Skip to main content

pskelley

933 Posts

March 27th, 2005 17:00


"An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: mad.dll,sockspy.dll)
Error #5 - Invalid procedure call or argument"

Please do your best to supply the information Merijn requested.  Thanks

Then complete the balance of the instructions and post a new log. 

Thanks...pskelley 

erikaform

8 Posts

March 27th, 2005 17:00

I'm not sure exactly what you mean, but I was trying to fix the problems you suggested. These included:
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINNT\system32\sfg_20c1.dll
O2 - BHO: CEngine Object - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Messenger Plus]
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fsvgnsl] C:\WINNT\fsvgnsl.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - AppInit_DLLs: mad.dll,sockspy.dll
 
If I run Hijackthis again, it is obvious some of the above problems have not been fixed. These include...
 
- HKLM\..\Run: [Messenger Plus]
- HKLM\..\Run: [fsvgnsl] C:\WINNT\fsvgnsl.exe
 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
 - Trusted Zone: *.musicmatch.com
 - Trusted Zone: *.musicmatch.com (HKLM)
 - AppInit_DLLs: mad.dll,sockspy.dll
 
I check these problems again and click "fix problems".  It still doesn't work. Here is my new log....
 
Logfile of HijackThis v1.99.1
Scan saved at 2:53:02 PM, on 3/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mercy.ky.schoolwebpages.com/education/components/scrapbook/default.php?sectiondetailid=2023
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Messenger Plus] 
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [fsvgnsl] C:\WINNT\fsvgnsl.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\unzipped\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O9 - Extra 'Tools' menuitem: Popup Blocker Options - {D5770C25-E0F4-4bb9-BCB6-DB17F7BFBB7F} - C:\Program Files\SafeGuard Popup Blocker Pro\PBOptions.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O20 - AppInit_DLLs: mad.dll,sockspy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
 
 

erikaform

8 Posts

March 27th, 2005 17:00

Ok. I did all that you said, but when I ran the "fix problems" this message came up:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: mad.dll,sockspy.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

Then, it said it was fixing a BHO and that I should close all windows for the best results, which I did and pressed OK. Then, it just dissapeared. Is that what was supposed to happen? I haven't run the CCleaner yet. The reason I was going through all of this in the first place was because my computer had started to randomly freeze in the last week or so. It's not when I am running a certain program or my web browser so I couldn't figure out why it was freezing. I ran spyware programs and ad-aware. Is there anything in the log to suggest why it has been freezing?

pskelley

933 Posts

March 27th, 2005 17:00

Hello erikaform, Welcome to Dell forum.  If you still need help please follow these directions:
 
Optional, I will remove it unles you say otherwise, I would not have it on my computer.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml
 
You have SafeguardProtect/Veevo = http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453082734
A random named trojan: C:\WINNT\fsvgnsl.exe  if you know what it is, do not remove it and let me know.  Does not Identify.   Some leftover from Messenger Plus which installs the LOP toolbar and some other junk. I suggest you follow these instructions.
 
Download CCleaner from here: http://www.ccleaner.com/
Take the time to read the instructions on the download page so you will know what you are doing.  I will tell you when to run it.
 
Open Add Remove Programs, locate and uninstall this item:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
If you have any programs that will try to stop the change, you need to turn them off.  If you get requests from any you must allow the changes.
 
Open HJT and choose Scan only then put a check in front of these lines:
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINNT\system32\sfg_20c1.dll
O2 - BHO: CEngine Object - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\Program Files\SafeGuard Popup Blocker Pro\SGPopupBlocker.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Messenger Plus]
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [fsvgnsl] C:\WINNT\fsvgnsl.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINNT\system32\sfg_20c1.dll"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
( do you really trust MM this much?  Access to your computer?)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - AppInit_DLLs: mad.dll,sockspy.dll
 
Close all programs but HJT and all browser windows then click on "Fix Checked"
 
SHOW HIDDEN FILES: Follow the instructions in the follow link to enable hidden files for your operating system. 
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
 
RIGHT click on Start then click on Explore, locate and delete these files or folders:
 
C:\Program Files\ Viewpoint\ >>>folder
 
C:\WINNT\ fsvgnsl.exe >>> file
 
C:\WINNT\ system32\sfg_20c1.dll (check to see if this is three, if it is, delete it)
 
Now run CCleaner, then restart the computer and staying in this thread post a new log along with any comments you have. Let us know how your are running.
Thanks...pskelley
 
 
 

 

pskelley

933 Posts

March 27th, 2005 18:00

erikaform, I simply want you to use the email link merijn supplied to send him the information he needs to find out why you are getting the error message.  Here is the link to send the error message, what you can remember about the error and a copy of your HJT log to merijn: merijn@spywareinfo.com,
 
 
 
Something seems to be stopping the changes, I would like you to remove what you could not while in the safe mode.  Follow these directions to enter safe mode, then open HJT and check the items not yet removed including the 020, perhaps you will be able to remove the 020 item then.  Post another log when this is complete.
 
Here is you link to enter safe mode.  You may want to print the instructions as you won't see then in safe mode:

pskelley

933 Posts

March 30th, 2005 10:00

Hello erikaform,  I guess I was stupidly waiting for another log from you and I apologize.  If you still have issues and would post a fresh log, I will take another look at your problem.
Thanks...pskelley

erikaform

8 Posts

March 30th, 2005 19:00

Oh sorry, I did not realize you were waiting for another log. I think, however, that I have fixed all of the problems I was having! Thanks!

erika

pskelley

933 Posts

March 30th, 2005 19:00

That's good to hear, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm   
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
 
Good luck and safe surfing
pskelley

Was this post helpful?

View All

No Events found!

Top