msgsvr, searc-h.com,shopathomeselect, etc.



#1
kiwiscott

kiwiscott

    Member

  • Member
  • PipPip
  • 14 posts
Hi, I don't know much about these things, all I know is I need help! I reviewed the requirement and completed as much as I could with my computer crashing constantly (took 3 reboots just to get this message posted!) Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:19 PM, on 9/18/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://castle.webex...bex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.rapidsurv...RSG/XUpload.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://amazon.kodakg..._1/axofupld.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -

Thank you!!!
  • 0
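An added example, not part of the original thread and not code from HijackThis or Spy Sweeper: it parses the `O16 - DPF` lines of the HijackThis log above and matches each control's CLSID against the registry traces in the Spy Sweeper log posted later in this thread. The sample lines are copied from those two logs; the function names and the `unlabelled` field are assumptions made for this illustration.

```python
import re

# Constructed sample input: lines copied from the HijackThis log above and
# from the Spy Sweeper registry sweep posted later in this thread.
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://castle.webex...bex/ieatgpc.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
"""

SPYSWEEPER_LOG = r"""
11:06 AM: Found Adware: delfin
11:06 AM: HKLM\software\mvu\ (2 subtraces) (ID = 124885)
11:07 AM: Found Adware: roings search enhancment
11:07 AM: HKLM\software\microsoft\code store database\distribution units\{e0ce16cb-741c-4b24-8d04-a817856e07f4}\ (4 subtraces) (ID = 140141)
11:07 AM: Found Adware: searchrelevancy
11:07 AM: HKCR\searchrelevant\ (3 subtraces) (ID = 141291)
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CLSID_RE = re.compile(CLSID)
# Shape of a line: O16 - DPF: {CLSID} (optional name) - optional source URL
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>" + CLSID + r")"
    r"(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S.*)?$"
)
# Shape of a line: 11:07 AM: Found Adware: <detection name>
FOUND_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: Found (?P<kind>[^:]+): (?P<name>.+)$")


def parse_o16(hijackthis_log):
    """Return one dict per O16 (Downloaded Program Files) entry."""
    entries = []
    for line in hijackthis_log.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(
                {"clsid": m["clsid"].upper(), "name": m["name"], "url": m["url"]}
            )
    return entries


def clsid_detections(spysweeper_log):
    """Map each CLSID seen in a trace line to the detection it is listed under."""
    detections = {}
    current = None
    for line in spysweeper_log.splitlines():
        line = line.strip()
        found = FOUND_RE.match(line)
        if found:
            current = found["name"]  # the trace lines that follow belong to it
            continue
        if current is None or "Warning:" in line:
            continue
        for clsid in CLSID_RE.findall(line):
            detections.setdefault(clsid.upper(), current)
    return detections


def triage(hijackthis_log, spysweeper_log):
    """Join the O16 entries with scanner detections on CLSID (case-insensitive)."""
    detections = clsid_detections(spysweeper_log)
    rows = []
    for entry in parse_o16(hijackthis_log):
        rows.append(
            {
                **entry,
                "detection": detections.get(entry["clsid"]),
                # No name and no source URL: nothing in the log identifies it.
                "unlabelled": entry["name"] is None and entry["url"] is None,
            }
        )
    return rows


if __name__ == "__main__":
    for row in triage(HIJACKTHIS_LOG, SPYSWEEPER_LOG):
        print(row["clsid"], row["name"], row["url"], row["detection"], row["unlabelled"])
```
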

#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download CWShredder from http://www.trendmicro.com/cwshredder/
Use the Fix button.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder)

Regards,
  • 0

#3
kiwiscott

kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi, CWShredder didn't find anything.

I downloaded WinPFind and then tried several times to restart in safe mode, but it won't work. I tried the F8 method a couple of times, but it won't take me to the boot menu - it just starts up normally. I also tried using the ctrl key, but the same thing happened.

So I tried WinPFind in normal mode anyway and ended up with a blue screen.

Now what do I do?

By the way, here is a list of SOME of the weird things I'm finding on my computer:
AutoLaunch
Shopathomeselect
searc-h
paypopup
party poker
selectrebates
pacimedia
wvdxregu
msgsrv32
and rundll32 seems to have something to do with at least one of these because if I end task, then check again after getting another popup, it's right back in there again.

Also, when I shut down, I usually get a window saying that some program is not responding (wait, end task, or cancel). It's almost always AutoLaunch in addition to two or three blank ones. Then when I click End Task, I get the blue screen.

My computer is really messed up. I appreciate your time and help with this!
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download, unzip and run About:Buster http://www.malwareby...boutBuster5.zip
Reboot into safe mode and run it.
It usually takes two runs to get cleaned.
  • Download the Backdoor.Agent.B Removal Tool from Symantec.
  • Follow Symantec's instructions for how to run it.
  • Be sure to save the log file. I will need to see it later.
  • Restart your computer.
Then try this method to get into safe mode:
http://service1.syma...ion=1#_Section1

If it works I'd like to see the WinPFind log.

Regards,
  • 0

#5
kiwiscott

kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thank you for the safe mode instructions. I was able to reboot into safe mode and run AboutBuster5 and FxAgentB. Both found nothing. Here are their logs:
____________________________________________________________________

AboutBuster 5.0 reference file 28
Scan started on [9/23/05] at [10:14:31 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:14:34 AM


AboutBuster 5.0 reference file 28
Scan started on [9/23/05] at [10:15:43 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:15:45 AM
____________________________________________________________________

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


Backdoor.Agent.B has not been found on your computer.
__________________________________________________________________

I have not been able to complete a WinPFind scan. The first few times I tried it, it stopped responding when it got to C:\MyBackup.qic. Then before my last attempt, I rebooted into safe mode again and hit ctl-alt-del to see if there was anything running that may be causing it to stop responding. The only thing in there was Rundll32, which I shut down. This time, WinPFind stopped at C:\MyBackup.qic again, but I left it alone to see if it would eventually get past it. The next time I looked at my monitor, it had gotten past it but had stopped responding again, and there was a window open that said Rundll32 has performed an illegal operation and will be shut down. I clicked ok and the window stayed and everything was frozen again.
So I'm still without a WinPFind log.
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let's see if SpySweeper can find the files.

Download it from here: http://www.majorgeek...wnload3263.html
Install it and do a full system scan.

Regards,
  • 0

#7
kiwiscott

kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I downloaded and tried to scan, but it froze up so I rebooted into safe mode and scanned. The first sweep found and quarantined 100 items. Then I rebooted into normal mode and a box opened with this message:

Runtime Error!
Program: C:\WINDOWS\EXPLORER.EXE
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

I have no idea what that means. I didn't click OK, I just left the box there and was able to run another sweep anyway. The second pass found 8 items. Would you like to see the log?
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yes please. Show me the log.

And let me know if the explorer.exe error was a one time event or if it is still happening.

Regards,
  • 0

#9
kiwiscott

kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I am still getting the explorer.exe error every time I start up. If I click OK, then everything disappears and I'm left with a blank green screen. Can't even ctrl-alt-del. Here is a spy sweeper log. Even after quarantining all of these items, I'm still getting the popups. grr.

********
11:01 AM: |··· Start of Session, Sunday, September 25, 2005 ···|
11:01 AM: Spy Sweeper started
11:01 AM: Sweep initiated using definitions version 540
11:01 AM: Starting Memory Sweep
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 015816F0
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 0158B424
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 02AFFE80
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:01 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 02B0D4F0
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 02B3C844
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:02 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 03430FA4
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 02B8F6B8
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 034E4344
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 02C7262C
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:03 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 036193D0
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 033D25F0
11:04 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 004DF3CF in module 'WRSSSDK.EXE'. Read of address 038DD3BC
11:05 AM: Memory Sweep Complete, Elapsed Time: 00:03:42
11:05 AM: Starting Registry Sweep
11:05 AM: Found Adware: altnet
11:05 AM: HKLM\altnet\ (2 subtraces) (ID = 103447)
11:05 AM: Found Adware: blazefind
11:05 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/bridge.dll\ (2 subtraces) (ID = 104526)
11:05 AM: Found Adware: blazefind_adstat
11:05 AM: HKLM\software\classes\winstatx.installer\ (3 subtraces) (ID = 104588)
11:05 AM: HKCR\winstatx.installer\ (3 subtraces) (ID = 104594)
11:06 AM: Found Adware: delfin
11:06 AM: HKLM\software\microsoft\windows\currentversion\uninstall\displayutility\ (2 subtraces) (ID = 124879)
11:06 AM: HKLM\software\mvu\ (2 subtraces) (ID = 124885)
11:07 AM: Found Adware: roings search enhancment
11:07 AM: HKLM\software\microsoft\code store database\distribution units\{e0ce16cb-741c-4b24-8d04-a817856e07f4}\ (4 subtraces) (ID = 140141)
11:07 AM: Found Adware: searchrelevancy
11:07 AM: HKCR\searchrelevant\ (3 subtraces) (ID = 141291)
11:07 AM: HKLM\software\classes\searchrelevant\ (3 subtraces) (ID = 141296)
11:07 AM: Found Adware: shopathomeselect
11:07 AM: HKLM\software\winsock2\layered provider sample\ (ID = 141736)
11:07 AM: Found Adware: zenosearchassistant
11:07 AM: HKLM\software\microsoft\windows\currentversion\run\ || zstart (ID = 147933)
11:07 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall6.dll\ (2 subtraces) (ID = 509618)
11:07 AM: Registry Sweep Complete, Elapsed Time:00:02:36
11:07 AM: Starting Cookie Sweep
11:07 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:07 AM: Found Spy Cookie: go2net.com cookie
11:07 AM: kari scott@go2net[2].txt (ID = 2730)
11:07 AM: Found Spy Cookie: ask cookie
11:07 AM: kari scott@ask[2].txt (ID = 2245)
11:07 AM: Found Spy Cookie: preferences cookie
11:07 AM: kari scott@preferences[2].txt (ID = 3183)
11:07 AM: Found Spy Cookie: about cookie
11:07 AM: kari scott@about[2].txt (ID = 2037)
11:07 AM: Found Spy Cookie: go.com cookie
11:07 AM: kari scott@go[1].txt (ID = 2728)
11:07 AM: kari [email protected][1].txt (ID = 3184)
11:07 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:07 AM: kari scott@ask[1].txt (ID = 2245)
11:07 AM: Found Spy Cookie: bannerspace cookie
11:07 AM: kari scott@bannerspace[2].txt (ID = 2284)
11:07 AM: kari [email protected][1].txt (ID = 2038)
11:07 AM: kari [email protected][2].txt (ID = 2246)
11:07 AM: Found Spy Cookie: bizrate cookie
11:07 AM: kari scott@bizrate[1].txt (ID = 2308)
11:07 AM: Found Spy Cookie: web-stat cookie
11:07 AM: kari [email protected][2].txt (ID = 3649)
11:07 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:07 AM: Found Spy Cookie: classmates cookie
11:07 AM: kari scott@classmates[1].txt (ID = 2384)
11:07 AM: kari scott@preferences[3].txt (ID = 3183)
11:07 AM: Found Spy Cookie: homestore cookie
11:07 AM: kari scott@homestore[2].txt (ID = 2793)
11:07 AM: kari [email protected][1].txt (ID = 2794)
11:07 AM: Found Spy Cookie: com.com cookie
11:07 AM: kari [email protected][2].txt (ID = 2446)
11:07 AM: kari [email protected][1].txt (ID = 2246)
11:07 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:07 AM: Found Spy Cookie: infospace cookie
11:07 AM: kari scott@infospace[2].txt (ID = 2865)
11:07 AM: kari scott@go2net[1].txt (ID = 2730)
11:07 AM: kari scott@homestore[3].txt (ID = 2793)
11:07 AM: kari scott@classmates[2].txt (ID = 2384)
11:07 AM: kari scott@homestore[4].txt (ID = 2793)
11:08 AM: kari [email protected][1].txt (ID = 2794)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: Found Spy Cookie: cardomain cookie
11:08 AM: kari scott@cardomain[2].txt (ID = 2350)
11:08 AM: Found Spy Cookie: wtlive.com cookie
11:08 AM: kari [email protected][1].txt (ID = 3700)
11:08 AM: Found Spy Cookie: dealtime cookie
11:08 AM: kari scott@dealtime[1].txt (ID = 2505)
11:08 AM: kari [email protected][1].txt (ID = 2506)
11:08 AM: Found Spy Cookie: clickxchange adware cookie
11:08 AM: kari [email protected][2].txt (ID = 2409)
11:08 AM: kari scott@about[3].txt (ID = 2037)
11:08 AM: Found Spy Cookie: belointeractive cookie
11:08 AM: kari scott@belointeractive[2].txt (ID = 2294)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: Found Spy Cookie: rn11 cookie
11:08 AM: kari scott@rn11[1].txt (ID = 3261)
11:08 AM: kari scott@go2net[3].txt (ID = 2730)
11:08 AM: kari scott@about[4].txt (ID = 2037)
11:08 AM: kari scott@dealtime[2].txt (ID = 2505)
11:08 AM: kari scott@com[2].txt (ID = 2445)
11:08 AM: kari [email protected][2].txt (ID = 2506)
11:08 AM: kari scott@bizrate[3].txt (ID = 2308)
11:08 AM: kari scott@belointeractive[1].txt (ID = 2294)
11:08 AM: kari [email protected][1].txt (ID = 2295)
11:08 AM: kari [email protected][1].txt (ID = 2295)
11:08 AM: Found Spy Cookie: gostats cookie
11:08 AM: kari [email protected][2].txt (ID = 2748)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari [email protected][1].txt (ID = 2309)
11:08 AM: Found Spy Cookie: webtrendslive cookie
11:08 AM: kari scott@dcs8ir0f010000oyioyaka1kl_8j7n[2].txt (ID = 3673)
11:08 AM: kari scott@homestore[5].txt (ID = 2793)
11:08 AM: kari [email protected][3].txt (ID = 3649)
11:08 AM: Found Spy Cookie: myaffiliateprogram.com cookie
11:08 AM: kari [email protected][1].txt (ID = 3032)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari [email protected][2].txt (ID = 2295)
11:08 AM: Found Spy Cookie: specificpop cookie
11:08 AM: kari scott@specificpop[1].txt (ID = 3401)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Found Spy Cookie: gorillanation cookie
11:08 AM: kari [email protected][1].txt (ID = 2744)
11:08 AM: kari [email protected][2].txt (ID = 2446)
11:08 AM: Found Spy Cookie: atwola cookie
11:08 AM: kari scott@atwola[2].txt (ID = 2255)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: Found Spy Cookie: pub cookie
11:08 AM: kari scott@pub[2].txt (ID = 3205)
11:08 AM: Found Spy Cookie: tracking cookie
11:08 AM: kari scott@tracking[1].txt (ID = 3571)
11:08 AM: kari scott@bannerspace[1].txt (ID = 2284)
11:08 AM: kari [email protected][2].txt (ID = 2038)
11:08 AM: kari scott@go2net[4].txt (ID = 2730)
11:08 AM: Found Spy Cookie: 2o7.net cookie
11:08 AM: kari [email protected][2].txt (ID = 1958)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 0051B527 in module 'WRSSSDK.EXE'. Write of address 02BB5181
11:08 AM: Found Spy Cookie: howstuffworks cookie
11:08 AM: kari scott@howstuffworks[1].txt (ID = 2805)
11:08 AM: kari [email protected][4].txt (ID = 3649)
11:08 AM: kari scott@tracking[2].txt (ID = 3571)
11:08 AM: kari scott@infospace[3].txt (ID = 2865)
11:08 AM: kari [email protected][2].txt (ID = 2744)
11:08 AM: Found Spy Cookie: gotoast cookie
11:08 AM: kari scott@gotoast[1].txt (ID = 2751)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari scott@go[3].txt (ID = 2728)
11:08 AM: kari [email protected][1].txt (ID = 2729)
11:08 AM: kari [email protected][2].txt (ID = 2729)
11:08 AM: Found Spy Cookie: touchclarity cookie
11:08 AM: kari [email protected][1].txt (ID = 3566)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Found Spy Cookie: l2m.net cookie
11:08 AM: kari scott@l2m[1].txt (ID = 2913)
11:08 AM: Found Spy Cookie: one-time-offer cookie
11:08 AM: kari scott@one-time-offer[2].txt (ID = 3095)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: kari scott@atwola[3].txt (ID = 2255)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: kari [email protected][3].txt (ID = 2295)
11:08 AM: Found Spy Cookie: metareward.com cookie
11:08 AM: kari scott@metareward[2].txt (ID = 2990)
11:08 AM: Found Spy Cookie: pricegrabber cookie
11:08 AM: kari scott@pricegrabber[1].txt (ID = 3185)
11:08 AM: Found Spy Cookie: specificclick.com cookie
11:08 AM: kari [email protected][2].txt (ID = 3400)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari scott@dealtime[4].txt (ID = 2505)
11:08 AM: kari scott@bizrate[4].txt (ID = 2308)
11:08 AM: Found Spy Cookie: banner cookie
11:08 AM: kari scott@banner[1].txt (ID = 2276)
11:08 AM: kari scott@about[5].txt (ID = 2037)
11:08 AM: kari scott@homestore[6].txt (ID = 2793)
11:08 AM: Found Spy Cookie: stats.klsoft.com cookie
11:08 AM: kari [email protected][1].txt (ID = 3451)
11:08 AM: kari [email protected][3].txt (ID = 2506)
11:08 AM: kari scott@specificpop[2].txt (ID = 3401)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari [email protected][2].txt (ID = 2038)
11:08 AM: kari scott@dcs8ir0f010000oyioyaka1kl_8j7n[1].txt (ID = 3673)
11:08 AM: kari [email protected][2].txt (ID = 2295)
11:08 AM: kari scott@belointeractive[3].txt (ID = 2294)
11:08 AM: kari [email protected][3].txt (ID = 2295)
11:08 AM: kari [email protected][2].txt (ID = 2038)
11:08 AM: kari [email protected][2].txt (ID = 3032)
11:08 AM: kari scott@com[3].txt (ID = 2445)
11:08 AM: kari [email protected][3].txt (ID = 3032)
11:08 AM: Found Spy Cookie: cd freaks cookie
11:08 AM: kari [email protected][1].txt (ID = 2371)
11:08 AM: kari scott@cdfreaks[1].txt (ID = 2370)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 01523483. Write of address 033D3D0A
11:08 AM: kari [email protected][4].txt (ID = 2038)
11:08 AM: kari [email protected][1].txt (ID = 2371)
11:08 AM: kari [email protected][4].txt (ID = 2295)
11:08 AM: kari scott@ask[3].txt (ID = 2245)
11:08 AM: kari scott@go2net[5].txt (ID = 2730)
11:08 AM: kari [email protected][5].txt (ID = 2506)
11:08 AM: kari scott@atwola[4].txt (ID = 2255)
11:08 AM: Found Spy Cookie: reunion cookie
11:08 AM: kari [email protected][1].txt (ID = 3256)
11:08 AM: kari scott@bizrate[2].txt (ID = 2308)
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00404C1E in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
11:08 AM: kari scott@pub[3].txt (ID = 3205)
11:08 AM: kari [email protected][1].txt (ID = 3256)
11:08 AM: kari scott@reunion[2].txt (ID = 3255)
11:08 AM: kari scott@pricegrabber[3].txt (ID = 3185)
11:08 AM: kari scott@about[6].txt (ID = 2037)
11:08 AM: Found Spy Cookie: domain sponsor cookie
11:08 AM: kari [email protected][1].txt (ID = 2534)
11:08 AM: kari scott@homestore[7].txt (ID = 2793)
11:08 AM: kari scott@belointeractive[4].txt (ID = 2294)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 033B59CA. Write of address 0435AFC6
11:08 AM: kari [email protected][1].txt (ID = 2729)
11:08 AM: kari scott@go[4].txt (ID = 2728)
11:08 AM: kari [email protected][1].txt (ID = 3186)
11:08 AM: kari [email protected][2].txt (ID = 2038)
11:08 AM: Found Spy Cookie: euniverseads cookie
11:08 AM: kari [email protected][2].txt (ID = 2630)
11:08 AM: kari scott@rn11[3].txt (ID = 3261)
11:08 AM: Found Spy Cookie: apmebf cookie
11:08 AM: kari scott@apmebf[1].txt (ID = 2229)
11:08 AM: kari scott@com[4].txt (ID = 2445)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 0155E9FB. Write of address 295C44F4
11:08 AM: Found Spy Cookie: belnk cookie
11:08 AM: kari [email protected][1].txt (ID = 2293)
11:08 AM: Found Spy Cookie: yieldmanager cookie
11:08 AM: kari [email protected][1].txt (ID = 3751)
11:08 AM: Found Spy Cookie: screensavers.com cookie
11:08 AM: kari [email protected][1].txt (ID = 3298)
11:08 AM: Found Spy Cookie: adserver cookie
11:08 AM: kari [email protected][1].txt (ID = 2142)
11:08 AM: Found Spy Cookie: zedo cookie
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari scott@zedo[2].txt (ID = 3762)
11:08 AM: Found Spy Cookie: paypopup cookie
11:08 AM: kari scott@paypopup[3].txt (ID = 3119)
11:08 AM: Found Spy Cookie: hbmediapro cookie
11:08 AM: kari [email protected][2].txt (ID = 2768)
11:08 AM: kari scott@banner[2].txt (ID = 2276)
11:08 AM: Found Spy Cookie: hotbar cookie
11:08 AM: kari [email protected][2].txt (ID = 4207)
11:08 AM: kari scott@paypopup[6].txt (ID = 3119)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: Found Spy Cookie: falkag cookie
11:08 AM: kari [email protected][1].txt (ID = 2650)
11:08 AM: kari [email protected][1].txt (ID = 3298)
11:08 AM: Found Spy Cookie: starware.com cookie
11:08 AM: kari scott@starware[2].txt (ID = 3441)
11:08 AM: kari scott@bizrate[6].txt (ID = 2308)
11:08 AM: kari scott@paypopup[2].txt (ID = 3119)
11:08 AM: kari [email protected][2].txt (ID = 3567)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari [email protected][1].txt (ID = 2038)
11:08 AM: Found Spy Cookie: revenue.net cookie
11:08 AM: kari scott@revenue[2].txt (ID = 3257)
11:08 AM: kari scott@adserver[1].txt (ID = 2141)
11:08 AM: kari scott@paypopup[1].txt (ID = 3119)
11:08 AM: Found Spy Cookie: server.iad.liveperson cookie
11:08 AM: kari [email protected][2].txt (ID = 3341)
11:08 AM: kari [email protected][3].txt (ID = 3751)
11:08 AM: Found Spy Cookie: clickandtrack cookie
11:08 AM: kari [email protected][2].txt (ID = 2397)
11:08 AM: Found Spy Cookie: adrevolver cookie
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000009. Read of address FFFFFFFF
11:08 AM: kari scott@adrevolver[2].txt (ID = 2088)
11:08 AM: Found Spy Cookie: adjuggler cookie
11:08 AM: kari [email protected][1].txt (ID = 2071)
11:08 AM: Found Spy Cookie: 888 cookie
11:08 AM: kari scott@888[2].txt (ID = 2019)
11:08 AM: Found Spy Cookie: clickbank cookie
11:08 AM: kari scott@clickbank[1].txt (ID = 2398)
11:08 AM: Found Spy Cookie: did-it cookie
11:08 AM: kari scott@did-it[1].txt (ID = 2523)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00000026. Read of address FFFFFFFF
11:08 AM: kari scott@about[7].txt (ID = 2037)
11:08 AM: Found Spy Cookie: centrport net cookie
11:08 AM: kari scott@centrport[2].txt (ID = 2374)
11:08 AM: Found Spy Cookie: casalemedia cookie
11:08 AM: kari scott@casalemedia[1].txt (ID = 2354)
11:08 AM: kari scott@one-time-offer[1].txt (ID = 3095)
11:08 AM: Found Spy Cookie: hitstats.net cookie
11:08 AM: kari scott@hitstats[2].txt (ID = 2791)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 00403AD4 in module 'WRSSSDK.EXE'. Read of address FFFFFFFC
11:08 AM: Found Spy Cookie: adknowledge cookie
11:08 AM: kari scott@adknowledge[1].txt (ID = 2072)
11:08 AM: kari scott@hbmediapro[1].txt (ID = 2767)
11:08 AM: kari scott@paypopup[4].txt (ID = 3119)
11:08 AM: Found Spy Cookie: hypertracker.com cookie
11:08 AM: kari scott@hypertracker[1].txt (ID = 2817)
11:08 AM: kari scott@ask[4].txt (ID = 2245)
11:08 AM: kari [email protected][1].txt (ID = 1958)
11:08 AM: kari scott@2o7[2].txt (ID = 1957)
11:08 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 0040533C in module 'WRSSSDK.EXE'. Read of address FFFFFFFF
11:08 AM: Found Spy Cookie: questionmarket cookie
11:08 AM: kari scott@questionmarket[1].txt (ID = 3217)
11:08 AM: Found Spy Cookie: trafficmp cookie
11:08 AM: kari scott@trafficmp[2].txt (ID = 3581)
11:08 AM: kari scott@paypopup[5].txt (ID = 3119)
11:08 AM: Found Spy Cookie: tribalfusion cookie
11:08 AM: kari scott@tribalfusion[1].txt (ID = 3589)
11:08 AM: Found Spy Cookie: overture cookie
11:08 AM: kari scott@overture[1].txt (ID = 3105)
11:08 AM: kari [email protected][2].txt (ID = 3400)
11:08 AM: Found Spy Cookie: peel network cookie
11:08 AM: kari scott@peel[2].txt (ID = 3127)
11:08 AM: Found Spy Cookie: addynamix cookie
11:08 AM: kari [email protected][2].txt (ID = 2062)
11:08 AM: kari scott@adrevolver[1].txt (ID = 2088)
11:08 AM: Found Spy Cookie: realmedia cookie
11:08 AM: kari scott@realmedia[2].txt (ID = 3235)
11:08 AM: kari scott@atwola[1].txt (ID = 2255)
11:08 AM: Found Spy Cookie: shop@home cookie
11:08 AM: kari [email protected][2].txt (ID = 3368)
11:08 AM: kari scott@belnk[1].txt (ID = 2292)
11:08 AM: Found Spy Cookie: tickle cookie
11:08 AM: kari scott@tickle[2].txt (ID = 3529)
11:08 AM: Found Spy Cookie: ru4 cookie
11:08 AM: kari [email protected][2].txt (ID = 3269)
11:08 AM: Starting File Sweep

#10
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK. I saw L2M mentioned in the SpySweeper log, so let's try this first.

Please download L2m9xfix here:
http://swandog46.gee...om/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

It would explain the explorer crashes, so my guess is this should give a big improvement.

Regards,

#11
kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is the log.txt file:

Log of L2M9XFix v1.01a

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\ANIVPEAA.DLL
C:\WINDOWS\system\ASIV16AA.DLL
C:\WINDOWS\system\AVRESX32.DLL
C:\WINDOWS\system\BFTMETER.DLL
C:\WINDOWS\system\BJOWSELC.DLL
C:\WINDOWS\system\CYM.DLL
C:\WINDOWS\system\CYOOSUSR.DLL
C:\WINDOWS\system\Czsby_Crypto.dll
C:\WINDOWS\system\DBKAPI16.DLL
C:\WINDOWS\system\DFNMPNTW.DLL
C:\WINDOWS\system\DKSTYLE.DLL
C:\WINDOWS\system\DQNDI.DLL
C:\WINDOWS\system\drmasf.dll
C:\WINDOWS\system\drnzip32.dll
C:\WINDOWS\system\duvxdec_0407.dll
C:\WINDOWS\system\DYSPDIB.DLL
C:\WINDOWS\system\GVDEF.DLL
C:\WINDOWS\system\HYGDTUU.DLL
C:\WINDOWS\system\iCeyApi.dll
C:\WINDOWS\system\IINPSTUB.DLL
C:\WINDOWS\system\Isside your Computer.dll
C:\WINDOWS\system\JBVART.DLL
C:\WINDOWS\system\JFT.DLL
C:\WINDOWS\system\jxsd400.dll
C:\WINDOWS\system\JYVAPRXY.DLL
C:\WINDOWS\system\lgfil13n.dll
C:\WINDOWS\system\lktga11n.dll
C:\WINDOWS\system\mbrd2x35.dll
C:\WINDOWS\system\mbtask.dll
C:\WINDOWS\system\Mcfs14n.dll
C:\WINDOWS\system\MIIDENT.DLL
C:\WINDOWS\system\MJRATING.DLL
C:\WINDOWS\system\mjtask.dll
C:\WINDOWS\system\MKLOCUSR.DLL
C:\WINDOWS\system\mOpi32.dll
C:\WINDOWS\system\MREXCL40.DLL
C:\WINDOWS\system\MUDART32.DLL
C:\WINDOWS\system\mvpatcha.dll
C:\WINDOWS\system\mwihnd.dll
C:\WINDOWS\system\myimsg.dll
C:\WINDOWS\system\MYTCP.DLL
C:\WINDOWS\system\MZR.DLL
C:\WINDOWS\system\NJNDS.DLL
C:\WINDOWS\system\NLNDS.DLL
C:\WINDOWS\system\omeaccrc.dll
C:\WINDOWS\system\Oxchk32.dll
C:\WINDOWS\system\RKCRES.dll
C:\WINDOWS\system\SgncUploadDownload.dll
C:\WINDOWS\system\SHLWID.DLL
C:\WINDOWS\system\SUSINV.DLL
C:\WINDOWS\system\UHL.DLL
C:\WINDOWS\system\vfoxs.dll
C:\WINDOWS\system\wrv8dmod.dll
C:\WINDOWS\system\WXNTRUST.DLL

************

Registry entries found:



************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Deletion of C:\WINDOWS\system\drmasf.dll failed!
Done!


Finished!

----------------------------------
And here is the HijackThis log
----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:49:57 AM, on 9/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\TEMP\BUNDLEP.EXE
C:\WINDOWS\SYSTEM\E6KPC07R.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://castle.webex...bex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.rapidsurv...RSG/XUpload.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://amazon.kodakg..._1/axofupld.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

---------------------------------------------------------------------

For the record, the Spysweeper Startup Shield keeps alerting me to Zstart. But if I click remove, the alert goes away, then comes back a few seconds later. I've tried to fix it with HijackThis, then I'll scan again and it's right back in there.

Thanks!

#12
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hmmm. That one again?
You are reading the Teatimer alerts properly, are you?
Excuse the probably dumb question, but you wouldn't be the first one constantly disallowing an entry to be removed.


*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file name below to be deleted:

C:\WINDOWS\SYSTEM\CXDXREGT.EXE

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

Then boot back to normal and post a new HijackThis log.
Let me know if the explorer crashes stopped. :tazz:

Regards,

#13
kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I thought about that too - that maybe I'm just not reading them right, but I've double and triple checked that I'm clicking the right buttons.

I downloaded Killbox, pasted the file name to delete, then clicked on the red and white Delete File button. A Confirm Delete box came up that said: Backup and Delete C:\WINDOWS\SYSTEM\CXDXREGT.EXE
I clicked Yes. Then a File Error box came up that said: This file does not seem to exist.
So on the left where there are three choices: Standard File Kill (which was already selected as default), Delete on Reboot, and Replace on Reboot, I changed the selection to Delete on Reboot. It said: File will be deleted on next reboot.

I rebooted into safe mode and ran HijackThis. I checked the three items, clicked on Fix Checked, then scanned again to make sure they didn't come back again, which they didn't. Then I rebooted into normal mode and scanned again. All three were back. So I selected them again, clicked Fix Checked, then scanned again. The ZStart one was still there, but the other two were gone. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:17 PM, on 9/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://castle.webex...bex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.rapidsurv...RSG/XUpload.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://amazon.kodakg..._1/axofupld.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
  • 0
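An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the HijackThis section lines posted above, which checks the items marked for fixing in post #12 against the scan in post #13 and reports which ones are still present. The function names are hypothetical, and the sample lines are copied from those two posts.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? -\s*(.*)$")

# Items the helper asked to have fixed (copied from post #12).
FIX_LIST = r"""
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
"""

# Excerpt of the scan posted afterwards (copied from post #13, URLs as shown there).
LATER_SCAN = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [ZStart] C:\WINDOWS\SYSTEM\CXDXREGT.EXE DO0605
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://castle.webex...bex/ieatgpc.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
"""


def parse_log(text):
    """Parse HijackThis section lines (R0, O4, O16, ...) into dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        entry = {"section": section, "raw": line.strip(),
                 "id": (section, body.lower())}
        run = RUN_RE.match(body) if section == "O4" else None
        dpf = DPF_RE.match(body) if section == "O16" else None
        if run:
            hive, key, name, command = run.groups()
            entry.update(hive=hive, key=key, name=name, command=command)
            # Identify a Run value by hive, key and value name, not its data,
            # so a changed command line still counts as the same item.
            entry["id"] = (section, hive, key.lower(), name.lower())
        elif dpf:
            clsid, label, url = dpf.groups()
            entry.update(clsid=clsid.upper(), label=label, url=url.strip())
            entry["id"] = (section, clsid.upper())
        entries.append(entry)
    return entries


def survivors(fix_list, later_scan):
    """Entries selected for fixing that are present in a later scan."""
    still_there = {e["id"] for e in parse_log(later_scan)}
    return [e for e in parse_log(fix_list) if e["id"] in still_there]


def orphan_dpf(entries):
    """CLSIDs of O16 entries with neither a description nor a codebase URL."""
    return [e["clsid"] for e in entries
            if "clsid" in e and not e["label"] and not e["url"]]


if __name__ == "__main__":
    for e in survivors(FIX_LIST, LATER_SCAN):
        print("still present after fix:", e["raw"])
    for clsid in orphan_dpf(parse_log(FIX_LIST)):
        print("O16 entry without description or URL:", clsid)
```

Run against these samples, the only survivor is the `ZStart` value, matching what post #13 reports; the two O16 entries with no description and no URL are gone from the later scan.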

#14
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you try WinPFind again?

I'm hoping it will work now that we got rid of L2M

Regards,

#15
kiwiscott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
It didn't work. I rebooted into safe mode and let it run all night. Before I went to bed, I noticed that it seemed to be stuck on C:\WINUNDO.DAT. This morning it was still there and not responding.
In my previous post, I forgot to mention that I am still getting the explorer.exe errors. If I ignore the window, I can usually work around it, but it's still a pain in the [bleep]. If I don't ignore and I click OK, it goes away along with everything else.
Spysweeper is still messed up too, giving me the Wrsssdk has performed an illegal operation messages.