1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Possible virus or worm- Help

Discussion in 'Earlier Versions of Windows' started by yona15, Sep 17, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. yona15

    yona15 Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    13
    I am running Windows ME- I have Lavasoft Ad-Aware and spybot installed. I have a business e-mail account because I work at home. On monday I received an e-mail re: Bad E-mail! It says Clam AV: Encrypted.zip contains worm bagle.Gen-zippwd, since then my computer has been running extremely slow with alot of error messages like: exployer has caused an error in KERNEL.32DLL. and another error message when I tried to restart Internet exployer has caused an error SHELL32.DLL. Also, when try to restart my computer it just gets a blue screen and hangs so I have to shut down with the master switch. Than when I try to launch a program I receive this error message error loading C:\progra"1\wildta~1\apps\cda\cdaeng~1.DLL.( this message I have been getting since the tech guy at the office tried to clean up my computer, now you know why I came to you guys) I ran ad-aware and found 61 critical items that I tried to delete, first it quarintined them sucessfully then tried to delete from the system the window that comes up says deleted then you are supposed to click finish, well the windows stays up and you can never finish the deletion . I also tried to run spy-bot and after it finds problems it just stops responding. I am not very much of a computer wiz probably a computer fizz actually and I was just wondering if someone can first of all sort out what I am saying and then send HELP! :D
     
  2. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    probably can be fixed here.
    i would suggest a hijackthis log - lets see the extent of the problems


    HIJACK THIS:

    Download and copy hijackthis to its own folder , it makes backups so keeping them separate and available can be useful.

    Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

    http://www.tomcoyote.org/hjt/
    http://209.133.47.200/~merijn/downloads.html
    http://www.thespykiller.co.uk/
    http://www.majorgeeks.com/download3155.html
    http://aumha.org/downloads/hijackthis.exe
    http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can not get to any of the above sites)

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
    Click on “Save Log” and then save it to NotePad.
    Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
    DO NOT FIX ANYTHING wait advice from one of the many security experts in this forum.

    I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will nolonger be replying to your post with regards to the HJT issue, so please have patience and wait for one of the secruity experts to provide further detailed advice

    i will however, be notified when you post the log
     
  3. yona15

    yona15 Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    13
    ETAF- thank you for your help. I went to the first site you listed and clicked on hijackthis. I tried to copy it but couldn't. I know that I am soing something wrong. I am at the bottom of the rung with computer knowledge. I tried to save this file into a new folder in my documents and then tried to open it to scan and nothing is there. I'm sorry. I guess I am not understanding how to actually download this file to use it. My computer is running so slow I am afraid it is going to crash before I can figure out what to do.
     
  4. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
  5. yona15

    yona15 Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    13
    Logfile of HijackThis v1.97.7
    Scan saved at 4:11:07 PM, on 9/17/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\WZCBDL SERVICE\WZCBDL9X.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\PROGRAM FILES\D-LINK\AIR USB UTILITY\AIRCFG.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\WUAUCLT.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y2SHWH5X\HIJACKTHIS[1].EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_3_16_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\HOTBAR\BIN\4.5.1.0\WEATHERONTRAY.EXE
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [WZCBDLService] C:\Program Files\WZCBDL Service\WZCBDL9X.exe
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38234.269375
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,4.2.2.2

    Here is the hijackthis log. Can someone help me?
     
  6. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    ?? thats strange - thats an obsolete version the link i gave you should have downloaded 1.98.2 not 1.97
     
  7. yona15

    yona15 Thread Starter

    Joined:
    Sep 17, 2004
    Messages:
    13
    ETAF-what does that mean exactly? will I need to try another site?
     
  8. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
    are you on dial up or adsl/dsl
    if on adsl/dsl - can you just try clicking on link and opening the file rather than save.
    it will give you a warning about temp files after that see what version it is.

    i have requested a guru to look at the log
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go to Add/Remove programs and uninstall these programs:

    ViewPoint or ViewPoint Media Player
    Winad Client


    I also recommend that you uninstall Wild Tangent. See here:

    http://www.kephyr.com/spywarescanner/library/wildtangent/index.phtml


    I did not Add Weatherbug to my list for removal, but it is adware. Check this out for info on Weatherbug and make your own decision:

    http://www.pchell.com/support/weatherbug.shtml

    Here are two adware free alternatives:

    http://www.tropicdesigns.net/ -----> I use this one.

    http://www.singerscreations.com/


    Restart your computer after each uninstall and then rescan with Hijack This and post another log.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Also a new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it after you do the uninstalls.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/275105

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice