0

Hello:

I have a red circle with a white cross in the icontray, and when I click on it with the right or left mouse button, it's autoopened the internet explorer with the following address:

http://antispy.specialgoods.info/index.php?qq=popup+blocker&id=30777&said=ad0271

I also get the Error #317 windows message, regarding the ports 8080 and 3128.

This is the log reported by Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:14, on 12/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\TCWIN45\PIPELINE\REMIND.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT FIREWALL CLIENT\ISATRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OUTLOOK\OFFICE\OUTLOOK.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MAPI\3082\95\MAPISP32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OUTLOOK\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = servidor:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = VĂ­nculos
F1 - win.ini: load=C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AvxIni] c:\archivos de programa\softwin\avx professional\avxinit.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SCardSvr] C:\WINDOWS\SYSTEM\SCardSvr.exe
O4 - HKCU\..\Run: [ArGoSoftMailServer] C:\PROGRAM FILES\ARGO SOFTWARE DESIGN\MAILSERVER.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Monitor de conectividad del cliente del servidor de seguridad.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O12 - Plugin for .exe: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O12 - Plugin for .zip: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O12 - Plugin for .com: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://apuc.cert.fnmt.es/cabs/capicom.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = madrid.intersoftinf.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.10

Please could you help me?

Best regards,

Rafa

4
Contributors
7
Replies
8
Views
12 Years
Discussion Span
Last Post by crunchie
0

Hi DoctorTracker, welcome to DaniWeb :D

Get the PocketKillbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run the PocketKillbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Scan with hijackthis, and have it fix the following entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/

Be sure all windows are closed, other then hijackthis, before hitting Fix checked

Reboot, close any open browser windows, scan with hijackthis, post a new log, and let us know if you're still having problems.

0

Thanks a lot. I have done the actions you have suggested, and everything goes well.

Thank you very much again.

Regards,

0

Glad to hear things are working well :), but can you post a fresh hijackthis log just to make sure?

0

Of course I can.

Here you have the log file...

Thank you again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:00:03, on 13/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\TCWIN45\PIPELINE\REMIND.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT FIREWALL CLIENT\ISATRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = servidor:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = VĂ­nculos
F1 - win.ini: load=C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AvxIni] c:\archivos de programa\softwin\avx professional\avxinit.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SCardSvr] C:\WINDOWS\SYSTEM\SCardSvr.exe
O4 - HKCU\..\Run: [ArGoSoftMailServer] C:\PROGRAM FILES\ARGO SOFTWARE DESIGN\MAILSERVER.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Monitor de conectividad del cliente del servidor de seguridad.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O12 - Plugin for .exe: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O12 - Plugin for .zip: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O12 - Plugin for .com: C:\ARCHIV~1\INTERN~1\PLUGINS\NpAvx.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://apuc.cert.fnmt.es/cabs/capicom.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = madrid.intersoftinf.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.10

0

i have the same problem with the red circle and the x in the middle i saw what you said to do but when i do it it asks me to open with . i dont know anything about computers. how do i do this (unzip) in dummies terms ? pleae help me !!!!!!!!

0

ernestine725. You need a utility to unzip the file that dlh6213 advised. If you have XP, then there will be that ability onboard already. If another system, you will need to download winzip or some such.
You also need to start your own thread in order to get the best help.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.