
drwatson debugger and winupd dialer


  • This topic is locked

#1
jsfitz

Hi -

Every antispyware program I've run finds/detects dialer.winupd, but not one has been able to remove it. I also keep getting DrWatson Postmortem Debugger errors, but I can still use my computer a little even with them (it does not hang the PC).

Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 3:23:08 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
C:\WINDOWS\surfmonkey\smproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\fqjwvsf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\n3vasap23.exe
C:\WINDOWS\System32\MDNZ.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\System32\drwtsn32.exe
C:\WINDOWS\System32\dwwin.exe
C:\John\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\drwtsn32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\Run: [MDN] MDNZ.exe
O4 - HKLM\..\Run: [fqjwvsf] C:\WINDOWS\fqjwvsf.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Svhost.exe
O4 - HKLM\..\RunServices: [MDN] MDNZ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [Microsoft Update] Svhost.exe
O4 - HKCU\..\Run: [MDN] MDNZ.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SCA (Service Control Application) - Unknown owner - C:\WINDOWS\System32\SYSTEM.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Looking for help! obviously... :tazz:

#2
ilago

Hi jsfitz

Sorry for the delay in response. The forum has been very busy lately.

Since your original post is over a week old, could you please post a fresh HijackThis log for review?

If you have already fixed your machine or received help elsewhere, please post back and let us know.

Thank you

#3
jsfitz

Thanks for the reply, ilago...

I did a lot more research and did a lot of actions to try to fix it. Many of the steps here helped, but there was still some virus or worm that I just couldn't get rid of. I finally downloaded and ran a trial version of CounterSpy - it is, from what I read, from the same base as the Microsoft antispyware.

Anyway, it managed to detect *and* remove a variant of a Beagle trojan (don't have the specifics). It removed it, but the PC was in a bad state after. The DrWatson popups were gone, but I had a hard time logging in (I had to restore the Windows/System32/userinit.exe file), and then once I could log in to WinXP a lot of other things would not work right.

To make a long story short, there was not a lot of stuff on the PC (it was my brother-in-law's), so I just copied his relevant data - mostly digital pictures and a few other files - and then reinstalled XP from scratch. It works like a charm now :tazz:

Thanks for the reply.

#4
ilago

Hi there

Thanks for letting us know :tazz: