
Popups when active I-Net connection


visionthing

Technical User
Oct 16, 2003
I've been dealing with some nasty spyware for 3 days now and am spinning my wheels. Suggestions needed/appreciated.
When the PC is connected to the internet, pop-ups will launch by themselves without any user intervention. I've run Spybot, HijackThis, ewido, NAV and still same probs. In HijackThis, I'm seeing a reference to:

C:\windows\system32\phppju.exe

In the registry part of HijackThis I see this:

HKLM\..\Run: [KavSvc] C:\windows\system32\phppju.exe reg_run

When I look in Explorer for phppju.exe, it doesn't show up (yes, I have "show hidden files" marked)

I'm thinking that this is the culprit, but am not sure.
Any ideas???????
 
Hi,

You have a qoologic problem.

What is your operating system?



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
(If it is NT, try an ewido scan in SAFE mode:

If it is 9x, we'll have to have more info. )




-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Ewido should clean most of it if not all, but best to run find qoologic as diogenes says!



download FindQoologic-Narrator.zip save it to your Desktop.


Extract (unzip) the files inside into their own folder called FindQoologic. Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text opens, post it in a reply to your thread.

you might find you get an error message when first running this file, if so close it & run again and wait until file.txt opens on desktop.

Ignore the first list that opens with a long list of files and wait for FILE.TXT to pop up

It normally takes somewhere between 10 to 15 minutes depending on your computer so don't panic if it takes some time.


you should also download hijack this and post a log.


Download hijack this from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.
 
From FindQoologic, this is the file:

* web-nex C:\WINDOWS\System32\DATADX.DLL
* web-nex C:\WINDOWS\System32\INIIPCP.DLL
* winsync C:\WINDOWS\System32\DATADX.DLL
* rec2_run C:\WINDOWS\System32\DATADX.DLL
* KavSvc C:\WINDOWS\System32\INIIPCP.DLL
* datadx.dll C:\WINDOWS\System32\DATADX.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* UPX! C:\WINDOWS\QOOLREM.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\IRII.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
America Online Tray Icon.lnk
DESKTOP.INI
irii.exe

User Startup:
C:\Documents and Settings\username\Start Menu\Programs\Startup
.
..
DESKTOP.INI


In my 1st post is the relative HijackThis piece.

Thanks
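The two logs above point at the same problem from different angles: the Run key and FindQoologic both name files that the poster cannot see in Explorer. The script below is an added example (not something posted in this thread or part of HijackThis or FindQoologic) that parses lines in the shape of those two reports, merges every file path they reference, and marks each path as present or absent in a directory listing. The HijackThis lines, the FindQoologic lines and the "visible" listing are constructed here to mirror what the thread shows; on a real machine you would feed it the saved logs and a `dir /a` listing. A path that startup entries reference but the listing lacks is exactly the kind of entry worth treating as suspicious (hidden attribute, random name, or a file that only appears after reboot).

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the HijackThis and FindQoologic
# lines quoted in this thread.  These are not real captures.
HIJACKTHIS_LOG = """\
O4 - HKLM\\..\\Run: [KavSvc] C:\\windows\\system32\\phppju.exe reg_run
O4 - HKLM\\..\\Run: [AOL Tray] C:\\Program Files\\AOL\\aoltray.exe
"""

FINDQOOLOGIC_REPORT = """\
* web-nex C:\\WINDOWS\\System32\\DATADX.DLL
* winsync C:\\WINDOWS\\System32\\DATADX.DLL
* KavSvc C:\\WINDOWS\\System32\\INIIPCP.DLL
* UPX! C:\\WINDOWS\\QOOLREM.EXE
* exe C:\\docume~1\\alluse~1\\startm~1\\programs\\startup\\IRII.EXE
"""

# Constructed stand-in for what Explorer / "dir /a" actually shows the user.
# phppju.exe and irii.exe are deliberately absent, as in the thread.
VISIBLE_FILES = [
    r"C:\Program Files\AOL\aoltray.exe",
    r"C:\WINDOWS\System32\DATADX.DLL",
    r"C:\WINDOWS\System32\INIIPCP.DLL",
    r"C:\WINDOWS\QOOLREM.EXE",
]

# "...\Run: [Name] C:\path\file.exe <args>"  (path may contain spaces)
RUN_ENTRY = re.compile(
    r"\\Run:\s*\[(?P<name>[^\]]+)\]\s*"
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|com|bat))",
    re.IGNORECASE,
)
# "* tag C:\path\file"  as FindQoologic prints it
REPORT_ENTRY = re.compile(
    r"^\*\s+(?P<tag>\S+)\s+(?P<path>[A-Za-z]:\\\S.*?)\s*$", re.IGNORECASE
)


def _norm(path):
    """Windows paths compare case-insensitively; 8.3 names (docume~1) are kept as-is."""
    return path.strip().lower()


def parse_hijackthis_run(log):
    """Map each referenced path to the Run-key value names that point at it."""
    found = defaultdict(set)
    for line in log.splitlines():
        m = RUN_ENTRY.search(line)
        if m:
            found[_norm(m["path"])].add(m["name"])
    return found


def parse_findqoologic(report):
    """Map each referenced path to the FindQoologic tags attached to it."""
    found = defaultdict(set)
    for line in report.splitlines():
        m = REPORT_ENTRY.match(line)
        if m:
            found[_norm(m["path"])].add(m["tag"])
    return found


def correlate(hjt_log, fq_report, visible_files):
    """Merge both reports and flag every referenced file missing from the listing."""
    refs = defaultdict(set)
    sources = (("HijackThis", parse_hijackthis_run(hjt_log)),
               ("FindQoologic", parse_findqoologic(fq_report)))
    for src, entries in sources:
        for path, names in entries.items():
            refs[path].update(f"{src}:{n}" for n in names)
    visible = {_norm(p) for p in visible_files}
    return [
        {"path": p, "referenced_by": sorted(refs[p]), "visible": p in visible}
        for p in sorted(refs)
    ]


def hidden_references(rows):
    """Paths that startup entries reference but the directory listing does not show."""
    return [r["path"] for r in rows if not r["visible"]]


if __name__ == "__main__":
    for r in correlate(HIJACKTHIS_LOG, FINDQOOLOGIC_REPORT, VISIBLE_FILES):
        flag = "" if r["visible"] else "  <-- referenced but not in listing"
        print(f"{r['path']}  [{', '.join(r['referenced_by'])}]{flag}")
```

Run as-is it lists six files and flags `phppju.exe` and the startup-folder `IRII.EXE`; the same file named by several entries (DATADX.DLL under web-nex and winsync) is reported once with every reference attached, which is what you want when deciding which HijackThis lines belong together.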
 

You can try killboxing these and fixing your relevant hijackthis lines.

C:\windows\system32\phppju.exe
C:\WINDOWS\System32\DATADX.DLL
C:\WINDOWS\System32\INIIPCP.DLL
C:\WINDOWS\System32\DATADX.DLL
C:\WINDOWS\System32\INIIPCP.DLL
C:\WINDOWS\QOOLREM.EXE
C:\docume~1\alluse~1\startm~1\programs\startup\IRII.EXE

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
That's just the thing. Although these are showing up with HiJackThis, etc., it's not showing up when I look for it. I have all of the options turned on, i.e. show hidden files.

I'd love to delete them if they could just be found. I tried in normal and safe mode.
 
If you go to subratam.org and the removal tools menu, you can get a program called killbox.

When you use that, it is a matter of pasting a file path to delete into the box and then selecting an immediate delete or delete on reboot.

If you answer delete on reboot, then say no to rebooting until you have pasted all the files in.

If you google on this file:
DATADX.DLL
You will find threads on the help sites and you can see how it is being dealt with.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Download the pocket killbox






* Download the trial version of Ewido Security Suite here



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.




*Download Cleanup from Here


* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET




* Click here for info on how to boot to safe mode if you don't already know how.


How to boot to safe mode



* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.



C:\windows\system32\phppju.exe
C:\WINDOWS\System32\DATADX.DLL
C:\WINDOWS\System32\INIIPCP.DLL
C:\WINDOWS\QOOLREM.EXE
C:\docume~1\alluse~1\startm~1\programs\startup\IRII.EXE



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.





post another log and the ewido log
 
Be sure to check "search in System Folders" if you're using the Search function.

Also check C:\Windows\PreFetch
 