If something weird can go wrong...

Hi all
I got buried in adware and spyware. I've been using AdAware to get it off. I'm at my 17th time running thru it because whatever is there keeps replicating a file or two and I'm not winning the battle too well. I've even tried deleting all the files (218 at one point) by hand out of the registry.

When I got it down to 4 files, (whew) I come to find now that when the comp boots up, when I put my cursor in the Start bar, it goes into the "I'm working" mode. I'm positive I didn't delete anything important, I was pathologically careful and know what I'm doing as far as deleting files. I managed to get to my Restore thru My Computer, and put it all back a few days before the Adware blitz. It didn't do a thing. Out of desperation I unquarantined all the AdAware files. That didn't work either. What did work was pulling up the browser, pulling up a page or two, and something jarred the rest of the installation loose so that the Start bar/desktop continued to install like it should have when I booted up. This goes on every time I boot the comp up. I find programs I shut down, like AIM, still stay up tho they're not visibly up, they're shown as running in my task manager. So I'm back to being jammed with spyware, with this problem of not being able to get to my programs and having a lot of things not load on boot up until I do the whole web-page-pull-up-something-to-knock-it-loose thing.

I told you it was weird, but it's aggravating as hell and this adware and spyware is so stubborn it's insane. It's just 3 programs but it's all over the place and AdAware tells me it can't quarantine a .dll file or two since it's in use, and that seems to be all it takes to have those 2 files turn into 39 on next boot.

Any help is appreciated! Thanks!

Comments

  • profdlp The Holy City Of Westlake, Ohio
    edited June 2004
    Run HijackThis! and post the log here.

    You came to the right place. :)
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited June 2004
    Let me ask a very dumb sounding question-- it isn't, and this could be a resource issue and not just junkware-- could be both, possibly not. NO, I am not hijacking this thread.

    I'll simply say this: AIM (for example, used simply because that app was mentioned in this thread) can run defaulted to minimized in AIM's setup, and run on startup. You may not ever get a window or have a blocky text button for a window with this kind of run. BUT, over by the clock you will get an AIM icon. Right-click it, you will get options. Ignore it, and part of AIM is still running and taking up resources. Do this with 8-10 apps and you get bogs like nobody's business when running other high-resource-demand games or apps simply because the apps in this area by the clock are loaded at least in part all the time.

    We should start another thread elsewhere on how to tune in detail (and I will let the thread starter start one if he\she wants), but I will give one hint here: to see if this is a resource issue mostly, try right-clicking each app (except your AV) and see if you can then choose a quit or exit option. IF the box gets suddenly more usable with most of these things quitted, this is not solely a spyware or trojan or bot problem. They WILL normally restart on restart of Windows, but you can see if a load decrease makes things a lot more usable otherwise this way.

    ALSO (and here we get right back onto topic of cleaning box with security apps), doing this and deloading the box some BEFORE you remove bots and trojans can sometimes make those removal apps not hang or malf or simply fail to work if the box "normally" has a lot running in the background and resources are constrained because of these extra running apps that are each minimized to an active process icon over by the clock. Even the removal apps need resources and can benefit a lot if they have more rather than fewer of those present when they are run and the whole time while they are running. This combo of things happening on this person's box looks overall like something caused by a combo of issues.
  • edited June 2004
    Hi guys!
    Thanks for your help :) I thought I had this thing fixed but when I booted up today, it's Baaaaaccckkkkk. Here's what's going on, and HijackThis log below: seems when the comp boots up, something isn't letting it finish pulling up the applications, or one of the programs that pulls up on start up is missing something so it hangs? A scan with AdAware showed NO files left (whew) but things are running at a crawl any way. I get my desktop and maybe Weatherbug will pull up. It looks OK but if I put my cursor in the Start bar area, it's still a "working yet" icon. If I do a Ctrl-alt-del the processes are listed that are running but nothing at all is listed in the Applications window. What snapped this out of its fog last time was downloading HijackThis from your site; the "act" of the download broke whatever was hanging and everything then finished that ought to have at the boot up. Yesterday it worked fine with no problems, now it's back. John - whatever you said in your post is a great idea, please start that thread. I have no idea what you said since you have an Alphageek Smart Brain for all this while it took me 2 days to find these boards again. Scary, huh?
    Thanks for being here! I appreciate it.

    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\msvcmm32.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Wrenna\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Tray.exe /WNDSTART
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298065d0b9/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
  • profdlp The Holy City Of Westlake, Ohio
    edited June 2004
    Back them up, then delete these:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    O1 - Hosts: comments (such as these) may be inserted on individual
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
    opnste.exe description:
    File opnste.exe is related to adware OpenSite.
    Files related to opnste.exe:
    dateclen.dll, rbsman.dll, uninstall.exe


    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    Info: http://www.pestpatrol.com/PestInfo/S/StopSign.asp
    *********************
    This could be related to the Petch virus, which replaces this file. Leave this alone for now. If you continue to have problems we may come back to it.
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    W32.Petch Info:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.html
    *********************
    These are resource drains. If you don't absolutely need them you can disable the related service and delete these:

    Anything related to MovielinkManager
    C:\WINDOWS\system32\cidaemon.exe (Indexing Service)
    C:\WINDOWS\system32\cidaemon.exe (Wonder why you have two of these...)
    C:\WINDOWS\system32\cisvc.exe (Indexing Service)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  • edited June 2004
    Hiya!

    Well, I weeded, I ran things again. NO luck. What's happening is the desktop doesn't finish pulling up, the programs that ought to install at start up hang some where. I have no idea what it is. Weatherbug pulls up, the icons all pull up, the icons work, I can get online. Any web page I go to is a 3 minute wait, but it'll come up. If I put my cursor in the START bar or task bar area, it goes to "working" mode because all that stuff hasn't pulled up yet from when I booted up. If I do a Ctrl-Alt-Del all the processes are shown running but no applications are listed, unless I'm on the web then that web page will be listed. None of the programs I have boot up like Zone Alarm, 2Wire, or Weatherbug show in the Applications window even when they're running. Nothing I do kicks this puppy to unglitch, it'll just do it eventually. Today it took 2 hours of trying to work around it all and all of a sudden windows popped up from things I'd clicked on that never opened, the Start programs window shot up, Aim pulled up, yikes! Something let go, and bam! the comp continued the boot up like it should have done. I'm out of ideas. I did two restores even putting it back a month and a half and it didn't help. I got all this spyware a week ago, tops. Thanks for any help, you folks are amazing :)
  • profdlp The Holy City Of Westlake, Ohio
    edited June 2004
    Run msconfig and uncheck anything you recognize as non-essential for the OS itself. It almost sounds like there is a call in the startup process to a file which either no longer exists, or is corrupt. If there is still a piece of some of the crapware in your registry relating to a rotten file you have already removed it could give you the indication you're getting.

    One other trick which may help is to disconnect your network and/or modem cable before booting. If there is a piece of a malware dialer lurking it may not try loading itself if there is no connection available.

    Can you get into Safe Mode alright?
  • edited June 2004
    Hiya! Oh, crapware is a great word, yessiriee. I ran the msconfig and there are two entries that are just listed as boxes. No text, just boxes. They're in Software/MS/Windows NT/Current Version/Windows. When I boot up now I get 6 screens saying the Desktop can't load or run >boxes< specified in the registry or Windows can't find >boxes<. I click OK OK OK OK and have a folder sitting in the task bar ad infinitum now with those windows in it. So, I thought hell, I'll reinstall XP over what's here and see what repairs. I found my CD! Woohoo! I was installing when it stopped dead after stage 2, went to the desktop and I was given the message that IE wasn't responding, end now? I said yeah, ok. I went to the blue Start Up Screen where I was told one of the following installations is damaged (I knew this, I told the computer) and if I choose to continue to install on drive C, well that contains another operating system than XP. Huh? It's upgraded with files from the CD ROM XP but it's XP. SO...for want of what I think are two little minor files, do I have to reformat this whole dang comp? It will be so bad, you'll hear me yelling from there. Is this all because I don't have the iecont and iecontlc.dlls? Aren't they on the CD or in a CAB? So, the prob is something was removed from the registry that's keeping the Desktop from installing the Stuffs. The Dreaded Box Files, hahahaha. I'll reformat if y'all think that's best (I never get to use Y'all, that was pretty neat just now!). Thank you so much for your help...I envy your patience :banghead:
  • profdlp The Holy City Of Westlake, Ohio
    edited June 2004
    Try running StartUp Mechanic (free!).

    Any of those which don't tell you what they are (the blank entries) ought to go. This program makes backups - if in doubt, disable it.
  • edited June 2004
    Hiya! Well, I think I got it. I found blank run= and load= lines left in two registries and the win.ini that didn't belong there. I haven't shut the comp down yet to see if it'll boot back up, I'm not that brave yet, but I'll get there! If it doesn't work, I'll reformat :grumble:

    Thank you for all your help, you're all wonderful and I can't thank you enough. The best thing is I learned a lot so I will of course be back to read and learn more! And I have a few neat little programs to check things now and Oh, I looooovvvvveeeee little programs. Next time I screw up maybe it'll be something less stupid?? :)
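
    profdlp's theory earlier in the thread (a startup entry pointing at a file that no longer exists) and the blank run=/load= values Wrennik finally found can both be checked with one read-only script instead of clicking through msconfig. The following is an added example, not code from the thread or from HijackThis; it assumes a current Windows system with PowerShell 5 or later and only inspects the autostart points the log above lists (O4 Run keys, F2 UserInit, the Windows NT\CurrentVersion\Windows run/load values and win.ini).

```powershell
# Added example (not from the thread or HijackThis): read-only audit of the autostart
# points discussed above. Flags values that are blank or contain control characters
# (the "box" entries msconfig showed) and values whose program file no longer exists
# (profdlp's missing-file theory). Run from an elevated PowerShell prompt.

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
# Named values that load code at logon; run/load are the registry mirrors of win.ini.
$namedValues = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Names = 'run', 'load' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Userinit', 'Shell' }
)

# Pull the program path out of a command line such as  "C:\Program Files\X\y.exe" -flag
function Get-TargetPath([string]$Command) {
    $cmd = $Command.Trim().TrimEnd(',')               # Userinit carries a trailing comma
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split '\s+'
    for ($i = 0; $i -lt $tokens.Count; $i++) {        # unquoted paths may contain spaces
        $candidate = $tokens[0..$i] -join ' '
        if ($candidate -match '\.(exe|dll|com|scr)$') { return $candidate }
    }
    return $tokens[0]
}

# Does the target exist? Expands %VAR% and resolves bare names (e.g. BCMSMMSG.exe) via PATH.
function Test-TargetExists([string]$Path) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $expanded) { return $true }
    if ($Path -notmatch '[\\/]') { return [bool](Get-Command $Path -ErrorAction SilentlyContinue) }
    return $false
}

function Test-AutostartEntry([string]$Key, [string]$Name, $Value) {
    $status = 'ok'
    if ($null -eq $Value) { $status = 'absent' }
    elseif ($Value -match '^\s*$' -or $Value -match '[\x00-\x1F]') { $status = 'BLANK_OR_GARBAGE' }
    elseif (-not (Test-TargetExists (Get-TargetPath $Value))) { $status = 'MISSING_FILE' }
    [pscustomobject]@{ Status = $status; Key = $Key; Name = $Name; Value = $Value }
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) { $report += Test-AutostartEntry $key $p.Name $p.Value }
}
foreach ($nv in $namedValues) {
    foreach ($n in $nv.Names) {
        $v = (Get-ItemProperty -Path $nv.Path -Name $n -ErrorAction SilentlyContinue).$n
        $report += Test-AutostartEntry $nv.Path $n $v
    }
}
# win.ini [windows] section: run= and load= lines are still read on XP-era systems
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^(run|load)=(.*)$') { $report += Test-AutostartEntry $winIni $Matches[1] $Matches[2] }
    }
}
# Show only what needs a human's attention; 'absent' is normal for run/load.
$report | Where-Object { $_.Status -notin 'ok', 'absent' } | Format-Table -AutoSize -Wrap
```

    Anything reported as MISSING_FILE is the "call to a file which no longer exists" profdlp described; export the key with reg.exe before removing the entry, as he advised.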