full time job - winstat?

Discussion in 'Malware Help (A Specialist Will Reply)' started by mudbucket, Feb 8, 2005.

  1. mudbucket

    mudbucket Private E-2

    I scanned your forums - interesting.
    My problems seem... well, unique.
    I went through the entire tutorial. (full time job)
    Still have a few problems. Could use a little help.

    I completed Scanning And Cleaning Steps 1 thru 4
    1:a) "Housecall" - needed to ctrl-alt-del and close Tsc for the system scan to continue - found 7 infected files: troj_agent.r, .l and troj_uploader.f, and js_noclose.c, .i, and .e - deleted all, went offline and restarted.
    Symantec Security Check - needed to update virus definitions, scanned again - "consider updating your antivirus software to the latest version" - "Virus Check: 111129 files scanned, 0 file(s) infected on your disk drives. No viruses were detected in memory. Your computer is free of known viruses and Trojan horses."
    Booted in safe mode and ran McAfee AVERT Stinger.

    2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. Ran CCleaner. "CCLEANER caused an exception 10H in module MSVBVM60.DLL at 0167:73444b1a." I tried disk cleanup - shows no temp internet files and no temp files, yet the folders are full of 'em.

    3: Main Spyware Scan And Removal; Ad-Aware SE Ad-Aware VX2 Cleaner Plug-In and Spybot w/DSO Exploit patch
    Ad-Aware smart scan hung up. I cancelled. Tried Full system scan - hung up during conditional scans - says Busy but nothing is happening. I cancelled. (had trouble with an earlier version of AdAware and uninstalled a year ago) S&D found 4 problems fixed, immunized 84 add'l protections. (been using S&D and ZoneAlarm for about a year)

    4: Secondary Spyware Scan And Removal:
    "Your system was completely clean." Windows 98 (4.10.2222 A) CWShredder v1.59.1 - Ran about:Buster - did not find anything although I have seen the about:blank address in IE.

    With all of this I still find these processes running on normal bootup: Cxtpls_loader_ff, Winstat, Winstatkeep
    I see "Opening page about:blank" (briefly) in the lower left IE window when launching - my.Netzero page. I have browser problems such as pages don't fully load - refresh 2-3x helps. For example I open a new window, Spybot blocks doubleclick, I see addresses (briefly) in the lower left IE window (like doubleclick), and then I get an incomplete page.
    Note: about a month ago NAV scan started and indicated "changes to boot record", repaired boot record.
    Looking forward to your reply.
    Thanks in advance.
    Got HJT 1.99
     
  2. TheOldThug

    TheOldThug First Sergeant

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. mudbucket

    mudbucket Private E-2

    Had a little trouble getting back to my thread
    tripped on AvenueA
    .log file attached
     

  4. TheOldThug

    TheOldThug First Sergeant

    Will try to get someone to look at log today. Hang in there.
     
  5. mudbucket

    mudbucket Private E-2

    :)
    will do
     
  6. TheOldThug

    TheOldThug First Sergeant

    A couple of questions.

    Were you successful in running the Trend Micro online scan?
    Did you intentionally download this gamebar malware?
     
  7. TheOldThug

    TheOldThug First Sergeant

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Gamebar
    WINDOWS ADSTATUS

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    FSScrCtl.exe
    WINSTAT.EXE
    CXTPLS_LOADER_FF.EXE

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\GAMEBAR.DLL
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\GAMEBAR.DLL

    O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\TEMP\CXTPLS_LOADER_FF.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

    O9 - Extra button: (no name) - {011E1110-AF57-11d4-AC1C-E843E6000000} - (no file) (HKCU)

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/c...everContent.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...Bridge-c135.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...tgameloader.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following files and folder if they should remain:

    C:\WINDOWS\DOWNLO~1\GAMEBAR.DLL
    C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    C:\WINDOWS\FSScrCtl.exe
    C:\PROGRAM FILES\WINDOWS ADSTATUS <-- the whole folder
    C:\TEMP\CXTPLS_LOADER_FF.EXE

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
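    As an added example (not from this thread or from any of its participants), a small Python parser for HijackThis log lines of the kinds quoted above (O2/O3/O4/O16) that pulls out each entry's section, CLSID and file/URL target, then flags entries whose CLSID or file name matches the items the reply lists. The sample lines are copied from the reply and the indicator set is assumed from it; a defender would use such a check to triage a posted log before deciding what to fix.

```python
import re

# Constructed sample: HijackThis lines of the kinds quoted in the reply above.
SAMPLE_LOG = r"""
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\GAMEBAR.DLL
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\GAMEBAR.DLL
O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\TEMP\CXTPLS_LOADER_FF.EXE" /PC=CP.CDT3 /ForSupportedBrowsers
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
"""

# Indicators assumed from the items the reply tells the poster to fix or delete.
BAD_CLSIDS = {"{4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D}"}
BAD_NAMES = {"GAMEBAR.DLL", "SEARCH~1.DLL", "WINSTAT.EXE", "CXTPLS_LOADER_FF.EXE", "FSSCRCTL.EXE"}

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
# O4 Run entries look like '[name] "path" /switches' or '[name] path'; Startup entries 'x.lnk = path'.
O4_RUN_RE = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]+?)"?(?:\s+/|$)')
O4_LNK_RE = re.compile(r"=\s*(.+)$")


def parse_hjt_line(line):
    """Split one HijackThis line into its section (O2, O4, ...), CLSID and file/URL target."""
    section, _, body = line.partition(" - ")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    if url:
        target = url.group(0)                       # O16 DPF: the CAB download URL
    elif section == "O4":
        m = O4_RUN_RE.search(body) or O4_LNK_RE.search(body)
        target = m.group(1) if m else None
    else:
        target = body.rsplit(" - ", 1)[-1]          # O2/O3: DLL path after the last ' - '
    return {"section": section, "clsid": clsid.group(0).upper() if clsid else None, "target": target}


def flag_entries(log_text):
    """Return parsed entries whose CLSID or target file name matches a known indicator."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_hjt_line(line)
        name = (entry["target"] or "").replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if entry["clsid"] in BAD_CLSIDS or name in BAD_NAMES:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(e["section"], e["clsid"], e["target"])
```

    The O16 PopCap entry is parsed but not flagged, since only the named files and the Game Bar CLSID are in the indicator set; extend BAD_NAMES or BAD_CLSIDS to cover the remaining items from the reply.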
     
  8. mudbucket

    mudbucket Private E-2

    Were you successful in running the Trend Micro online scan?
    I don't think it was scanning properly, as I recall it hung up - I used task manager to End Task: Tsc (?) and the system scan continued. It found 7 infected files (trojans). I deleted all, got offline and restarted. As far as I know it worked OK but you don't get a log.

    Did you intentionally download this gamebar malware?
    It was intentionally downloaded.
     
  9. mudbucket

    mudbucket Private E-2

    HJT log attached.

    These processes appear to be history: Cxtpls_loader_ff, Winstat, Winstatkeep :) (also Fsscrctl and gamebar)

    I still see "Opening page about:blank" (briefly) in the lower left IE window when launching - my.Netzero page. Still having browser problems. For example: I open a new window, Spybot blocks doubleclick or Avenue A, I see addresses (briefly) in the lower left IE window (like doubleclick), and then I get an incomplete page - refresh 2-3x and the page loads completely. It seems like the pages will load OK unless S&D blocks a bad download while the page is trying to load.

    No trouble with the instructions - thanks again for your help.
     

    Last edited: Feb 10, 2005
  10. TheOldThug

    TheOldThug First Sergeant

    I want you to check a file for me.
    ATIPTAAA.EXE

    Its location is:
    C:\WINDOWS\SYSTEM\ATIPTAAA.EXE

    Find the Properties/Version info and let me know.
     
  11. TheOldThug

    TheOldThug First Sergeant

    Never mind. I finally figured out what that file is. I just don't see anything in your log that jumps out at me. I will try to get PP to look at it and see if they can come up with something.
     
  12. mudbucket

    mudbucket Private E-2

    Thanks - I'll check in later...
     
  13. TheOldThug

    TheOldThug First Sergeant

    Neither Phillie nor I see anything wrong with your HJT log.

    Spybot has been known to have issues with DoubleClick - you might try to make sure it is set to "Block Bad Items Silently" - I can't remember the actual message.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  14. mudbucket

    mudbucket Private E-2

    Looks like you all are keeping busy... :) :)

    I set Spybot to block silently and the pages load normally now. :)

    I did the recommended Reset Web Settings.

    I still see "Opening page about:blank..." (briefly) in the lower left IE window when launching - is this a problem?
    Also, I have now noticed the little red "Privacy Report" thingy towards the bottom right side of the IE window. This may appear when opening a page. Clicking on it opens a list of blocked cookies from sites like mediaplex, hitbox, tribalfusion, adserver, fastclick etc. that appear to be downloading as the page is opening. Is this normal? Never noticed it before now.

    Unless you indicate otherwise, I think I'm straight for now.
    Thanks.
     
  15. TheOldThug

    TheOldThug First Sergeant

    The 'little red thingy' is fine, that is normal. I would not worry about the brief about:blank unless it becomes a problem.

    Now go here and protect yourself. Use Firefox as your browser.

    Glad you got it all fixed. ;) You should check this out now: How to Protect yourself from malware!
     