PLEASE HELP ME, I beg you! Spyware problem! HijackThis info included!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

HomeUserGene

Thread Starter
Joined
Oct 13, 2003
Messages
3
Dear users,

Please help me. I am at my wits' end.
I have a lot of experience dealing with spyware, but I am having a problem right now which looks impossible!!!!

Here's the deal.
I have ZoneAlarm, which -- when it's on -- supposedly protects me from a lot of crap. With ZoneAlarm running, my broadband connection is painfully slow but at least everything works. (By the way, I'm sure it shouldn't be that slow -- but I got rid of all the CoolWWWSearch stuff, so...)

Here is the issue!!!
As soon as I turn ZoneAlarm off, in about 2-3 min., I get the "svchost.exe Incorrect memory address" error which looks just like the MSBlast virus that we've all had, but I don't have MSBlast, I checked it many times, with various tools!!!!

AS SOON AS this error message appears, I am automatically unable to:
1) open popup (secondary) windows in IE, or links that are supposed to open in another window;
2) open the Find dialog box (Ctrl+F) in IE;
3) Run the Find program in Windows;
4) paste text in any edit-boxes.

This is killing me!!! I've tried everything, got rid of all the phony scvhost.exe and msmsgri32.exe, and still something's there!

OUTPUT FROM HijackThis **AFTER** ERROR MESSAGE (i.e. after ZoneAlarm is turned off):
-------------------
Logfile of HijackThis v1.97.3
Scan saved at 10:10:48 PM, on 10/13/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\eugene\POPUPS~1\dpps2.exe
C:\eugene\winamp\Winampa.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINNT\System32\wKernel32.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\DivX.Exe
C:\WINNT\System32\internat.exe
C:\winnt\config\adobea.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\eugene\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\eugene\POPUPS~1\dpps2.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\eugene\winamp\Winampa.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DivX Updater] C:\WINNT\System32\DivX.Exe
O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .pl: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA18102/clean.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.7681712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O19 - User stylesheet: c:\winnt\java\my.css

-----


Nothing really suspicious that I can see.
How can I solve this problem that's been bugging me for WEEKS? Is someone trying to access my PC? :confused:

thanks!!!!!!
 

HomeUserGene

Thread Starter
Joined
Oct 13, 2003
Messages
3
... and also another question, somewhat related:

ZoneAlarm shows me that every second or so, some mysterious places try to connect to me, stuff like some .su address from somewhere, or .edu, or just different IP addresses.

What does all of that mean?!
Are they all targeting my specific host, or what? How did they know about me and what do they want?
 
Joined
Dec 16, 2002
Messages
54
Which OS are you running?

Also what do you use as a P2P client?

What do you use to remove your spyware?
 
Joined
Jul 26, 2002
Messages
46,331
HomeUserGene

Welcome to TSG!

Run HijackThis again and put a check by these. Close all browser windows and click "Fix checked":

O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe

O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe

O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe

O13 - DefaultPrefix:

O13 - WWW Prefix:

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...18102/clean.cab

O19 - User stylesheet: c:\winnt\java\my.css

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\winnt\config\adobes.exe file
The C:\WINNT\System32\wKernel32.exe file
The c:\winnt\java\my.css file
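The entries flrman1 picked out of the log follow a pattern a defender can encode: an autostart executable whose name mimics a system binary (wKernel32.exe), an autostart run from a directory where nothing legitimate starts (C:\winnt\config), the Windows 9x-era RunServices key, blank O13 URL prefixes, an unnamed O16 downloaded ActiveX control, and an O19 user stylesheet. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from Tech Support Guy. It parses the O4, O13, O16 and O19 lines of a HijackThis log (a subset of the log posted above is embedded as constructed sample input) and reports the entries that trip those heuristics. The heuristics themselves (the CORE_NAMES and SUSPECT_DIRS lists, and treating every O13 and O19 line as worth review) are assumptions made for the example, and it only reports; it does not fix or delete anything.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.3 log lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA18102/clean.cab
O19 - User stylesheet: c:\winnt\java\my.css
"""

# Heuristics assumed for this example (not HijackThis rules):
# names of core Windows binaries that malware likes to imitate with a prefix or suffix,
# and directories from which legitimate software does not normally autostart.
CORE_NAMES = ("kernel32", "svchost", "lsass", "winlogon", "csrss", "services", "explorer")
SUSPECT_DIRS = ("\\config\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def _executable(cmd):
    """Extract the executable from an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(match):
    """Return the reasons an O4 autostart entry looks suspicious (empty list if none)."""
    reasons = []
    exe = _executable(match.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()      # bare filename, e.g. wkernel32.exe
    stem = base.rsplit(".", 1)[0]               # without extension, e.g. wkernel32
    for core in CORE_NAMES:
        # a name that contains a core binary's name but is not that name is a lookalike
        if core in stem and stem != core:
            reasons.append(f"executable name '{base}' mimics system binary '{core}'")
    for d in SUSPECT_DIRS:
        if d in exe.lower():
            reasons.append(f"autostart from unusual directory '{d}'")
    if match.group("key").lower() == "runservices":
        reasons.append("RunServices key: Windows 9x-era autostart key, rarely used by "
                       "legitimate software on Windows NT/2000")
    return reasons


def analyze(log_text):
    """Return a list of (line, reasons) for every log line that any heuristic flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:                               # Global Startup lines do not match; skipped
                reasons = check_o4(m)
        elif line.startswith("O13 - "):
            # HijackThis only lists O13 when the prefix is not the default; an empty value is
            # still non-default, and both O13 lines were among the entries fixed in this thread
            reasons = ["IE URL prefix is non-default"]
        elif line.startswith("O16 - "):
            m = O16_RE.match(line)
            if m and not m.group("name"):
                reasons = [f"unnamed downloaded ActiveX control from {m.group('url')}"]
        elif line.startswith("O19 - "):
            reasons = ["user stylesheet set: can alter the rendering of every page in IE"]
        if reasons:
            findings.append((line, reasons))
    return findings


def flagged_lines(log_text):
    """Just the flagged log lines, in log order."""
    return [line for line, _ in analyze(log_text)]


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the constructed sample it reports exactly the seven entries flrman1 listed (the two wKernel32.exe lines, adobes.exe, both O13 prefixes, the unnamed O16 control and the O19 stylesheet) and leaves the Synchronization Manager, QuickTime and Apple-hosted QuickTime control alone. The lookalike check is deliberately the strictest part: a bare filename such as wKernel32.exe with no path is resolved by a PATH search, so the log alone does not tell you which file actually ran, which is why flrman1 also asked for the file in System32 to be deleted from Safe Mode.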
 

HomeUserGene

Thread Starter
Joined
Oct 13, 2003
Messages
3
THANK YOU!!!!
flrman1, I did everything as you said, now the system is rocket-fast :D !

Thanks to everyone who replied, and flrman1 in particular!!
Really appreciate your help.
 
Joined
May 28, 2003
Messages
2,366
I'm still trying to learn. Can you tell me what DeltTray.exe is and does?
 
Joined
Jul 26, 2002
Messages
46,331
BillC

I have no idea what it is. I must have completely overlooked it.

Well spotted Bill (y)

HomeUserGene

Please do this: navigate to C:\WINNT\System32, locate the DeltTray.exe file, right-click it, choose "Properties", and look under the "Version" tab to see what it says for "Company Name" and "Product Name".


Also copy the DeltTray.exe and upload it here:

http://www.kaspersky.com/remoteviruschk.html

Let us know the results.

If that tells us nothing I would like you send me a copy.
 