
neededware? I have tried to fix winstat11.dll error



#1 benjlenbar

Posted 05 July 2005 - 03:58 PM

Problem 1: going to certain sites and trying to open HTML files, I get this error message. I can't remember all of it... Iexplorer caused error in winstat11.dll and will now close. Anyway, the error would come up and I would have to hit Control+Alt+Del or the page would just close.

Problem 2: when opening (favorites), pages would close quickly, but typing them in the address bar seemed to have no or little problem. I went to forums and followed instructions to delete certain neededware files, could not find files but found under search about 7 having to do with neededware. I wanted more info on what is safe to delete before taking that move some system files and logs, deleted winstat11.dll and added neededware to my restricted sites list where it still is. When viewing winstat11 I saw another winstat10; the ones I saw in the forum were 11, 12.

Problem 3: installed Ad-Aware with updates, ran and found 54 problems but could only fix 53 having to do with a _restore.CPY file? There were 2 of them; one was removed using Ad-Aware upon reboot and the other would not delete. I also for many weeks have noticed a file in my Windows\temp folder called merado_run. While online I am unable to access it; offline I can put it in the recycle bin.

Problem 4: went and used an online scanner from HouseCall; at 71% it stopped responding. Arggg!!! So installed, updated and ran McAfee virus scan, which also stopped responding when starting scan, then ran Ad-Aware, found 6 problems and fixed them all, went into safe mode and started scan with McAfee and Ad-Aware; it worked but nothing was found.

I now find that when online I sometimes see popups, then I hear my hard drive hard at work; also the cursor flashes really fast. Found a list of many sites it had left in my history... if I may list them... adacuity, ads 1 revenue.net, creatrixads, dotexplore, findonpage, ncontextsearch, neededware, realcasinoreview of which I deleted what was shown only to be as a shortcut to the program in Windows system files, songsonpage, tinkopal, trafficexplorer, and finally yazifind.

This system is using Windows Millennium. I also have HijackThis; I looked over it but don't know what are system files versus viruses or other problems. Also I notice I am getting disconnected every 10 minutes. Well, I hope I have given you enough info for now. This Merado_run.log file along with some others that have started staying in my temp folder, ~DF3806.TMP and another one that will come back; these files I have deleted many times but keep appearing.

Here is my log file for HJT..

Logfile of HijackThis v1.99.1
Scan saved at 1:34:44 PM, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\IOA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\REGEDIT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IOA] C:\WINDOWS\SYSTEM\IOA.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

And YES, I have tried using HijackThis to fix IOA.EXE with no results. I even went into regedit and deleted it as I saw instructed on some other sites. Maybe I have used the wrong advice for my situation?

ANY HELP WILL BE GREATLY APPRECIATED THANKS!!! A MILLION!!!!

Edited by benjlenbar, 05 July 2005 - 06:22 PM.




#2 benjlenbar


Posted 05 July 2005 - 04:31 PM

OK, I saw in another post that going to msconfig and checking everything in startup would be good. I rebooted and here is my new log info. I see a few things but need a walkthrough.



Logfile of HijackThis v1.99.1
Scan saved at 2:23:12 PM, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\IOA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\WINDOWS\SYSTEM\E_S5I2A1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ioa] C:\WINDOWS\SYSTEM\ioa.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\SYSTEM\E_S5I2A1.EXE /P26 "EPSON Stylus CX4600 Series" /O7 "EPUSB1:" /M "Stylus CX4600"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\SYSTEM\PPCRunOnce.exe
O4 - HKLM\..\Run: [EDCXLYW] C:\MY DOCUMENTS\EDCXLYW.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Startup: Epson all-in-one Registration.lnk = D:\EREG\EpsonReg.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

thanks, ben

#3 groovicus

  • Security Colleague

Posted 06 July 2005 - 06:13 PM

Actually, putting a check beside everything means that some programs are not being started, so we can now no longer see them. Can you undo that, and then repost a fresh log please? There may have been a reason that the helper wanted their user to do that which was related only to their particular problem. :thumbsup:

#4 benjlenbar


Posted 11 July 2005 - 07:51 PM

OK, well, here it is, thanks for responding! I wanted to add that a program that I have, I can't think which it could possibly be, but I now have in certain views my icons have changed color and detail, but in large view they are normal. 1 of them looks like a normal yellow file folder, only green in color with a dark hand on it. I'm curious if you have ever heard of this problem? Oh, and no, I do not know what the file ioa.exe is; I think it is part of the problem. As far as sending a link, I only copy/pasted the page where I found the info on how to remove neededware... I don't know of the link... I saw webuser but not sure if that was the site that I got info from, just happen to see it on the page.



Logfile of HijackThis v1.99.1
Scan saved at 5:40:29 PM, on 7/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\IOA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\PROGRAM FILES\ISP50\BIN\BANDOBJECT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\PROGRAM FILES\PEOPLEPC\TOOLBAR\PPCTOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IOA] C:\WINDOWS\SYSTEM\IOA.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Edited by benjlenbar, 11 July 2005 - 08:22 PM.


#5 groovicus

  • Security Colleague

Posted 11 July 2005 - 08:11 PM

I only see one thing that I can't identify. Other than that, everything looks great. Do you know what this file is?:
C:\WINDOWS\SYSTEM\IOA.EXE

Can you link me to the directions that you followed in order to remove your malware? I need to try to reconstruct what you did. :thumbsup:

I like a good mystery.
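
The helper asked for a fresh log because the startup selection in msconfig changes which autostart entries a HijackThis log shows. As an added example (not part of the thread and not HijackThis's own code), this Python script diffs the O4 autostart lines of two logs, folding case because the same entry appears as `[ioa]` and `[IOA]`. The O4 lines are excerpted from the logs in posts #2 and #4; the function names are this example's own.

```python
import re

# O4 lines excerpted from the logs in posts #2 and #4 of this thread.
LOG_POST_2 = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ioa] C:\WINDOWS\SYSTEM\ioa.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\SYSTEM\PPCRunOnce.exe
O4 - HKLM\..\Run: [EDCXLYW] C:\MY DOCUMENTS\EDCXLYW.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
"""
LOG_POST_4 = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IOA] C:\WINDOWS\SYSTEM\IOA.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
"""

# Registry form: "O4 - <hive>\..\<key>: [<value name>] <command>"
REG_RE = re.compile(r"^O4 - (?P<loc>[A-Z]+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder form: "O4 - <folder>: <shortcut> = <target>"
LNK_RE = re.compile(r"^O4 - (?P<loc>[^:\\]*Startup): (?P<name>.+?) = (?P<cmd>.+)$")


def parse_o4(log_text):
    """Return {normalized key: original line} for every O4 autostart entry."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line) or LNK_RE.match(line)
        if m:
            # Windows paths and value names are case-insensitive, so fold case.
            key = tuple(m.group(g).lower() for g in ("loc", "name", "cmd"))
            entries[key] = line
    return entries


def diff_autostarts(old_log, new_log):
    """Return (only_in_old, only_in_new, in_both) as sorted lists of lines."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    only_old = sorted(old[k] for k in old.keys() - new.keys())
    only_new = sorted(new[k] for k in new.keys() - old.keys())
    both = sorted(new[k] for k in old.keys() & new.keys())
    return only_old, only_new, both


if __name__ == "__main__":
    gone, added, kept = diff_autostarts(LOG_POST_2, LOG_POST_4)
    for label, lines in (("only in post #2", gone), ("only in post #4", added), ("in both", kept)):
        print(label)
        for entry in lines:
            print("   ", entry)
```

Entries listed under "only in post #2" are the ones a reviewer of the later log alone would never see.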

#6 benjlenbar


Posted 12 July 2005 - 12:12 AM

OK, I was able to find the link. I also edited the above reply if you have not already read it.... Here's the link, I'm not sure if this is the right way to post it or not.... http://www.webuser.co.uk clicked hijackthislog link and then searched for winstat11.dll and came up with about 6. I searched under grumpybear and this is where I did what they said, all the files, but most I did not have. Anyways, that is the closest I can come to a link... Oh, I'm not sure if I have mentioned this, but when I am typing it will cut off and I have to keep clicking this page to keep typing. This happens every 30-45 seconds and my cursor always flashes. Anyways, there you go, hope this may help.

#7 groovicus

  • Security Colleague

Posted 12 July 2005 - 09:29 AM

To paste a hyper-link in your post, just copy it from the address bar, and then paste it into your reply. The board software will automatically format it for you.

I would like you to submit a file for me please. Go here:
http://www.bleepingcomputer.com/submit-malware.php

In the submission box, paste in the following: C:\WINDOWS\SYSTEM\IOA.EXE and let me know by PM when you have done that so I can take a look at it.

"oh I'm not sure if I have mentioned this but when I am typing it will cut off and I have to keep clicking this page to keep typing this happens every 30-45 seconds and my cursor always flashes. anyways there you go hope this may help."


I don't know what is causing that... it may be a memory issue. Let's tackle one thing at a time so we don't get confused. :thumbsup:



