Old 22nd April 2005, 03:13   #1
MOBOB
Junior Member
 
Join Date: Apr 2005
Posts: 6
Not sure if this is the same problem, but I just noticed tonight that when I go to play a song, sometimes it will play for 4 seconds, sometimes a little longer. Either way, Winamp closes sometimes without a message and sometimes I get the XP message that says "Winamp has encountered a problem and needs to close. We are sorry for the inconvenience." and then asks me if I want to send an error report (btw I am running XP Home Edition on a Compaq Presario 6000 US). I have deleted the winhlp program from the system32 file and it returns but with a filesize of 261 Kb, I did a search on my comp for all files named winhlp* and found a few but none of which have a filesize of 8 Kb (see attached screenshot). I also ran HJT and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:46 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\matt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/searc...rch?src_id=274
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MOBOB's Internet Explorer. BEOTCH!!!!!!
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: TChkBHO Class - {5D784E80-AA1E-4D18-8E03-6F529C0684E0} - C:\WINDOWS\system32\zuoiek.dll (file missing)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msqt\mssearch.dll (file missing)
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)
O3 - Toolbar: (no name) - {BC97B254-B2B9-4D40-971D-78E0978F5F26} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dSx18] C:\docume~1\matt\locals~1\temp\dSx18.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Oace] C:\Documents and Settings\matt\Application Data\cacc.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) - http://www.peanutsoftware.com/tw/TW-ThemeCreator3.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/in...ditControl.cab
O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc2...3-333-ccct.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote PC Access Service (RpcSvr) - www.access-remote-pc.com - C:\Program Files\Remote PC Access 3.1\rpcsetup.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe


Thanks in advance!

-MOBOB
Attached Images
File Type: jpg ss.jpg (61.8 KB, 188 views)
Old 23rd April 2005, 09:24   #2
siebe83
Forum King
 
 
Join Date: Feb 2004
Posts: 9,229
@MOBOB:

Any 3rd-party plugins installed? Try a clean install.

Try the DirectSound output tweaks.

No luck?
Please post the error message: in the error box
it should say 'to view error details click here'.
Please do so and post here what you've found.

Provide full system specs.
Are you on a limited user account?

Also please confirm you are using the latest
version of Winamp: 5.08d, or 5.08e if you have
DRM-protected WMA files.

I haven't looked into your HijackThis log yet.
The only thing I noticed is WildTangent. Try
to get rid of it through the Software panel
in the Control Panel.


The last time someone posted here with the winhlp32 issue was 9 months ago

If you're bored go here or, if the boredom is more serious, here.
Old 23rd April 2005, 23:58   #3
JonnyMac
Moderator
 
 
Join Date: Dec 2000
Posts: 14,385
Hello MOBOB,

You have some junk in your HjT log. I have split your post from the Sticky, because it would have been too cumbersome to have managed this over there.

For now, let's try to bring down that HjT log to something that is a little more manageable. Download the following spyware busters, Spybot Search&Destroy and Ad-aware. First run Spybot S&D, then run Ad-aware. Be sure to update the references/detections for S S&D and Ad-Aware. Do not have e-mail or internet browser apps running and no Windows Explorer or My Computer windows open during the scans.

After that post another HjT log, except this time please add it as an attachment as instructed here by gaekwad2.

Hopefully this thread will catch the eye of DJ Egg, our resident Anti-Malware Guru and Tech Support Grandmaster.

Please do not PM me for tech support. Any request for tech support through PM will be ignored.
Read the Stickies
---> | | | | <--- Knowledge is power
Old 30th April 2005, 23:52   #4
MOBOB
Junior Member
 
Join Date: Apr 2005
Posts: 6
I think I have isolated the problem. I backed up my skins, and my winamp.ini file, and performed a clean install. I reinstalled the skins and my only plugin (ipod support). It worked fine, then I copied the winamp.ini file into the directory and started up Winamp and got the same error. So now I am reinstalling again, and I am going to reset the settings manually. Thanks for your help guys!
Old 1st May 2005, 00:17   #5
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,867
Whoa! Hold your horses!

I'm just in the process of analyzing your HJT log now
and will be back soon with the full cleanup instructions....
Old 1st May 2005, 02:24   #6
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,867
Download the following free programs:

CWShredder - http://cwshredder.net/bin/CWShredder.exe <-- download
http://www.intermute.com/spysubtract..._download.html <-- info
Just save this straight to the desktop, but don't run it just yet.

About:Buster - http://www.downloads.subratam.org/AboutBuster.zip <-- download
http://www.besttechie.net/forums/ind...showtopic=1488 <-- info
Unzip the AboutBuster folder from AboutBuster.zip to a location of your choice.
Open the AboutBuster folder and then open AboutBuster.exe
Click OK
Click the "Update" button, then click "Check for Update"
Then click "Download Update" to let it install the updates.
Close the Update window and move the AboutBuster window out of the way to a corner of the desktop. We will use the actual Fix later.

Ad-Aware SE - http://www.lavasoft.de/software/adaware/
Install Ad-Aware, but don't run the scan just yet.
You should get the detection updates during installation,
but if not, open Adaware, click "check for updates now" and then "connect".
Then close Adaware. We will run the actual scan later.

Spybot Search & Destroy - http://www.safer-networking.org
Install and open it,
cancel out of the setup intro wizard (just click Next x times, and click "start using the program")
Click "search for updates"
Checkmark the listed updates
then click "download updates"
Note: you may need to change the "download server" c/o the drop-down menu first
(ie. from "See-Cure (Europe)" to any of the other servers).
Then close Spybot SD. We will run the actual scan later.

SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
You can install and run this straight away.
Click "Updates" (left pane) then "check for updates"
Then click "Protection" (left pane) and click "enable all protection" (under "Quick Tasks")
You can now close SpywareBlaster.

Killbox - http://www.thespykiller.co.uk/files/killbox.exe
Just save this to the desktop for now.

_________________________________________________


Please move HijackThis.exe OFF the desktop and into its own folder.

If you used the recommended installer, then HJT will have been installed to the "C:\Program Files\HijackThis\" folder, and you'd have a shortcut icon for it on the desktop instead.

_______________________________________________________


Print out these instructions
(or if you don't have a printer, copy the text to Notepad)

Close ALL windows (including this one)

Disconnect from the internet.

Keep all browser/email/office/explorer/im/mediaplayer windows closed.

_______________________________________________


Go to: Control Panel > Add/Remove Programs
If listed, uninstall the following:

-Comet Cursors / Comet Systems Toolbar / Comet anything (more info)

-InstaFinderK

-Wild Tangent

-Party Poker


Alas, Party Poker is adware (ad-sponsored) and if you keep it, then it either won't work any more, or all the problems will just come back as soon as you run it again :/

WildTangent is spyware

InstaFinderK is a browser hijacker

CometCursors is just plain evil scumware


It's unlikely that either of these will be listed under Add/Remove Programs, but two of the other malware items you've got are:

-Apropos Media adware (autoupdater.exe)

-PurityScan/Clickspring adware trojan (cacc.exe)

and a rather nasty looking CoolWebSearch infection...


Close Control Panel window when done


If prompted to reboot by any of the uninstallers, then do NOT reboot.
Say "No" to rebooting, or if not given the option to say "No" then just ignore any 'reboot now' messages.

________________________________________________________


Still with ALL windows closed...

Open HJT and run the scan

Place a checkmark next to the following entries ONLY and click "Fix checked"

(note that some of these entries may no longer exist if any of the above items were successfully uninstalled)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.cometsystems.com/searc...rch?src_id=274

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL

O2 - BHO: TChkBHO Class - {5D784E80-AA1E-4D18-8E03-6F529C0684E0} - C:\WINDOWS\system32\zuoiek.dll (file missing)

O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\msqt\mssearch.dll (file missing)

O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll

O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)

O3 - Toolbar: (no name) - {BC97B254-B2B9-4D40-971D-78E0978F5F26} - (no file)

O4 - HKLM\..\Run: [dSx18] C:\docume~1\matt\locals~1\temp\dSx18.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [Oace] C:\Documents and Settings\matt\Application Data\cacc.exe

O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install

O4 - Global Startup: Free WebSite Tools.lnk = ?

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {D14D6793-9B65-11D3-80B6-00500487BDBA} (CSBHO Class) - http://files.cc.cometsystems.com/cc2...3-333-ccct.cab

O19 - User stylesheet: (file missing)

_______________________________________________________


Reasons for fixing some legitimate entries...

Microsoft FindFast & Office Startup (OSA.EXE) are both known useless resource hogs, and your system will run a lot smoother without them loading at startup.

I want you to disable the WinampAgent for now, firstly because there have been known instances where this file can be replaced by a bad version, and secondly because we'll be doing a clean install of Winamp at the end anyway.

TKBellExe/realsched.exe is RealPlayer's Update Scheduler, and is commonly referred to as spyware.


Re: this entry

O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth

I'm not sure about this entry. I checked http://66.197.153.197 in the browser and it doesn't lead to http://idenupdate.motorola.com

start > run > cmd
tracert idenupdate.motorola.com
reveals the ip for motorola.com to be 136.182.2.129


Re: this entry

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

This is related to the legitimate Popup Manager program, and is not malware. However, it would seem as though the dll file is missing and/or you've uninstalled/deleted the program - therefore this entry should be fixed. I also see that you're running Panicware PopupStopper anyway.

_______________________________________________________


Open Killbox
Click "Tools", then click "Delete Temp files"

That's all for Killbox for now, so you can close it.
Though we may need to use it again later...

_______________________________________________________


Run CWShredder
Click the "Fix" button, and let it do its thing

_______________________________________________________


Back in the AboutBuster window, click "Start".
Follow all the prompts and let it do its thing.
This will scan your computer for the bad files and delete them.
If prompted to run it again, then do so.
When done, you need to reboot.

________________________________________________________


After rebooting, stay offline

Run AboutBuster again.
Confirm that it says your system is clean.

________________________________________________________


To make sure you can view hidden and system files,
Go to: Control Panel > Folder Options > View tab:
Checkmark "show hidden files"
Uncheck "hide extensions for known file types"
Uncheck "Hide protected operating system files"
OK everything and close Folder Options.


Locate and delete the following files (if they still exist):
C:\WINDOWS\image.dll
C:\Documents and Settings\matt\Application Data\cacc.exe
C:\Documents and Settings\matt\Application Data\*.exe (any other exe file in the "Application Data" root folder - not subfolders)

Locate and delete the following folders (if they still exist):
C:\Program Files\InstaFinderK
C:\Program Files\Comet
C:\Program Files\AutoUpdate
C:\Program Files\WildTangent
C:\Program Files\partypoker
C:\WINDOWS\msqt
C:\WINDOWS\wt


Empty all Temp folders (delete all files within):
C:\Documents and Settings\matt\Local Settings\Temp\
C:\Documents and Settings\(all other profile folders)\Local Settings\Temp\
C:\Windows\Temp\
C:\Temp\ (if it exists)


Go to: Control Panel > Internet Options
General tab > Temporary Internet Files > Delete Files:
Checkmark "Delete all offline content"
Click OK

Go to the "Programs" tab, then click the "Reset Web Settings" button.
Click Apply.
Note: You then might need to reset your desired home page c/o General tab

Go to the "Security" tab
Click on "Internet Zone" and then click "Default Level"

Click Apply, then click OK to close Internet Options



If it exists, go to:
Control Panel > Java -or- Java Plugin > General tab > Temporary Internet Files > Delete Files:
Checkmark all 3 options
Click OK
If those settings are different, the "Clear Cache" option might be under the "Cache" tab instead.



Empty the Recycle Bin


Disable System Restore
Control Panel > System > System Restore tab:
Checkmark "Turn off system restore"
Click Apply/OK
(You can re-enable system restore once your system is confirmed clean).


___________________________________________________


Make sure all windows are closed


Now run Spybot Search & Destroy
Click "Immunize" (left pane), then click "Immunize" at the top.
Further down, checkmark "Enable permanent blocking of bad addresses in Internet Explorer"
Click "Search & Destroy" (left pane)
Then click "Check for problems"
Let the scan run
Checkmark all results it finds
and click "fix selected problems"
Close SpybotSD


Now run Ad-Aware SE scan
In the main Adaware window, click "Start"
Checkmark "Do a full system scan"
Uncheck "search for negligible risk entries"
Click "Next" to start the scan.
Checkmark all results, and click "Next" to fix.

_________________________________________________


Now please do a clean install of Winamp

Then apply the following DirectSound Output tweaks
http://forums.winamp.com/showthread....26#post1212926



Post a new HJT log here when done.

______________________________________________


ps. Leave Winhlp32.exe alone.
261kb is the correct filesize for Windows Help under WinXP sp1
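The kind of first-pass triage applied to the HijackThis log in the post above, as an added example that is not part of the original post or of HijackThis: it parses log entries and tags orphaned entries, Hosts overrides, and autostarts that launch from Temp, from the Application Data root, or through rundll32. The tag names and heuristics are assumptions drawn from this thread and only mark entries for manual review.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: header lines plus entries copied from the log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: 66.197.153.197 idenupdate.motorola.com #webjal auth
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: TChkBHO Class - {5D784E80-AA1E-4D18-8E03-6F529C0684E0} - C:\WINDOWS\system32\zuoiek.dll (file missing)
O4 - HKLM\..\Run: [dSx18] C:\docume~1\matt\locals~1\temp\dSx18.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [Oace] C:\Documents and Settings\matt\Application Data\cacc.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


class Entry(NamedTuple):
    code: str  # section code such as "R1", "O2" or "O4"
    body: str  # everything after "CODE - "


# Entry lines look like "O4 - ..."; process paths such as "C:\..." do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
# An .exe sitting directly in the Application Data root, not in a subfolder.
APPDATA_ROOT_RE = re.compile(r'\\(application data|applic~1)\\[^\\"]+\.exe\b', re.I)
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\b", re.I)


def parse(log: str) -> list[Entry]:
    """Return the section entries of a log, skipping header and process lines."""
    entries = []
    for line in log.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def hosts_mapping(entry: Entry) -> Optional[tuple[str, str]]:
    """For an O1 Hosts entry return (ip, hostname), ignoring any # comment."""
    if entry.code != "O1" or not entry.body.startswith("Hosts:"):
        return None
    fields = entry.body[len("Hosts:"):].split("#", 1)[0].split()
    return (fields[0], fields[1]) if len(fields) >= 2 else None


def reasons(entry: Entry) -> list[str]:
    """Tag an entry with review hints; an empty list means no heuristic fired."""
    found = []
    if entry.body.endswith(("(no file)", "(file missing)")):
        found.append("orphaned")  # registry entry whose target is gone
    if hosts_mapping(entry) is not None:
        found.append("hosts-override")  # compare the IP with real DNS
    if entry.code == "O4":  # autostart entries
        if TEMP_RE.search(entry.body):
            found.append("autostart-from-temp")
        if APPDATA_ROOT_RE.search(entry.body):
            found.append("autostart-from-appdata-root")
        if RUNDLL_RE.search(entry.body):
            found.append("autostart-via-rundll32")
    return found


def triage(log: str) -> list[tuple[Entry, list[str]]]:
    """Return only the entries that at least one heuristic flagged."""
    return [(e, r) for e in parse(log) if (r := reasons(e))]


if __name__ == "__main__":
    for entry, tags in triage(SAMPLE_LOG):
        print(f"{entry.code:<4}{', '.join(tags):<30}{entry.body}")
```

A tag is a prompt to look the entry up, not a verdict: the orphaned Popup Manager entry in this log belongs to a legitimate program, as the post notes.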
Old 1st May 2005, 02:43   #7
Nunzio390
Nugatory Aluminator
Look it up

 
 
Join Date: Oct 2002
Location: Tharsis Ridge (Martian lowlands)
Posts: 8,588
Talk about concise!! Wow, Egg!

@ MOBOB...

You've got the HijackThis Master helping you now!



HijackThis log SPECIALIST


And of course there are many other titles Egg has been bestowed with in these forums...



ROYAL REGMEISTER
ROYAL GOOGLEMEISTER
SpybotSD log SPECIALIST
HijackThis log SPECIALIST
Tech Support GRANDMEISTER
Founding member:
Post Edit GRANDMEISTERS Society


Hmmm.. I just might ask Egg to check to weed stuff out of my puter.
Egg... I may be emailing you a HJT log shortly

Don't email or PM me concerning Winamp. Instead, either start a NEW TOPIC or post a REPLY in the appropriate thread in these forums. This will also benefit others who may have a similar question or problem. But before posting, please first Search the forums and read all FAQs and all Sticky threads.

Old 1st May 2005, 03:23   #8
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,867
Yeah, for sure, go for it Nunz.

Or we could go for it in realtime at #winamptech or #support channel,
though it is getting a bit late in my neck of the woods (4:20am GMT)


btw, I've had quite a bit of practice over at TechSupportGuy forums during the past few months, and I guess that I'm now considered to be quite an expert authority on just about all things malware related
http://forums.techguy.org/member.php?u=44330
http://forums.techguy.org/search.php...nduser&u=44330

Ooh whee
Old 4th May 2005, 09:20   #9
siebe83
Forum King
 
siebe83's Avatar
 
Join Date: Feb 2004
Posts: 9,229
Any results yet, MOBOB?

If you haven't followed DJ Egg's instructions yet, you really should. You'll see your system will run much more smoothly afterwards and maybe you'll even get rid of other seemingly unrelated problems as well

Old 5th May 2005, 01:34   #10
MOBOB
Junior Member
 
Join Date: Apr 2005
Posts: 6
I printed out the post and I plan on doing it this weekend because I don't have any time during the week. Thanks a lot, Egg!