Spyware removed I think - now startup problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by YT1300, Mar 6, 2005.

  1. YT1300

    YT1300 Private E-2

    Windows 2000 Pro 5.00.2195 Serv. pack 4
    65064kb RAM x86 Family 6 Model 5 stepping 2
    6 gb Hard drive

    I have run these scans:
    Ad-Aware SE (w/ VX2 plugin), CCleaner, Spybot, McAfee AVERT Stinger, CWShredder, & kill2me. I have also installed SpywareBlaster & HijackThis.

    I did have the "Warning your system is in danger" malware(?), & doing all these things seems to have removed it.

    In order to get onto my machine while this was on it I had to go to the task manager, end process on explorer.exe & start explorer.exe as a new process.

    I still have to do this and I still can not get my PC-cillin (2005) to run. It seems that there might be an endless loop running preventing this from loading (just guessing).

    When I try to run PC-cillin and click to scan I get a message:

    "This feature is still initializing. Wait a few moments and try again later."
    It never finishes initializing.

    I have tried uninstalling PC-cillin & re-installing.
    I have also been trying to install windows updates, but they will never finish installation due to the startup problem.

    When I try to do the Free Online Scan from Trend Micro I get this message:

    "HouseCall ActiveX component is not ready." (That may be my fault - I may have removed or disabled something to do with ActiveX when combating the "warning your computer is in danger" thing.)

    I am by no means a computer expert & I apologize for that, but will do better to educate myself using this site, probably during lunch hours.

    Any useful suggestions would be much appreciated, as I have spent at least 10 to 15 hours trying to get my system back to where I feel safe. These are hours of alternating between blinding rage and self-loathing. (I did not make a backup disc.)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL steps in our READ ME FIRST (that you can run),
    and after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post.)
     
  3. YT1300

    YT1300 Private E-2

    I have since been able to get PC-cillin working. (It found no viruses or spyware.) I will now be checking for multiple copies of .exe's in places that they are not supposed to be.

    Once again, thanks for any help. (The last time I went into Task Manager it had possibly 10-15 spoolsv.exe's running. It seemed weird to me, but I am not knowledgeable enough to declare that improper.)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I understand you had a problem with running the Trend Micro online scan, but you did not mention the Symantec online scan and did not run it either. Did you have the same problem?

    Is the WebJet program something you downloaded and installed? If so, what is it for?

    Are the below lines with eznsearch.com expected? That is, are these something you set up and want? If not, add them to the list of items to fix below with HijackThis.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eznsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN

    Make sure viewing of hidden files is enabled (per the tutorial).
    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINNT\webdir.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINNT\System32\spoolsrv32.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\webdir.dll
    C:\WINNT\System32\spoolsrv32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now:
    Run CCleaner, which you downloaded and installed during the READ ME FIRST steps.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
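    As an added example (not from this thread, HijackThis, or MajorGeeks), a small Python parser for the R1/O2/O4/O9 log lines quoted above that flags the kinds of entries chaslang asked about: search settings pointing off-site, a ProxyServer entry, RunOnce autostarts, and file names that mimic a genuine Windows process (spoolsrv32.exe beside the real spoolsv.exe print spooler). The process list, the similarity threshold and the sample log are assumptions of the example.

```python
import re
from difflib import SequenceMatcher
# Constructed sample: the HijackThis 1.99.1 entries quoted in this thread (ProxyServer from the later log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3128
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
"""
# Assumption of this example: genuine Windows 2000 process names, to catch look-alikes like spoolsrv32.exe.
KNOWN_PROCESSES = ["spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe", "explorer.exe"]

R_LINE = re.compile(r"^(R\d) - (.+?),(.+?) = (.*)$")                        # R1 key,name = data
CLSID_LINE = re.compile(r"^(O[29]) - ([^:]+): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")  # O2/O9
O4_LINE = re.compile(r"^(O4) - (.+?): \[(.+?)\] (.*)$")                     # O4 key: [name] command

def parse_line(line):
    """Return a dict for one HJT entry, or None if the line is not a recognised type."""
    if m := R_LINE.match(line):
        return {"type": m[1], "key": m[2], "value_name": m[3], "value": m[4]}
    if m := CLSID_LINE.match(line):
        return {"type": m[1], "kind": m[2], "name": m[3], "clsid": m[4], "path": m[5]}
    if m := O4_LINE.match(line):
        return {"type": m[1], "key": m[2], "name": m[3], "path": m[4]}
    return None

def lookalike(filename):
    """Return the genuine process name that filename closely resembles, else None."""
    for real in KNOWN_PROCESSES:
        if filename != real and SequenceMatcher(None, filename, real).ratio() > 0.8:
            return real
    return None

def review(log):
    """Flag entries worth a second look, as (entry type, reason) tuples."""
    flags = []
    for e in filter(None, map(parse_line, log.strip().splitlines())):
        t = e["type"]
        if t == "R1" and "Search" in e["key"] + e["value_name"] and "microsoft.com" not in e["value"]:
            flags.append((t, f"search setting points to {e['value']}"))
        if t == "R1" and e["value_name"] == "ProxyServer":
            flags.append((t, f"proxy configured: {e['value']}"))
        if t in ("O2", "O4", "O9"):
            fname = e["path"].rsplit("\\", 1)[-1].lower()
            if t == "O4" and "RunOnce" in e["key"]:
                flags.append((t, f"RunOnce autostart: {e['path']}"))
            if real := lookalike(fname):
                flags.append((t, f"{fname} resembles genuine {real}"))
    return flags
```

    Run `review(SAMPLE_LOG)` to get the four flags for the sample; any flag is only a prompt to ask the user about the entry, as chaslang does above, not a verdict.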
     
  5. YT1300

    YT1300 Private E-2

    Chaslang, you're my hero.

    Everything starts up normally now, though it looks like I need more memory. I am going to look into pulling it out of my old PC. (as if this current one is not old.)

    I have 6 jobs I need to do at home and was seriously stressing out, as I did not want to have to take the responsibility for transferring anything to anyone else's machine.

    I will now look at the various help sections as soon as possible. But for now I need to get started on those projects.

    I forgot to mention that WebJet is an accelerator that came from my internet provider. It doesn't seem to help much, though. I will soon be giving very serious thought to getting a high speed connection.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks much better, but where did the below come from:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3128

    It was not in your previous log! Do you use a proxy server?
     
  7. YT1300

    YT1300 Private E-2

    I assumed that was due to my internet provider EV1.net. Should I ask them if that is theirs?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! But it was not there in your previous log. Why did it show up now?

    How are things working?
     
  9. YT1300

    YT1300 Private E-2

    That machine only had 64 MB RAM. I switched it out w/ 384 MB & now it is running much better. I think most of my anger at the machine may have been due to it almost being out of memory. (I know 384 is not a lot, but that is what I read is the max allowable.)

    I will be downloading all of the Windows updates over the next few days.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
