[Armodeluxe]

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Now try deleting cisctfrm.dll in safe mode..

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

[Advertisements]

Log of AproposFix v1

************
Running from directory:
C:\Documents and Settings\robert\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CrTOFAHFfl79]
@="488.i41CDDCDDED43IxyrCDDCSFDmYdTemiID4A45u.JIDt3y7u34D:u5.q31sE4A4"
"Device"="\\\\.\\sr2hib"
"DriverPath"="C:\\WINDOWS2\\system32\\drivers\\netmarpc.sys"
"DriverName"="swwmSsp"
"HideUninstallerName"="C:\\Program Files\\Vieudios\\patc32gt.exe"
"UninstallerPath"="C:\\WINDOWS2\\system32\\fpjnetsh.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{038D977F-6B70-451E-AA34-A10D415EE6E9}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS2\\system32\\cisctfrm.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X902adf1-c757-5aca-2304-a9037db5743f}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Vieudios\\rpciplat.exe"

************

Removing hidden service:
Service swwmSsp removed.

Removing hidden folder:
Deletion of folder Vieudios succeeded!

Deleting files:

Deletion of file C:\WINDOWS2\system32\drivers\netmarpc.sys succeeded!
Deletion of file C:\WINDOWS2\system32\msrrccsp.exe succeeded!
Deletion of file C:\WINDOWS2\system32\cisctfrm.dll succeeded!
Deletion of file C:\WINDOWS2\system32\fpjnetsh.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CrTOFAHFfl79]
[-HKEY_LOCAL_MACHINE\Software\CrTOFAHFfl79]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{038D977F-6B70-451E-AA34-A10D415EE6E9}]

Done!

Finished!



Highjack log
Logfile of HijackThis v1.99.1
Scan saved at 4:11:44 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\LEXBCES.EXE
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\system32\LEXPPS.EXE
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\cisvc.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLHostManager.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLServiceHost.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLServiceHost.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS2\system32\LEXBCES.EXE
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

[gmcube]

Log of AproposFix v1

************
Running from directory:
C:\Documents and Settings\robert\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CrTOFAHFfl79]
@="488.i41CDDCDDED43IxyrCDDCSFDmYdTemiID4A45u.JIDt3y7u34D:u5.q31sE4A4"
"Device"="\\\\.\\sr2hib"
"DriverPath"="C:\\WINDOWS2\\system32\\drivers\\netmarpc.sys"
"DriverName"="swwmSsp"
"HideUninstallerName"="C:\\Program Files\\Vieudios\\patc32gt.exe"
"UninstallerPath"="C:\\WINDOWS2\\system32\\fpjnetsh.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{038D977F-6B70-451E-AA34-A10D415EE6E9}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS2\\system32\\cisctfrm.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X902adf1-c757-5aca-2304-a9037db5743f}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Vieudios\\rpciplat.exe"

************

Removing hidden service:
Service swwmSsp removed.

Removing hidden folder:
Deletion of folder Vieudios succeeded!

Deleting files:

Deletion of file C:\WINDOWS2\system32\drivers\netmarpc.sys succeeded!
Deletion of file C:\WINDOWS2\system32\msrrccsp.exe succeeded!
Deletion of file C:\WINDOWS2\system32\cisctfrm.dll succeeded!
Deletion of file C:\WINDOWS2\system32\fpjnetsh.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CrTOFAHFfl79]
[-HKEY_LOCAL_MACHINE\Software\CrTOFAHFfl79]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{038D977F-6B70-451E-AA34-A10D415EE6E9}]

Done!

Finished!



Highjack log
Logfile of HijackThis v1.99.1
Scan saved at 4:11:44 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\LEXBCES.EXE
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\system32\LEXPPS.EXE
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\cisvc.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLHostManager.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLServiceHost.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1124230273\ee\AOLServiceHost.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS2\system32\LEXBCES.EXE
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

[Armodeluxe]

Everything looks good, do you have any problems left now?

[gmcube]

yes actually. though its very minor, and doesnt happin too often. everything else seems pretty good so far.

occasionally, my web browser randomly redirects to a page in my history.
it doesnt even have to be a real site that would have advertising on.
for example, a pic in my photobucket. no advertising one so ever, just my own image.

Im not even sure this has anything to do with my ititial problem, but I just assumned it was.

[Armodeluxe]

If that redirect is in Internet Explorer, go to Tools>Reset Web Settings and see if that helps..

If it is in Firefox, the problem may lie with one of the extensions you are using..you may have to uninstall the extensions one by one to find which one is buggy..

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

I'll also recommend you to install a monitoring software which will monitor certain areas on your computer and will place alerts when those are being modified. One such software I'll recommend is Prevx, but it's for advanced users as the messages it displays can be hard to decipher. One other similar but more user friendly software is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates.You can also enable automatic updates.Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe

[gmcube]

yeah the redirecting happens in firefox.
Ive recently realised a lot of the time, the redirect is bassed on what I have copied to my clipboard (or had recently).

it will bring me to a random page about that word.
if its a whole phrase, sometimes it does a google search on it.

I guess I will try the uninstalling of the plug ins and see if that helps.

[Armodeluxe]

On second thought, you may want to clear browser cache and history first and see if that helps..

1. Run Mozilla Firefox.
2. Open the Tools menu.
3. Choose Options.
4. Choose Privacy on the left.
5. Click an individual Clear button or the Clear All button.
For example, if you want to keep the cookies, don't use Clear All.
6. Confirm that you want to clear the items.
7. Click OK.

[gmcube]

ok, I tried that, and it still does it occasionally.
but Im thiking its a FF issue though, and not spyware. so I guess you can consider this topic's issue solved.

[Armodeluxe]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.