Help please! Stop Error

Guest

You have some nasties there, try to perform the scan in Safe Mode with
Spybot and Adware.
Wait for the Coyote People and they will get you sorted.
By the way while you are at it, think about what toolbar you will keep and
which you will remove.
Also messengers, you have more than one, why? And do you use them all?
HTH.
nass
 
nybarton

Nass......

please elaborate. I assume from your post that you saw my log in Coyote.
What "nasties" do you see, and which toolbars are you talking about? As per
your advice, I'm not going to do anything until I hear from the Coyote
people, but I am curious about what you saw in my log.

As always.........many thanks.
 
Guest

nybarton said:
Nass......

please elaborate. I assume from your post that you saw my log in Coyote.
What "nasties" do you see, and which toolbars are you talking about? As per
your advice, I'm not going to do anything until I hear from the Coyote
people, but I am curious about what you saw in my log.

As always.........many thanks.

You have a file that can be a risk to your system. Toolbars like Google,
AOL, MSN, Yahoo, that's if I remember correctly.
You only need one toolbar, the one you like and use most.
Messengers: MSN, AOL, and I don't know if you have Yahoo messenger too.
\3\Wrtmon.exe: this process is categorized as Suspicious; do you know if you
installed a program like that?
Wait for the expert; you don't need to go mad and remove things.
The above is from a quick look; I didn't even copy the log.
PDFs: do you work a lot with PDF files?
HTH.
nass
 
nybarton

NASS!!! I think we're getting closer!

Look at these lines from my HJT log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://my.msn.com/?page=2&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} -
(no file)

Those lines appear to be from the Registry scan and after my McAfee scan
shut down the computer a few times with the Page Fault problem, I kept a
close eye the next time I did a scan. When it got to the point where it was
shutting down, somewhere around 110,000 files, I took close notice and saw
it was scanning HKLM entries and then HKCU entries, and suddenly it went
dead and I got the Page Fault screen. However, I'm not sure if the
"suspicious" registry entry shows on the log.

I have NO toolbars operating to my knowledge and have no idea why they
appear in the log. The only thing I have from Google is a search window next
to the URL window in IE7, but that appeared with the upgrade to IE7 and I
never could figure out how to remove it. However, it never gave me any
trouble and I do use it. YES, I do use PDF files, but only to read. I cannot
create PDF files because I don't have the Adobe program. I do not have the
Yahoo toolbar.

I have no idea what the Wrtmon.exe file is and apparently not many people
do. I ran a search on it and at the moment it appears, as you say, to be
merely "suspicious". It may be the culprit or there may be something in the
Registry that's killing the scans and causing the Page Fault. The only new
programs installed on my computer as of late are McAfee and the software to
run my new Canon Multifunction Printer (with all its ancillary features).

I will wait to hear from the Coyote people. I have to say I'm learning a
lot, it's not easy for me, but I'm learning.

Talk to you soon........thanks.

legality
 
Guest

Yes, we are getting closer. Try to look in the Event Viewer for any error
message that can shed some light for all of us on the cause; there should be
a log file/event for the error in the Event Viewer.
Double click the error to get more info and be ready to hand it to the Coyote
people.
How is the printer behaving? I forgot that you have IE7; of course it will
come with the Google toolbar installed.
Do you use a proxy to connect? If you don't, go to your IE Properties, under
the Connections tab click LAN settings, and uncheck the proxy from there.
Go to Add/Remove and see all the apps/programs there and uninstall the
unfriendly ones, but be sure you are removing something you don't need or the
system doesn't need (extra stuff).
HTH.
nass
 
nybarton

Nass.......

Event Viewer.......that was a new one for me (I told you I was an "end user"
only). Anyway, I found it and it was interesting to see all the "events",
including many errors and warnings, most of which I cannot possibly
understand. It appears many of the errors deal with "Hang Modules" and with
particular addresses for "iexplore.exe". I have no idea if an event error
would log for the problems I'm having, namely the Page Fault screen during a
full scan. None of the errors I looked at referred to that problem.
Interestingly, one of the fault addresses that shows up on all the
iexplore.exe error events is 0x00000000 and that number also appears on the
Page Fault screen I get when Win suddenly shuts down during a scan, to wit:

"A problem has been detected and Windows has been shut down to prevent
damage to your computer.
PAGE_FAULT_IN_NONPAGED_AREA
Tech Information
***STOP: 0x00000050 (0xFFFFDFF8, 0x00000000, 0x80550211, 0x00000000)"

We're getting closer!
Legality
 
nybarton

Daave.......

Thanks for the info. I went to both sites posted by you and entered
Wrtmon.exe for scanning. After an hour of "uploading" on each of the sites,
nothing happened. Don't know if that's because their site is overloaded or
what. By the way, nybarton=female (lol).
 
nybarton

Nass, one more thing.........

You asked if my Canon Multifunction printer was working ok......it's working
just fine. However, I just took a look into the Win/System32/Spool folder
to see exactly where that WrtMon.exe file was located and it appears to be
in the Drivers/3 folder which appears to have certain Canon drivers in it as
well as certain HP drivers (my former printer). There is also a file called
WrtMon.proc in that folder and the properties of both of those files show
they were created on June 23rd, the day my new printer was installed. There
is absolutely no info regarding those two WrtMon files, but they both have
the MPC logo and they both show they were modified in September 2006. Where
those two files came from is beyond me because I can't imagine that Canon
would allow files to load that were bogus.

This is getting mighty interesting. There had better not be a problem with
my new printer (Canon Pixma MP530), but it's beginning to look more and more
like my Spyware/Malware scanning problems began about the same time as the
printer installation.

Legality
 
Daave

nybarton said:
Look at these lines from my HJT log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://my.msn.com/?page=2&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) -
_{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)

Very interesting.

I'm not sure there's anything suspicious about the R0 or R1 entries, but
the R3 entry could be what's screwing things up. See:

http://www.castlecops.com/tk31896-QaBar_dll.html

Which leads to:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-112612-1627-99
(updated link)

You really should get rid of this registry entry (even if it isn't the
cause of your current problem)!

Also http://www.bleepingcomputer.com/tutorials/tutorial42.html has
information on R3/URL Search Hooks. Yours looks suspicious because of
the (no name) and (no file) designation as well as the underscore.
Removal instructions (in case HijackThis can't remove it) can be found
at:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-112612-1627-99&tabid=3

I have no idea what the Wrtmon.exe file is and apparently not many
people do. I ran a search on it and at the moment it appears, as you
say, to be merely "suspicious". It may be the culprit or there may
be something in the Registry that's killing the scans and causing the
Page Fault. The only new programs installed on my computer as of late
are McAfee and the software to run my new Canon Multifunction Printer
(with all its ancillary features).

Can you pinpoint as precisely as possible when this problem started? I
had assumed it was with the McAfee install. Might it have been at the
time Canon was installed?

Other ideas:

1. I forget... had you ever tried a System Restore to a time before this
problem?

2. Have you scanned for viruses *and* spyware in Safe Mode?

3. Have you tried a Clean Boot Troubleshoot? If not, see:

http://support.microsoft.com/kb/316434

I wouldn't do the last idea until you've done the other things.

Backing up the registry is always a good idea. For this, I would suggest
ERUNT:

http://www.larshederer.homepage.t-online.de/erunt/

Oh, and I still think you'd be better off without McAfee. :)
(Remember AVG, Avast, Antivir, Kaspersky, NOD32...)

Good luck, nybarton/Legality!
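The check Daave describes for the R3 entry ("(no name)", "(no file)" and the underscore in front of the CLSID) can be applied to every CLSID-bearing HijackThis line. The following is an added example, not part of the original post and not HijackThis code; the function names are made up for illustration and the sample is built from lines quoted in this thread.

```python
import re

# Constructed sample: entries copied from the HijackThis lines quoted in this
# thread, keeping the hard line wraps the newsgroup software introduced.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net/
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} -
(no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# A new entry starts with a HijackThis section code such as "R3 - " or "O16 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Sections whose entries have the shape "<kind>: <name> - <CLSID> - <file>".
CLSID_ENTRY = re.compile(
    r"^(?P<section>R3|O2|O3|O9) - (?P<kind>[^:]+): "
    r"(?P<name>.*?) - (?P<clsid>\S+) - (?P<target>.*)$"
)

# A CLSID is a GUID in braces with nothing in front of or behind it.
WELL_FORMED_CLSID = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def unwrap(text):
    """Rejoin entries split across lines (assumption: wraps fell on spaces)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def triage(entry):
    """Return the parsed entry with the reasons it deserves a closer look."""
    m = CLSID_ENTRY.match(entry)
    if m is None:
        return None  # not a CLSID-bearing entry (for example R0/R1/O4/O16)
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("(no name)")
    if m["target"] == "(no file)":
        reasons.append("(no file)")
    elif m["target"].endswith("(file missing)"):
        reasons.append("(file missing)")
    if not WELL_FORMED_CLSID.match(m["clsid"]):
        reasons.append("malformed CLSID")
    return {
        "section": m["section"],
        "clsid": m["clsid"],
        "target": m["target"],
        "reasons": reasons,
    }


def review(text):
    """List flagged entries, most reasons first (one reason alone is weak)."""
    findings = [f for f in map(triage, unwrap(text)) if f and f["reasons"]]
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding["section"], finding["clsid"], ", ".join(finding["reasons"]))
```

The ranking is only a reading aid: an entry with a single flag, such as the BHO that still points at an existing Microsoft Money DLL, sorts last, and the R3 entry with all three flags sorts first.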
 
nybarton

Daave.......

Thanks for all the info. Before I do anything else, I want to say that I'm
leaning toward the Canon Pixma MP530 installation as the source of my
problem, especially since it appears that the problem started at just about
the same time as the installation. Just out of curiosity, I decided to
explore the ENTIRE installation disk that came with the machine and although
I couldn't find "WrtMon.exe" or "WrtMon.proc" anywhere on the disk, I did
find a file called "StartHtm.exe" in the VManual folder on the disk. Now
what does that file have to do with WrtMon? I have no idea EXCEPT that the
logo of the StartHtm.exe file is the EXACT same logo as that of the WrtMon
files (the letters MFC displayed as 3 green blocks). When I checked the
properties of StartHtm.exe, it showed the company as Canon. HOWEVER, the
StartHtm.exe file only exists on the installation disk.....it is NOT on my
computer system. The new printer was installed on June 23rd, and the two
WrtMon files were created on the same date.

The Canon all-in-one printer is working beautifully, no problems at all. The
only problem I'm having is when I run a full scan for viruses, spyware and
malware. All programs that check for spyware or malware are causing the Page
Fault screen (it's not just McAfee). When I scan only for viruses, there's
no problem.

By the way, I'm also seeing drivers from my HP Photosmart printer that was
just replaced with the Canon. Is it possible that the HP drivers may be in
conflict with the Canon Drivers. My son installed the Canon for me, but we
did not uninstall and remove the HP printer from the system.

Thanks.........

legality
 
Daave

nybarton said:
Thanks for all the info. Before I do anything else, I want to say
that I'm leaning toward the Canon Pixma MP530 installation as the
source of my problem, especially since it appears that the problem
started at just about the same time as the installation. Just out of
curiosity, I decided to explore the ENTIRE installation disk that
came with the machine and although I couldn't find "WrtMon.exe" or
"WrtMon.proc" anywhere on the disk, I did find a file called
"StartHtm.exe" in the VManual folder on the disk. Now what does that
file have to do with WrtMon? I have no idea EXCEPT that the logo of
the StartHtm.exe file is the EXACT same logo as that of the WrtMon
files (the letters MFC displayed as 3 green blocks). When I checked
the properties of StartHtm.exe, it showed the company as Canon.
HOWEVER, the StartHtm.exe file only exists on the installation
disk.....it is NOT on my computer system. The new printer was
installed on June 23rd, and the two WrtMon files were created on the
same date.

StartHtm.exe is the installation executable. It sounds like the WrtMon
files are part of your Canon installation.

The Canon all-in-one printer is working beautifully, no problems at
all. The only problem I'm having is when I run a full scan for
viruses, spyware and malware. All programs that check for spyware or
malware are causing the Page Fault screen (it's not just McAfee).

I doubt the problem is related to your Canon files (it's probably
coincidental), but I'll keep it in the back of my mind. :)

When I scan only for viruses, there's no problem.

I thought that's how this whole problem started--with McAfee scanning
for viruses:

The problem:

When running a complete scan of my system using McAfee Virus Scan,
the scan proceeds uninterrupted until it reaches a point somewhere
around the 110,000 file mark. That's when Windows abruptly shuts down
and I get the following screen:



"A problem has been detected and Windows has been shut down to prevent
damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

Tech Information

***STOP: 0x00000050 (0xFFFFDFF8, 0x00000000, 0x80550211, 0x00000000)"

Please clarify!

By the way, I'm also seeing drivers from my HP Photosmart printer
that was just replaced with the Canon. Is it possible that the HP
drivers may be in conflict with the Canon Drivers. My son installed
the Canon for me, but we did not uninstall and remove the HP printer
from the system.

If you're no longer using the HP printer, you should uninstall the
software associated with it.

Getting back to your problem, I still believe the culprit is either a
corrupted file in McAfee (which is also causing conflicts with other
malware scanners) or some persistent spyware--perhaps
Adware.AdultLinks.B:

R3 - URLSearchHook: (no name) -
_{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)

Have you run Spybot S&D in Safe Mode yet? I'd be curious to see if you
get the page fault then. And whether or not it fixes your problem.

At least one person here has recommended SuperAntiSpyware. Although I
can't personally vouch for it, many techs seem to like it.
 
nybarton

Daave.......

After reading your message, I ran Spybot-SD in Safe mode. It ran all the way
through without causing the Page Fault and found 30 items, all red. Just
before finishing the scan a warning window popped up that said "There were
problems in the include file C:\Program
Files\Spybot-Search_Destroy\Includes\Trojan.sbi. See Include errors.log for
details"

I didn't "fix" anything because I'm not sure if everything there should be
fixed. Most of the items were tracking cookies which I would gladly
eliminate. There were 8 Registry items, one of them being something called
"DyFuCA" which Spybot called malware. Other registry items deal with various
Windows Security matters such as "FirewallDisableNotify",
"AntiVirusDisableNotify", "IEFirewallBypass" and "InternetExplorer. Registry
change". There's an item called ISearchTechPowerScan (registry value), two
items for AdwareAlert (one is a registry key and the other is a log in
Program Files). I thought I got rid of AdwareAlert, but I guess not. There's
also an entry for 180SolutionsAssistant: Data

I couldn't print the results in Safe mode, so I rebooted into regular mode
and just out of curiosity I ran Spybot again. It went through without
causing the Page Fault and I was able to print out the results. However, I
did get the same warning window about the problem in the Includes folder.
Since I hadn't "fixed" anything yet, I was surprised that Spybot operated
without causing the Page Fault which it did the first time I used it a few
days ago.

I just don't know if it's safe to proceed with a fix on ALL the items. I
don't know how to copy and paste all the entries for review by others.
Thanks.

legality
 
nybarton

Daave.......

I found "view report" in Spybot and was able to copy and paste it. These
items were all in red. Here it is:

--- Report generated: 2007-07-10 02:08 ---

ISearchTech.PowerScan: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest

AdwareAlert: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\AdwareAlert

AdwareAlert: Program directory (Directory, nothing done)
C:\Program Files\AdwareAlert\Log\

DyFuCA: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\Microsoft\Internet
Explorer\Main\BandRest

Rotue: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue

Microsoft.Windows.Security.InternetExplorer: Settings (Registry change,
nothing done)
HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry
change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry
change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallDisableNotify!=dword:0

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program
Files\Internet Explorer\IEXPLORE.EXE

180Solutions.SearchAssistant: Data (File, nothing done)
C:\WINDOWS\saap.log

BlueStreak: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

FastClick: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Statcounter: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Clickbank: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

TagASaurus: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Advertising.com: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

CoreMetrics: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Zedo: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

FastClick: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

Win32.Small.ddx: Bookmark (Internet Explorer: Marilyn) (Bookmark, nothing
done)
 
Guest

My Reply inline:

nybarton said:
Daave.......

I found "view report" in Spybot and was able to copy and paste it. These
items were all in red. Here it is:

--- Report generated: 2007-07-10 02:08 ---

ISearchTech.PowerScan: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest

Make sure the check box is selected for this item [ ]

AdwareAlert: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\AdwareAlert


Make sure the check box is selected for this item [ ]
AdwareAlert: Program directory (Directory, nothing done)
C:\Program Files\AdwareAlert\Log\

Make sure the check box is selected for this item [ ]
DyFuCA: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\Microsoft\Internet
Explorer\Main\BandRest

Make sure the check box is selected for this item [ ]
Rotue: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue

Microsoft.Windows.Security.InternetExplorer: Settings (Registry change,
nothing done)

Make sure the check box is selected for this item [ ]

HKEY_USERS\S-1-5-21-335388756-1319870562-3049974079-1006\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry
change, nothing done)

For now Make sure the check box is selected for this item [ ]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry
change, nothing done)

For Now Make sure the check box is selected for this item [ ]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallDisableNotify!=dword:0

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)

For now Make sure the check box is selected for this item [ ]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program
Files\Internet Explorer\IEXPLORE.EXE

180Solutions.SearchAssistant: Data (File, nothing done)

Make sure the check box is selected for this item [ ]
C:\WINDOWS\saap.log

BlueStreak: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)


Make sure the check box is selected for this item [ ]

HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
FastClick: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
Statcounter: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
Clickbank: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
TagASaurus: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
Advertising.com: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

Make sure the check box is selected for this item [ ]
CoreMetrics: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
Zedo: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
FastClick: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)

Make sure the check box is selected for this item [ ]
WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)

Make sure the check box is selected for this item [ ]
WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)
Make sure the check box is selected for this item [ ]
HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)

Make sure the check box is selected for this item [ ]
MediaPlex: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing
done)
Make sure the check box is selected for this item [ ]
HitBox: Tracking cookie (Internet Explorer: Marilyn) (Cookie, nothing done)
Make sure the check box is selected for this item [ ]
WebTrends live: Tracking cookie (Internet Explorer: Marilyn) (Cookie,
nothing done)
Make sure the check box is selected for this item [ ]
Win32.Small.ddx: Bookmark (Internet Explorer: Marilyn) (Bookmark, nothing
done)

Make sure the check box is selected for this item [ ]


Click the Fix All button and let Spybot fix them, and pay attention to any
message that pops up and write it down.

Run Lavasoft SE and a virus scan; anything found?

Then Run the HijackThis and select these items:

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://my.msn.com/?page=2&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=566...p://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} -
(no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [WrtMon.exe]
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no
file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
%windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: symsupportutil -
https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/download/ipixx.cab
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector
Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1622.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety
Center Base Module) -
http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download
Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdat...b?1128537877381
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} -
http://entimg.msn.com/client/msnediag3606.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} -
http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) -
http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) -
http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX
Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -
http://entimg.msn.com/client/msnmusax3718.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) -
http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-loc/...066/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -
http://chat.msn.com/bin/msnchat45.cab

After selecting these items, click Fix selected item and close HijackThis.
Reboot your machine in Safe Mode and perform a scan with McAfee (full scan),
also Spybot and Lavasoft.

To get another opinion scan on-line from here:
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Run disk Clean up and defrag and see if the printer is working okay, if not
then try to uninstall the software and then reinstall it again.

Note: there are three entries in the Spybot log that will show again; read this link
to exclude them from future scans:
http://forums.spybot.info/showthread.php?t=1059
 
N

nybarton

Nass.....

I followed your instructions, to a point. I ran Spybot again (it runs fine
in regular mode), fixed ALL the items found, and proceeded to run AdAwareSE
(Lavasoft). It produced the Page Fault both in regular mode and in Safe
mode. I closely watched the items being scanned and the fault occurred
during the registry scan. I ran the online version of McAfee Virus Scan
(viruses only) and no infections were found. I cannot run the full McAfee
scan, which also scans for spyware and malware, because it produces the Page
Fault screen.

Yesterday, I contacted Canon tech support and presented my problem to them,
especially the fact that my McAfee scanning problem appears to have begun at
the same time as the printer installation. They were very helpful, but said
there are absolutely no problems with the Canon installation disk and pretty
much advised me to do many of the same things you have. They had no idea
what WrtMon.exe or WrtMon.proc were, but they did a Google on it and
reported to me they believe it is spyware or malware which is what we
believe as well. They said many times when new hardware or software is
installed, something "bad" that was previously lurking can suddenly rear its
ugly head.

It certainly appears that the problem exists in the registry because scans
of the registry are causing the Page Fault shut down. During the Spybot
scan, it did pop up a warning window about problems in the "Includes" file
"C:\ProgramFiles/Spybot-Search_Destroy\Includes\Trojans.sbi". I found the
log for that, which reads as follows and which means absolutely nothing to
me:

C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi |
Zlob.DNSChanger |
(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+

Nass, I'm just about ready to give up. It's been 3 days since I posted on
Coyote and I haven't received one reply even though it shows there were 51
reviews of my post. I'm just wondering if it's worth any more time and
energy trying to figure out what the problem is. I admit it's intriguing,
and "inquiring minds want to know", but I'm getting tired and I'm feeling
very guilty about bothering everyone else, especially you since you've gone
way beyond what anyone could be expected to do in these newsgroups. Your
assistance is very much appreciated. My computer is working fine, my printer
is working fine, the internet is working fine.......the only problem I have
is trying to perform a full system scan of my computer. I can check for
viruses via many different programs, including McAfee, but except for Spybot
so far, I cannot complete a scan of the registry and I'm not even sure that
Spybot did a deep scan of the registry.

So, this is where I'm at right now. Any other suggestions?
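What the expression in that Spybot log line describes, as an added Python example that is not part of the original thread and not Spybot's own code: it applies the quoted pattern to DNS-server strings and compares the result with a numeric range check. The thread does not say where Spybot applies the pattern; the sample values and function names below are constructed for illustration.

```python
import ipaddress
import re

# Pattern copied verbatim from the Spybot log line quoted in the post.
SIGNATURE = re.compile(
    r"(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+"
    r"(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+"
)


def signature_hits(dns_value):
    """Apply the quoted pattern as a substring search.

    Both groups are mandatory, so at least two addresses starting with
    85.255.110-119 must appear back to back for a hit.
    """
    return SIGNATURE.search(dns_value) is not None


def addresses_in_range(dns_value):
    """Stricter check: parse each entry and compare it numerically.

    Returns every valid IPv4 entry inside 85.255.110.0-85.255.119.255,
    the block described by the pattern's first three octets.
    """
    low = int(ipaddress.IPv4Address("85.255.110.0"))
    high = int(ipaddress.IPv4Address("85.255.119.255"))
    found = []
    for token in re.split(r"[,\s]+", dns_value.strip()):
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue  # not an IPv4 literal, skip it
        if low <= int(addr) <= high:
            found.append(str(addr))
    return found


# Constructed sample values (not taken from the poster's machine).
SAMPLES = {
    "two servers in the block": "85.255.112.36,85.255.113.201",
    "space separated": "85.255.116.10 85.255.112.5",
    "single server in the block": "85.255.112.36",
    "ordinary private resolver": "192.168.1.1",
    "neighbouring block": "85.255.120.1,85.255.121.2",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:28} regex={signature_hits(value)!s:5} "
              f"range={addresses_in_range(value)}")
```

The pattern only fires on a list of two or more servers in the block, while the numeric check also reports a single entry.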
 
G

Guest

The Canon people are spot on. When we talked about this process, we said
it is malware and it has infected the system, but it doesn't belong to the
Canon printer. Bear in mind any file/folder can be infected, Microsoft or
other third-party.
I would like you to perform the following:
Go to Add/Remove Programs and see if there is a funny (or unfamiliar to you)
program; you can search the net for the ones you don't know.

Then about the error, I think Spybot is trying to get the definitions for
Zlob.DNSChanger to protect your machine from any malicious attacker who may
in the future change your DNS to a bad one.
Open Spybot and run the update engine, and a pop-up will appear for you
to select from many; one of them will be TCP/IP! Read here:
http://forums.spybot.info/showthread.php?t=14869

Download the free AVG on a removable disk or on the Desktop:
http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Then disconnect completely from the Internet and uninstall McAfee. Reboot
and install AVG and scan first, then connect and get the update and run a scan
again in normal mode & Safe Mode.
Scan online from here:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Run Disk Cleanup and defrag in Safe Mode, then run this command:
sfc /scannow and click [OK]; you will need your XP CD handy.
Run HijackThis. Do you see these entries again?
HTH.
nass
 
N

nybarton

Nass......

I'll get to your instructions in a moment. I wanted to tell you that I did
run SuperAntispyware in regular mode and it did scan the registry without
problems. It also scanned the memory without problem, and it found some 57
threats (all cookies) when scanning the files. I eliminated those cookies.

Now, to your instructions:

Instruction: "I would like you to perform the following:
Go to Add/Remove programs and see if there is a funny (or unfamiliar to you)
program you can search the net for the ones you don't know."

I did this and there are no unfamiliar programs as far as I can tell.
However, I don't know if there is a way to make a copy of the Program list
for review. There is one program I do want to get rid of, a toolbar, but I
can't remove it. When I click on change/remove, nothing happens. The screen
flickers and the sound I have assigned for program closings is played. There
were a couple of other old programs I no longer use so I did remove them
without a problem. I don't know how to remove the toolbar and the program
does not appear in Start/All Programs.

Instruction: "Then about the error, I think spybot is trying to get the
definitions for the zlob.DNSchanger to protect your machine from any
malicious attacker may in the future change your DNS to a bad one.
Open the Spybot and run the update engine and a pop-up will appear for you
to select from many one of them will be TCP/IP!"

I downloaded the TCP/IPI update and ran Spybot again (in regular mode). That
apparently took care of the zlob problem. The warning message did not appear
again and I got a "congratulations" message that Spybot found no problems
during the scan.

I will attempt the balance of your instructions tomorrow (can't do it
tonight) regarding downloading AVG and uninstalling McAfee, etc.

Thanks and have a great evening. If you're in the UK, then no doubt you're
already asleep as of this writing. I'll communicate with you again tomorrow.
 
