windows explorer.exe crashing [RESOLVED]


This topic is locked

#1
9to5ninja
New Member, 3 posts
OK. I'm lost. I ran CLEANUP! first as your site has said. Next I ran AD AWARE, which removed the large majority of corruption from my computer. The only things remaining were three COOL WEB SEARCH files. One of them, which I assume to be the main culprit, is the c:/windows/hosts file, which seems to spawn 2 randomly named *.dll files inside of c:windows/system/ e.g. -

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : c:\WINDOWS\SYSTEM\SOEM0409.DLL
obj[1]=File : c:\WINDOWS\SYSTEM\ppgfilt.dll
obj[2]=File : C:\WINDOWS\hosts

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : c:\WINDOWS\SYSTEM\RECMQCL.DLL
obj[1]=File : c:\WINDOWS\SYSTEM\OCSLB400.DLL
obj[3]=File : c:\WINDOWS\SYSTEM\pppcgm.exe
obj[5]=File : C:\WINDOWS\hosts

When I tried to remove them using AD AWARE I get the following runtime error:

MICROSOFT VISUAL C++ RUNTIME LIBRARY
Runtime Error!
Program: C:\WINDOWS\EXPLORER.EXE
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

So seeing this, I went and got CWSHREDDER and ran it, and the bloody program didn't even recognize it. I have updated all definitions for all programs on your site. I have run all the way through SPYBOT and finally got fed up and ran HIJACKTHIS so I could get a little insight from the pros. I assume I may just have to reset my hosts file, but the thing is there are 3 of them within my windows folder:

hosts.bak 824b
Hosts.sam 736b
hosts.*no file extension* 824b <--- i believe this is the culprit!!!

My HIJACKTHIS log file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:42:50 PM, on 2/20/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\DANTZ\RETROSPECT\WDSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\CREATIVE\SB LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\PROGRAM FILES\DISK REMOVAL UTILITY - WD\WD2507MON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {69CCB321-DD6A-5642-968D-E62ED7F8A771} - SAPSTR.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WDCBG] C:\WINDOWS\WDCBG.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [WD2507MON] C:\Program Files\Disk Removal Utility - WD\WD2507Mon.exe
O4 - HKLM\..\Run: [gimmygames] C:\\GIMMYGAMES.exe
O4 - HKLM\..\Run: [winsysban] C:\\WINSYSBAN5.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [Retrospect WD Service] C:\PROGRAM FILES\DANTZ\RETROSPECT\WDSVC.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

If I have missed anything please let me know so I can more properly inform you. Thanks in advance.

-9to5numbskull


#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

Any idea what this program is for?
O4 - HKLM\..\Run: [WD2507MON] C:\Program Files\Disk Removal Utility - WD\WD2507Mon.exe

Did you use a modified HOSTS file to block out bad sites? If not, do this and it will replace your hosts file with a default Windows one:
Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Also, if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

You don't seem to have an antivirus program installed. Please download a free one at Grisoft http://free.grisoft.com/freeweb.php. Install it and make sure to check for updates.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingc...showtutorial=61 ). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - {69CCB321-DD6A-5642-968D-E62ED7F8A771} - SAPSTR.dll (file missing)
O4 - HKLM\..\Run: [gimmygames] C:\\GIMMYGAMES.exe
O4 - HKLM\..\Run: [winsysban] C:\\WINSYSBAN5.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\windows\system32\blank.htm
C:\GIMMYGAMES.exe
C:\WINSYSBAN5.exe
c:\WINDOWS\SYSTEM\SOEM0409.DLL
c:\WINDOWS\SYSTEM\ppgfilt.dll
c:\WINDOWS\SYSTEM\RECMQCL.DLL
c:\WINDOWS\SYSTEM\OCSLB400.DLL
c:\WINDOWS\SYSTEM\pppcgm.exe


Restart. Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Please post that log in your next reply along with a new HijackThis log.

#3
9to5ninja (Topic Starter)
New Member, 3 posts
Well, things are going better so far. Thanks for the help. Here's the rundown:

1- the file WD2507MON is the uninstall utility for my Western Digital external HDD.
2- booted computer normally and ran HOSTER.EXE
3- rebooted into safe mode and ran AD AWARE, found the same 3 files including the hosts file and another two random .dll files. I attempted to delete these with AD AWARE and could not delete the hosts file because the runtime error popped up. AD AWARE offered to delete this upon restarting, so I rebooted once again into safe mode. Upon startup, once my desktop appeared, I got the same runtime error and was forced to reboot yet again. I rebooted into safe mode and the runtime error did not pop up this time.
4- ran HOSTER.EXE again. This time I chose to make my hosts file read only after restoring it to defaults.
5- ran AD AWARE again and got the same three files: hosts + two random .dll files. I killed off the two .dll files but left the hosts file and there was no runtime error.
6- went and looked in my C:\WINDOWS\ folder and found a defaulted hosts file and a hosts.bak file which was full of 127.0.0.1 addresses. I manually deleted the hosts.bak file and there was no runtime error.
7- ran AD AWARE again targeting C:\WINDOWS\ only and no results popped up.
8- rebooted into safe mode and ran a full scan with AD AWARE, no results showed up.
9- ran SPYBOT and got the following results:
ALEXA RELATED - Link C:\WINDOWS\WEB\Related.htm
PIPAS.A - Settings HKEY_LOCAL_MACHINE\Software\microsoft\windows\current version\ruins
SMITFRAUD-C - Web Page C:\WINDOWS\SYSTEM\winsub.xml
- Settings HKEY_USERS\DEFAULT\windows sub version
- Settings HKEY_LOCAL_MACHINE\software\policies\06849E9F-C8D7-4D59-B870- 784B7D6BE
SPY SHERRIF -Text File C:WINDOWS\SYSTEM\svcp.csv
10- fixed and removed those files then immunized.
11- rebooted normally and downloaded AVG virus scanner. Ran it under safe mode with updated definitions. Deleted all files found and rebooted.
12- went to Pandasoft to scan but it would not work. Sometimes it says Active X not allowed and other times I could get to the screen where you choose to scan My Computer, but when I click on it nothing happens. At the bottom left of the window it says done with errors.
13- gave up on Pandascan and rebooted into safe mode and ran HIJACKTHIS once more. See log file below.

Logfile of HijackThis v1.99.1
Scan saved at 3:45:34 PM, on 2/21/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dmrad.exe] C:\WINDOWS\SYSTEM\dmrad.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WDCBG] C:\WINDOWS\WDCBG.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [WD2507MON] C:\Program Files\Disk Removal Utility - WD\WD2507Mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [csdat.exe] csdat.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [Retrospect WD Service] C:\PROGRAM FILES\DANTZ\RETROSPECT\WDSVC.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

Thank you for the help. I believe I am fairly clean now, but if you can see anything I don't, let me know. I am bothered by the MPREXE.EXE file. A few other files I have found under windows system are:
MSGSRV32.EXE
MMTASK.TSK
MSTASK.EXE
WMI.EXE <-- not sure what these do but maybe worth mention.
DDHELP.EXE
WDCBG.EXE

As a final note, I have DivX Player 2.6 and all my codecs are up to date for .avi files. At one point I attempted to view a file and it told me I didn't have my audio codec. Yet today I used it and there was no problem. I assume the file just got temporarily moved or something. Just weird. Thanks in advance!

-9to5
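The hosts.bak the poster found, full of 127.0.0.1 entries, is the usual trace of the hosts-file tampering discussed in this thread: names pointed at loopback can no longer be reached (update and help sites are a common target), and names pointed at any other address are silently redirected. The script below is an added example, not from the thread and not part of Hoster, that parses a Windows hosts file and separates the default localhost entry from block and redirect entries; the sample file, its hostnames and the 192.0.2.10 address (an RFC 5737 documentation address) are constructed.

```python
import ipaddress

# Constructed sample in the shape of the hosts.bak the poster described
# (many hostnames pointed at 127.0.0.1), plus one redirect entry. The
# hostnames and 192.0.2.10 (an RFC 5737 documentation address) are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test    # vendor site now unreachable
127.0.0.1       update.example-av-vendor.test
127.0.0.1       forum.example-help.test
192.0.2.10      www.example-search.test       # site silently redirected
"""

# Names a default Windows hosts file legitimately maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries

def audit_hosts(text):
    """Classify each entry as 'default', 'block' (name sent to loopback or
    0.0.0.0, so it can no longer be reached), 'redirect' (name sent to some
    other address) or 'invalid' (first field is not an IP address)."""
    findings = {"default": [], "block": [], "redirect": [], "invalid": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["invalid"].append((ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            kind = "default" if name in DEFAULT_LOOPBACK_NAMES else "block"
        else:
            kind = "redirect"
        findings[kind].append((ip, name))
    return findings
```

On a real machine, call `audit_hosts()` on the contents of the hosts file and inspect the `block` and `redirect` lists; a clean default file yields only the `default` entry.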

#4
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Try Kaspersky since Panda is giving you problems:

Run a virus scan using Kaspersky Online Scanner. Just click on the Kaspersky Online Scanner button and read what's posted there - hit Accept once you're done. Download the ActiveX file when prompted. Scanning will begin shortly. When it's done post the log here.

#5
9to5ninja (Topic Starter)
New Member, 3 posts
Went to Kaspersky; it ran fine and came back clean, so I don't believe I get a report to send to you? It said report empty. I hope this means I'm good to go. Let me know. Thanks once again in advance.

-9to5

#6
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Yeah, you should be good now. Just wanted to have at least one virus scan to confirm it :tazz:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#7
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.