Fatal errors in IE when trying to run online Trend Micro and Symantec scans

Discussion in 'Malware Help (A Specialist Will Reply)' started by brandoncox78, Jul 7, 2005.

  1. brandoncox78

    brandoncox78 Private E-2

    Thanks for the site.
    I read your sticky threads on basic spyware/virus removal and am having trouble getting past the online scans. I was unable to run the scans from safe mode with networking support because the options to connect to the internet via modem were grayed out in safe mode. In normal mode, I click on the link to the Trend Micro scan from your thread and the title bar of the page loads and then has a fatal error in Internet Explorer. When I click the Symantec scan link, I get their page and then a pop-up for the scan to run. The progress bar at the bottom says the page is done but nothing shows up on the screen--just an arrow with an hourglass. I'm not having this problem with any other sites using Internet Explorer. Could this be due to spyware? Any thoughts on a way around it? The only changes I have recently made to my computer are the installation (not running) of the programs listed in your thread and the latest Windows update--if these could have anything to do with it. Look forward to your reply.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner. After you have completed this scan above, proceed with the below.


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. brandoncox78

    brandoncox78 Private E-2

    Thanks for giving me my computer back! I was having problems with about:blank and Only the Best pop ups. I followed your sticky thread directions esp. the generic solution for "only the best" aka "HSA" and about:blank Hijackers. All seems fine so far after some browsing and several reboots.

    Couple questions though:

    I've attached my most recent HJT log after the last reboot like you asked. Anything still look fishy?

    I've downloaded Mozilla now as my browser. Should I uninstall Internet Explorer or just not use it as a browser?

    And, how do I donate to your site? You guys do great work!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have some problems.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5364ABD3-3300-341C-1D26-05C46F9627DD} - (no file)
    O4 - HKLM\..\Run: [iexplore.exe] :C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [baseula] :C:\WINDOWS\java\baseula.exe
    O4 - HKCU\..\Run: [wmadmod] :C:\WINDOWS\System32\wmadmod.exe
    O4 - HKCU\..\Run: [winpack] :C:\WINDOWS\System32\winpack.exe
    O4 - HKCU\..\Run: [sysinv] :C:\WINDOWS\System32\sysinv.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {6BA3D4A9-3232-4FCA-A514-40C1C2313BEC} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BA3D4A9-3232-4FCA-A514-40C1C2313BEC} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {DDBEF8F4-4097-4CF9-BBB7-397D485BA4F4} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DDBEF8F4-4097-4CF9-BBB7-397D485BA4F4} - (no file) (HKCU)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\java\baseula.exe
    C:\WINDOWS\System32\wmadmod.exe
    C:\WINDOWS\System32\winpack.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.
    This next file I want you to rename instead of delete. So right click on it and select Rename.
    C:\WINDOWS\System32\sysinv.exe rename to sysinv.xxx


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
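    The entries chaslang lists above are the kind of HijackThis lines a reviewer checks by hand: a hijacked start page, a missing URLSearchHook, BHO and toolbar entries with "(no file)", and Run-key autostarts launching from C:\WINDOWS\java or System32. The following script is an added example, not part of this thread and not a MajorGeeks or HijackThis tool; it parses HJT-format lines and applies those same triage rules so the reasoning becomes explicit. The sample log is taken from the lines quoted in this post plus two benign lines constructed for contrast; the allowlists (KNOWN_GOOD_AUTOSTARTS, EXPECTED_HOME_HOSTS) and the "suspicious folder" heuristic are assumptions chosen for the example, not a vetted database.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample HijackThis lines. The first seven are quoted from chaslang's post
# above; the last two are benign lines constructed for this example so the
# triage has entries to pass as well as entries to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5364ABD3-3300-341C-1D26-05C46F9627DD} - (no file)
O4 - HKLM\..\Run: [iexplore.exe] :C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [baseula] :C:\WINDOWS\java\baseula.exe
O4 - HKCU\..\Run: [wmadmod] :C:\WINDOWS\System32\wmadmod.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6BA3D4A9-3232-4FCA-A514-40C1C2313BEC} - (no file) (HKCU)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
"""

# Constructed allowlists for the example. A real triage would consult a
# curated list of known-good autostarts and the user's own chosen home page.
KNOWN_GOOD_AUTOSTARTS = {"ctfmon.exe"}
EXPECTED_HOME_HOSTS = {"www.majorgeeks.com"}

# Folders from which a legitimate Run-key autostart is unusual (assumption).
SYSTEM_FOLDERS = ("c:\\windows\\java", "c:\\windows\\system32")

# O4 lines look like: O4 - HKLM\..\Run: [name] :C:\path\to\image.exe
# (HJT sometimes prints a stray colon before the path, as in the post above.)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] :?(?P<image>.+)$"
)
# R0/R1 start-page lines end with "Start Page = <url>".
START_PAGE_RE = re.compile(r"^R[01] - .*,Start Page = (?P<url>\S+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why a reviewer would mark it for Fix
    line: str      # the original log line


def triage_line(line):
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]

    # R3: HJT reports the default search hook as missing; Fix restores it.
    if section == "R3" and "is missing" in line:
        return Finding(section, "URLSearchHook missing; HJT fix restores the default", line)

    # R0/R1: flag a start page on a host the user did not choose.
    m = START_PAGE_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in EXPECTED_HOME_HOSTS:
            return Finding(section, f"start page points at unexpected host {host}", line)
        return None

    # O2/O9: a registered BHO or button whose file is gone is an orphan;
    # harmless on its own but leaves the registry pointing at a hijacker.
    if section in ("O2", "O9") and "(no file)" in line:
        return Finding(section, "orphaned entry: registered component has no file on disk", line)

    # O4: autostarts not on the allowlist get flagged, with a stronger reason
    # when the image lives in a system folder where user software does not belong.
    m = O4_RE.match(line)
    if m:
        image = m.group("image").strip().strip('"')
        folder, _, exe = image.rpartition("\\")
        exe, folder = exe.lower(), folder.lower()
        if exe in KNOWN_GOOD_AUTOSTARTS:
            return None
        if folder.startswith(SYSTEM_FOLDERS):
            why = f"unrecognised autostart {exe} launched from system folder {folder}"
        else:
            why = f"autostart {exe} not on the allowlist; verify the publisher"
        return Finding(section, why, line)
    return None


def triage(log_text):
    """Run triage_line over every line of an HJT log and collect the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

    Run against the sample, the script flags exactly the seven lines chaslang told the poster to Fix and passes the two constructed benign lines. The point of the allowlist design is that an unrecognised autostart is a reason to look, not proof of malware; the thread's expert still made the final call by hand.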
     
  5. brandoncox78

    brandoncox78 Private E-2

    OK

    So i fixed the items in HiJack This and rebooted in safe mode.

    With options for hidden files to be shown checked, hide file extensions disabled, and protected operating system files to be shown, I looked for the four files in question:

    I deleted baseula.exe

    When searching for wmadmod (with no file extension), windows explorer only found wmadmod.dll (not .exe) in the following folders:

    C:\I386
    C:\WINDOWS\$NTServicePackUninstall$
    C:\WINDOWS\system32
    C:\WINDOWS\ServicePackFiles\i386
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

    I did not delete any of these files

    I deleted winpack.exe

    When searching for sysinv (with no file extension), windows explorer only found sysinv.dll (not .exe) in the following folders:

    C:\I386
    C:\WINDOWS\system32
    C:\WINDOWS\system32\DLLCache

    I did not delete or rename any of these files.

    I ran CCleaner, deleted all prefetch files, reset web settings, and rebooted.

    Here's the latest HJT log.
     
  6. brandoncox78

    brandoncox78 Private E-2

    Doh! Forgot to attach the HJT log to the last post. Not sure how to edit so I'm attaching it here. Sorry.
     

    Attached Files:

  7. brandoncox78

    brandoncox78 Private E-2

    Now I'm a little worried :rolleyes:

    Today the network connection refused to produce the dialog box it usually does to establish my dial-up connection. The icon was not grayed out--just didn't do anything when I clicked it.

    Also, PowerDVD (software that plays DVDs) crashes shortly after it opens. It worked fine as of about 2 days ago when I last used it.

    Because I couldn't get back to this post without an internet connection, I had to reboot, unfortunately.

    On reboot, I received the following error message: "Generic Host Process for Win32 services encountered a problem and needed to close."

    The internet connection now works fine, but PowerDVD still crashes. I tried to print from a site that sells online postage and received the error message: "Spooler subsystem App has encountered a problem and needs to close." Printing other things like Word documents seems to be OK.

    Not sure what's going on. Should I use System Restore to go back to the last restore point and start the whole clean-up process from square one again? The system restore function is still currently disabled from when I started the clean-up.

    I attached the HJT log that I saved before I did anything after this last reboot.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say to search for a file (especially with no file extension). I said:

    Boot into safe mode and use Windows Explorer to delete:

    This is not a Windows search. Windows search would have to be configured properly too to locate hidden files.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HijackThis log is clean.

    If you ran all the steps in the READ ME FIRST, step 1 was to disable system restore. Thus you have no System Restore points. All that would have done is to restore malware. That's the reason for disabling it.

    I'm not sure why you are getting error messages. Take a look at the below link and see if it is of any help:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;821690
     
    Last edited: Jul 10, 2005
  10. brandoncox78

    brandoncox78 Private E-2

    Glad to hear that the log checks out clean!

    I used the advanced options for hidden, system, and sub folders when I did the search earlier. I only deleted the files with the exact path that you listed in your post.

    It turns out that the "Generic Host Process" error, the spooler error, and the problems with PowerDVD were all related to some Windows automatic updates that had installed since the prior reboot. They took effect after the reboot and caused the issues. I uninstalled the updates and everything is back to normal.

    My computer is clean by all online scans and both the main and secondary Spyware Removers I downloaded from your site. :)

    Thanks for all your help! How can I support your site?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Tell your friends to come here for downloads of files and for help in the forums. You can also buy any of the MG's items like T-shirts, sweatshirts, hats, etc. (if you wish).
     
