
PLEASE HELP ME, I beg you! Spyware problem! HijackThis info included!

949 views 9 replies 5 participants last post by  Flrman1 
#1 ·
Dear users,

Please help me. I am at my wits' end.
I have a lot of experience dealing with spyware, but I am having a problem right now which looks impossible!!!!

Here's the deal.
I have ZoneAlarm, which -- when it's on -- supposedly protects me from a lot of crap. With ZoneAlarm running, my broadband connection is painfully slow but at least everything works. (By the way, I'm sure it shouldn't be that slow -- but I got rid of all the CoolWWWSearch stuff, so...)

Here is the issue!!!
As soon as I turn ZoneAlarm off, in about 2-3 min., I get the "svchost.exe Incorrect memory address" error which looks just like the MSBlast virus that we've all had, but I don't have MSBlast, I checked it many times, with various tools!!!!

AS SOON AS this error message appears, I am automatically unable to:
1) open popup (secondary) windows in IE, or links that are supposed to open in another window;
2) open the Find dialog box (Ctrl+F) in IE;
3) Run the Find program in Windows;
4) paste text in any edit-boxes.

This is killing me!!! I've tried everything, got rid of all the phony scvhost.exe and msmsgri32.exe, and still something's there!

OUTPUT FROM HijackThis **AFTER** ERROR MESSAGE (i.e. after ZoneAlarm is turned off):
-------------------
Logfile of HijackThis v1.97.3
Scan saved at 10:10:48 PM, on 10/13/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\eugene\POPUPS~1\dpps2.exe
C:\eugene\winamp\Winampa.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINNT\System32\wKernel32.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\DivX.Exe
C:\WINNT\System32\internat.exe
C:\winnt\config\adobea.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\eugene\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\eugene\POPUPS~1\dpps2.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\eugene\winamp\Winampa.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DivX Updater] C:\WINNT\System32\DivX.Exe
O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .pl: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA18102/clean.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.7681712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O19 - User stylesheet: c:\winnt\java\my.css

-----

Nothing really suspicious that I can see.
How can I solve this problem that's been bugging me for WEEKS? Is someone trying to access my PC? :confused:

thanks!!!!!!
#2 ·
... and also another question, somewhat related:

ZoneAlarm shows me that every second or so, some mysterious places try to connect to me, stuff like some .su address from somewhere, or .edu, or just different IP addresses.

What does all of that mean?!
Are they all targeting my specific host, or what? How did they know about me and what do they want?
 
#5 ·
HomeUserGene

Welcome to TSG!

Run HijackThis again and put a check by these. Close all browser windows and click "Fix checked".

O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe

O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe

O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe

O13 - DefaultPrefix:

O13 - WWW Prefix:

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...18102/clean.cab

O19 - User stylesheet: c:\winnt\java\my.css

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\winnt\config\adobes.exe file
The C:\WINNT\System32\wKernel32.exe file
The c:\winnt\java\my.css file
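As an added example that is not part of the thread or anyone's post in it, the script below applies the reasoning behind the fix list above to lines taken from the posted log: autorun entries named like core Windows binaries, program binaries living in a directory that holds no programs, one binary registered under two autorun keys, cleared O13 prefixes, an ActiveX cab from an unfamiliar host, and a user stylesheet. The name patterns, odd-directory list and trusted-host set are my own assumptions for the example, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the posted log, the ones the helper
# flagged plus a few benign lines so the triage has something to pass over.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows BootCheck] wKernel32.exe
O4 - HKLM\..\Run: [AdobeA] C:\winnt\config\adobes.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows BootCheck] wKernel32.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA18102/clean.cab
O19 - User stylesheet: c:\winnt\java\my.css
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristics: names that imitate core system binaries, directories
# under %windir% that never hold programs, and cab hosts we choose to trust.
CORE_NAMES = re.compile(r"kernel32|svchost|scvhost|lsass|winlogon|services\.exe", re.I)
ODD_DIRS = re.compile(r"\\(config|java|temp|fonts)\\", re.I)
KNOWN_CAB_HOSTS = {"www.apple.com", "download.microsoft.com", "download.macromedia.com"}

def exe_of(cmd: str) -> str:
    """Lower-cased basename of the program in an autorun command line."""
    tok = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return tok.rsplit("\\", 1)[-1].lower()

def triage(log: str) -> list[tuple[str, str]]:
    """Return (log line, reason) for every entry worth a second look."""
    findings, seen = [], {}
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe, reasons = exe_of(m["cmd"]), []
            if CORE_NAMES.search(exe):
                reasons.append("autorun named like a core Windows binary")
            if ODD_DIRS.search(m["cmd"]):
                reasons.append("binary placed in a directory that holds no programs")
            if exe in seen:
                reasons.append(f"also registered under {seen[exe]}")
            seen.setdefault(exe, m["key"])
            if reasons:
                findings.append((line, "; ".join(reasons)))
        elif line.startswith("O13 - ") and line.endswith(":"):
            findings.append((line, "URL prefix cleared; HijackThis lists O13 only when non-default"))
        elif line.startswith("O16 - DPF:"):
            host = urlparse(line.rsplit(" - ", 1)[-1]).hostname
            if host not in KNOWN_CAB_HOSTS:
                findings.append((line, f"ActiveX cab from unfamiliar host {host}"))
        elif line.startswith("O19 - "):
            findings.append((line, "user stylesheet set; a known page-content hijack"))
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```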
 
#10 ·
BillC

I have no idea what it is. I must have completely overlooked it.

Well spotted Bill :up:

HomeUserGene

Please do this: navigate to C:\WINNT\System32, locate the DeltTray.exe file, right-click it, choose "Properties", look under the "Version" tab and see what it says for "Company Name" and "Product Name".

Also copy the DeltTray.exe and upload it here:

http://www.kaspersky.com/remoteviruschk.html

Let us know the results.

If that tells us nothing, I would like you to send me a copy.
 