Possible virus or worm- Help

yona15 · Sep 17, 2004

I am running Windows ME- I have Lavasoft Ad-Aware and spybot installed. I have a business e-mail account because I work at home. On monday I received an e-mail re: Bad E-mail! It says Clam AV: Encrypted.zip contains worm bagle.Gen-zippwd, since then my computer has been running extremely slow with alot of error messages like: exployer has caused an error in KERNEL.32DLL. and another error message when I tried to restart Internet exployer has caused an error SHELL32.DLL. Also, when try to restart my computer it just gets a blue screen and hangs so I have to shut down with the master switch. Than when I try to launch a program I receive this error message error loading C:\progra"1\wildta~1\apps\cda\cdaeng~1.DLL.( this message I have been getting since the tech guy at the office tried to clean up my computer, now you know why I came to you guys) I ran ad-aware and found 61 critical items that I tried to delete, first it quarintined them sucessfully then tried to delete from the system the window that comes up says deleted then you are supposed to click finish, well the windows stays up and you can never finish the deletion . I also tried to run spy-bot and after it finds problems it just stops responding. I am not very much of a computer wiz probably a computer fizz actually and I was just wondering if someone can first of all sort out what I am saying and then send HELP!

etaf · Sep 17, 2004

probably can be fixed here.
i would suggest a hijackthis log - lets see the extent of the problems

HIJACK THIS:

Download and copy hijackthis to its own folder , it makes backups so keeping them separate and available can be useful.

Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

http://www.tomcoyote.org/hjt/
http://209.133.47.200/~merijn/downloads.html
http://www.thespykiller.co.uk/
http://www.majorgeeks.com/download3155.html
http://aumha.org/downloads/hijackthis.exe
http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can not get to any of the above sites)

Close all open windows and open Hijack This. Click Scan. When the scan is finished (it only takes a second), the scan button will change to Save Log.
Click on Save Log and then save it to NotePad.
Click on Edit Select all copy and then paste into the thread.
DO NOT FIX ANYTHING wait advice from one of the many security experts in this forum.

I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will nolonger be replying to your post with regards to the HJT issue, so please have patience and wait for one of the secruity experts to provide further detailed advice

i will however, be notified when you post the log

yona15 · Sep 17, 2004

ETAF- thank you for your help. I went to the first site you listed and clicked on hijackthis. I tried to copy it but couldn't. I know that I am soing something wrong. I am at the bottom of the rung with computer knowledge. I tried to save this file into a new folder in my documents and then tried to open it to scan and nothing is there. I'm sorry. I guess I am not understanding how to actually download this file to use it. My computer is running so slow I am afraid it is going to crash before I can figure out what to do.

etaf · Sep 17, 2004

try this link - its the .exe
http://aumha.org/downloads/hijackthis.exe
save to the directory you created- good luck

yona15 · Sep 17, 2004

Logfile of HijackThis v1.97.7
Scan saved at 4:11:07 PM, on 9/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\WZCBDL SERVICE\WZCBDL9X.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\D-LINK\AIR USB UTILITY\AIRCFG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y2SHWH5X\HIJACKTHIS[1].EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\HOTBAR\BIN\4.5.1.0\WEATHERONTRAY.EXE
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [WZCBDLService] C:\Program Files\WZCBDL Service\WZCBDL9X.exe
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38234.269375
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,4.2.2.2

Here is the hijackthis log. Can someone help me?

etaf · Sep 17, 2004

?? thats strange - thats an obsolete version the link i gave you should have downloaded 1.98.2 not 1.97

yona15 · Sep 17, 2004

ETAF-what does that mean exactly? will I need to try another site?

etaf · Sep 17, 2004

are you on dial up or adsl/dsl
if on adsl/dsl - can you just try clicking on link and opening the file rather than save.
it will give you a warning about temp files after that see what version it is.

i have requested a guru to look at the log

Flrman1 · Sep 17, 2004

Go to Add/Remove programs and uninstall these programs:

ViewPoint or ViewPoint Media Player
Winad Client

I also recommend that you uninstall Wild Tangent. See here:

http://www.kephyr.com/spywarescanner/library/wildtangent/index.phtml

I did not Add Weatherbug to my list for removal, but it is adware. Check this out for info on Weatherbug and make your own decision:

http://www.pchell.com/support/weatherbug.shtml

Here are two adware free alternatives:

http://www.tropicdesigns.net/ -----> I use this one.

http://www.singerscreations.com/

Restart your computer after each uninstall and then rescan with Hijack This and post another log.

Flrman1 · Sep 17, 2004

Also a new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it after you do the uninstalls.

Log in or Sign up

Possible virus or worm- Help

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

Flrman1

Flrman1

Sponsor

Welcome to Tech Support Guy!

Log in or Sign up

Possible virus or worm- Help

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

yona15 Thread Starter

etaf Moderator

Flrman1

Flrman1

Sponsor

Welcome to Tech Support Guy!

Useful Searches