bramalea

Possible CWS, Continued Re-infection

5 posts in this topic

Hey guys, thanks in advance for looking at my problem.

I am running a PII-233 archaic computer on Windows 98. I have Ad-Aware, SpyBot Search & Destroy and AVG Anti-Virus, and none of these can eradicate the error.

When I run CWShredder, it detects and removes CWS.Yexe. However, this does not clear up the problem. If I restart it immediately after, it once again removes CWS.Yexe. If I restart the computer, it once again removes CWS.Yexe.

The web page http:// www.casinopalazzo.com / index.php?sourceid=102179 continues to pop up. I use Mozilla Firefox to browse the web and Firefox never gets hijacked. However, new IE windows open with that URL in them.

It also continues to create a shortcut on my desktop labeled "XXX". This shortcut is linked to the same URL described above. I can delete this shortcut but it will reappear shortly after.

When I run Ad-Aware and remove the bugs, they seem to be gone. But give it about 20 minutes and they're back again. Restart the computer and the processes Utre.exe and Uzpxthw1.exe restart themselves (even though Ad-Aware stops them and deletes them). No matter how many times I try deleting these files they keep coming back.

AVG periodically stops me to tell me that Bridge.dll in C:\Windows\Temp is a trojan and it is trying to copy itself. I click Heal. Then I go to the command line and deltree everything in Temp, but it seems to fill itself back up at a remarkable rate.

I hope I have provided a decent amount of the information that is necessary to help. And once again thanks a lot to everyone on this site for continuing to stand up to these browser-hijackings.

Finally, here is my HijackThis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:22:38 PM, on 6/22/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\GRISOFT AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\GRISOFT AVG6\AVGCC32.EXE

C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\NOTEPAD.EXE

C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOF~1\Avgserv9.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8156.0528356481


I will be glad to help you with this issue. Before we get started, please let me know if you have posted this same problem on another page, in another forum, or on another website.

That way we can avoid duplicate posts and replies.

Please move HJT to its own permanent folder:

Right-click on an empty space on your desktop and choose New > Folder.
Name it HijackThis (HJT, or whatever).
Right-click HijackThis.exe, choose Cut.
Double-click (to open) the folder you created.
Right-click inside and choose Paste.

Make sure your computer is configured to show all folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Please perform an online virus scan at:

Trend Micro HouseCall:

http://housecall.antivirus.com/pc_housecall/

Reboot into safe mode this way:

Turn on the computer.
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Open Task Manager, and end the following processes IF they are listed:

UZPXTHW1.EXE
DP-HIM.EXE
MSXMIDI.EXE

While in safe mode, run HijackThis and check to fix the following items:

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE (both of these)

Let HJT fix them.

While still in safe mode, look for the following folders and delete the files IF they are found:

C:\WINDOWS\TEMP\UZPXTHW1.EXE
C:\WINDOWS\SYSTEM\DP-HIM.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself).

For example:

C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, being sure to also select "delete all offline content".

Then, after all this cleaning, please post a fresh HJT log.
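The helper above picks out the bad O4 entries by eye: anything starting from a temp folder, anything living in a SYSTEM\SERVICES folder that a stock Windows 98 does not have, and the same command registered under both HKLM and HKCU. The script below does the same first-pass triage mechanically and then diffs an old log against the "fresh HJT log" requested at the end. It is an added example for this thread, not HijackThis code and not something the helper posted; the heuristics, the suspicious-directory list and the two log excerpts (trimmed from the logs in this thread, with the cleanup state of the second one taken from the follow-up post) are assumptions of the example, not a signature database.

```python
"""Triage helper for HijackThis (v1.97-style) logs. Added example, not HJT code."""
import re
from typing import NamedTuple

# Assumption: autostart locations that legitimate Win98 components do not use.
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\SYSTEM\\SERVICES\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: run=(?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?) = (?P<value>.+)$")


class Autostart(NamedTuple):
    raw: str
    hive: str   # "HKLM", "HKCU" or "win.ini"
    key: str    # Run, RunServices, RunOnce, run
    name: str
    cmd: str


def parse_log(text):
    """Collect autostart entries (O4, F1) and IE settings (R1) from a log."""
    autostarts, ie_settings = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            autostarts.append(Autostart(line, m["hive"], m["key"], m["name"], m["cmd"]))
        elif m := F1_RE.match(line):
            autostarts.append(Autostart(line, "win.ini", "run", "", m["cmd"]))
        elif m := R1_RE.match(line):
            ie_settings.append((line, m["key"], m["value"]))
    return autostarts, ie_settings


def triage(log_text):
    """Return {raw line: [reasons]} for entries that deserve a second look."""
    autostarts, ie_settings = parse_log(log_text)
    findings = {}

    def note(line, reason):
        findings.setdefault(line, []).append(reason)

    # Which hives register each command (compared case-insensitively).
    hives = {}
    for a in autostarts:
        hives.setdefault(a.cmd.upper(), set()).add(a.hive)
    for a in autostarts:
        upper = a.cmd.upper()
        for d in SUSPICIOUS_DIRS:
            if d in upper:
                note(a.raw, f"runs from {d}")
        if a.hive == "win.ini":
            note(a.raw, "legacy win.ini run= autostart")
        if {"HKLM", "HKCU"} <= hives[upper]:
            note(a.raw, "same command registered under both HKLM and HKCU")
    for raw, _key, value in ie_settings:
        if value.lower().startswith("file://"):
            note(raw, "IE setting points at a local file")
    return findings


def diff_logs(before, after):
    """(removed, added) entry lines between an old log and a fresh one."""
    def entries(text):
        return {ln.strip() for ln in text.splitlines() if re.match(r"^[A-Z]\d+ - ", ln.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


# Constructed excerpts: a few lines from the first log in this thread ...
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [uzpxthw1] C:\WINDOWS\TEMP\UZPXTHW1.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
"""
# ... and the matching lines from the fresh log posted after cleanup.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\RunOnce: [iCQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(line, "->", "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed after cleanup:", *removed, sep="\n  ")
    print("new in fresh log:", *added, sep="\n  ")
```

Two things worth noticing when you run it. LoadPowerProfile is registered twice but under the same hive (Run and RunServices, both HKLM), so it is not flagged; only MSXMIDI.EXE trips the "both HKLM and HKCU" rule. And C:\WINDOWS\SYSTEM\DP-HIM.EXE is not caught by any of these rules at all: it sits in a normal system folder under an innocent-looking name, which is why the helper's knowledge of the file name (or a proper signature database) is still needed on top of path heuristics. The R1 line pointing the Search Bar at a local file is still present in the second log in this thread, and the script keeps flagging it.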


Hi. Thanks for your quick reply. Sorry I was away for a couple of days, busy with work.

I have not posted this on any other forum or in any other thread.

Anyway, I ran HouseCall but it doesn't seem to run on this machine without crashing IE. So I ran AVG, which found one dialer; I had AVG delete it. Then I restarted in safe mode, running HijackThis and removing those entries you asked me to remove. Then I deleted the files.

One thing I thought was weird was the existence of C:\Windows\System\Services. That directory is not part of Windows 98. It would seem to blend in easier with XP. So I DELTREE /Y'd the whole directory. I also DELTREE *.* /Y everything in C:\Windows\Temp and in Temporary Internet Files, and removed all offline content in Internet Explorer.

The problem seems to be cleared up but I don't know for sure as I haven't been running the system long enough. But those processes have not started back up again. Here is my new HijackThis log.

In case you were wondering, Enternet.exe is an Internet connection client for ADSL, and other than that it looks like everything else belongs there. Thanks!

 

Logfile of HijackThis v1.97.7

Scan saved at 1:38:46 AM, on 6/25/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\GRISOFT AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\GRISOFT AVG6\AVGCC32.EXE

C:\PROGRAM FILES\AIM\AIM.EXE

C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE

C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOF~1\Avgserv9.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot

O9 - Extra button: AIM (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8156.0528356481

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


Sorry, I just have one more problem. When I open Internet Explorer, my start page is hijacked to www. smartsearch.biz. The URL still displays "about:blank". I use Mozilla all the time, never IE, since I don't like it all that much (you know why LOL), but it's still kind of annoying.

edit: This isn't a new problem, it just didn't get cleared up. But the processes are already stopped and I'm happy about that. :)

Edited by bramalea


Try running Adaware and CWShredder again.

If that does not clear up the problem, it means that there is a hidden file that is reinfecting you. We usually can find that on Win98, so let me know. Thanks.
