[Shadowfire]

It might be a day or so before I respond. Busy with Finals.

Just got a new program too. It won't even install. I click the .exe to install, mouse goes hourglass and then nothing. Can't install Firefox or Norton antivirus for the same reason.

HAXFIX logfile - by Marckie
--------------
version 2.41
Sat 05/06/2006 18:13:09.54

checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
twpR

checking for matching services....
matching services found
Aspi32
twpR32
twpR64

checking for matching safeboot services....
matching safeboot services found
twpR32.sys
twpR64.sys







Logfile of HijackThis v1.99.1
Scan saved at 6:15:24 PM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Benson Copenhaver\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: twpR32 - C:\WINDOWS\SYSTEM32\twpR32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[Advertisements]

Hi Shadowfire, welcome to geekstogo.

Please read this post completely and print it so that you can follow along.

• Open the folder c:\program files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
• Close all other open windows since this step requires a reboot
• Select option 3. Run manual fix by typing 3 and then pressing Enter

This message will appear:

Insert the haxdoorkey,
and then press Enter:

• Type twpR and press enter.
  When this is a valid choice, the key will be added to delete.
• You will see the following message:
  

  Haxdoorkey twpR added to delete.
  
  Do you want to add a new haxdoorkey?
  
  Press Y for YES or N for NO and then press Enter:

• Press Y
• Type Aspi and press enter.
• At the subsequent Yes/No question, type N for No and press Enter
• The computer will reboot
• After reboot a logfile will open > (c:\haxfix.txt)
• Post the contents of the logfile together with a new HijackThis log. Thanks.

[taher]

Hi Shadowfire, welcome to geekstogo.

Please read this post completely and print it so that you can follow along.

• Open the folder c:\program files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
• Close all other open windows since this step requires a reboot
• Select option 3. Run manual fix by typing 3 and then pressing Enter

This message will appear:

Insert the haxdoorkey,
and then press Enter:

• Type twpR and press enter.
  When this is a valid choice, the key will be added to delete.
• You will see the following message:
  

  Haxdoorkey twpR added to delete.
  
  Do you want to add a new haxdoorkey?
  
  Press Y for YES or N for NO and then press Enter:

• Press Y
• Type Aspi and press enter.
• At the subsequent Yes/No question, type N for No and press Enter
• The computer will reboot
• After reboot a logfile will open > (c:\haxfix.txt)
• Post the contents of the logfile together with a new HijackThis log. Thanks.

[Shadowfire]

Thank you very much for helping. Please bare with me I am moving at the moment and my girlfriend is graduating so I will be out of town this weekend.

I really need to figure this out because I can't connect to my new houses internet because my Netgear wizard will no longer initialize when I try to start the program. So I can't set up a an internet connection.

I also can not access this webpage on my computer. It will let me go to geekstogo.com but I can't get to the forums. The page just comes up blank and it says...Done


HAXFIX logfile - by Marckie
--------------
version 2.41
Wed 05/10/2006 22:29:42.43

Manual Haxdoorfix

Adding haxdoorkeys to delete...
Aspi


haxdoor key: twpR
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS

haxdoor key: Aspi
searching for services....
services found
deleting services.....
[SWSC] DeleteService FAIL

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete

haxdoor key: twpR
searching for services....
services not found, haxdoorkey twpR not added to delete


rebooting the computer.....


haxdoor key: twpR
searching for services....
services not found

checking if files are found.....
twpR32.dll
twpR64.sys

deleting files.....

checking if files are deleted.....


haxdoor key: Aspi
searching for services....
services found

checking if files are found.....
Aspi32.dll

deleting files.....

checking if files are deleted.....


checking for other files.....
zq.dll
zq.sys
ps.a3d
seDS.a3d

deleting other files.....

checking if the files are deleted.....


Finished


Logfile of HijackThis v1.99.1
Scan saved at 10:36:49 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Benson Copenhaver\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[taher]

Hi Shadowfire,

Your HijackThis log is clean. Let's do a few steps to check if anything is hiding.

Please read this post completely and print it so that you can follow along.



Step 1

First, let's make sure the haxdoor infection is gone:

• Open haxfix
• A red "dos window" (dos box) will open with options:
  1. Make logfile
  2. Run auto fix
  3. Run manual fix
  E. Exit Haxfix
  
• Select option 1. Make logfile by typing 1 and then pressing Enter
• Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
• Copy the contents of that logfile and paste it into this thread in your next reply.

Step 2

Let's do an ewido scan:

• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.





Step 3

And finally, please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Step 4

Please post back with the Haxfix log, the ewido log, and the ActiveScan report. Thanks.

[Shadowfire]

Ok. There is a problem with all of that.

I can not connect to the internet. I have a wireless card Netgear WG311T. It is run with its own little Netgear wizard program that sets up internet connections.

The program no longer works. I double click the .exe and nothing happens. The mouse does the hourglass for about 2 secs. Then nothing happens. This also happens with other programs.

So I can not connect to the internet until I can figure out why I can't initialize the program. I haven't had a chance to reinstall the wizard, but I don't think that is the problem because I have a new game I bought and it has the same problem. Won't initialize the program.


Ideas?

(I did an Eiwdo scan btw and it found 41 things and removed them, still can't use the wizard or initialize some programs)


Going out of town for a day. Will check up on reply soon as I can.

[taher]

Hi Shadowfire,

Have you tried reinstalling the Netgear software (not just the wizard, the whole software package)? Is it an internal or external wireless card?

Can you also tell me what other programs aren't initializing? Is it a problem with every program? And also, if you remember, did the problem arise with Netgear and spread to other programs, or the reverse? Or did it happen at the same time?

Also, could you please post the ewido log from:

• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Thanks.