ad.yieldmanager, inqwire, & clickandtrack popups - Page 2

LeftieLouie · 12-08-2005, 10:35 PM

MicroBell, Thanks again for the quick responses!

The registry had no instances of random directories or "Aprop". I searched the registry in normal mode and in safe mode.

RootKitRevealer doesn't seem to run under Win98SE. I get the following messages:

Error starting program
PSAPI.DLL file is linked to missing export NTDLL.DLL:NtCreateProfile

Then
C:\RootKitRevealer\RootkitRevealer.exe
System is not functioning

RootKitRevealer is cool technology, is there a way to get it to run under Win98SE? Also, I have the ability to remove the hard drive and/or create an alternate boot partition. Wouldn't it be better to scan the drive when there's nothing executing on it? I understand why you asked me to run the DOS scan - would it be better to boot from a CD or floppy and run the DOS scanners?

Here are the log files...

====
File: TV_ENG32.DLL
Status:
OK
MD5 795cd4315d99c6bbb8a9f3fd778f7c6c
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

====
File: imscan.dll
Status:
POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 a4ad1144cbf87cfcc4c2f811b87fd44c
Packers detected:
UPX
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:CTX
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

MicroBell · 12-09-2005, 01:06 PM

Sorry....I do so many logs I thought you had XP. Anyway RootkitRevealer only works on NT based systems (Win 2000/XP/2003). As for removing the drive..I don't think it being active is the problem.

Did you do some research regarding what I asked about in Step 3? Again..since the logs are clean and I can't find any suspious entrys I see no program installed that would generate these popups. That leaves a problem with either your browser or popup blocker that mey be malfunctioning.

Try installing another 3rd party popup blocker and see if they stop.

LeftieLouie · 12-10-2005, 01:01 PM

MicroBell: this is the third attempt to post a quick reply. I don't know why my messages aren't taking. I'm going to save this one in notepad in case I have to repost it a fourth time. If my reply seems terse or testy it's because I've retyped it twice before, please forgive the presentation.

1. Firefox 1.07 is my popup blocker. It works.
2. You seem to be out of gas on this. Are you throwing in the towel on this? If so, that's OK just let me know so we can close the thread and I can pick up the topic on a different forum.
3. Some research led me to ContextPlus, who seems to be associated with the URLs that have been popping up. It turned up the following links:

http://www.spywareguide.com/product_show.php?id=2289
http://apropos-spyware-removal.noadwar.info/
http://forums.spybot.info/archive/index.php/t-199.html

I have not yet had time to follow the instructions. Do you want the results posted here?

Also, if this thing is using stealth techniques then it still makes sense to me to scan the drive from MS-DOS where it can't possibly be executing. The folks who normally ferret these things out have ways of digging out stealth ad-ware, why can't I do that here? What tools do they use?

There has to be some kind of debugger or profiler that tells me what's launching, what files are being opened and what sites it's polling? How is it getting out past Zonealarm?

ContextPlus.com has an email address that says they'll send an uninstall program within 24 hours - do I trust it? Do you want a copy to dissect? The only other options I see is to send an invoice to the domains issuing the popups and send bill them for advertising on my computer or spend my Christmas break reinstalling windows and all my engineering applications.

What do you advise?
Best Regards,
Lou

MicroBell · 12-10-2005, 03:16 PM

Lou,

Just running low on Ideas...buddy. This thing acts like the ContextPlus/Apros infection...and the tool we use to discover it and clean it off is only for XP/2000 systems. That said...it still leaves traces on a Windows 98 system..which you seam to be void of. It uses a 'Rootkit' to hide itself...but can't do that on your system as it's not NT based.

I'm going to ask another analyst to take a peek here just to make sure I'm not missing something. In the meantime lets check for a Java infection.....

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

LeftieLouie · 12-10-2005, 10:17 PM

MicroBell: I'm heading out of town on business, let's use the time to think. From DOS I did an ATTRIB -h *.*/s to unhide anything. ATTRIB did list some files that it couldn't -h because they were +s system files. None of the system files matched the filenames in the ContextPlus removal link I posted earlier. I then did a DIR /S for those files and came up empty. I also looked for $SYS$ files since somebody exploited the Sony rootkit malware. Again, no hits.

How can I take advantage of two systems, one that has popups and one that doesn't?

I'll check in probably on Wednesday but no promises.
Best Regards,
Lou

Kaspersky Scan results:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 10, 2005 21:27:39
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/12/2005
Kaspersky Anti-Virus database records: 164368
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\
r:\

Scan Statistics:
Total number of scanned objects: 14691
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 7065 sec

Infected Object Name - Virus Name
c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a

Scan process completed.

MicroBell · 12-13-2005, 12:42 AM

Lou,

I was going back over your thread and want to try another Spysweeper scan. Please make sure it has the latest database and Then configure it as followed:

From the left pane, click Options
Select the Sweep Options tab & ensure the following are ticked:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All Users accounts
- Do Not Sweep System Restore Folder
- Enable Direct Disk Sweeping
- Sweep For Rootkits
After that's done, select Sweep from the left pane & click on the Start button
Allow Spysweeper to reboot your machine to remove the infected files.

After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that log in your next reply.

LeftieLouie · 12-14-2005, 01:50 PM

MicroBell:
Thanks for the input, I'll run another SpySweeper exam. In the meantime, I received this reply from ContextPlus. Perhaps someone would like to examine this code to see what it's doing - I have NOT run it.

Also, not knowing the best choice for an alternate popup blocker, I realized that the Firefox team has version 1.5 released. I installed it, and I am no longer getting the popups. I still don't know if or what the difference is or was but the popups no longer happen - your hunch about the blocker function was apparently correct. It's very confusing because I know that Firefox was in fact blocking popups from other sites. Is it possible to have an exception and have it be hidden in Firefox?

I will run the SpySweeper scan anyway, per your suggestion.
Here is the full text of the message from ContextPlus.
====
Dear User:

Be advised that the attached uninstaller is FOR USERS WITH WINDOWS 2000 AND WINDOWS XP OPERATING SYSTEMS ONLY. See below for instructions on how to use it.

IF YOUR OPERATING SYSTEM IS WINDOWS MILLENIUM OR WINDOWS 98 OR BEFORE, the attached uninstaller will not work. You should instead go to http://download.contextplus.net/apro...ninstaller.exe and "Open" or "Run" the uninstaller file at this URL to remove ContextPlus completely from your older operating system. When the uninstaller runs, your mouse cursor may change to an hourglass for a moment to indicate it is running. Once the cursor returns to normal, the uninstallation process will be complete. There is no need to restart your computer.

WINDOWS XP AND 2000 USERS
Be advised that the attached uninstaller will only work once, on one computer. If you need to uninstall ContextPlus from more than one computer, please contact support@contextplus.com to request another uninstaller.

To uninstall ContextPlus using the Attached uninstaller for XP and Win2000, please follow these instructions:

1. Double-click and Open the attached zip file which should unzip the ContextPlus uninstaller and allow you to run it.

2. Double-click the uninstaller file to run it.

3. Your Windows Operating System may ask if you wish to Open or Run the uninstaller. To begin uninstallation, click "OK".

4. When you run the uninstaller, your mouse cursor may change to an hourglass for a moment.

5. Once the cursor returns to normal, the uninstallation process will be complete. There is no need to restart your computer.

6. If for some reason, you believe that the uninstallation was unsuccessful for your XP or Win2000 computer, you may have an older version of our software on your computer (or you are receiving ads from some other web site or software program.) To be sure you have removed us completely, please follow the instructions above for older Operating Systems and Run the installer at http://download.contextplus.net/apro...ninstaller.exe. This uninstaller will work for older versions of our software on any operating sytem.

We apologize for any inconvenience this may have caused you.

Sincerely,

The ContextPlus Support Team
ContextPlusUninstaller.gz
====

MicroBell · 12-14-2005, 03:50 PM

Lou,

I'll take that uninstaller apart later tonight.....but If it was me..I would not use it if the popups have stopped. As I said before....the Apros/ContextPlus infection leaves behind entrys...that you were void of so I doubt it was your orginal issue since every log you posted was void of these entrys.

Anyway..please post that Spysweeper log so I can see if anything else is floating around. Hopefully...these popups stay gone. I would still recommend a 3rd party popup blocker besides what your using.

Google toolar
Popup Stopper (Panicware)
StopZilla

I use the FREE version of Popup Stopper (Panicware) and haven't seen a popup in ages.

Quote:

Is it possible to have an exception and have it be hidden in Firefox?

I doubt it...but I would ask this question in the Firefox/Browser forum. I don't use Firefox much so I'm not 100% sure. I've poked around in FF and can't find an option as you stated.

LeftieLouie · 12-16-2005, 09:18 AM

MicroBell:
It appears that the unregistered version of Spysweeper doesn't produce a hardcopy log, however, no malware was detected - so it came up clean again. That's good news.

Firefox 1.5 seemes to be successfully blocking the yieldmanager popups. We may be able to wrap this thread up pretty soon. I feel badly about wasting so much of your time, but I probably have one of the cleanest systems around. I DO appreciate your help! Thank You!

I have a couple of questions. In the course of this search I have the following packages installed on my computer:
Ad-Aware
AVG Virus scan
Spyguard
Spyblaster
Spysweeper
Spybot SD 1.4
Teatimer (broken OK box)
IESpyad
ZoneAlarm

How much was for investigative purposes? How much is redundant? The irony is that malware compromises system responsinveness but so does all the protection software! In your opinion, which of these should I keep and which should I uninstall?

Best Regards,
Lou

MicroBell · 12-16-2005, 02:54 PM

Lou,

You need to break the programs done..

Realtime Protection:

AVG Virus scan
Spyguard
Spyblaster
IESpyad
ZoneAlarm

Spyware Cleaners:

AdwareSE
Spysweeper
Spybot SD 1.4
Teatimer (broken OK box)
Cleanup

The realtime stuff must be used all the time and run in the background. Leave Spybot's teatimer disabled...since SpywareBlaster does the same job but better.

As for the others...run them once a week to keep the system clean. These programs are NOT running and taking up resources and your only use them to scan for the bad guys.

For example...on my system I use....

AVG
ZoneAlarm
Popup Stopper
CookieWall
Spywareblaster
Spywareguard
IESpyad

Haven't had a virus or adware/spyware in years...yes years.

LeftieLouie · 12-16-2005, 06:58 PM

MicroBell,
Thanks for all the help, what did you find out by dissecting the ContextPlus stuff?
Lou

MicroBell · 12-17-2005, 12:56 AM

Don't trust it....lol. That infection is one nasty mother. If you could see all the garbage this thing installs it's unreal. The uninstaller leaves a tag in the system which looks like it contacts the Context servers for some reason. So lets consider this solved unless you have another issue...

Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.

Reset hidden/system files and folders

Windows XP
===============

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 2000
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Select the Advanced settings box option.
Select the Hidden files Folders.
Deselect the Show all files option.
Click Yes to confirm.
Click OK.

Windows ME
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 95/98/98SE
===============

Open My Computer.
Select the View
Select the Folder Options option.
Select the View tab. option.
Select the Advance Advanced settings box option.
Select the Hidden files folder.
Deselect the Show all files option
Click Apply to confirm.
Click OK.

Create a new System Restore point

Windows XP
===============

Click Start >> Run - type SYSDM.CPL & press Enter
Select the System Restore Tab
Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
Then untick the same checkbox & click OK
This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

Click the Start tab.
Select the Settings option.
Select the Control Panel option.
Double Click the System icon Performance tab option.
Select File System
Select the Troubleshooting tab
Check the Disable System Restore box
Click Apply to confirm.
Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

Click the Start button.
Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
Choose Create a restore point, and then click Next.
In the Restore point description box, type a name for your restore point, and then click Next.
Click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
Tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.

Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.

LeftieLouie · 12-20-2005, 11:46 PM

MicroBell:
Sorry about the delay in responding - we had a power outage in the middle of my last attempt to reply...

Again, thanks for your input. FYI I always run with show extensions and show all files. I don't like an OS to decide what I should and shouldn't see, and Microsoft certainly has no reasonable or secure perspective on this.

There is no system restore point for Win98SE, should I take a snapshot of the registry? Also, from time to time, I use WinZip to make a compresed copy of my system disk (minus the swap file and cache files), I use

Question: I have been unable to actually uninstall Teatimer. I have opted to disable it from startup using MSCONFIG. Is there a better way?

Question: I purchased SpySweeper, I like it's thoroughness. It appears that SpySweeper and Ad-Aware are redundant, should I keep both installed? Also, Spysweeper complains of corrupted installation under my Win98SE systems but seems robust and happy under my wife's WinXP system. Are you aware of SpySweeper compatibility issues with Win98SE?

I dread the prospect of upgrading to WinME or XP, I have thousands of dollars of engineering tools that would break. The cost of conversion is prohibitive, yet I expect the sophistication of these infections may require upgrades.

Best Regards,
Lou

MicroBell · 12-21-2005, 02:33 AM

Lou,

Quote:

There is no system restore point for Win98SE, should I take a snapshot of the registry?

That wont hurt. The speech I posted covers all OS's...so as you stated 98 has no "Restore Point" option. That said..it's smart to back up your registry every now and then. Right now...would be good time since we got you clean.

Quote:

I have been unable to actually uninstall Teatimer. I have opted to disable it from startup using MSCONFIG. Is there a better way?

Yes. Through the program itself. Open Spybot. Click on "Mode" and make sure your in "Advanced" mode. Then click on "Tools" and then "Resident" and uncheck the box that says "Resident Teatimer" This stops Spybot from loading Teatimer when Windows starts up.

Quote:

It appears that SpySweeper and Ad-Aware are redundant, should I keep both installed?

Yes. Remember some programs are active while others are passive. When scanning for adware/spyware you always want to use more then scanner as each will pick up...what the other may miss. Here's an example of what I use and when I use it.

Weekly Scans:

AdawareSE
Spybot
SpySweeper

Bi Weekly:

AVG (Antivirus)
Cleanup/CCleaner
Reg Cleaner
CWShredder

*Note* Remember to update the databases each time before you run them.

Using this method and those protection programs I listed for you...I haven't had a virus or spyware (other then a tracking cookie) on my system in well over 2 years.

Quote:

Also, Spysweeper complains of corrupted installation under my Win98SE systems but seems robust and happy under my wife's WinXP system. Are you aware of SpySweeper compatibility issues with Win98SE?

Not really a "compatibility issue" but can be what I call "Grumpy". The program, like the Ewido scanner is designed for NT based systems. Though it works on others...at times it can give you errors and simply refuse to work. Most of the problems can be corrected...but you would have to contact Webroot.

As for your Windows 98 comment....you'er correct. To put it bluntly....your Operating System is outdated and easily exploitable. The programs I listed will protect you somewhat...but the system could stand to be upgraded to a more secure Operating System.

12-09-2005, 01:06 PM	#22 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows 7	Sorry....I do so many logs I thought you had XP. Anyway RootkitRevealer only works on NT based systems (Win 2000/XP/2003). As for removing the drive..I don't think it being active is the problem. Did you do some research regarding what I asked about in Step 3? Again..since the logs are clean and I can't find any suspious entrys I see no program installed that would generate these popups. That leaves a problem with either your browser or popup blocker that mey be malfunctioning. Try installing another 3rd party popup blocker and see if they stop. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

12-10-2005, 03:16 PM	#24 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows 7	Lou, Just running low on Ideas...buddy. This thing acts like the ContextPlus/Apros infection...and the tool we use to discover it and clean it off is only for XP/2000 systems. That said...it still leaves traces on a Windows 98 system..which you seam to be void of. It uses a 'Rootkit' to hide itself...but can't do that on your system as it's not NT based. I'm going to ask another analyst to take a peek here just to make sure I'm not missing something. In the meantime lets check for a Java infection..... Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder Last edited by MicroBell; 12-10-2005 at 04:17 PM.

12-10-2005, 10:17 PM	#25 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell: I'm heading out of town on business, let's use the time to think. From DOS I did an ATTRIB -h ./s to unhide anything. ATTRIB did list some files that it couldn't -h because they were +s system files. None of the system files matched the filenames in the ContextPlus removal link I posted earlier. I then did a DIR /S for those files and came up empty. I also looked for $SYS$ files since somebody exploited the Sony rootkit malware. Again, no hits. How can I take advantage of two systems, one that has popups and one that doesn't? I'll check in probably on Wednesday but no promises. Best Regards, Lou Kaspersky Scan results: ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Saturday, December 10, 2005 21:27:39 Operating System: Microsoft Windows 98 SE Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 11/12/2005 Kaspersky Anti-Virus database records: 164368 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: a:\ c:\ d:\ e:\ r:\ Scan Statistics: Total number of scanned objects: 14691 Number of viruses found: 1 Number of infected objects: 3 Number of suspicious objects: 0 Duration of the scan process: 7065 sec Infected Object Name - Virus Name c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a c:\WINDOWS\Desktop\USBMemory\WindowsTools\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a Scan process completed. Last edited by LeftieLouie; 12-10-2005 at 10:33 PM. Reason: added scan results

12-13-2005, 12:42 AM	#26 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows 7	Lou, I was going back over your thread and want to try another Spysweeper scan. Please make sure it has the latest database and Then configure it as followed: From the left pane, click Options Select the Sweep Options tab & ensure the following are ticked: Sweep Memory Sweep Registry Sweep Cookies Sweep All Users accounts Do Not Sweep System Restore Folder Enable Direct Disk Sweeping Sweep For Rootkits After that's done, select Sweep from the left pane & click on the Start button Allow Spysweeper to reboot your machine to remove the infected files. After rebooting, launch SpySweeper & select Results from the left pane Click the 'Session Log' tab & choose Save to File to create a log. Post that log in your next reply. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

12-16-2005, 02:54 PM	#30 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows 7	Lou, You need to break the programs done.. Realtime Protection: AVG Virus scan Spyguard Spyblaster IESpyad ZoneAlarm Spyware Cleaners: AdwareSE Spysweeper Spybot SD 1.4 Teatimer (broken OK box) Cleanup The realtime stuff must be used all the time and run in the background. Leave Spybot's teatimer disabled...since SpywareBlaster does the same job but better. As for the others...run them once a week to keep the system clean. These programs are NOT running and taking up resources and your only use them to scan for the bad guys. For example...on my system I use.... AVG ZoneAlarm Popup Stopper CookieWall Spywareblaster Spywareguard IESpyad Haven't had a virus or adware/spyware in years...yes years. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

12-08-2005, 10:35 PM	#21 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell, Thanks again for the quick responses! The registry had no instances of random directories or "Aprop". I searched the registry in normal mode and in safe mode. RootKitRevealer doesn't seem to run under Win98SE. I get the following messages: Error starting program PSAPI.DLL file is linked to missing export NTDLL.DLL:NtCreateProfile Then C:\RootKitRevealer\RootkitRevealer.exe System is not functioning RootKitRevealer is cool technology, is there a way to get it to run under Win98SE? Also, I have the ability to remove the hard drive and/or create an alternate boot partition. Wouldn't it be better to scan the drive when there's nothing executing on it? I understand why you asked me to run the DOS scan - would it be better to boot from a CD or floppy and run the DOS scanners? Here are the log files... ==== File: TV_ENG32.DLL Status: OK MD5 795cd4315d99c6bbb8a9f3fd778f7c6c Packers detected: - Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VBA32 Found nothing ==== File: imscan.dll Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.) MD5 a4ad1144cbf87cfcc4c2f811b87fd44c Packers detected: UPX Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found Win32:CTX AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VBA32 Found nothing

12-10-2005, 01:01 PM	#23 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell: this is the third attempt to post a quick reply. I don't know why my messages aren't taking. I'm going to save this one in notepad in case I have to repost it a fourth time. If my reply seems terse or testy it's because I've retyped it twice before, please forgive the presentation. 1. Firefox 1.07 is my popup blocker. It works. 2. You seem to be out of gas on this. Are you throwing in the towel on this? If so, that's OK just let me know so we can close the thread and I can pick up the topic on a different forum. 3. Some research led me to ContextPlus, who seems to be associated with the URLs that have been popping up. It turned up the following links: http://www.spywareguide.com/product_show.php?id=2289 http://apropos-spyware-removal.noadwar.info/ http://forums.spybot.info/archive/index.php/t-199.html I have not yet had time to follow the instructions. Do you want the results posted here? Also, if this thing is using stealth techniques then it still makes sense to me to scan the drive from MS-DOS where it can't possibly be executing. The folks who normally ferret these things out have ways of digging out stealth ad-ware, why can't I do that here? What tools do they use? There has to be some kind of debugger or profiler that tells me what's launching, what files are being opened and what sites it's polling? How is it getting out past Zonealarm? ContextPlus.com has an email address that says they'll send an uninstall program within 24 hours - do I trust it? Do you want a copy to dissect? The only other options I see is to send an invoice to the domains issuing the popups and send bill them for advertising on my computer or spend my Christmas break reinstalling windows and all my engineering applications. What do you advise? Best Regards, Lou

12-14-2005, 01:50 PM	#27 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell: Thanks for the input, I'll run another SpySweeper exam. In the meantime, I received this reply from ContextPlus. Perhaps someone would like to examine this code to see what it's doing - I have NOT run it. Also, not knowing the best choice for an alternate popup blocker, I realized that the Firefox team has version 1.5 released. I installed it, and I am no longer getting the popups. I still don't know if or what the difference is or was but the popups no longer happen - your hunch about the blocker function was apparently correct. It's very confusing because I know that Firefox was in fact blocking popups from other sites. Is it possible to have an exception and have it be hidden in Firefox? I will run the SpySweeper scan anyway, per your suggestion. Here is the full text of the message from ContextPlus. ==== Dear User: Be advised that the attached uninstaller is FOR USERS WITH WINDOWS 2000 AND WINDOWS XP OPERATING SYSTEMS ONLY. See below for instructions on how to use it. IF YOUR OPERATING SYSTEM IS WINDOWS MILLENIUM OR WINDOWS 98 OR BEFORE, the attached uninstaller will not work. You should instead go to http://download.contextplus.net/apro...ninstaller.exe and "Open" or "Run" the uninstaller file at this URL to remove ContextPlus completely from your older operating system. When the uninstaller runs, your mouse cursor may change to an hourglass for a moment to indicate it is running. Once the cursor returns to normal, the uninstallation process will be complete. There is no need to restart your computer. WINDOWS XP AND 2000 USERS Be advised that the attached uninstaller will only work once, on one computer. If you need to uninstall ContextPlus from more than one computer, please contact support@contextplus.com to request another uninstaller. To uninstall ContextPlus using the Attached uninstaller for XP and Win2000, please follow these instructions: 1. Double-click and Open the attached zip file which should unzip the ContextPlus uninstaller and allow you to run it. 2. Double-click the uninstaller file to run it. 3. Your Windows Operating System may ask if you wish to Open or Run the uninstaller. To begin uninstallation, click "OK". 4. When you run the uninstaller, your mouse cursor may change to an hourglass for a moment. 5. Once the cursor returns to normal, the uninstallation process will be complete. There is no need to restart your computer. 6. If for some reason, you believe that the uninstallation was unsuccessful for your XP or Win2000 computer, you may have an older version of our software on your computer (or you are receiving ads from some other web site or software program.) To be sure you have removed us completely, please follow the instructions above for older Operating Systems and Run the installer at http://download.contextplus.net/apro...ninstaller.exe. This uninstaller will work for older versions of our software on any operating sytem. We apologize for any inconvenience this may have caused you. Sincerely, The ContextPlus Support Team ContextPlusUninstaller.gz ====

12-16-2005, 09:18 AM	#29 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell: It appears that the unregistered version of Spysweeper doesn't produce a hardcopy log, however, no malware was detected - so it came up clean again. That's good news. Firefox 1.5 seemes to be successfully blocking the yieldmanager popups. We may be able to wrap this thread up pretty soon. I feel badly about wasting so much of your time, but I probably have one of the cleanest systems around. I DO appreciate your help! Thank You! I have a couple of questions. In the course of this search I have the following packages installed on my computer: Ad-Aware AVG Virus scan Spyguard Spyblaster Spysweeper Spybot SD 1.4 Teatimer (broken OK box) IESpyad ZoneAlarm How much was for investigative purposes? How much is redundant? The irony is that malware compromises system responsinveness but so does all the protection software! In your opinion, which of these should I keep and which should I uninstall? Best Regards, Lou

12-16-2005, 06:58 PM	#31 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell, Thanks for all the help, what did you find out by dissecting the ContextPlus stuff? Lou

12-17-2005, 12:56 AM	#32 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,962 OS: Windows 7	Don't trust it....lol. That infection is one nasty mother. If you could see all the garbage this thing installs it's unreal. The uninstaller leaves a tag in the system which looks like it contacts the Context servers for some reason. So lets consider this solved unless you have another issue... Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below. Reset hidden/system files and folders Windows XP =============== Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 2000 =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Select the Advanced settings box option. Select the Hidden files Folders. Deselect the Show all files option. Click Yes to confirm. Click OK. Windows ME =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 95/98/98SE =============== Open My Computer. Select the View Select the Folder Options option. Select the View tab. option. Select the Advance Advanced settings box option. Select the Hidden files folder. Deselect the Show all files option Click Apply to confirm. Click OK. Create a new System Restore point Windows XP =============== Click Start >> Run - type SYSDM.CPL & press Enter Select the System Restore Tab Tick on the checkbox - "Turn off System Restore on all drives" Click Apply Then untick the same checkbox & click OK This deletes ALL restore points that had the infection and creates a clean one Windows ME =============== Click the Start tab. Select the Settings option. Select the Control Panel option. Double Click the System icon Performance tab option. Select File System Select the Troubleshooting tab Check the Disable System Restore box Click Apply to confirm. Click OK. Reboot the PC and repeat the above procedure again When you get to this option Uncheck the Disable System Restore box For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below. Click the Start button. Point to Programs, point to Accessories, point to System Tools, and then click System Restore. Choose Create a restore point, and then click Next. In the Restore point description box, type a name for your restore point, and then click Next. Click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system. Recommended Protection Programs Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. WinPatrol to monitor any changes that programs make to the registry. If you do not have a firewall, here are 4 free ones available for personal use: ZoneAlarm Avast Antivirus/firewall Tiny Personal Firewall OutPost Firewall In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use: Grisoft AVG Anti-Virus System Alwil Avast 4 Home Edition Softwin BitDefender Free Edition Version 7 In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place. Please respond to this thread one more time so we can mark this thread as resolved. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

12-20-2005, 11:46 PM	#33 (permalink)
LeftieLouie Registered User Join Date: Nov 2005 Location: Oregon Posts: 17 OS: Win98SE	MicroBell: Sorry about the delay in responding - we had a power outage in the middle of my last attempt to reply... Again, thanks for your input. FYI I always run with show extensions and show all files. I don't like an OS to decide what I should and shouldn't see, and Microsoft certainly has no reasonable or secure perspective on this. There is no system restore point for Win98SE, should I take a snapshot of the registry? Also, from time to time, I use WinZip to make a compresed copy of my system disk (minus the swap file and cache files), I use Question: I have been unable to actually uninstall Teatimer. I have opted to disable it from startup using MSCONFIG. Is there a better way? Question: I purchased SpySweeper, I like it's thoroughness. It appears that SpySweeper and Ad-Aware are redundant, should I keep both installed? Also, Spysweeper complains of corrupted installation under my Win98SE systems but seems robust and happy under my wife's WinXP system. Are you aware of SpySweeper compatibility issues with Win98SE? I dread the prospect of upgrading to WinME or XP, I have thousands of dollars of engineering tools that would break. The cost of conversion is prohibitive, yet I expect the sophistication of these infections may require upgrades. Best Regards, Lou