1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ULWindowSeek and ULWindowURL

Discussion in 'Windows - Virus and spyware problems' started by chellak, Jun 2, 2006.

  1. chellak

    chellak Member

    Joined:
    Jun 2, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    I keep getting two windows popping up every 5 minutes - ULWindowSeek and ULWindowURL.

    I am using Windows 98.

    Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:28:51 PM, on 3/06/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\MALWARESWEEPER.COM\MALWARE SWEEPER\MALSWEP.EXE
    C:\WINDOWS\SYSTEM\W98EJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\W98EJECT.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\INSTALLERS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpmg.com.au/
    F1 - win.ini: run=hpfsched
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WINOJK32] rundll32 WINOJK32.DLL,run
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Malware Sweeper] C:\PROGRAM FILES\MALWARESWEEPER.COM\MALWARE SWEEPER\MALSWEP.exe /STARTUP
    O4 - HKCU\..\RunServices: [Malware Sweeper] C:\PROGRAM FILES\MALWARESWEEPER.COM\MALWARE SWEEPER\MALSWEP.exe /STARTUP
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: w98Eject.lnk = C:\WINDOWS\SYSTEM\w98Eject.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi chellak.

    Are you sure that it was the whole log?

    You don't have a firewall or an antivirus on your computer, (you have uninstalled McAfee?).

    Download and install one firewall and one antivirus.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio--> http://www.sunbelt-software.com/Kerio.cfm
    Outpost-> http://www.agnitum.com

    These are good (free) antiviruses:
    AVG Antivirus --> http://www.grisoft.com
    Avast --> http://www.avast.com

    Cleaning instructions:

    Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
    Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

    1. Updating the scanner (close the eScan window if open)
    -> Go to My Computer
    -> C:\
    -> Kaspersky
    -> Run the file kavupd.exe, it starts downloading updates
    -> When downloading is finished, go to C:\Downloads
    -> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
    -> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
    -> Answer Yes to all when it asks about replacing files
    -> Now the scanner has been updated

    2. Scanner settings
    -> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
    -> The scanner window opens
    -> Select the same settings than in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
    -> When ready, press the Scan Clean button
    -> Scanning for infections begins

    3. Posting the results
    -> When the scan has finished (scan may take a quite long time), you'll need to post the findings
    -> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
    -> Click the field, press CTRL+A, CTRL+C
    -> Then open Notepad and paste the findings into a new document by pressing CTRL+V
    -> Save the document to your desktop
    -> Post the contents of that textfile to here

    Download and run a scan with WinPFind-> http://www.bleepingcomputer.com/files/winpfind.php
    Follow the instructions on that site and post its log to here.

    Post a new HijackThis log, WinPFind log and eSacn findings to here.
     
    Last edited: Jun 2, 2006
  3. chellak

    chellak Member

    Joined:
    Jun 2, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Thanks so much for helping me out!

    After I download the http://www.spywareinfo.dk/download/mwav.exe file, when I try to open it, I get an error message saying that the file is damaged. Is there another source of this file that I can use instead?

    The reason why McAfee has been uninstalled was that I had to reinstalll Windows. McAfee became uninstalled in the process. Do you know of any tools that I can use to remove the programs that became uninstalled when I reinstalled Windows?

    In regards to the firewall, I am on dial-up, which I thought meant that I don't need a firewall. Is this correct? Or should I get one anyway?

    Thanks!
    Chellak
     
  4. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok sorry, I missed something :)

    And yes, you still need a firewall even if you use a dial-up connection...

    We can clean those McAfee remainings too...

    But install a firewall and an antivirus.

    Cleaning instructions:

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKLM\..\Run: [WINOJK32] rundll32 WINOJK32.DLL,run
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\PROGRAM FILES\MCAFEE.COM

    Use the Windows "search" function
    -> Start
    -> Search
    -> Make sure that you serch from hidden files and folders too
    -> search for this and delete if found WINOJK32.DLL

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Try downloading that eScan installer again the run a scan with the program.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> eScan results
     
    Last edited: Jun 4, 2006
  5. chellak

    chellak Member

    Joined:
    Jun 2, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    I followed your instructions, but I'm still getting the same error. The file downloads about 2MB of the 12MB, and then stops. When I try to open the file, I get the error message "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again."
     
  6. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46

Share This Page