www.errorplace.com on browser - spyware?



nomad
31-08-2004, 11:41 AM
Hiya

Sometimes when I bumped onto a wrong url or a lost link the error page of IE appears and sometimes this www.errorplace.com appears. I have done a spyware check on it and then a few days later I see it again.

Does anyone know how to get rid of this thing?

nomad
31-08-2004, 11:42 AM
i think when a pop up box appears too saying you must click ok or something like that.

johnboy
31-08-2004, 11:44 AM
There is an uninstaller here (http://www.errorplace.com/)
hth

Jim B
31-08-2004, 12:01 PM
If the uninstaller from johnboy does not work run Ad-Aware and Spybot
Failing that use Hijackthis and post your log for experts to check the entries.

For those using Hijackthis or having spyware or hijack problems there is some good information at this link.
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

nomad
31-08-2004, 11:41 PM
Logfile of HijackThis v1.98.0
Scan saved at 10:50:03 p.m., on 31/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\Thinkpad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Thinkpad\UTILIT~1\tphkmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Thinkpad\Utilities\tponscr.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ray\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clear.net.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=29126
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {9C9327A0-8B21-473C-B851-45B70B36E1FF} - C:\WINNT\hhsfqcg.dll
O2 - BHO: Adobe Acrobat Control for ActiveX - {CA8A9780-280D-11CF-A24D-444553540000} - C:\PROGRA~1\Adobe\ACROBA~1.0\Acrobat\ActiveX\pdf.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FastCache] C:\Program Files\AnalogX\FastCache\fc.exe
O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\Thinkpad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\Thinkpad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplorer.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\winprc64.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\syihidco.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/189b1c377e9da4cff405/netzip/RdxIE601.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E153CCE8-7C3B-4FE7-9B29-93478277FBC7}: NameServer = 203.97.33.14 203.97.37.14

nomad
01-09-2004, 07:19 PM
does anyone know how to fix this?
that stupid uninstaller does not work .. as others have had this too with my google search.

now i updated lavasoft i get like 30 found and i just did a scan yesterday. when i open my homepage www.clear.net.nz 3 or 4 popups come up, something got copied onto my desktop without my attention. this errorplace.com page does not close, I need to press ALT CTRL DEL.

I am gonna update McAfee now.

nomad
01-09-2004, 08:30 PM
my computer has been hijacked!!
my favourites menu of IE now list only the folder "media"
everything else is gone. but if I go to the start menu fav's is still all there...

i have got mcafee update, lavasoft with update, spybot with update and a couple of websites. hope this fixes it, does anyone have exp with this.

what i think about this thing is it reinstalls itself when u are logged on or when it simply detects an active internet line. i had www.clear.net.nz and i saw 4 pop and zonealarm was requesting me to give authority for it to pass ....... so i did a lavasoft immediately after restarting it found another 12 bugs.

Pheonix
01-09-2004, 09:06 PM
You have the DAP disease. First try the method described here (http://www.spyany.com/program/article_spw_rm_Download_Accelerator_Plus.html) then run Adaware (http://www.majorgeeks.com/download.php?det=506)

Pheonix
01-09-2004, 09:09 PM
It also pays, before restarting the PC, to run Ccleaner (http://www.ccleaner.com/) which will clean out your Internet cache, where it has been known for trojans to hide. The only thing to change from standard install is to tick the "delete index.dat file".

tweak'e
01-09-2004, 09:12 PM
sounds like it missed a bit and the installer is still on your pc. clean out ALL temp files.
make sure you do a full system scan with adaware and spybot in SAFE MODE, you might also want to try running CWshredder.

then check with hijackthis for anything weird.

johnboy
01-09-2004, 09:18 PM
Here are some more programs to stop things installing without your permission plus two online trojan scans at the bottom
BhoDemon= here (http://www.siena.edu/antivirus/spyware/bhodemon.asp)
A2 here (http://www.emsisoft.com/en/software/free/)
SpywareBlaster
here (http://www.javacoolsoftware.com/spywareblaster.html)
cwshredder
here (http://www.spywareinfo.com/~merijn/cwschronicles.html)
onlinescan (http://www.anti-trojan.net/en/onlinecheck.aspx)
scan (http://www.windowsecurity.com/trojanscan/)
hth

Susan B
01-09-2004, 09:55 PM
I can see two or three entries there that look a bit suss but I'm too tired to go through your HijackThis list properly after having just done my fourth cleanup in two days.

Do what the others have suggested regarding cleaners - I agree with Pheonix about DAP, that would be one of the first to go in my opinion. I would also give Stinger a run in safe mode after the AV, etc.

After that, do another HJT scan and get onto Google and do a search for all the entries to find out what they are. If they come up as spyware or whatever put the tick in to remove them. HJT is the last thing you need to do to "mop up" after running everything else first. Stay offline after getting all the updates until you have fixed it.

Two of the computers I have just done needed the entire works thrown at them before I got rid of everything - one or two tools just can't get them all.
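The advice to research every HijackThis entry before ticking it is easier to follow once the log is reduced to lookup keys. The script below is an added example, not part of any post in this thread: it parses HijackThis 1.98-style lines (the sample is excerpted from nomad's log above), groups the IE search/home settings by host, and lists the BHO and autorun file names and CLSIDs to look up. The function and variable names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: six lines excerpted from nomad's HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clear.net.nz/
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {9C9327A0-8B21-473C-B851-45B70B36E1FF} - C:\WINNT\hhsfqcg.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\winprc64.exe
"""

LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
MODULE = re.compile(r'([^\\" ,]+\.(?:exe|dll|cpl|ocx))', re.I)  # first module named

def parse(log):
    """Split HijackThis text into IE URL settings (by host), BHOs and autoruns."""
    ie_urls, bhos, autoruns = defaultdict(list), [], []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code.startswith("R") and " = " in body:
            key, url = body.split(" = ", 1)
            host = urlparse(url).hostname or url
            ie_urls[host].append(key.rsplit(",", 1)[-1])
        elif code == "O2" and (b := BHO.match(body)):
            bhos.append({"name": b[1], "clsid": b[2], "path": b[3]})
        elif code == "O4" and (r := RUN.match(body)):
            autoruns.append({"hive": r[1], "name": r[3], "command": r[4]})
    return dict(ie_urls), bhos, autoruns

def lookup_terms(bhos, autoruns):
    """File names and CLSIDs to research one at a time before ticking anything."""
    terms = []
    for b in bhos:
        terms += [b["path"].rsplit("\\", 1)[-1], b["clsid"]]
    for a in autoruns:
        m = MODULE.search(a["command"])
        terms.append(m[1] if m else a["command"])
    return terms

if __name__ == "__main__":
    urls, bhos, runs = parse(SAMPLE_LOG)
    print(urls, lookup_terms(bhos, runs), sep="\n")
```

The output is only a research list; it makes no judgement about which entries are unwanted.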

tweak'e
01-09-2004, 10:25 PM
DAP is no biggee. just an adware supported program. debatable if its spyware or not. certainly not a nasty that would cause problems, at worse a privacy concern.

nomad
01-09-2004, 11:16 PM
oh .. crap. i updated virus scan, my old one was only a month or so old found nothing. now it found 6 viruses when i initialised spybot on bootup. i have wmplayer.exe, winproc32.exe, atn_4_mm.exe, ccaa.exe, yloc.exe (spelling?).

nomad
01-09-2004, 11:19 PM
i can't clean any of the files, delete or quarantine... ok .. time to listen and take the advice i received. thanks guys A+!! safe mode too.

Pheonix
01-09-2004, 11:31 PM
Nice little virus killer, Stinger (http://vil.nai.com/vil/stinger/), that doesn't need to install, just run. Gets most new and common viruses and worms. Then you can use your updated AV or an Online AV scan (http://housecall.antivirus.com/housecall/start_frame.asp).

johnboy
01-09-2004, 11:47 PM
Removal info for winproc32.exe
here (http://www.pestpatrol.com/PestInfo/t/trojan_win32_pulez.asp)
Wmplayer is windows media player. have you spelled the others correctly??
Pest patrol search site, just copy and paste the file's name in
here (http://pestpatrol.com/Search/default.asp?qu=yloc.exe+&sc=%2FPestInfo%2F&Action=Go)
hth

johnboy
01-09-2004, 11:52 PM
Sorry wmplayer could also be part of a trojan here (http://pestpatrol.com/zks/pestinfo/t/trojandropper_win32_siboco_a.asp)

nomad
02-09-2004, 12:12 AM
cwshredder got rid of WMplayer i think.
i really don't know how many viruses i do have.
6 was picked up with spybot and mcafee.
mcafee has picked up more. those i think are right spelling except perhaps the last one. mcafee has picked up also 911 virus that is , also e9xr(1).chm

911 IS => 9-1(1).exe they are in the windows directory.
mcafee can't even clean them or delete, with that link i cannot get rid of winproc32 (delete) its not running. i checked process. i am gonna do the safe mode now and the boot disk mcafee.

Rob99
02-09-2004, 12:23 AM
If you can find the file you want deleted and you are unable to you may want to try this.

This info is for XP but should apply to 2000 depending on your shut down procedure.

-Open a Command Prompt window.

-Close any open windows.

-Close explorer.exe there are two ways
-1--start > Turn off computer, hold down CTRL+SHIFT+ALT and press the CANCEL button.
-2--CTRL+ALT+DEL and End task in the process tab

-Go back to the Command Prompt window and change to the directory where the undeletable file is located in. At the command prompt type del <filename>.

-Go back to Task Manager, click File, New Task and enter EXPLORER.EXE to restart the GUI shell.

nomad
02-09-2004, 11:51 AM
i did spybot and ad aware yesterday then again in safe mode and again in normal mode, all clean.
spybot always locate "DSO exploit" after each reboot then a spybot scan while it was before not on the internet? huh?

mcafee picked up win32proc.exe and cleaned it and deleted. the others were also deleted but i wasn't notified. i just checked mcafee's log file.

this morning i tested this stupid errorplace.com, I can confirm its the source of the issue. When I had my internet line live with a webpage opened. nothing happened when i had a clean system. however when i purposely pop into the first wrong address URL it gave MSN error page - fine. then i redid a mistype URL the 2nd time and it linked me to errorplace.com. this page just won't go away. then i was again bombed by more viruses.

they are as follows, the last one on the list took a while to load, must be a decent size i guess: 9-2(1).exe, vwzpl.exe, ast_4_mm(1).exe

I have mcafee version 6. does anyone know if it supports a restricted site feature? I know IE does but it does not explicitly warn you. I think mcafee had this feature back in their older versions.

tweak'e
02-09-2004, 12:03 PM
>this morning i tested this stupid errorplace.com

i assume you cleaned out your pc and you checked you were not getting any popups or errorplace.com pages. then after you went to errorplace.com the problems came back ??

is your windows fully up to date ? java up to date?

btw i just went to the errorplace.com site, it looks like its been taken down.

you can add the addy to your host file and that will stop your pc from going there.

nomad
02-09-2004, 12:52 PM
hi there,

umm.. i tried it and i just got bombed again.
if you go to www.errorplace.com you should see two lines of text with an uninstaller available. this is safe thou, no viruses., don't install it! i scan it after i downloaded it was safe. however i did not run the file. i did run it last time as i thought it would fix it. but just don't do it, maybe it gave me all those issues last time.

if i type a wrong url it brings me to this.
certainly do not go here .. i got infected again:
the linked page is:
http://www.errorplace.com/red.php?c=&aff=&q=net

re: the updates, no i am not updated, i am dialup. i am aware of that java fix thou i was linked after running CWShredder.

yes i cleaned it then i went onto the net. nothing happened until i bumped onto that page when i mistyped a url address. there was no pop ups until i was redirected. zonealarm was blocking it.

i just tried that link now, it now appears nothing is happening but the IE logo is spinning around endlessly. the page is just empty. not sure if i am already full of this junk its stopped giving me more. webhancer customer companion did pop up thou (blocked by ZA)

i have set my IE security to high. yesterday.

tweak'e
02-09-2004, 01:09 PM
>re:the updates, no i am not updated

probably explains why you got infected.

Rob99
02-09-2004, 02:15 PM
Have you reset zone alarm to only allow the internet browser and ask for everything else, this would be advisable while you are trying to rid your computer of nasties.

nomad
02-09-2004, 02:57 PM
its fixed! thanks guys.
i located the redirected URL thing via CCleaner there is an unusual BHO .. one was acrobat and the other was spybot. the other had something like BHO {no name} ... ... ... ... i deleted that. some guys had success on the google search. now its fixed, i am not getting the redirection anymore.

i am going to update java now via that CWShredder link after the scan/fix. thanks again.

nomad
02-09-2004, 02:59 PM
yeah i got the ZA reset to the software i know is safe. i am gonna upgrade ZA too.

nomad
02-09-2004, 03:00 PM
sorry the BHO thing was located and deleted by "hijackthis."