WinMe Shutdown + Spyware Removal Advice

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Hello everyone. I have been reading posts here for a long time and have been helped by many of your answers. Thank you for your excellent posts and responses. What I am after is help with a relative's machine. WinMe, using Ez Trust antivirus, Zone Alarm for a Firewall on Cable for Internet. About a year ago we cleaned it up using Adaware but still had probs. They had maintenance agreement still so had a Techy redo everything. When back put the antivirus and Zone Alarm on for them. Installed WinMX instead of Kazaa. But... teenagers are doing some of the things they were told not to.

They reinstalled Kazaa, and then removed it-not completely though-found some Media Desktop thingys hanging round. Also found reference to Lop (suspect this is why there have been porn popups??). Now when trying to get onto the internet- they use 5.5 which has been updated, takes forever to get on. Almost a 4 minute wait! Using Ctrl alt Delete have seen these running: Sync, Save, and Sahagent, & Loader. The worst thing is-I suspect teens tried to load a program and removed it incorrectly, and now when you shut down normally the computer goes to a black screen completely covered with white dots and a flashing cursor??? You have to manually power off the machine.

Tonight I was going to download Spybot and run it on this machine and see if that helped. I would appreciate any suggestions or advice you can offer, and really could use any help you can provide. I am leery of Adaware since telling another friend to use it, it destroyed their internet connection and they couldn't get back online-possibly when their new program came out in Feb. Anyone know if this has been resolved?

I apologize for the long post, but wanted to give as much info as possible. Thanks in advance.

Cowgirl :)
 
Joined
May 28, 2003
Messages
2,366
Seems to me the teenagers you refer to have been playing in cyberspace and picked up some unwanted adware, spyware, and BHOs. One way to start the clean up is to run both Spybot S & D and Ad-aware. BTW, I've not heard of adverse issues with Ad-Aware and the experience you mentioned was an anomaly in my view.

Once that is completed a Hijack This scan will help identify the left over nasty critters. You can get HJT HERE. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post. There are experienced gurus here that can help. Alas, I'm still learning.
 
Joined
Oct 4, 2002
Messages
2,773
Hi Cdn Cowgirl

Hi BillC

There were a lot of issues with adaware towards the end of last year, when they stopped issuing updated reference files to the old adaware - new variants of spyware came out that adaware could not deal with and instead of withdrawing the old adaware, people kept using it, and thousands suffered crashes and lost their internet connections. There were even a few teething troubles with the new adaware - but I think everything's ok now.

And Cdn Cowgirl - yes run spybot - get rid of a lot of the rubbish, then post a hijackthis log as BillC suggests, after that we can sort the shutdown problem

steam
 
Joined
May 28, 2003
Messages
2,366
Thanks for the heads-up Steamwiz. I know folks who use and recommend Ad-Aware all the time and I didn't know there was ever a problem. I guess I missed out on all the fun crashes, huh? :p

Oh, btw, I've been using your suggested little program, RegProt for months and think it's great. Thank you. :)
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Thanks very much guys. Am at this computer right now. Have found a Kazaa folder under programs, but nothing in Add/Remove programs to get rid of it. Any help here?

Will post back after the Spybot run. Thanks very much


Cowgirl
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Ok-had to leave the computer for a bit-and go back after doing the Taxi for the kid...

Downloaded and installed Spybot. Updated it. Tried a number of times to scan but it hangs at a Lop2 entry and freezes. Have left it for an hour now and nothing.

Any suggestions as to this problem. Prior to reaching this point numerous entries appeared in red to be removed.... but can't complete as the program hangs.

Thanks in advance.

Cowgirl
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Ok then... Uninstalled Spybot. Reinstalled and tried to run the scan-the program hangs when scanning C2.lop. Downloaded Adaware.... and oh my-guess what happened? Lost the internet connection. Had to reinstall the quarantined items and went to Lavasoft-fumbled thru their winsock fix... did another Ad scan. deleted all it could find. Still can't run Spybot-hangs at this Lop thingy. I am still very leery about Adaware at this point!!!

So, downloaded Hijack-and scanned. Here is the log. I am hoping you guys can provide direction after reading this. Thanks in advance for any help you can provide.

Will check back tomorrow.... too late to continue tonight....

Logfile of HijackThis v1.97.2
Scan saved at 9:10:19 PM, on 2003-09-22
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZIPCENTRAL\ZCENTRAL.EXE
C:\WINDOWS\TEMP\_ZCTMP.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://free64all.com/tgp/out.php3?l=207
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O15 - Trusted Zone: chat.msn.ca
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs9_x.cab
O16 - DPF: {5C015AA7-3392-4044-90CC-8E95019CFFF1} - http://www.mainentrypoint.com/linkzz/LinkZZ2.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://play.toontown.com/ttinst.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt1_x.cab
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.6526273148
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Good Morning All. Just wanted to let you know that after posting the Hijack log we shut this computer down and Wow, it shut down normally. Whatever Adaware removed must have helped.

But, would appreciate someone checking the log as well as any suggestions on the Spybot hangup. Prior to the point of hanging a large number of Red items appear in the scan window. Obviously there is still cleanup to be done....

Any help is most appreciated.


Cowgirl:)
 
Joined
Aug 18, 2003
Messages
2,438
Regarding the SB hang with c2.lop:

http://spybot.eon.net.au/index.php?lang=en&page=knowledgebase/faq/faq022

http://forums.spywareinfo.com/index.php?showtopic=10585&hl=c2+lop

With regard to your A-A difficulties, I'd be interested in knowing more about your situation. Were you running build 181 with reference file 01R221 20.09.2003? That information will appear on the start screen when you launch the program. A-A is a very powerful program, and it is imperative that you always have the current Build and Reference File in use to ensure the proper detection and removal of objects.
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Thanks for responding Winchester 73. I will have to go back to this computer tonight-am at work today. I looked at the Spybot link and will check into downloading the Library item as well as possibly updating the IE to 6.??. We had deleted the History/Temp Internet Files, etc. Went into the c/Cookies and deleted those and one gave us an error... Now, I can't remember which one but hope this is unrelated.

As for Adaware...yes it is the latest build-was positive of that and also distinctly remember the 9/20 being the Ref File we updated to after the install. This is exactly what happened when we used this program on another machine earlier this year. That machine had a Win98 o/s. The current one we are trying to fix is WinME. The ISP for both machines is Shaw Cable. I believe they are both using IE 5.5 as well. The 98 owner contacted Shaw to get back online-I am not sure what they did to reconnect-but they are still experiencing some problems-not sure if they are related to the Winsock error at this time.
Also, I am not positive on what helped to reconnect on the ME machine last night-We did restore the quarantined items as mentioned, got online, and I downloaded the Winsock Fix from Lavasoft Forum. As said earlier-fumbled thru that Unzip/Install and kept my fingers crossed. Did another A/A scan and got rid of everything again (217 items!!). Rebooted and was able to get online. So, that's where we sit at the moment....

Anything in the Hijack log that needs to be fixed? Will check back later. Thanks muchly!

Cowgirl
 
Joined
Aug 18, 2003
Messages
2,438
I am still learning my way around HT, but the R0 and R1 entries that point to http://free64all.com/tgp/out.php3?l=207 are for a porn site.

Wait until someone more knowledgeable than I advises you on everything else.

When you are all cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

SpywareBlaster v2.6.1
SpywareGuard v2.2

These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm

(the free64all site happens to be one of the MANY ie-spyad entries)
 
Joined
Oct 4, 2002
Messages
2,773
Regards LOP

open spybot, click on excludes and tick C2 lop - that'll let it finish

There are a few things to fix in your log - but nothing serious

I'm in a hurry now - will post back later

steam
 
Joined
Oct 4, 2002
Messages
2,773
Close all browser windows - run hijackthis and tick to fix :-


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://free64all.com/tgp/out.php3?l=207

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://free64all.com/tgp/out.php3?l=207

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://free64all.com/tgp/out.php3?l=207

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O16 - DPF: {5C015AA7-3392-4044-90CC-8E95019CFFF1} - http://www.mainentrypoint.com/linkzz/LinkZZ2.cab



steam
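
A way to double-check a fix list like the one above against a later scan, as an added example that is not part of the thread: it parses HijackThis log lines, lists hosts written into more than one IE search setting, and reports ticked entries that show up again in a follow-up scan. The follow-up scan is constructed, and the function names and the "two or more settings" threshold are assumptions of this example, not HijackThis rules.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

# Lines copied from the first scan posted in the thread.
FIRST_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://free64all.com/tgp/out.php3?l=207
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
"""
# Some of the entries ticked in the fix list above.
TICKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://free64all.com/tgp/out.php3?l=207
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://free64all.com/tgp/out.php3?l=207
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
"""
# Constructed follow-up scan (not from the thread): one ticked entry is back.
RESCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://free64all.com/tgp/out.php3?l=207
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

def parse(log):
    """Return (code, body) pairs for every HijackThis entry line in the text."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(" ".join(line.split()))  # collapse stray whitespace
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def repeated_search_hosts(entries, min_settings=2):
    """Hosts that appear in at least min_settings R0/R1 URL values."""
    hosts = defaultdict(set)
    for code, body in entries:
        if code not in ("R0", "R1") or " = " not in body:
            continue
        location, data = body.split(" = ", 1)
        host = urlparse(data).hostname  # None for local paths and empty values
        if host:
            key, _, name = location.rpartition(",")
            hosts[host].add(f"{key[:4]}:{name}")  # e.g. HKCU:Search Bar
    return {h: sorted(s) for h, s in hosts.items() if len(s) >= min_settings}

def still_present(ticked_log, rescan_log):
    """Ticked entries that show up again in a later scan (case-insensitive)."""
    seen = {(c, b.casefold()) for c, b in parse(rescan_log)}
    return [(c, b) for c, b in parse(ticked_log) if (c, b.casefold()) in seen]

if __name__ == "__main__":
    for host, settings in repeated_search_hosts(parse(FIRST_SCAN)).items():
        print(f"{host} is set in: {', '.join(settings)}")
    for code, body in still_present(TICKED, RESCAN):
        print(f"still present after fix: {code} - {body}")
```

An empty result from `still_present` only shows that the ticked lines are gone from the new log; it does not by itself show that the program which wrote them has been removed.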
 

Cdn Cowgirl

Thread Starter
Joined
Sep 22, 2003
Messages
46
Thank you Steamwiz and Die Hard. Success!! We have checked the Lop items to be excluded under the Spybot. Ran the program and fixed all that came up.

Then ran Hijack and deleted all the entries you have said to check off. The internet is running well. No holdups so far. I appreciate all the suggestions and responses.

Two questions though... Is the Lop thingy still here-not sure if we have completely gotten rid of it? In other words are we safe for now or do we have to worry about it?

The other relates to Adaware. Any ideas as to why it destroys your internet connection? I would like to have this running on my two pcs at home but due to these two instances am afraid to install it.

Anyway, we really appreciate the help you have given and if I should need assistance in the future (hopefully NOT!!!) will return.

Oops... one more question-about the Kazaa thing-there is a folder under the C:/Programs. But-nothing under Control Panel to Add or Remove. Can I just delete these or how do we uninstall it???

**Edit-one other problem...When I first looked at this computer-tried to do a system restore. There were previous restore points-back in May-nothing from May to now. Tried to restore-wouldn't work. Previously this Spring I know they successfully restored to a previous point. During the processes above-disabled restore/then re-enabled after all the repairs. Attempted to create a restore point and keep getting the message-can't set restore point-reboot and try again. Did that-still no go. If anything-I have searched the forum-quite a few posts on this...will try and work thru them.

Cowgirl:)
 