plus18 adware

Discussion in 'privacy problems' started by Detox, Aug 11, 2004.

Thread Status:
Not open for further replies.
  1. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
Anyone have more info on this one?

    Friend of a friend - in Europe lol - has it - they've cleaned it, but I think only this reg entry

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html

    and not the 3 others that seem associated according to what I've been able to find with Google. Anyone know more that might be helpful? Of course, if they use HijackThis and clean the 4 entries likely associated, it might not come back.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Still looking but I did find one link that I'm attempting to translate.

    This link---> http://users.telenet.be/marcvn/spyware/1017921.htm

     
  3. Detox

    Detox Retired Moderator

That's the one I had found where I saw the 4 entries - luckily enough the guys are Dutch - so it doesn't need a translator ;-)

    Just kinda hoped maybe someone would be familiar with this one :D
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  5. Detox

    Detox Retired Moderator

    ah - very good, thanks! I'll send that along also. Think they oughta have it under control from here :cool:
     
  6. Cas

    Cas Guest

Plus18Point SwitchDialer:

    Registry items installed by Plus18Point:

    HKEY_CLASSES_ROOT\.cxq
    HKEY_CLASSES_ROOT\.mxq
    HKEY_CLASSES_ROOT\Applications\srv2.exe
    HKEY_CLASSES_ROOT\Applications\srv2.exe\shell
    HKEY_CLASSES_ROOT\Classes
    HKEY_CLASSES_ROOT\Classes\shell
    HKEY_CLASSES_ROOT\Classes\shell\open
    HKEY_CLASSES_ROOT\Classes\shell\open\command
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-callswitch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/run.cxq
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/srv2.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Classes"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch
    HKEY_LOCAL_MACHINE\SOFTWARE\Plus18Point
    HKEY_LOCAL_MACHINE\SOFTWARE\SwitchDialer

    Installed in the file system:

    c:\Documents and Settings\username\Local Settings\Temp\$Plus18Point
    c:\Program Files\Plus18Point
    c:\Documents and Settings\username\Desktop\More Games .lnk
    c:\WINDOWS\run.cxq
    c:\WINDOWS\srv2.exe
    c:\WINDOWS\Downloaded Program Files\srv2.inf
    c:\WINDOWS\system32\srv2.exe
    c:\WINDOWS\system32\CatRoot2\tmp.edb

    How to delete:

    Restart in Safe Mode (press F8 during restart).
    Make hidden files visible in all folders:

    Start -> Control Panel -> Folder Options -> View
    Uncheck "Hide protected operating system files",
    check "Show hidden files and folders", press OK.

    Remove these files:

    Search for:
    run.cxq, cxq, mxq, srv2.inf, srv2.exe, switchdialer, x-callswitch, Plus18Point,

    both in the file system and in the registry (regedit).
    Clear Temp, History and Content.IE5.

    Temp -> C:\Documents and Settings\username\Local Settings\Temp
    History -> C:\Documents and Settings\username\Local Settings\History
    Content.IE5 -> C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5

    Reset your home start page and reboot in normal mode.

    greets,

    Cas
     
  7. 4MOTION

    4MOTION Guest


Well, I did use HijackThis and deleted the lines that included pluspoint18,
    deleted the main plus18point folder.
    After I did that everything was OK until the reboot; everything was back.
    What I didn't know is that it uses srv2.exe as a system resource. Since I'm using Radmin on one of the infected machines, I thought it was the Radmin server program running.

    Note: the srv2.exe file has no icon, and can be found very quickly using the search option.

    The computer that was infected is clean now; I have installed several things like SpywareBlaster and Guard, Ad-Aware, Spybot incl. TeaTimer.
    I'm wondering how long it will take until that puter is full of "****" again, since the owner practically doesn't know bollocks about puters... but getting tired of fixing it every time :doubt:
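Added example, not code from the thread: a read-only PowerShell check that walks the registry keys, files, Run value and hijacked IE start page from Cas's list above, and also looks for the running srv2.exe process that 4MOTION mistook for the Radmin server. It reports and removes nothing; the Safe Mode removal steps in Cas's post are still the cleanup. Assumptions: it runs as Administrator on the affected machine, standard %WINDIR%, %ProgramFiles%, %TEMP% and Desktop locations are in use, and the function name Test-Plus18PointIndicators is mine. The system32\CatRoot2\tmp.edb entry from the list is left out on purpose: CatRoot2 is where the Windows catalog service keeps its ESE database, so that file is not specific to this dialer.

```powershell
# Added example (not from the thread): read-only audit for the Plus18Point /
# SwitchDialer indicators listed in the thread. Nothing is deleted.
# Assumptions: elevated PowerShell; standard Windows folder locations.

function Test-Plus18PointIndicators {
    $findings = @()

    # Registry keys from the list. HKCR has no drive by default, so use the provider path.
    $regKeys = @(
        'Registry::HKEY_CLASSES_ROOT\.cxq',
        'Registry::HKEY_CLASSES_ROOT\.mxq',
        'Registry::HKEY_CLASSES_ROOT\Applications\srv2.exe',
        'Registry::HKEY_CLASSES_ROOT\Classes\shell\open\command',
        'Registry::HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-callswitch',
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch',
        'HKLM:\SOFTWARE\Plus18Point',
        'HKLM:\SOFTWARE\SwitchDialer'
    )
    foreach ($key in $regKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $key; Detail = '' }
        }
    }

    # ModuleUsage subkeys are named after the file path with forward slashes; match by suffix.
    $moduleUsage = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage'
    if (Test-Path -LiteralPath $moduleUsage) {
        foreach ($sub in Get-ChildItem -LiteralPath $moduleUsage) {
            if ($sub.PSChildName -like '*run.cxq' -or $sub.PSChildName -like '*srv2.exe') {
                $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $sub.Name; Detail = '' }
            }
        }
    }

    # The autostart that brings it back after a reboot: a Run value named "Classes".
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'Classes' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Item = 'Run\Classes'; Detail = $run.Classes }
    }

    # The hijacked IE start page (the HijackThis R0 line at the top of the thread).
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                           -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Start Page' -like '*Plus18Point*') {
        $findings += [pscustomobject]@{ Type = 'StartPage'; Item = 'IE Start Page'; Detail = $ie.'Start Page' }
    }

    # Files and folders from the list, resolved for the current user profile.
    $paths = @(
        (Join-Path $env:WINDIR 'run.cxq'),
        (Join-Path $env:WINDIR 'srv2.exe'),
        (Join-Path $env:WINDIR 'Downloaded Program Files\srv2.inf'),
        (Join-Path $env:WINDIR 'system32\srv2.exe'),
        (Join-Path $env:ProgramFiles 'Plus18Point'),
        (Join-Path $env:TEMP '$Plus18Point'),   # single quotes keep the literal $
        (Join-Path ([Environment]::GetFolderPath('Desktop')) 'More Games .lnk')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = '' }
        }
    }

    # A running copy of srv2.exe: the name looks like a service binary, as 4MOTION found.
    foreach ($proc in (Get-Process -Name 'srv2' -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "srv2.exe PID $($proc.Id)"; Detail = $proc.Path }
    }

    return $findings
}

$result = @(Test-Plus18PointIndicators)
if ($result.Count -eq 0) {
    'No Plus18Point / SwitchDialer indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it before and after the Safe Mode cleanup: anything still listed under RunValue or under the Active Setup Installed Components key is what re-launches or re-installs the dialer at the next logon, which matches what 4MOTION saw when only the HijackThis lines and the Program Files folder were removed.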
     
  8. Detox

    Detox Retired Moderator

    In case anyone was wondering - 4MOTION is my friend in Holland cleaning the PC of a friend of his. Gets complicated, don't it :D
     