
Registered · 3 Posts · Discussion Starter · #1
Ok, every time I start up the internet, the first time I open my browser window I get a popup from some portland.co.uk hosted site that says it's exceeded its allotted bandwidth limit (obviously because it's been whoring itself out in adware). So I need help on removing it.
I've tried running ad-aware to no avail, so here's my hijackthis log file. Just let me know if you find anything that I should get rid of.

Logfile of HijackThis v1.98.2
Scan saved at 10:03:02 PM, on 14/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vpc32.exe
C:\187.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\3web\3web.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Kent\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestpageintheuniverse.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\187.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AD90A35-B936-4E0E-82A6-0F2B6FF30439}: NameServer = 209.197.128.2 209.195.95.95
 

Retired Moderator · 14,262 Posts
Hi SirKent

Welcome to Tech Support Guy Forums!

Please update HijackThis; your version is out of date.

Run an online antivirus check from at least one and preferably 2 of the following sites
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://security.symantec.com/default.asp?
http://www.ravantivirus.com/scan/
Allow them to clean/delete any spyware/malware or viruses/trojans they may find.
Make a note of any files flagged that were unable to be cleaned or deleted.

Download or verify you have the most recent versions of:
Ad-Aware SE 1.05
Spybot-S&D (ver. 1.3) and
HijackThis (ver 1.99)

Install Ad-Aware SE and Spybot-S&D and check each of them in turn for updates.

For Ad-Aware SE click on Full System Scan and deselect Search for negligible risk entries.
Let Ad-Aware SE remove what it finds.
Run Spybot-S&D and have it fix what it finds marked in Red.

Install HijackThis to a FOLDER on your C or main hard drive; do NOT install HijackThis to a temporary folder.
This will allow HijackThis to properly create backup files.

After running your online virus scans and running Ad-Aware SE and Spybot S&D, close all programs and reboot to complete the removal process.
After Rebooting your computer,
start HijackThis
click on Do a system scan and save a logfile.
Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Close HijackThis and post your logfile here and one of our security experts will take a look at it.

Thank you for your patience, there are many HijackThis logs for them to go over.
 

Registered · 46,465 Posts
Hi SirKent

Welcome to TSG! :)

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
 

Registered · 3 Posts · Discussion Starter · #4
Ok, I ran the latest versions of Ad-Aware and Spybot and it got rid of quite a bit, but the main problem is still there. So here's my new HijackThis log file from v1.99 like you instructed:

Logfile of HijackThis v1.99.0
Scan saved at 12:23:28 PM, on 15/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\187.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\vpc32.exe
C:\Program Files\3web\3web.exe
D:\Program Files\WinAMP\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestpageintheuniverse.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\187.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AD90A35-B936-4E0E-82A6-0F2B6FF30439}: NameServer = 209.197.128.2 209.195.95.95
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
 

Registered · 46,465 Posts
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe

O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\187.exe

O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe

O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab

O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab

O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Now find and delete these files:

C:\187.exe
C:\WINDOWS\System32\vpc32.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Empty the Recycle Bin

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

IMPORTANT!: I see that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See This thread for some good free ones.

IMPORTANT!: I highly recommend that you go to Windows Update and install all "Critical Updates and Service Packs" except for Service Pack 2 ASAP! This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDIATELY!

Note: At this time I do not recommend that you install Service Pack 2 until you have read the info at the following links and are sure that it will not cause problems with your system:

http://www.microsoft.com/windowsxp/using/security/expert/russel_installsp2.mspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;884130

http://support.microsoft.com/default.aspx?kbid=842242

http://support.microsoft.com/default.aspx?scid=kb;en-us;878474
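The fix list in the post above comes down to a handful of checks a log reviewer applies by eye to the O4 (autostart) and O16 (ActiveX download) lines: a Run-entry name that poses as Windows Update, a binary dropped straight into the drive root with a numeric name, the same binary registered under several autostart keys including the Windows 9x-era RunServices key, and ActiveX controls "downloaded" from a local file:// cab. The script below writes those checks down as an added example; it is my code, not HijackThis's and not the helper's procedure, and the names triage(), flagged_lines() and executable_of() are its own. The sample entries are copied from the second log in this thread. Run over them it flags the three vpc32.exe entries, C:\187.exe and the file:// cabs, leaves MsnMsgr, NeroCheck and the HouseCall control alone, and does not pick up UpdReg, which no rule of this kind catches.

```python
"""Scripted triage of HijackThis O4 (autostart) and O16 (ActiveX DPF) lines.

Added example for this thread; it is not HijackThis code and not the helper's
own procedure, only the checks a log reviewer applies by eye, written down.
triage(), flagged_lines() and executable_of() are names of this example.
"""
import re

# Sample input: entries copied from the second log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe",
    r"O4 - HKLM\..\Run: [Windows Service Pack Auto Update] C:\187.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    r"O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe",
    r"O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab",
    r"O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - "
    r"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab",
])

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# First executable in a command line, quoted or not (paths with spaces included).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?:\s|$)', re.I)
# Run-entry names that pose as the Windows update mechanism. Windows Update
# itself does not register under a Run key, so such a name is a red flag.
MASQUERADE_RE = re.compile(r"(microsoft|windows).*update|service\s*pack", re.I)


def executable_of(cmd):
    """Return the program path from an O4 command line, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split(" ", 1)[0]


def _parsed(log_text, regex):
    """Pair every line that matches regex with its match object, in log order."""
    return [(line, regex.match(line)) for line in log_text.splitlines() if regex.match(line)]


def triage(log_text):
    """Return [(raw_line, [reason, ...])] for every O4/O16 line that trips a rule."""
    o4 = _parsed(log_text, O4_RE)

    # Which distinct autostart keys point at the same binary name
    # (vpc32.exe in this thread is registered under three of them).
    key_sets = {}
    for _, m in o4:
        base = executable_of(m["cmd"]).rsplit("\\", 1)[-1].lower()
        key_sets.setdefault(base, set()).add(m["hive"] + "\\" + m["key"])

    findings = []
    for line, m in o4:
        exe = executable_of(m["cmd"])
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if MASQUERADE_RE.search(m["name"]):
            reasons.append("entry name poses as Windows Update, which never registers a Run entry")
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
            reasons.append("executable sits in a drive root")
        if re.fullmatch(r"\d+\.exe", base):
            reasons.append("purely numeric file name")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is a Windows 9x key; XP software has no reason to write it")
        if len(key_sets[base]) > 1:
            reasons.append(f"same binary registered under {len(key_sets[base])} autostart keys")
        if reasons:
            findings.append((line, reasons))

    for line, m in _parsed(log_text, O16_RE):
        if m["url"].lower().startswith("file://"):
            findings.append((line, ["ActiveX control installed from a local cab (file://), "
                                    "i.e. dropped on disk rather than fetched from a site"]))
    return findings


def flagged_lines(log_text):
    """Just the raw lines a reviewer should look at first."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```

To use it on a saved log, read the file and pass its text to triage(); each finding carries the raw line so it can be matched against the HijackThis checkbox list directly. The rules are deliberately narrow: an unqualified file name such as vpc32.exe or Ati2mdxx.exe is not flagged on its own, because legitimate drivers register that way too, so vpc32.exe is caught by its name and its triple registration rather than by its path.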
 

Registered · 3 Posts · Discussion Starter · #6
Thanks loads. It worked like a charm. I turned off Windows Update a while back because I'm running on a 28.8kbps modem, so it takes quite a while to download each of them. But if they're that important I guess I'll turn it back on.

Also, I'll check out those anti-virus programs listed in that thread you linked. I have a copy of Norton, but I don't imagine it's very secure by now.

Thanks for all the help!
 

Registered · 46,465 Posts
SirKent said:
Thanks loads. It worked like a charm. I turned off Windows Update a while back because I'm running on a 28.8kbps modem, so it takes quite a while to download each of them. But if they're that important I guess I'll turn it back on.

Also, I'll check out those anti-virus programs listed in that thread you linked. I have a copy of Norton, but I don't imagine it's very secure by now.

Thanks for all the help!
You're Welcome! :)
 