Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please help!


  • This topic is locked This topic is locked
3 replies to this topic

#1 kaneshansley

kaneshansley

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:06:40 AM

Posted 24 June 2004 - 11:05 AM

Hi, I've had this problem before and was able to get rid of it, but this time it seems impossible.

Symptoms:

Home page changed and can't change it back.
Pop-ups constantly.
A window that comes up and tells me my virtual memory is low.
Search engine changed.
Slow to the point where I usually have to close down the whole computer.

Have
Adaware
Adwatch
Spybot
Pop up stopper
Norton anti virus
firewall
cwshredder
Hijack this

I've tried running spybot to no avail. I have the newest version installed yet
when I run it it a) takes *so* long and :thumbsup: when it finally does finish I get all these
messages that files can't be run because they can't be found. So the bad files never end up getting fixed.

Here is my current hijackthis file:

Logfile of HijackThis v1.97.7
Scan saved at 11:27:20 AM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ddawua.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Play Plus\ToolBlah.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\mcamgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\System32\keyword.exe
C:\Documents and Settings\Karen\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smptnkcpulaky] C:\WINDOWS\System32\ddawua.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\Play Plus\ToolBlah.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: Forget Me Not.lnk = C:\Program Files\Mindscape\AGCraft\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Jasc Software Inc\After Shot\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: PC Connection Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1069780266390
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


Please, please help!
Thanks!

BC AdBot (Login to Remove)

 


#2 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:04:40 AM

Posted 24 June 2004 - 01:34 PM

Hi kaneshansley

Welcome to BC


click herefor LSPFix
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of cdlsp.dll (and nothing else) , and move them to the "Remove" pane.
Then click Finish.

Reboot
------------------------------------------------------------------------------------------

go here and remove wintools
http://www.pchell.com/support/wintools.shtml

--------------------------------------------------------------------------
then

Run hijack this Put a check next to these close all browsers and click fix

make sure not to miss one

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [smptnkcpulaky] C:\WINDOWS\System32\ddawua.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\Play Plus\ToolBlah.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background



O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

reboot into safe mode
How to boot into safe mode

delete

this files

C:\WINDOWS\System32\ddawua.exe
C:\WINDOWS\System32\manage.exe
C:\WINDOWS\System32\keyword.exe

these folders

C:\PROGRA~1\Play Plus
C:\Program Files\Common files\WinTools
C:\PROGRA~1\MEALDE~1



reboot to normal

come back and post a fresh log and tell me how you computers running

Lobos
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD

#3 kaneshansley

kaneshansley
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:06:40 AM

Posted 24 June 2004 - 08:25 PM

Hi. Things are even worse! I did the LSPfix OK, and then when I went to remove Wintools is when I had problems. I was able to change the registry and turn off the system restore, but when I tried to use safe mode it would just hang and not go anywhere. Then I followed the directions and deleted Wintools, and now I can't even get on at all. I'm using a friend's computer right now to log on. When I try to get on to my account, I get messages like this:

I get a parser message
Value creation failed at line 422
Viewmgr.exe application error
manage.exe application error
and tons of other application errros.

Even if I do manage to get to my account, I can't open explorer, word, or anything else. What have I done??

Karen

#4 Lobos

Lobos

  • Members
  • 317 posts
  • OFFLINE
  •  
  • Location:California USA
  • Local time:04:40 AM

Posted 25 June 2004 - 12:39 PM

mmmm that dont sound good looks to be spy ware related
both of those files are spy ware related


well you may try and repair XP

I got a second opinion on this thanks to Stienhart
he said to try repairing XP

we figure it might be some sort of malware screwing with it
that one reason why you will never hear me say use systems restore

http://www.michaelstevenstech.com/XPrepairinstall.htm

then rerun hijack this and give us a new log

come back and let us know

lobos
<span style='color:blue'>Ad-Aware SE</span> | Spybot S&D 1.4

For extra protection try spyware blaster

<span style='color:blue'>If you use IE I suggest using these two programs</span> MVPHosts & IE-SPYAD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users