
Drwtsn32.exe problems (log included)



#16
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Sad Man

We will need to skip that; just continue with the fix. The malware is using Dr Watson to stop you removing it, so we will need to do this a number of times, but we will get it in the end.

Kc :tazz:
  • 0


#17
ora

ora

    New Member

  • Member
  • 7 posts
Edited: if you want to help on the forums, please see this topic

http://www.geekstogo...here-t4817.html

Thanks, the Geeks to Go team

Edited by Efwis, 24 March 2005 - 09:50 AM.

  • 0

#18
Sad Man

Sad Man

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi,

I went through the whole process; I hope I did it all correctly.

I was unable to run the Housecall virus scan; for some unknown reason it wouldn't load up in my browser.

Here is the HJT file and the Panda scan:

---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 16:19:34, on 24/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wlancfg.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Norman\NVC\BIN\ZLH.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\qed1_qc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\NORMAN\nvc\BIN\NIP.EXE
C:\NORMAN\nvc\BIN\cclaw.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Marc Becker\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROVL400:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [eB4ERWJpj] qed1_qc.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...VSR/index.jhtml
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098888057156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\nvc\BIN\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\nvc\BIN\NVCSCHED.EXE
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\WINDOWS\wlancfg.exe

-----------------------------------------------------------------------------------------------




-----------------------------------------------------------------------------------------------

PANDA active scan:


Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\qed1_qc.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\system32\pup.exe
Adware:Adware/MemoryWatcher No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.???
Adware:Adware/SearchAid No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Program Files\Toolbar
Spyware:Spyware/TVMedia No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/SideSearch No disinfected C:\Program Files\sep
Adware:Adware/IEDriver No disinfected C:\Program Files\MaxSpeed
Spyware:Spyware/Overpro No disinfected C:\Overpro-*
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Marc Becker\Favoris\Sites about\Ab scissor.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-6f169001.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-30e13bf9-53373b91.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-30e13bf9-53373b91.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-30e13bf9-53373b91.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-30e13bf9-53373b91.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Marc Becker\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-571bc93f-222fb0ca.zip[MainApp.class]
Adware:Adware/IEDriver No disinfected C:\Overpro-347.exe
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\nzqlihv.wzg
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\PIB.exe
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\TBPS.exe
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\TBPS.exe_tobedeleted
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Toolbar\TBPSSvc.exe
Adware:Adware/SearchAid No disinfected C:\RECYCLER\S-1-5-21-139688431-677230114-2246800759-1005\Dc16.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiry32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appnr.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\atlxr.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\bzjle.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ym.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\fxebf.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\jjulr.dll
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\lchox.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\npjpx.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\nrtuy.dll
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\nszpc.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_idvhcc.log
Adware:Adware/HT401 No disinfected C:\WINDOWS\opmtl.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\pxkpb.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\raxcq.dll
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\sjanf.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\skppp.dll
Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\bpbrs.dll
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\catsrv91.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\cfgbkend.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\dcyes.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\hdopv.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\system32\khkcy.dll
Adware:Adware/StartPage.BK No disinfected C:\WINDOWS\system32\lfuir.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mssa32.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mtwearts.exe
Adware:Adware/Winshow No disinfected C:\WINDOWS\system32\ndxvi.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\qed1_qc.exe
Adware:Adware/Winshow No disinfected C:\WINDOWS\system32\risae.dll
Adware:Adware/Winshow No disinfected C:\WINDOWS\ufqfr.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\xslqb.dll

-------------------------------------------------------------------------------------------

I can open my folders again!!

Sad man
  • 0
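The HijackThis and Panda output above is what a helper has to triage by eye. As an added example (not part of this thread and not code from either tool), here is a small Python triage script that parses both log formats and flags the entry types a helper looks at first: entries whose file no longer exists, Run entries that launch a bare filename instead of a full path, O16 DPF objects that point straight at an executable, and Run targets that the scanner has already named. The sample lines are constructed and modelled on the formats above (the placeholder user name is not the poster's); the heuristics are my own assumptions about what deserves a second look, not a verdict.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the HijackThis 1.99 output above;
# they are not the poster's actual log.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROVL400:80
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [eB4ERWJpj] qed1_qc.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/5/load.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
"""

# Constructed sample of Panda ActiveScan result lines (USER is a placeholder).
PANDA_SAMPLE = r"""
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\qed1_qc.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\USER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-0000-0000.zip[BlackBox.class]
"""

# HijackThis lines start with a section code (R0-R3, O1-O23) and " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Panda lines: "<Category:Name> <Disinfected|No disinfected> <location>".
PANDA_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<location>.+)$"
)

Finding = Tuple[str, str, str]  # (section, reason, original line body)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"]})
    return entries


def parse_panda(text: str) -> List[Dict[str, str]]:
    hits = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def o4_target(body: str) -> str:
    """Return the executable an O4 Run entry launches (quoted or bare)."""
    if "] " not in body:
        return ""
    command = body.split("] ", 1)[1].strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(entries: List[Dict[str, str]], hits: List[Dict[str, str]]) -> List[Finding]:
    """Flag the HijackThis entry types a helper looks at first.

    The heuristics are assumptions about what deserves a second look, not a
    verdict: a bare filename can be a legitimate vendor entry too.
    """
    # basename -> scanner name, for files Panda reported (registry hits skipped)
    named_files = {
        h["location"].rsplit("\\", 1)[-1].lower(): h["name"]
        for h in hits if "\\" in h["location"]
    }
    findings: List[Finding] = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append((sec, "orphaned entry: references a file that no longer exists", body))
        if sec == "O4":
            target = o4_target(body)
            if target and "\\" not in target:
                reason = "Run entry launches a bare filename resolved through the search path"
                name = named_files.get(target.lower())
                if name:
                    reason += f"; scanner reported it as {name}"
                findings.append((sec, reason, body))
        if sec == "O16" and re.search(r"https?://\S+\.exe$", body, re.IGNORECASE):
            findings.append((sec, "DPF object points straight at an executable download; verify the source", body))
    return findings


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count scanner results by status (how much was left undisinfected)."""
    return Counter(h["status"] for h in hits)


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(HJT_SAMPLE), parse_panda(PANDA_SAMPLE)):
        print(f"{sec}: {reason}\n    {body}")
    print(dict(summarize(parse_panda(PANDA_SAMPLE))))
```

Paste a full HijackThis log into `HJT_SAMPLE` and the scanner output into `PANDA_SAMPLE` and the script lists each flagged line with its reason; the cross-reference against the scanner's file list is what turns the random-looking `O4` entry into a named threat rather than a guess. Note that the Panda hits with location `Windows Registry` carry no file name, so they cannot be matched this way and must be read on their own.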

#19
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Sad Man

Looks like a bit of improvement; please do not reboot your system, the next fix will take a bit of time.

Will post back soon.

Kc :tazz:
  • 0

#20
romik

romik

    New Member

  • Member
  • 5 posts
Help.. the computer on which I have this drwtsn problem (no files at all will open & the system keeps on crashing) does not currently have internet access... can anything be done?
  • 0

#21
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi romik

Please don't post into Sad Man's topic; start your own thread in the malware forum.

Please do not ignore this polite warning.

Thatman
  • 0

#22
mtnewbie

mtnewbie

    Member

  • Member
  • 27 posts
Sad Man,

As I wait for help, here's a way to get to it (I have the same issues as you with the debugger and freezes/no folder access)...

on your desktop:
1. right click on a program shortcut (MS Word works)
2. select "Create Shortcut" - it puts a second one on your desktop
3. right click on the second shortcut and click "delete"
4. you will get a windows prompt that says you are deleting the shortcut, not the program and if you want to delete the program to go to Add/Remove Programs. It gives a link. Click on the link and you will go there.

Only way I've been able to get there :tazz:

Fun times when you have to navigate through the Start>Run>Browse feature - or through any program "open" dialog to see/manipulate your files.

Good luck!!!

Chris
  • 0

#23
Sad Man

Sad Man

    New Member

  • Topic Starter
  • Member
  • 7 posts

Hi Sad Man

Looks like a bit of improvement; please do not reboot your system, the next fix will take a bit of time.

Will post back soon.

Kc :tazz:



Hey,

So I shouldn't turn my computer off?

Is that good for a laptop?

Sad man
  • 0

#24
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Sad Man

Download Pocket Killbox and unzip it; save it to your Desktop.

Please boot into Safemode

Find and delete the following files and folders, if found:

C:\Documents and Settings\Marc Becker\Favoris\Sites about\Ab scissor.url<--delete this file
C:\Documents and Settings\Marc Becker\ Application cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-6f169001.class<--delete this file

C:\Program Files\Toolbar<--Delete the whole folder
C:\Program Files\sep<--Delete the whole folder
C:\Program Files\MaxSpeed<--Delete the whole folder
C:\Overpro-347.exe<--Delete the whole folder
C:\keys.ini<--Delete the whole folder

C:\RECYCLER\S-1-5-21-139688431-677230114-2246800759-1005\Dc16.dll

Run killbox and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\apiry32.exe
C:\WINDOWS\appnr.exe
C:\WINDOWS\atlxr.exe
C:\WINDOWS\bzjle.dll
C:\WINDOWS\d3ym.dll
C:\WINDOWS\fxebf.dll
C:\WINDOWS\jjulr.dll
C:\WINDOWS\lchox.dll
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\npjpx.dll
C:\WINDOWS\nrtuy.dll
C:\WINDOWS\nszpc.dll
C:\WINDOWS\n_idvhcc.log
C:\WINDOWS\opmtl.dll
C:\WINDOWS\pxkpb.dll
C:\WINDOWS\raxcq.dll
C:\WINDOWS\sjanf.dll
C:\WINDOWS\skppp.dll
C:\WINDOWS\ufqfr.dll
C:\WINDOWS\xslqb.dll
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\system32\bpbrs.dll
C:\WINDOWS\system32\catsrv91.exe
C:\WINDOWS\system32\cfgbkend.exe
C:\WINDOWS\system32\dcyes.dll
C:\WINDOWS\system32\hdopv.dll
C:\WINDOWS\system32\khkcy.dll
C:\WINDOWS\system32\lfuir.dll
C:\WINDOWS\system32\mssa32.dll
C:\WINDOWS\system32\mtwearts.exe
C:\WINDOWS\system32\ndxvi.dll
C:\WINDOWS\system32\qed1_qc.exe
C:\WINDOWS\system32\risae.dll
C:\WINDOWS\system32\qed1_qc.exe
C:\WINDOWS\system32\pup.exe
C:\WINDOWS\system32\auto_update_uninstall.???
C:\WINDOWS\msxmidi.exe
End of killbox files

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.


Kc :tazz:
  • 0

#25
Rico750

Rico750

    Member

  • Member
  • 93 posts
Please don't post help until you've been trained at GeekU.

-Avohir

Edited by Avohir, 31 March 2005 - 08:25 PM.

  • 0


#26
lostsoul4findin

lostsoul4findin

    New Member

  • Member
  • 1 posts
I have found there is a way to get to your Add/Remove Programs file, by accessing the Start menu and going to All Programs, somewhere in Accessories.
  • 0

#27
Cybergeek

Cybergeek

    New Member

  • Member
  • 1 posts
Cybergeek, do you have a reading problem?

Click Here before posting a Hijack This log.
Please do not post your logs in someone else's thread. Start a new thread by clicking on New Topic. Do not post your problems into other open logs saying "I have the same issue, here is my log" etc. This is too confusing for everyone involved. Also, please stay with your original topic when posting follow ups.
The "Topic Title" should contain the name of the infection that you are having a problem with e.g. WinTools, http://...sp.html etc. Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections.
ONLY Geeks to Go Staff members are allowed to reply to topics in this forum. This is due to damage that can be caused by improper advice.
Please only post your topic once. Duplicate posts will be closed, and just create additional work for the staff members trying to help you. Do not 'bump' or reply to your topic. We look first for posts with no replies, and we start with the oldest posts and work forward.

Kc :tazz:
  • 0





