
Running Win 98SE infected w/CWSearch.x


This topic is locked
9 replies to this topic

#1 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 12:06 AM

I appear to be infected with a version of the CWSearch.x. I'm running Win 98SE and IE 5.5. I thought I had finally found and fixed the problem after running CWShredder, only to discover that it resides elsewhere on my computer, as many before me have discovered. I am confused, however, by the many different "fixes" that have been posted on not only this site, but others as well.

I'm not a newbie but I'm also not a techie. I have run AVG, Ad-aware, Spy-bot, Spy Sweeper, all obviously to no avail.

I last ran HijackThis and saved a log, then ran CWShredder, and ran HijackThis again so that I could see what Shredder thought it was getting rid of. It found and removed an HPDPA.dll which of course returned only minutes later.

Can someone help me with a step by step for a Win 98SE user?

#2 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 22 May 2004 - 12:18 AM

1.)
Go to:
Start > Run > Type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If so, highlight it and use Edit > Copy and post it here.

2.)
Download: "StartDreck", unzip!
*Don't be f00led by the site's 'unique' interface!!!
http://members.black.../startdreck.htm
Double-click: 'StartDreck.exe'
Hit: -Config
Hit: -Unmark all
Check these boxes only:
Registry -> Run keys
Registry -> Browser helper objects
System/drivers -> Running processes
Hit OK.

Use the "Save" tab to save, name and post the log!

#3 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 01:25 AM

Stuck already. Went to: Start > Run > Typed: msinfo32
clicked OK and received the following error message:

Cannot find the file 'msinfo32' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

#4 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 22 May 2004 - 01:52 AM

Proceed with step #2!

I'd be more concerned about not having
Windows System Information than anything else...

Search here:
Program Files\Common Files\Microsoft Shared\MsInfo....

#5 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 02:22 AM

First let me say "Thanks" for your help, freeatlast. I've spent hours on this blasted thing and am zombie-like at this point, and I apologize for not thanking you up front. Your volunteerism is greatly appreciated, especially by those of us who are typically very careful about where we go and what we download! Feels like such a violation!

1. Did as you suggested: Program Files\Common Files\Microsoft Shared\MsInfo32
Expanded: "Software Environment"
but there was nothing to expand for "System hooks"
Received message: There are no items to display in this category.

2. Here is the StartDreck log:
StartDreck (build 2.1.5 public BETA) - 2004-05-22 @ 00:10:04
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*P2P NETWORKING=C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
*Norton CrashGuard Monitor="C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{246AA905-53AA-427B-BE0A-BD45E95FC6D0}
`InprocServer32=C:\WINDOWS\SYSTEM\HPDPA.DLL
»Files
»System/Drivers
»Running Processes
*FF8F5FFB=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF6B57=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF142B=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF3A27=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFD2FF=C:\WINDOWS\EXPLORER.EXE
*FFFEF307=C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
*FFFEE6B7=C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
*FFFD53A7=C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
*FFFB4C33=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFC61A3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFDFC7B=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFFB1177=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFFBE6E3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFD9C6B=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
*FFFA8B87=C:\WINDOWS\DESKTOP\MY DOWNLOADS\STARDRECK\STARTDRECK.EXE
»Application specific

#6 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 22 May 2004 - 02:52 AM

You don't appear to have the same problem!

Only:
C:\WINDOWS\SYSTEM\HPDPA.DLL
(hopefully)

Here is what I suggest:

Download: "Win98Fix.zip", Unzip!
From:
http://www10.brinkst...last/pvtool.htm
-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!

After the restart, double-click on the included
"who.bat" file.
"Badfile.txt" should be created. Open and post it
(unless *empty)!

Next, restart the computer in Safe Mode, check in
Add/Remove and uninstall "P2P NETWORKING"
if listed.
Delete the entire
C:\WINDOWS\SYSTEM\P2P NETWORKING folder,
and the
C:\WINDOWS\SYSTEM\HPDPA.DLL file!

Re-run Shredder in safe mode as well

- Download and Install Ad-Aware6!
http://www.lavasoftu...ftware/adaware/
run, update before the scan, select 'customise'
options, select your drive, scan and fix
all found problems.

A couple of pointers:
*Norton CrashGuard is a well known crash generator by itself,
and was discontinued in later versions!

So is..*IE5.5!
Go to Windows updates and Apply all
needed, including but not limited to
IE6/SP1+ALL security patches.
Your current version is no longer supported!

--When you have accomplished all the above,
run hijackthis.exe, save the log and post it!
Good luck!

#7 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 02:58 AM

Will do. Thanks again, freeatlast.

Kat

#8 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 02:05 PM

Greetings,
Good news. The Badfile.txt was blank.

It would appear that I have bigger problems with this machine aside from not being able to run msinfo32 from the start>run window.

Went to Safe Mode and Add/Removed P2P Networking. I've never used Kazaa, so I have no idea how that got on my machine?

Ran CWShredder in Safe Mode, but it ended up that I had to go to the Safe Mode command prompt to delete the hpdpa.dll - but then the system couldn't find himem.sys, so it wouldn't let me "exit." Had to Ctrl-Alt-Del to reboot. Probably need to reload Windows, not really sure what to do about that yet.

Anyway, Add/Removed Norton CrashGuard and downloaded and installed IE6/SP1.

Updated and ran Ad-Aware and quarantined all the items it found.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:58 AM, on 5/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The River Internet Access Co
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Program Files\Netscape\Users\wardbk\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .smil: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

Appears I've finally licked it. I've decided that I need some sort of firewall-type program. I think that Zone Alarm is pretty extreme. I'd like to find something that will just notify me when something is trying to be installed or downloaded without my specific request. I'm definitely open to suggestions. Got any other resources for "fixing" my other problems? Thanks again for all your help. You guys are doing a terrific service.
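The triage freeatlast did by eye on the StartDreck log in post #5 and the HijackThis log in post #8, written out as an added Python example (not part of this thread and not code from either tool): it parses both listing formats, pulls out the Run entries and the Browser Helper Objects, and flags a BHO that has no registered name and whose DLL sits directly in C:\WINDOWS\SYSTEM. That rule is an assumption made here to reproduce why HPDPA.DLL stood out while the Adobe helper did not. The sample lines are taken from the two logs posted above, except the HijackThis HPDPA.DLL line, which is constructed from the CLSID and path in the StartDreck log as HijackThis would have listed it before removal.

```python
"""Triage of Win9x persistence listings (StartDreck and HijackThis formats).

Added example for this thread; the 'suspicious BHO' rule is an assumption that
mirrors the manual triage in the thread, not a rule from either tool.
"""
import re
from dataclasses import dataclass

# Assumption: Win9x system directory, as it appears in the thread's own paths.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"

# Constructed sample: a slice of the StartDreck log posted in this thread
# (tree markers rendered as '»'), cut down to the sections used below.
STARTDRECK_SAMPLE = [
    "»Local Machine",
    "»Run",
    r"*P2P NETWORKING=C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART",
    r'*Norton CrashGuard Monitor="C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"',
    "»Browser Helper Objects (LM)",
    "*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    r"`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    "*{246AA905-53AA-427B-BE0A-BD45E95FC6D0}",
    r"`InprocServer32=C:\WINDOWS\SYSTEM\HPDPA.DLL",
    "»Files",
]

# Constructed sample: HijackThis lines. The Adobe and NPROTECT lines are from the
# log posted in this thread; the HPDPA.DLL line is constructed from the CLSID and
# path shown in the StartDreck log.
HIJACKTHIS_SAMPLE = [
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O2 - BHO: (no name) - {246AA905-53AA-427B-BE0A-BD45E95FC6D0} - C:\WINDOWS\SYSTEM\HPDPA.DLL",
    r"O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE",
]


@dataclass
class Bho:
    clsid: str
    name: str    # ProgID (StartDreck) or display name (HijackThis); '' when absent
    path: str    # InprocServer32 DLL
    source: str  # which log format the entry came from


def parse_startdreck(lines):
    """Return [(section_title, [entry, ...]), ...] in log order.

    StartDreck marks a section with '»', an entry with '*', and an entry's
    sub-values with '`key=value'. Each entry becomes a dict with its 'name'
    plus any sub-values."""
    sections = []
    current = None
    for line in lines:
        if line.startswith("»"):
            sections.append((line[1:].strip(), []))
            current = None
        elif line.startswith("*") and sections:
            current = {"name": line[1:].strip()}
            sections[-1][1].append(current)
        elif line.startswith("`") and current is not None:
            key, _, value = line[1:].partition("=")
            current[key.strip()] = value.strip()
    return sections


def run_entries_from_startdreck(sections):
    """(label, command) pairs from every Run/RunOnce/RunServices section."""
    out = []
    for title, entries in sections:
        if title.startswith("Run"):
            for e in entries:
                label, _, command = e["name"].partition("=")
                out.append((label, command))
    return out


def bhos_from_startdreck(sections):
    """BHO entries read 'ProgID/{CLSID}', or just '{CLSID}' when no ProgID is registered."""
    out = []
    for title, entries in sections:
        if not title.startswith("Browser Helper Objects"):
            continue
        for e in entries:
            progid, _, clsid = e["name"].rpartition("/")
            out.append(Bho(clsid.upper(), progid, e.get("InprocServer32", ""), "startdreck"))
    return out


# HijackThis O2 line: 'O2 - BHO: <name> - {CLSID} - <path>'
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.I)


def bhos_from_hijackthis(lines):
    out = []
    for line in lines:
        m = HJT_O2.match(line)
        if m:
            name = "" if m["name"] == "(no name)" else m["name"]
            out.append(Bho(m["clsid"].upper(), name, m["path"], "hijackthis"))
    return out


def is_suspicious(bho):
    """Assumed heuristic: no registered name AND the DLL lives directly in the
    system directory rather than under a vendor's own folder."""
    folder = bho.path.upper().rpartition("\\")[0]
    return bho.name == "" and folder == SYSTEM_DIR


def triage(bhos):
    return [b for b in bhos if is_suspicious(b)]


if __name__ == "__main__":
    sd = parse_startdreck(STARTDRECK_SAMPLE)
    for label, cmd in run_entries_from_startdreck(sd):
        print(f"run entry: {label} -> {cmd}")
    for b in triage(bhos_from_startdreck(sd) + bhos_from_hijackthis(HIJACKTHIS_SAMPLE)):
        print(f"suspicious BHO ({b.source}): {b.clsid} {b.path}")
```

A missing name on its own proves nothing: HijackThis 1.97 listed Adobe's helper as "(no name)" too, which is why the rule also looks at where the DLL lives. Before deleting anything a flagged CLSID's InprocServer32 path should still be checked against a known vendor install, exactly as was done in the thread before HPDPA.DLL was removed.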

#9 freeatlast (E x p l o r e r, Retired Staff, 833 posts)

Posted 22 May 2004 - 06:20 PM

Good work and progress!
I think you're all set!
As for a firewall, I guess ZA may not always
be the best choice, in particular on Win98!

On one of my boxes I'm using Tiny Personal Firewall.
Old versions are still free.
You can search on the net.

One site that has v2.0 is:
http://freeware.it-m...k/?Cat=Security

Every once in a while I had to clear the *filters, but
it is stable and rock solid!


As for himem.sys, do Find Files and check whether it exists:
Should be in C:\ or C:\windows, or both!

And it looks like you might have shortcut problems among other things.
You can try running scanreg /fix from the command prompt to
rebuild the registry, and try SFC as well.

For Curing Many Problems With 98, Try SCANREG/FIX and SFC 1st

Good luck :)

#10 PaprTigr (Member, Full Member, 6 posts)

Posted 22 May 2004 - 07:55 PM

Thanks again for all your help, freeatlast. Will let you know how I fare.

Kat
