Please help with WinPup
-
To make a long story short, I've been trying to get rid of whatever malware had been causing my IE to crash. According to Ad-Aware and Trend Micro my system is clean now (and seems to be behaving OK), but every time I run Spybot it finds WinPup. I check the box to delete it, but when I restart and run Spybot again, it's back.
Can someone please help me? I'm not sure what to do. Please find my HijackThis log below. Thanks.
Logfile of HijackThis v1.99.0
Scan saved at 2:46:15 AM, on 11/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\TOOLS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://E:\ENGLISH\VJ.CD\VJ98\VSTUDIO6.CAB
O16 - DPF: Microsoft WFC Forms Designer - file://E:\ENGLISH\VJ.CD\VJ98\WFCFORMS.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
-
Welcome to DAL,
Not much showing in your log.
Look in Add/Remove Programs and see if WinPup is there; if so, try to remove it.
Then do some scans here:
Make Internet Explorer your default browser while doing these scans, or they will not work in Firefox.
Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:
http://www.pandasoftware.com/product..._principal.htm
Internet Explorer required
Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html
Both scanners will make logs if anything is found; please post those and a new HJT log.
-
Thanks Neal. I really appreciate your help.
1.) My add/remove program looks good. Nothing strange. No Winpup.
2.) Panda Activescan gave me a clean bill of health.
3.) BitDefender crashed my computer twice (blue screen of death). I assume this is a ME issue though. It gets more outdated every day.
FYI - I think I had WinPup at one time, since Trend Micro found its alias ADW_WINAD.A and took care of it. I'm hoping I'm clean now??? I hope.
What do you think? I feel pretty good, but my IT guy at work says all of these programs find different stuff, so if Spybot finds something, it's a real problem. Also, it scares me too because that whole "returns on restart" thing gives me CoolWebSearch flashbacks; I still wake up in cold sweats sometimes.
Thanks. Looking forward to your reply.
Last edited by Draco; 14-11-2005 at 02:52 AM.
-
Look for these in the system folder; if found, delete them:
Winpup.exe
Winpup32.exe
If you are not having a large number of popups, then it could be nothing to worry about, as WinPup is notorious for a large number of popups.
Read this:
http://securityresponse.symantec.com...re.winpup.html
-
I searched for the WinPup files you mentioned and did not find them. I did find 6 WinPup zip files in my Spybot recovery directory though.
I never got the pop-ups, but my symptom (IE crashes) was consistent with someone else who had the malware, according to a Google search I did.
Do you think Spybot could be wrong about this? Thanks.
-
Empty the Spybot recovery and scan again and see what happens.
Go for an online Trojan scan just to make sure.
Trojan Scanner
Let me know what happens there.
-
Hi Neal. Thanks.
I emptied the recovery folder, ran Spybot again and it still found WinPup.
Looks like something is going on, as the trojan scan found:
C:\WINDOWS\SYSTEM\addyz.dll
C:\Program Files\Windows ServeAD\WinServSuit.exe
C:\Program Files\Windows ServeAD\WinAtServe.dll
C:\tools\backups\backup-20050105-180614-940.dll
C:\tools\backups\backup-20050105-183943-391.dll
C:\tools\backups\backup-20050105-184429-261.dll
I'm going to try to use the tool to eliminate them. I'll update you.
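A small triage helper for the HijackThis log format shown in the first post, using the file names and folder reported in this post as indicators. This is an added illustration, not code from the thread or from HijackThis; the sample log is constructed, and its WinServSuit autorun line is hypothetical, built from the path the trojan scan reported.

```python
import re

# Constructed sample in the HijackThis v1.99 log format used in this thread.
# The WinServSuit autorun line is hypothetical (path taken from the trojan scan
# output posted above); the other lines are from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\Run: [WinServSuit] C:\Program Files\Windows ServeAD\WinServSuit.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
"""

# File names and folder named in this thread for WinPup / ADW_WINAD.A.
INDICATORS = ("winpup.exe", "winpup32.exe", "windows servead",
              "winservsuit.exe", "winatserve.dll", "addyz.dll")

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
AUTORUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (code, body) for each HijackThis item line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return (code, reason, body) for the entries a reviewer should look at first."""
    flagged = []
    for code, body in parse_entries(log_text):
        lowered = body.lower()
        if code == "O4":  # autorun: pull the launched path out of the command line
            run = AUTORUN_RE.match(body)
            path = PATH_RE.search(run.group(4)) if run else None
            target = path.group(0).lower() if path else lowered
            if any(ind in target for ind in INDICATORS):
                flagged.append((code, "autorun matches an indicator from this thread", body))
        if "(file missing)" in lowered:
            flagged.append((code, "points at a file that no longer exists", body))
        if code == "O15":
            flagged.append((code, "trusted-zone change; confirm it was intentional", body))
    return flagged


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```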
-
Look in the Program Files folder for a folder named Windows ServeAD; kill that sucker.
Show hidden files/folders
1. Open My Computer.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the Hidden files and folders heading select Show hidden files and folders.
5. Uncheck the Hide protected operating system files (recommended) option.
6. Click Yes to confirm.
7. Click OK.
8. Click Start, Programs and Accessories and open Windows Explorer.
9. Select a hard drive from the left hand side of the Windows Explorer window.
10. Select View the Entire contents of this drive.
Boot into safe mode to delete the folder
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Last edited by Neal; 15-11-2005 at 02:11 AM.
-
Hi Neal. I did what you said, but Spybot still finds Winpup.
I also downloaded the a2 program and ran it. They are legit, right? Thanks.
-
a2 is legit.
Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html
Install and run it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.
1. Uncheck "Cookies" under "Internet Explorer".
2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Please download silentrunners from here:
SilentRunners
Post the log it makes back here for me to look at.
Please download the free MWAV antivirus tool from here:
MWAV
Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.
This tool will not remove anything but will show just about everything.