
PLEASE HELP ME, I beg you! Spyware problem! HijackThis info included!

Discussion in 'Windows XP' started by HomeUserGene, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. HomeUserGene

    HomeUserGene Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    3
    Dear users,

    Please help me. I am at my wits' end.
    I have a lot of experience dealing with spyware, but I am having a problem right now which looks impossible!!!!

    Here's the deal.
    I have ZoneAlarm, which -- when it's on -- supposedly protects me from a lot of crap. With ZoneAlarm running, my broadband connection is painfully slow but at least everything works. (By the way, I'm sure it shouldn't be that slow -- but I got rid of all the CoolWWWSearch stuff, so...)

    Here is the issue!!!
    As soon as I turn ZoneAlarm off, in about 2-3 min., I get the "svchost.exe Incorrect memory address" error which looks just like the MSBlast virus that we've all had, but I don't have MSBlast, I checked it many times, with various tools!!!!

    AS SOON AS this error message appears, I am automatically unable to:
    1) open popup (secondary) windows in IE, or links that are supposed to open in another window;
    2) open the Find dialog box (Ctrl+F) in IE;
    3) Run the Find program in Windows;
    4) paste text in any edit-boxes.

    This is killing me!!! I've tried everything, got rid of all the phony scvhost.exe and msmsgri32.exe, and still something's there!

    OUTPUT FROM HijackThis **AFTER** ERROR MESSAGE (i.e. after ZoneAlarm is turned off):
    -------------------
    Logfile of HijackThis v1.97.3
    Scan saved at 10:10:48 PM, on 10/13/2003
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\eugene\POPUPS~1\dpps2.exe
    C:\eugene\winamp\Winampa.exe
    C:\WINNT\System32\DeltTray.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\WINNT\System32\wKernel32.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\DivX.Exe
    C:\WINNT\System32\internat.exe
    C:\winnt\config\adobea.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\cmd.exe
    C:\eugene\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\eugene\POPUPS~1\dpps2.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\eugene\winamp\Winampa.exe"
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
    O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DivX Updater] C:\WINNT\System32\DivX.Exe
    O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O12 - Plugin for .pl: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA18102/clean.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.7681712963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O19 - User stylesheet: c:\winnt\java\my.css

    -----


    Nothing really suspicious that I can see.
    How can I solve this problem that's been bugging me for WEEKS? Is someone trying to access my PC? :confused:

    thanks!!!!!!
     
  2. HomeUserGene

    HomeUserGene Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    3
    ... and also another question, somewhat related:

    ZoneAlarm shows me that every second or so, some mysterious places try to connect to me, stuff like some .su address from somewhere, or .edu, or just different IP addresses.

    What does all of that mean?!
    Are they all targeting my specific host, or what? How did they know about me and what do they want?
     
  3. C'plus

    C'plus

    Joined:
    Dec 16, 2002
    Messages:
    54
    Which OS are you running?

    Also what do you use as a P2P client?

    What do you use to remove your spyware?
     
  4. C'plus

    C'plus

    Joined:
    Dec 16, 2002
    Messages:
    54
    Sorry, Windows 2000, got it
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    HomeUserGene

    Welcome to TSG!

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe

    O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe

    O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe

    O13 - DefaultPrefix:

    O13 - WWW Prefix:

    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...18102/clean.cab

    O19 - User stylesheet: c:\winnt\java\my.css

    Restart to Safe Mode: press F8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\winnt\config\adobes.exe file
    The C:\WINNT\System32\wKernel32.exe file
    The c:\winnt\java\my.css file
     
  6. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
  7. HomeUserGene

    HomeUserGene Thread Starter

    Joined:
    Oct 13, 2003
    Messages:
    3
    THANK YOU!!!!
    flrman1, I did everything as you said, now the system is rocket-fast :D !

    Thanks to everyone who replied, and flrman1 in particular!!
    Really appreciate your help.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! (y)
     
  9. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I'm still trying to learn. Can you tell me what DeltTray.exe is and does?
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    BillC

    I have no idea what it is. I must have completely overlooked it.

    Well spotted, Bill (y)

    HomeUserGene

    Please do this: navigate to C:\WINNT\System32, locate the DeltTray.exe file, right-click it, choose "Properties", look under the "version" tab and see what it says for the "Company Name" and "Product Name".


    Also copy the DeltTray.exe and upload it here:

    http://www.kaspersky.com/remoteviruschk.html

    Let us know the results.

    If that tells us nothing I would like you to send me a copy.
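
An added example, not part of the thread and not HijackThis's own code: the cross-check a helper does by eye on a log like the one posted above (posts 5 and 10), run over an excerpt of that log. It assumes the v1.97.3 line layout visible in the thread and only handles bracketed `O4` registry entries; the function names and report categories are made up for this illustration and are triage hints for a reviewer, not verdicts.

```python
import ntpath
import re

# Excerpt of the log posted in this thread (lines copied from the page).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\DeltTray.exe
C:\WINNT\System32\wKernel32.exe
C:\WINNT\System32\DivX.Exe
C:\winnt\config\adobea.exe

O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
O4 - HKLM\..\Run: [DivX Updater] C:\WINNT\System32\DivX.Exe
O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
"""
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def image_of(cmd):  # executable part of an autorun command line, lower-cased
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else cmd.lower()

def parse(log):
    """Return (running process paths, [(key, name, image), ...])."""
    procs, autoruns, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:          # a blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.add(line.lower())
        elif m := O4_RE.match(line):
            autoruns.append((m["key"], m["name"], image_of(m["cmd"])))
    return procs, autoruns

def triage(procs, autoruns):
    """Cross-reference autorun images with the running-process list."""
    names = {ntpath.basename(p) for p in procs}
    keys = {}
    for key, _name, image in autoruns:
        keys.setdefault(image, set()).add(key)
    def running(i):  # full paths must match exactly; bare names match by file name
        return i in procs if ntpath.dirname(i) else i in names
    return {
        "multi_key": sorted(i for i in keys if len(keys[i]) > 1),
        "bare_name": sorted(i for i in keys if not ntpath.dirname(i)),
        "not_running": sorted(i for i in keys if not running(i)),
    }
```

On the excerpt, `wkernel32.exe` is reported under both Run and RunServices, `delttray.exe` and `wkernel32.exe` as bare names whose location the autorun entry alone does not give, and `adobes.exe` as registered but not running while `adobea.exe` runs from the same directory.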
     
Short URL to this thread: https://techguy.org/171827