-
April 15th, 2004, 03:33 PM
#1
Registered User
problems after trojan
On a Win98 system, I got a trojan, dowload.small.en, after downloading a program from the 'net. AVG diagnosed and killed it, but since then this system is acting very weird. It gets annoying popup windows, loses the toolbar, and the desktop icons do nothing after it is on for about an hour. I have to push reset to get it back, and then it is fine for another hour or so.
This kills me because I run Spybot and Ad-Aware and have SpywareBlaster installed. Every time I run one of these now it finds problems and fixes them; I've run them both a few times today and it still happens. I also have the Google Toolbar and Panicware's Pop-Up Stopper installed. I've run HijackThis and bhodmn, but they don't show anything unusual.
Anyone seen anything like this?
"You've been livin' on the razor's edge, since you began to shave...
Make sure you live, you're a long time dead, cradle to the grave"-Motorhead
-
April 18th, 2004, 01:59 PM
#2
Driver Terrier
Yes, look in the HijackThis log for NetPal games or a variant thereof.
Look in C:\ for an installerupdater.exe.
Delete the java applets in the internet cache.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
April 18th, 2004, 08:13 PM
#3
Registered User
Thanks, NooNoo. I'll try this tomorrow morning.
-
April 20th, 2004, 12:07 PM
#4
Registered User
I looked in the HijackThis log but didn't see any entries for either of the items you mentioned. I got curious and installed ZoneAlarm on this system. I noticed that rundll32.exe wanted to access the internet; when I let it, I got the popup ads, and if I blocked it the system works fine. It's been running all day without a problem. Does this mean something has corrupted this DLL?
-
April 20th, 2004, 10:27 PM
#5
Registered User
Originally Posted by cabal
I looked in the HijackThis log but didn't see any entries for either of the items you mentioned. I got curious and installed ZoneAlarm on this system. I noticed that rundll32.exe wanted to access the internet; when I let it, I got the popup ads, and if I blocked it the system works fine. It's been running all day without a problem. Does this mean something has corrupted this DLL?
Nope, it means you have an adware or spyware DLL on your system. Rundll32 allows a DLL file to run as an executable file, so it's getting blamed for the problem but it's not the real culprit. The DLL that's calling it is to blame.
-
April 21st, 2004, 12:53 AM
#6
Driver Terrier
It will show up in the HijackThis log; it's a question of finding the little bugga...
-
April 21st, 2004, 11:10 AM
#7
Registered User
Here is the HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 12:03:58 PM, on 4/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAILPROXYSERVER.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISPAMFILTERENGINE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SIMAIN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UTILITIES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windrivers.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SISERVICE.exe] "C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\SPAM INSPECTOR\SISERVICE.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
Since I told ZoneAlarm not to allow rundll32 to access the 'net, I get an error message that says "rundll32 has caused an invalid page fault in mrtcp.cpy.dll".
Something strange is running on this system.
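The reply in #5 makes the point that matters when reading this log: rundll32.exe is only a host, so a firewall alert or a page fault naming it says nothing by itself, and the thing to find is the DLL it was told to load. The following is an added example for this page, not code from the thread or from HijackThis: a small Python parser for the O4 (autostart) lines of a HijackThis log that splits each rundll32 command into host, DLL and entry point, and flags DLLs that are not on an allowlist. The sample log inside it is constructed; its O4 lines are copied from the log posted above, plus one invented HKCU "Updater" entry loading a hypothetical EXAMPLE_ADWARE.DLL to show what a rogue rundll32 autostart looks like. The allowlist is an assumption containing only powrprof.dll, the one rundll32 payload that appears legitimately in this log. Note that the posted log contains no rundll32 entry other than powrprof.dll, so a check like this would not have found mrtcp.cpy.dll in the Run keys; the example shows the technique of separating host from payload, not a recovery of this particular infection.

```python
"""Parse the O4 (autostart) lines of a HijackThis log and separate the
rundll32.exe host from the DLL it is told to load.

Added example for this page, not code from the thread. The sample log is
constructed: its O4 lines are copied from the log posted in the thread, plus
one invented EXAMPLE_ADWARE.DLL entry (hypothetical, not on the page).
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: real lines from the posted log plus one invented entry
# (the HKCU "Updater" line and EXAMPLE_ADWARE.DLL are hypothetical).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windrivers.com
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Updater] rundll32.exe C:\WINDOWS\SYSTEM\EXAMPLE_ADWARE.DLL,DllRegisterServer
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
"""

# Assumption: rundll32 payloads known to be legitimate on this box. Only the
# one that appears in the posted log is listed; a real allowlist is built from
# a known-clean reference system, never from the suspect machine itself.
KNOWN_RUNDLL32_DLLS = frozenset({"powrprof.dll"})

O4_RE = re.compile(r"^O4 - (?P<loc>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
RUNDLL32_NAMES = {"rundll32", "rundll32.exe"}


@dataclass(frozen=True)
class Autostart:
    location: str   # e.g. HKLM\..\Run, HKCU\..\RunServices, Startup
    name: str       # registry value name, or the .lnk name for Startup items
    command: str    # the command line as HijackThis shows it


@dataclass(frozen=True)
class Rundll32Payload:
    autostart: Autostart
    dll: str          # DLL exactly as written in the command line
    entry_point: str  # exported function rundll32 is told to call

    @property
    def dll_basename(self) -> str:
        return ntpath.basename(self.dll).lower()


def parse_o4(log_text: str) -> list[Autostart]:
    """Return every O4 autostart entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        loc, name, cmd = m.group("loc"), m.group("name") or "", m.group("cmd")
        # Startup-folder items are shown as "<shortcut>.lnk = <target>".
        if loc == "Startup" and " = " in cmd:
            name, cmd = cmd.split(" = ", 1)
        entries.append(Autostart(loc, name, cmd.strip()))
    return entries


def split_host(command: str) -> tuple[str, str]:
    """Split a command line into (program, arguments), honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_payloads(log_text: str) -> list[Rundll32Payload]:
    """Find autostart entries hosted by rundll32 and extract the DLL they load."""
    found = []
    for entry in parse_o4(log_text):
        host, args = split_host(entry.command)
        if ntpath.basename(host).lower() not in RUNDLL32_NAMES:
            continue
        # rundll32 syntax: <dll>,<entrypoint> [optional arguments]
        dll, _, rest = args.partition(",")
        entry_point = rest.strip().split()[0] if rest.strip() else ""
        found.append(Rundll32Payload(entry, dll.strip().strip('"'), entry_point))
    return found


def unexpected_payloads(log_text: str, allowlist=KNOWN_RUNDLL32_DLLS) -> list[Rundll32Payload]:
    """rundll32-hosted DLLs not on the allowlist: the ones to go hunting for."""
    return [p for p in rundll32_payloads(log_text) if p.dll_basename not in allowlist]


if __name__ == "__main__":
    for p in rundll32_payloads(SAMPLE_LOG):
        verdict = "expected" if p.dll_basename in KNOWN_RUNDLL32_DLLS else "INVESTIGATE"
        print(f"{verdict:11} {p.autostart.location} [{p.autostart.name}] -> {p.dll},{p.entry_point}")
```

Run against the constructed sample, the two powrprof.dll entries come out as expected and the invented EXAMPLE_ADWARE.DLL line is the only one marked for investigation; on the real log above the same run would list only powrprof.dll, which is why the search for mrtcp.cpy.dll had to move to the file system and registry.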
-
April 21st, 2004, 11:30 AM
#8
Driver Terrier
Go into safe mode and go on a search-and-destroy mission in both the registry and the system files for mrtcp.cpy.dll. Turn off System Restore, otherwise it will be back.
-
April 21st, 2004, 12:17 PM
#9
Registered User
Thanks, NooNoo. I had to reboot with a floppy to remove that file; in safe mode it said it was in use. One very annoying and stubborn piece of spyware to get rid of.
-
April 21st, 2004, 12:23 PM
#10
Driver Terrier