[Lonesome_dove989]

Ugh! I have some yuckware on my puter. Adaware SE, Spybot S&D, and AVG all find nothing at all. However, Internet Explorer takes a long time to open. I get delayed text when typing in message forums (even this forum), And getting links to open in a new window takes forever to load.

Like I said, Adaware SE, Spybot S&D (new version), and AVG do not find anything at all. And I ran a HJT, and didn't see anything suspicious, either. However, Panda ActiveScan DID find yuckware, My Way and My Web Search. I still have the log saved from the ActiveScan, if you need it. And I can post a HJT if you need it.


Thank you for your time!

Shelia M.

[Advertisements]

Hi Sheilia, yes please post both logs here.

[greyknight17]

Hi Sheilia, yes please post both logs here.

[Lonesome_dove989]

Hi GreyKnight... Kevin, is it? That's my brother's name, lol ! Thanks for replying so quickly.


Here are the logs that I have.

First, the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 3:50:03 PM, on 9/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MS HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\skullman\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swt: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.game...og/y/fs10_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vto_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.game...og/y/ks12_x.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab


And the log from Panda ActiveScan:


Incident Status Location

Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM\sysfile.dll
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/funweb No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Wnad No disinfected C:\WINDOWS\wnad.dn






Okay, it was my mistake. My Way, and Mywebsearch were not the culprits. I saw those listed on an older panda-scan, and I never deleted the older log. But still, my virus and spyware scanners are not picking up any of the above, and they are all telling me that my system is clean. I'm pretty sure where the funweb came from, I've asked people many times not to be sending me those stupid "Smiley Central" smilies. But, I want to get this junkware out if possible. My puter's running slower than usual lately, and I keep getting disconnected from my dialup way too often.


Thanks for any help you can give me.

[greyknight17]

Yep, Kevin

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\SYSTEM\sysfile.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\wnad.dn

Restart and run another Panda scan. Post the log here.

[Lonesome_dove989]

Okay, I did all of that, and here is the new ActiveScan:


Incident Status Location

Adware:adware/funweb No disinfected Windows Registry
Adware:Adware/Wnad No disinfected C:\!Submit\wnad.dn
Adware:Adware/NetPals No disinfected C:\!Submit\ATPartners.inf


I await your further instruction.

[greyknight17]

Delete this folder -> C:\!Submit\

You're all clear

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[Lonesome_dove989]

Well, That took care of everything except Funweb. Should I follow the same instructions to get rid of that?

Latest ActiveScan:


Incident Status Location

Adware:adware/funweb No disinfected Windows Registry

[greyknight17]

It's a minor problem there and that's why I just left it. It's basically harmless, so unless you really want to remove it, we'll leave it

Any problems now?

[Lonesome_dove989]

Nope, I have been maintaining connection since yesterday. Seems to be running fine as of now.

Thank you very much, Kevin!

[Lonesome_dove989]

Lemme take that back, sorry! I'm still getting popup attempts on website where I have popup immunity for being a moderator of a message forum. I have a popup blocker, but I shouldn't even see it working on this particular forum. The admins of the forum say there is nothing wrong on their end.

Any ideas?

[greyknight17]

Does this site have popups itself? If so, it's probably not spyware related then. You have to check your browser settings (or popup blocker settings) to make sure they are set up correctly to block them.

[Lonesome_dove989]

The site does have popups for members/guests who are not moderators. As a moderator, I shouldn't be getting any popups or popup attempts. I've talked to the other moderators of the forum, and no one else is getting popups, so it's just me.

Any ideas?

[greyknight17]

I'm not sure what to say here because it seems that it is a problem on their side then. If you say you are a moderator also and you still get popups on their site, then you know it's not your computer. Make sure you still have moderator status on that site.

Are these popups from this site only? Any popups from any other sites (that shouldn't have them)?

I suggest talking to them again.

[Lonesome_dove989]

Yes, I still have moderator status. I don't do a lot of general "surfing", so I don't really know what sites have popups or whatnot. I just know that in this forum, I'm not supposed to have any. And, I'm the only moderator on this forum who is having any popups on the site.

Oh, well. I give up. It's only occaisionally that I get them now, anyway.

Thanks for the help!

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.