iexplore.exe and winlogon.exe and others..

Alright. So, it all started with the red x pop up message from spysherriff or something like that. Then my computer started blue screening on me and doing memory dumps. I fixed those problems but now IEXPLORE.exe is constantly running in my task manager, it regenerates and is obviously not the real one. Also, winlogon.exe sticks around longer than it should, I've read that this may be related. And processes randomly start running that are just nine numbers.exe (like 689320987.exe) pop ups will start to open and then immediately close and my computer slows down. Had SPOOLSVV which was taking up a lot of CPU usage but I ended it and haven't seen it since. And there's probably other stuff as well.

Oh, and why do I have so many svchost.exe? Is that normal?

Thanks :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:43 PM, on 10/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\system32\_mzu_stonedrv3.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\zxhstn.exe
C:\WINDOWS\dsrss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\adirss.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUMENTS AND SETTINGS\AAA\DESKTOP\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {21643BFB-BC18-059A-CCF4-03E1D98C5557} - C:\WINDOWS\System32\lodkvcb.dll
O2 - BHO: (no name) - {5CB0C46D-7CA6-C598-8BA1-0BDE2BBA96BC} - C:\WINDOWS\System32\zsiejzk.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: C:\WINDOWS\System32\211CEA.dll - {825875B5-93F3-429D-FF34-660B206D897C} - C:\WINDOWS\System32\211CEA.dll
O2 - BHO: C:\WINDOWS\System32\3EECC.dll - {945875B5-93F3-429D-FF34-660B206D897C} - C:\WINDOWS\System32\3EECC.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [win_drivr32] C:\WINDOWS\System32\zxhstn.exe
O4 - HKLM\..\Run: [nlmkqym.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\nlmkqym.dll,deduyrf
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [win_drivr32] C:\WINDOWS\System32\zxhstn.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch78m.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: qzasuWFoyk - {A8A30918-0209-A3B2-C7DF-A5B09DE7875E} - C:\WINDOWS\System32\sgnvy.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi2040410.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Hi ashleyk,

Sorry it took us so long. As you may have noticed it's pretty busy around here.

Before we get started, can you do us a huge favour?
Surf to:
http://www.thespykil...x.php?topic=5.0
and follow the instructions there to upload these files:
C:\WINDOWS\System32\211CEA.dll
C:\WINDOWS\System32\3EECC.dll

We suspect they are part of your problem, but want to take a closer look.
Please do this first before continuing!!

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {21643BFB-BC18-059A-CCF4-03E1D98C5557} - C:\WINDOWS\System32\lodkvcb.dll
O2 - BHO: (no name) - {5CB0C46D-7CA6-C598-8BA1-0BDE2BBA96BC} - C:\WINDOWS\System32\zsiejzk.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: C:\WINDOWS\System32\211CEA.dll - {825875B5-93F3-429D-FF34-660B206D897C} - C:\WINDOWS\System32\211CEA.dll
O2 - BHO: C:\WINDOWS\System32\3EECC.dll - {945875B5-93F3-429D-FF34-660B206D897C} - C:\WINDOWS\System32\3EECC.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [win_drivr32] C:\WINDOWS\System32\zxhstn.exe
O4 - HKLM\..\Run: [nlmkqym.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\nlmkqym.dll,deduyrf
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [win_drivr32] C:\WINDOWS\System32\zxhstn.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch78m.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: qzasuWFoyk - {A8A30918-0209-A3B2-C7DF-A5B09DE7875E} - C:\WINDOWS\System32\sgnvy.dll

Next step, surf here:
http://www.mvps.org/...p2002/hosts.htm
and download the hosts file offered for download there to replace your own, which can be found at:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Reboot into safe mode and delete:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe"
c:\windows\system32\_mzu_stonedrv3.exe
C:\WINDOWS\System32\zxhstn.exe
C:\WINDOWS\dsrss.exe

Boot back to normal and under Add/Remove Programs remove all ViewPoint software.

Post back with a new HijackThis log after doing all that.

Regards,

#1
ashleyk

Posted 25 October 2006 - 01:50 PM

Advertisements

#2
ashleyk

Posted 27 October 2006 - 07:48 PM

#3
Metallica

Posted 28 October 2006 - 02:16 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us