Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Umonitor error r11.com popups spyware dowloading


  • Please log in to reply

#1
zach_

zach_

    Member

  • Member
  • PipPip
  • 11 posts
Hi. My computer has so many problems and I cannot fix them, they always come back. I need professional help or else I'll have to reformat my hard drive and I have too much data to backup to do that. Please help. My computer freezes abrubtly and restarts for no reason(seems like a video driver issue). I get popups and the webpage I browse changes constantly, even in safe mode. I've ran every spyware/adware/virus scanner listed on this website, I've deleted files manually ran hjt scans but no luck.

The first thing I notice is this when windows starts:
An exception occurred while trying to run ""C:\WINDOWS\system32\mzcbase.dll",Umonitor" at startup

Another big problem is the popups, which go to loadingwebsite.com/yyy***something I forget, r11.com, sharewareonline.com, and adserver sites. Also, any time I leave my computer alone more and more spyware gets installed. Here is my hijack this log below, followed by a findit2000xp log. Any help is appreaciated. If I can't get it figured out in a few hours I'm going to go to best buy to buy something to back up 50gb of data and wipe my system clean.
~~~~~~~~~
hijackthis log
~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 5:13:46 PM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\yiquuu.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Z\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdno32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
findit2000xp log
~~~~~~~~~~
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Z\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A056-2FD1

Directory of C:\WINDOWS\System32

01/17/2005 11:24 AM 224,786 hr8u05l9e.dll
01/17/2005 02:38 AM 224,786 kt86l7ls1.dll
01/17/2005 12:54 AM 224,786 k4pmle711h.dll
01/17/2005 12:41 AM 225,438 n2n60c5sef.dll
01/17/2005 12:25 AM <DIR> dllcache
12/08/2004 10:15 AM 389,120 t?skmgr.exe
10/19/2004 06:15 PM <DIR> Microsoft
5 File(s) 1,288,916 bytes
2 Dir(s) 21,535,756,288 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A056-2FD1

Directory of C:\WINDOWS\System32

01/17/2005 02:15 AM <DIR> vmss
01/17/2005 12:25 AM <DIR> dllcache
12/15/2004 01:47 PM 21,330 FFASTLOG.TXT
12/08/2004 10:15 AM 389,120 t?skmgr.exe
10/12/2004 08:20 PM 488 WindowsLogon.manifest
10/12/2004 08:20 PM 488 logonui.exe.manifest
10/12/2004 08:20 PM 749 nwc.cpl.manifest
10/12/2004 08:20 PM 749 ncpa.cpl.manifest
10/12/2004 08:20 PM 749 sapi.cpl.manifest
10/12/2004 08:20 PM 749 cdplayer.exe.manifest
10/12/2004 08:20 PM 749 wuaucpl.cpl.manifest
9 File(s) 415,171 bytes
2 Dir(s) 21,535,752,192 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is A056-2FD1

Directory of C:\WINDOWS\System32

01/17/2005 03:01 PM 224,786 guard.tmp
1 File(s) 224,786 bytes
0 Dir(s) 21,535,752,192 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is A056-2FD1

Directory of C:\WINDOWS\System32

01/17/2005 03:01 PM 224,786 guard.tmp
08/18/2001 06:00 AM 2,577 CONFIG.TMP
2 File(s) 227,363 bytes
0 Dir(s) 21,535,752,192 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{44FECED8-3586-491B-844A-6E54CD65BBD2}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k4pmle711h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ffastlog.txt Wed Dec 15 2004 1:47:14p A..H. 21,330 20.83 K
hr8u05~1.dll Mon Jan 17 2005 11:24:12a ..S.R 224,786 219.52 K
k4pmle~1.dll Mon Jan 17 2005 12:54:14a ..S.R 224,786 219.52 K
kt86l7~1.dll Mon Jan 17 2005 2:38:38a ..S.R 224,786 219.52 K
n2n60c~1.dll Mon Jan 17 2005 12:41:36a ..S.R 225,438 220.15 K
tskmgr~1.exe Wed Dec 8 2004 10:15:54a ..SHR 389,120 380.00 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,310,246 bytes 1.25 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\gyiuuu.dll: updates.qoologic.com
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pzxuuu.exe: updates.qoologic.com
C:\WINDOWS\system32\zosppp.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\pav.sig: AsPack
C:\WINDOWS\system32\qaguuu.dat: .aspack
C:\WINDOWS\system32\yiquuu.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\yufggg.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ntechin"="C:\\WINDOWS\\system32\\n20050308.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"kalvsys"="C:\\windows\\system32\\kalvdno32.exe"
"Narrator"="C:\\WINDOWS\\system32\\yiquuu.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"


Thanks
Zach
  • 0

Advertisements


#2
zach_

zach_

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
alright I guess it'd just be easier to format and reinstall
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP