Detected SPYware! System error #384

Discussion in 'adware, spyware & hijack cleaning' started by littlegreenguy, Mar 3, 2004.

  1. littlegreenguy

    littlegreenguy Registered Member

    Joined:
    Mar 3, 2004
    Posts:
    7
    Hiya, I'm new here so am hoping I'm doing everything right :)

    I seem to have this thing that I've noticed on other threads where I get a Detected SPYware! System error #384 page displaying from C:\WINDOWS\secure.html whenever I open up IE.

    When I try to go to a web page I get hit with: 'Virgin lovers' and a 'Connected via NTLI' warning page trying to sell me some junk to get rid of it!! HA! pirates!!

    I Ad-awared and NAVed in safe mode but it didn't get shot of it...

    Downloaded hijackthis and here is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:47:19, on 03/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\REG32.EXE
    C:\PROGRAM FILES\COPERNIC 2001 PRO\COPERNIC.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\HPZSTC05.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.catlist.com/
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe
    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

    Very much hope that you can help me

    Many thanks,

    Nick
     
  2. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    Hi Nick, welcome at Wilders! :)

    You've come to the right place; it's only a matter of a little time/patience and help is on its way. Since I'm a newbie here too, I'd suggest you wait for the expert advice from Pieter_Arntz, or any other more experienced member; it won't be long.
    They sure have helped me greatly.

    In the meantime I feel safe enough to suggest two things you might do:

    1) Did you happen to take a look at this thread already:
    http://www.wilderssecurity.com/showthread.php?t=23416
    It may give you some insight in advance for your specific problem.

    2) To start with, run CWShredder from http://www.wilderssecurity.com/attachments/cwshredder1521.zip

    and then post a new HJT log when done, please.

    These things you can safely do, but if you want to be absolutely sure, wait for the master :D

    Good luck and enjoy your stay here!
    *puppy*
    Grtz,
    Slammer
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi littlegreenguy,

    welcome to wilders :)

    you can visit these two places

    1. http://www.whirlywiryweb.com/removeezula.htm
    (why? O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe)

    2. http://www.doxdesk.com/parasite/IPInsight.html
    (why? O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL)

    thank you

    EDIT: slammer, I don't think he needs to download CWShredder for this.
    Nick, just check if you have given the full HijackThis log. Are there some entries like
    O16 -
    O17 -
    Unzy has given the answers, so I will cease :)
    removed my incomplete fixes
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Nick :)

    Have only Hijackthis running and fix :

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.catlist.com/

    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - (no file)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe
    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

    Restart the PC after doing so and remove :

    C:\WINDOWS\REG32.EXE <- this file
    C:\Program Files\ebkrdr <- this folder
    winmain.exe <- this file, search via start -> search -> files / folders

    Hope this helps

    Cheers,
     
  5. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    :oops: ;) There you go, Nick!

    You see: a little 'false' advice (mea culpa, still learning too here :oops:) just sped up the attraction to solve your problem ;)

    @ Subratam: Did I mention already you've got the most beautiful :rolleyes: eyes :rolleyes: ?
    hahaha grtz pal!
     
  6. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi slammer,

    As the tradition goes on, the knowledge is passed from hand to hand.
    So, as Pieter said to me, I am saying to you:
    CWShredder eradicates only CoolWebSearch chronicles, and not everyone should be advised to download it, but only those who are affected by the CWS variations.
    I am sure you will find help here:
    http://www.wilderssecurity.com/showthread.php?t=14086
    Let's not talk here anymore. If you want to continue, IM me or any of the experts, as this is the thread for Nick's solution and he may get confused.
    See ya soon
    NB: I have spyware eyes :D
     
  7. littlegreenguy

    littlegreenguy Registered Member

    Joined:
    Mar 3, 2004
    Posts:
    7
    Wow! What a response... I was thinking I'd be waiting around for days! Thanks everyone for your input.

    I did as you said and fixed those things and rebooted. I found the first file and deleted that, but couldn't see the other two.

    The same problem seems to be happening though.

    My latest log reads:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:28:03, on 03/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\REG32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

    Some of the things I fixed seem to have reappeared (grr!!)

    Also, I'm running ad-watch and that is going crazy, stopping reg mods every 2 secs or so!!

    AHHHH!!
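What the helpers are doing by hand across these two logs is spotting hijack indicators and noticing which ones came back after a fix. As an added example that is not part of this thread and not HijackThis's own code, the Python below parses HJT-style R0/R1, O2 and O4 lines, flags the patterns discussed here (an IE start/search page pointing at a local file or at a domain the helpers told the poster to fix, an orphaned BHO with no DLL, a Run entry with no path that is not a known Windows 9x item) and reports which flagged entries persist between two scans. The log excerpts, the allowlist and the blocklist are constructed for the example from entries that appear in this thread.

```python
import re
from urllib.parse import urlsplit

# Operator-supplied lists, constructed for this example. The allowlist holds
# path-less Run entries that are normal on Windows 9x (taken from the logs in
# this thread); the blocklist holds the domains the helpers said to fix.
BARE_ALLOWLIST = {"systray.exe", "loadqm.exe", "mstask.exe", "rundll32.exe"}
DOMAIN_BLOCKLIST = {"only-virgins.com", "catlist.com"}

# HijackThis line shapes: R0/R1 IE page settings, O2 BHOs, O4 Run/RunServices.
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK(?:CU|LM)\\\.\.\\Run(?:Services)?): \[([^\]]+)\] (.*)$")

# Constructed excerpts modelled on the first and second logs in this thread.
LOG_INITIAL = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/",
    r"O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [winmain] winmain.exe",
    r"O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe",
]
LOG_AFTER_FIX = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [winmain] winmain.exe",
]


def domain_of(url):
    """Registrable-ish domain (last two labels) of a URL's host; crude but enough for a blocklist."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_line(line):
    """Return a reason if the line looks like hijack or persistence residue, else None."""
    m = R_LINE.match(line)
    if m:
        value = m.group(4).strip()
        if not value.lower().startswith(("http://", "https://")):
            return "IE start/search page points at a local file instead of a URL"
        if domain_of(value) in DOMAIN_BLOCKLIST:
            return "IE start/search page points at a blocklisted domain"
        return None
    m = O2_LINE.match(line)
    if m and m.group(3).strip().lower() == "(no file)":
        return "orphaned BHO registration (DLL missing)"
    m = O4_LINE.match(line)
    if m:
        cmd = m.group(3).strip()
        # A quoted command has the executable between the first pair of quotes.
        if cmd.startswith('"') and cmd.count('"') >= 2:
            exe = cmd[1:cmd.index('"', 1)]
        else:
            exe = cmd.split()[0] if cmd else ""
        bare = "\\" not in exe and ":" not in exe
        if bare and exe.lower() not in BARE_ALLOWLIST:
            return "Run entry with no path: resolved via the search path, not a known system item"
    return None


def triage(lines):
    """List (line, reason) for every flagged line, in log order."""
    out = []
    for raw in lines:
        line = raw.strip()
        reason = check_line(line)
        if reason:
            out.append((line, reason))
    return out


def persisting(before_lines, after_lines):
    """Flagged entries present in both scans: evidence of something re-writing them, not a one-off."""
    after_flagged = {line for line, _ in triage(after_lines)}
    return [line for line, _ in triage(before_lines) if line in after_flagged]


if __name__ == "__main__":
    for line, reason in triage(LOG_INITIAL):
        print(f"[{reason}] {line}")
    print("Persisting after fix:")
    for line in persisting(LOG_INITIAL, LOG_AFTER_FIX):
        print("  " + line)
```

Entries with a full path (such as the ebkrdr stub) are deliberately not flagged by a rule; as subratam's post shows, those are identified by looking the path up, and a lookup list is the natural extension. Anything reported by `persisting` after a fix-and-reboot is the cue to look for a running process or a second Run/RunServices entry that restores the keys, which is exactly what the later posts in this thread go after.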
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi littlegreenguy,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    O4 - HKLM\..\Run: [winmain] winmain.exe

    Then reboot into safe mode
    and delete:
    C:\WINDOWS\REG32.EXE
    winmain.exe

    If you cannot find them, they may be hidden files.
    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Regards,

    Pieter
     
  9. littlegreenguy

    littlegreenguy Registered Member

    Joined:
    Mar 3, 2004
    Posts:
    7
    Marvellous!! You guys are legends!!! The nasty pop-up thing has gone!! yayyy!! Can't even thank you enough :eek:D Thank you heaps! If you ever need any advice on guitars or guitar playing... my services are open to you!

    The Pop ups have gone and the home page is restored, but the smutty stuff still seems to appear in Hijackthis:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:19:11, on 04/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
    O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)

    I looked everywhere for winmain.exe and can't find it... all folders set to show and all. Also, I can't see the ebkrdr folder, it's just not there! Tried in safe mode and with Ad-aware and HijackThis, but they still keep appearing.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi littlegreenguy,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php

    O4 - HKLM\..\Run: [winmain] winmain.exe

    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

    O4 - HKCU\..\RunServices: [media_manager] C:\Program Files\ebkrdr\mediaman.exe

    Then reboot and post a new log.

    Regards,

    Pieter
     
  11. littlegreenguy

    littlegreenguy Registered Member

    Joined:
    Mar 3, 2004
    Posts:
    7
    Thanks Pieter,

    Here's what is happening at the moment. I rebooted in safe mode, ran HijackThis and deleted the files you said.

    This gave me a fresh log of this:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:17:03, on 05/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    I then rebooted into normal mode and Ad-Watch warned me about the files wanting to come back. I re-ran HijackThis before accepting or blocking the warnings and got a similar log... all clean. I then blocked the registry modification requests and ran another scan and got this:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:21:54, on 05/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.catlist.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.catlist.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://images.only-virgins.com/secure.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/secure.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/secure.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Ad-watch] C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    With them all back!! Nightmare!

    Nick
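A practitioner reading the two logs above would want to line them up mechanically rather than by eye. The Python below is an added example, not part of the thread and not code from HijackThis: it parses abridged copies of the two logs (constructed inline from the lines posted above), reports which entries came back between the "all clean" scan and the next one, and groups them by what makes them worth a look. The allow-list of expected start-page hosts and the category names are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# A HijackThis 1.97 entry starts with a section code such as R0, R1, O2, O4, O16.
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - .+$")

# Hosts the owner of this machine treats as legitimate start/search pages.
# Assumption for the example, taken from the logs posted above.
EXPECTED_HOSTS = {"www.yahoo.co.uk", "www.msn.com"}

# Constructed, abridged copies of the two logs in the thread: the safe-mode
# "all clean" log and the one taken after Ad-Watch blocked the registry changes.
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

REINFECTED_LOG = CLEAN_LOG + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.catlist.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/secure.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
"""


def parse_hjt(log: str) -> Set[str]:
    """Set of entry lines in a log; the header and process list are ignored."""
    return {ln.strip() for ln in log.splitlines() if HJT_ENTRY.match(ln.strip())}


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(entries that appeared, entries that disappeared) between two scans."""
    old, new = parse_hjt(before), parse_hjt(after)
    return new - old, old - new


def url_host(entry: str) -> str:
    """Host of the first http(s) URL in an entry, or '' if there is none."""
    m = re.search(r"https?://([^/\s]+)", entry)
    return m.group(1).lower() if m else ""


def autorun_command(entry: str) -> str:
    """Program of an O4 registry entry: text after the [name] tag, minus arguments."""
    m = re.search(r"\] (.+)$", entry)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):            # quoted path: "C:\Program Files\...\x.exe" /arg
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]        # unquoted: first token is the program


def triage(entries: Set[str]) -> Dict[str, List[str]]:
    """Group new entries by the reason a responder should look at them."""
    findings: Dict[str, List[str]] = {
        "ie_hijack": [],          # R0/R1 pointing at a host outside the allow-list
        "autorun_bare_name": [],  # O4 program given without a path: found via PATH search
        "autorun_new": [],        # any other new autorun
        "other": [],
    }
    for entry in sorted(entries):
        code = entry.split(" - ", 1)[0]
        if code in ("R0", "R1"):
            host = url_host(entry)
            key = "ie_hijack" if host and host not in EXPECTED_HOSTS else "other"
        elif code == "O4":
            # A bare file name is a prompt to locate the file, not proof of malice:
            # SysTray.Exe and mstask.exe are bare too and ship with Windows.
            cmd = autorun_command(entry)
            key = "autorun_bare_name" if cmd and "\\" not in cmd else "autorun_new"
        else:
            key = "other"
        findings[key].append(entry)
    return findings


if __name__ == "__main__":
    appeared, vanished = diff_logs(CLEAN_LOG, REINFECTED_LOG)
    for reason, items in triage(appeared).items():
        for item in items:
            print(f"{reason:20s} {item}")
    print(f"{len(vanished)} entries disappeared")
```

Run against the two real logs, the same diff shows exactly the set that Ad-Watch's blocked registry changes restored: the IE start/search keys, `winmain.exe` loaded by bare name from HKLM\Run, and `mediaman.exe` from HKCU\Run.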
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Aargh, :mad:

    Do me a favor and in HijackThis click Config > Misc Tools > Generate Startuplist
    That will produce a text file. Post the content of that file please.

    Regards,

    Pieter
     
  13. littlegreenguy

    littlegreenguy Registered Member

    here you go:

    StartupList report, 05/03/04, 17:23:16
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v5.00 (5.00.2919.6304)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\POWERTAB\PTEDITOR.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMJB.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MMDIAG.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Tabscr = c:\program files\gtablet\gtab.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    LoadQM = loadqm.exe
    LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb05.exe
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    Ad-watch = C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    winmain = winmain.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    media_manager = C:\Program Files\ebkrdr\mediaman.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 4/3/2004, 15:37:28)

    [Rename]
    NUL=c:\windows\cookies\nick alexander@sextracker[1].txt
    NUL=c:\windows\cookies\nick alexander@counter15.sextracker[1].txt
    NUL=c:\windows\cookies\nick alexander@mediaplex[1].txt
    NUL=c:\windows\cookies\nick alexander@valueclick[1].txt
    NUL=c:\windows\cookies\nick alexander@bfast[2].txt
    NUL=c:\windows\cookies\nick alexander@gator[1].txt
    NUL=c:\windows\cookies\nick alexander@qksrv[1].txt
    NUL=c:\windows\cookies\nick alexander@z1.adserver[1].txt
    NUL=c:\windows\cookies\nick alexander@adviva[2].txt
    NUL=c:\windows\cookies\nick alexander@atdmt[1].txt
    NUL=c:\windows\cookies\nick alexander@doubleclick[1].txt

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\PROGRAM FILES\DAP\DAPBHO.DLL - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 5,958 bytes
    Report generated in 0.124 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    many thanks, nick
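The C:\WINDOWS\WININIT.BAK section of the StartupList report is worth decoding. On Windows 9x, WININIT.EXE processes WININIT.INI at the next boot, before the shell loads; each [Rename] line reads destination=source, a destination of NUL deletes the source (here, tracking cookies, which is what a cleanup tool leaves behind), and the file is renamed WININIT.BAK once processed. The same mechanism can drop a file into the Windows tree while nothing has it locked, which is the case a responder cares about. The Python below is an added example, not from the thread: it parses a constructed sample (two cookie lines from the listing above plus one hypothetical move with made-up file names) and flags moves that land under C:\WINDOWS.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two lines copied from the WININIT.BAK listing above plus
# one hypothetical move (foo.dll / foo.tmp are made-up names) and a section
# WININIT.EXE does not process, to show the parser ignoring it.
SAMPLE_WININIT = r"""
; lines before the section are ignored
[Rename]
NUL=c:\windows\cookies\nick alexander@gator[1].txt
NUL=c:\windows\cookies\nick alexander@doubleclick[1].txt
c:\windows\system\foo.dll=c:\windows\temp\foo.tmp
[Other]
NUL=c:\not\processed.txt
"""

WINDOWS_TREE = "c:\\windows\\"   # assumed install path, as in the logs above


@dataclass
class RenameOp:
    dest: str     # left of '=': where the file ends up, or NUL
    source: str   # right of '=': the file WININIT.EXE acts on

    @property
    def action(self) -> str:
        return "delete" if self.dest.upper() == "NUL" else "move"

    @property
    def replaces_windows_file(self) -> bool:
        """A move whose target is inside the Windows tree: a file that would be
        locked while Windows runs is being swapped out before the GUI loads."""
        return self.action == "move" and self.dest.lower().startswith(WINDOWS_TREE)


def parse_rename(text: str) -> List[RenameOp]:
    """Entries of the [Rename] section of a WININIT.INI/.BAK, in execution order."""
    ops: List[RenameOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, source = (part.strip() for part in line.split("=", 1))
            ops.append(RenameOp(dest=dest, source=source))
    return ops


def summarize(ops: List[RenameOp]) -> Dict[str, int]:
    """Counts a responder would want at a glance."""
    return {
        "delete": sum(op.action == "delete" for op in ops),
        "move": sum(op.action == "move" for op in ops),
        "replaces_windows_file": sum(op.replaces_windows_file for op in ops),
    }


if __name__ == "__main__":
    ops = parse_rename(SAMPLE_WININIT)
    for op in ops:
        flag = "  <-- check the source file" if op.replaces_windows_file else ""
        print(f"{op.action:6s} {op.source} -> {op.dest}{flag}")
    print(summarize(ops))
```

On the listing in the report every line is NUL=cookie, so it is consistent with a cleanup pass rather than with the hijacker; a move onto a file under C:\WINDOWS\SYSTEM would be the line to chase.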
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi nick,

    Could you please try this:
    Disable AdWatch, fix all the items I posted a few posts back and immediately reboot into safe mode.
    Run HijackThis and save the log.
    Then boot normally and save the log again.
    Post the last log, but hang on to the one made in safe mode. I may need to see that.

    Regards,

    Pieter
     
  15. littlegreenguy

    littlegreenguy Registered Member

    Nice one!
    Here is the log after logging back into real mode:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:22:39, on 06/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\FIREGRAPHIC\FIREGRAPHIC XP\FIREGRAPHICXP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tabscr] c:\program files\gtablet\gtab.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Firegraphic XP.lnk = C:\Program Files\Firegraphic\Firegraphic XP\FiregraphicXP.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Copernic (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    All looking clear as a bell!

    Is the problem with Ad-Watch then?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    The problem may be in the settings of AdWatch.
    Re-enable it and read the messages and options it gives you carefully.

    In trying to protect you it reports any change from the old values, so it blocked the removal we were trying to accomplish.

    Did you ever consider installing IE6?
    It would give you some options to block all the tracking cookies and is overall more secure than the version you are using now.

    Regards,

    Pieter
     
  17. littlegreenguy

    littlegreenguy Registered Member

    That's fantastic Pieter, many many thanks indeed. It's a good service that you are doing :) I will review Ad-Watch.

    I tried IE6, but didn't get on with it. It crashed more than a Microsoft test dummy. But maybe I will look at trying it again.

    Thanks again for all your help. Much appreciated.

    Nick
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    My pleasure. :)

    Pieter
     