Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

drwtsn32.exe[CLOSED]

Started by jmaden , Apr 22 2005 02:26 PM

  • This topic is locked This topic is locked

#1
jmaden
Posted 22 April 2005 - 02:26 PM

jmaden

    New Member

  • Member
  • Pip
  • 9 posts
Please someone help me. The dr watson file won't let me open anything on my start button or in my documents. I tried everything that was suggested like downloading Ad-aware, CWShredder, Spybit, Windows updates and all the other stuff but nothing has helped. Please someone help me as soon as possible. Thanks, and here is my latest hijack log!

Logfile of HijackThis v1.99.1
Scan saved at 3:24:14 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\ntap32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\sdkvx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\webshots.scr
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lxjwg.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53930D97-4532-1E91-B33D-519D9E5AEB30} - C:\WINDOWS\system32\crwl32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sdkvx.exe] C:\WINDOWS\sdkvx.exe
O4 - HKLM\..\RunOnce: [ntap32.exe] C:\WINDOWS\ntap32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {63B3EC14-9F70-4129-B935-46EFB37013E8} (HPStamper Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ieny.exe" /s (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Kat
Posted 18 May 2005 - 12:04 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi there! My name is Kat and I will be helping you! I am sorry that it has taken so long for someone to get to you!

Since such a long time has passed now, could you please post a fresh HJT log here for me? I am getting ready to go to bed now, but I will be back in the morning. I am subscribed to this thread now, so I will know as soon as you make a reply and we'll get busy fixing you up! :tazz:
  • 0

#3
jmaden
Posted 19 May 2005 - 09:41 PM

jmaden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you so much for helping me, and sorry it has taken me so long to get back. Here is my latest hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 10:41:14 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ieem32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\smhrg.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F9611D23-F7B8-A44B-E962-46EE65E5DBA4} - C:\WINDOWS\sysne32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [mfchc.exe] C:\WINDOWS\system32\mfchc.exe
O4 - HKLM\..\Run: [ieem32.exe] C:\WINDOWS\system32\ieem32.exe
O4 - HKLM\..\RunOnce: [systp32.exe] C:\WINDOWS\system32\systp32.exe
O4 - HKLM\..\RunOnce: [winfj.exe] C:\WINDOWS\system32\winfj.exe
O4 - HKLM\..\RunOnce: [apiix32.exe] C:\WINDOWS\apiix32.exe
O4 - HKLM\..\RunOnce: [javavh32.exe] C:\WINDOWS\system32\javavh32.exe
O4 - HKLM\..\RunOnce: [sdkel32.exe] C:\WINDOWS\system32\sdkel32.exe
O4 - HKLM\..\RunOnce: [atlfq32.exe] C:\WINDOWS\atlfq32.exe
O4 - HKLM\..\RunOnce: [winzr32.exe] C:\WINDOWS\winzr32.exe
O4 - HKLM\..\RunOnce: [syscs.exe] C:\WINDOWS\system32\syscs.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\msmy.exe
O4 - HKLM\..\RunOnce: [ntlo32.exe] C:\WINDOWS\system32\ntlo32.exe
O4 - HKLM\..\RunOnce: [iegy.exe] C:\WINDOWS\system32\iegy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {63B3EC14-9F70-4129-B935-46EFB37013E8} (HPStamper Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ieny.exe" /s (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
Kat
Posted 19 May 2005 - 10:01 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Vist the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please note any complications you had.
**There WILL be more to clean up after this step is complete!
  • 0

#5
jmaden
Posted 23 May 2005 - 07:27 PM

jmaden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, so I tried to do everything that you told me to and I ran into a few problems. Everything was good until I restarted my computer and a little box popped up that said "Error Report, Runtime Error, Invaild BackWeb Application id "137903"". But then I closed the box and it went away, but I didn't know if you needed to know that. Anyway so the main problem was that I followed all the steps but everytime I tried to open the trendmicro housecall scan. It will let me do anything on the internet, but when I try to open that scan page, it tells me that internet explorer has encountered a problem and has to close, and would I like to send and error report. So, after a few times, I tried to restart my computer and the same box appeared when I tried to restart and then the same box appeared when I tried to open the web page. So, long story later, I did everything you told me to except the last step on the TrendMicro Housecall website. Thanks again for all that you do and I will look soon for your next reply.

Here is my hiJack log

Logfile of HijackThis v1.99.1
Scan saved at 8:26:23 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysqt32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {38A50B9E-E5A2-B073-8A50-BFA236D3901E} - C:\WINDOWS\system32\mfclz.dll
O2 - BHO: Class - {6F5238D0-58CA-ADF4-63DE-FD4A5FF51173} - C:\WINDOWS\mfciq32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {BB35FD19-38F4-89DC-FA76-BA6507A5C6D7} - C:\WINDOWS\system32\ieok32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FAA44DA8-BC87-EAF8-DE08-0B6C7CABB256} - C:\WINDOWS\sdkvn.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [winvm.exe] C:\WINDOWS\winvm.exe
O4 - HKLM\..\Run: [apiyd.exe] C:\WINDOWS\apiyd.exe
O4 - HKLM\..\Run: [winrf.exe] C:\WINDOWS\system32\winrf.exe
O4 - HKLM\..\Run: [sysqt32.exe] C:\WINDOWS\sysqt32.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\RunOnce: [apphr32.exe] C:\WINDOWS\system32\apphr32.exe
O4 - HKLM\..\RunOnce: [apifz32.exe] C:\WINDOWS\system32\apifz32.exe
O4 - HKLM\..\RunOnce: [winlg.exe] C:\WINDOWS\winlg.exe
O4 - HKLM\..\RunOnce: [crqi32.exe] C:\WINDOWS\crqi32.exe
O4 - HKLM\..\RunOnce: [ieit32.exe] C:\WINDOWS\system32\ieit32.exe
O4 - HKLM\..\RunOnce: [iegr32.exe] C:\WINDOWS\iegr32.exe
O4 - HKLM\..\RunOnce: [sdknx32.exe] C:\WINDOWS\sdknx32.exe
O4 - HKLM\..\RunOnce: [atlqi.exe] C:\WINDOWS\system32\atlqi.exe
O4 - HKLM\..\RunOnce: [netwi32.exe] C:\WINDOWS\netwi32.exe
O4 - HKLM\..\RunOnce: [addcc.exe] C:\WINDOWS\system32\addcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {63B3EC14-9F70-4129-B935-46EFB37013E8} (HPStamper Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apphr32.exe" /s (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
Kat
Posted 23 May 2005 - 08:49 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
ok. Deep breath. breathe in..........breathe out. Ok, now no strangling the Helper! :tazz:

I am sorry. When I posted your fix, I did not know that this was a different type of About.Buster infection. The reason it has replicated and gotten worse is there are several different things we have to do, or it will just keep getting worse and worse. Please follow these steps EXACTLY in the order they appear, so we can kill this off for you, ok? I double checked these steps with another Expert, and I assure you they are correct.


Please read through the instructions before you start (you
may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and install
AD-Aware.
Check
Here on how setup and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. use either link
below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip


Open Windows Explorer & Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide
extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show
hidden files even if your folder options settings are set to do that. Do
this so you can see hidden files and folders - click here
http://www.davehigha...ds/xphidden.zip
to download xphidden.zip. Extract xphidden.reg from the zip file and
save it to the desktop. When done, double-click the xphidden.reg and when
asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++



Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit
Ok
Scroll down and find the service called:(if found)

sdkvx.exe
ntap32.exe
winvm.exe
apiyd.exe
winrf.exe
sysqt32.exe
apphr32.exe
apifz32.exe
winlg.exe
crqi32.exe
ieit32.exe
iegr32.exe
sdknx32.exe
atlqi.exe
netwi32.exe
addcc.exe


When you find it, double-click on it. In the next window that opens,
click the Stop button, then click on properties and under the General
Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and
close any open windows. If you don´t find this service listed go ahead
with the next steps.

2. Reboot into
SafeMode.
<---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the
Processes tab => Double-click the Image Name column header to alphabetically
sort the processes => Scroll through the list and look for:

PROCESSES TO BE STOPPED
Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) (whichever of the three ways it shows up!)

If you find the files, click on them, and then click End Process =>
Exit the Task Manager.


4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks
next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vhajh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vhajh.dll/sp.html#37049

O2 - BHO: Class - {38A50B9E-E5A2-B073-8A50-BFA236D3901E} - C:\WINDOWS\system32\mfclz.dll
O2 - BHO: Class - {6F5238D0-58CA-ADF4-63DE-FD4A5FF51173} - C:\WINDOWS\mfciq32.dll
O2 - BHO: Class - {BB35FD19-38F4-89DC-FA76-BA6507A5C6D7} - C:\WINDOWS\system32\ieok32.dll
O2 - BHO: Class - {FAA44DA8-BC87-EAF8-DE08-0B6C7CABB256} - C:\WINDOWS\sdkvn.dll
O2 - BHO: Class - {FF5B4CBC-CE93-4290-8860-69D7C23478BE} - C:\WINDOWS\system32\mfcue32.dll

O4 - HKLM\..\Run: [winvm.exe] C:\WINDOWS\winvm.exe
O4 - HKLM\..\Run: [apiyd.exe] C:\WINDOWS\apiyd.exe
O4 - HKLM\..\Run: [winrf.exe] C:\WINDOWS\system32\winrf.exe
O4 - HKLM\..\Run: [sysqt32.exe] C:\WINDOWS\sysqt32.exe
O4 - HKLM\..\RunOnce: [apphr32.exe] C:\WINDOWS\system32\apphr32.exe
O4 - HKLM\..\RunOnce: [apifz32.exe] C:\WINDOWS\system32\apifz32.exe
O4 - HKLM\..\RunOnce: [winlg.exe] C:\WINDOWS\winlg.exe
O4 - HKLM\..\RunOnce: [crqi32.exe] C:\WINDOWS\crqi32.exe
O4 - HKLM\..\RunOnce: [ieit32.exe] C:\WINDOWS\system32\ieit32.exe
O4 - HKLM\..\RunOnce: [iegr32.exe] C:\WINDOWS\iegr32.exe
O4 - HKLM\..\RunOnce: [sdknx32.exe] C:\WINDOWS\sdknx32.exe
O4 - HKLM\..\RunOnce: [atlqi.exe] C:\WINDOWS\system32\atlqi.exe
O4 - HKLM\..\RunOnce: [netwi32.exe] C:\WINDOWS\netwi32.exe
O4 - HKLM\..\RunOnce: [addcc.exe] C:\WINDOWS\system32\addcc.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apphr32.exe" /s (file missing)


5. Delete the following files if present:
If you get an error when deleting a file. Right click on the file and
check to see if the read only attribute is checked. if it is uncheck it
and try again.
C:\WINDOWS\winvm.exe
C:\WINDOWS\apiyd.exe
C:\WINDOWS\system32\winrf.exe
C:\WINDOWS\sysqt32.exe
C:\WINDOWS\system32\apphr32.exe
C:\WINDOWS\system32\apifz32.exe
C:\WINDOWS\winlg.exe
C:\WINDOWS\crqi32.exe
C:\WINDOWS\system32\ieit32.exe
C:\WINDOWS\iegr32.exe
C:\WINDOWS\sdknx32.exe
C:\WINDOWS\system32\atlqi.exe
C:\WINDOWS\netwi32.exe
C:\WINDOWS\system32\addcc.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe


(and any other files with the same name that end in .dll, .exe or .dat,
you may find them right next to each other, example - appsw.exe,
appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and
delete them.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the
box: cleanmgr. Let it scan your system for files to remove. Make sure
these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


9. Double click on the cwsserviceremove and when asked to merge say
yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it
finds.

11. Reboot into normal mode.

12. Download the Hoster from
Here Press
"Restore Original Hosts" and press "OK". Exit Program


13. Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
then reboot and post a fresh Hijack This log and a copy of the Ewido log to see how we did.
  • 0

#7
jmaden
Posted 26 May 2005 - 06:32 AM

jmaden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, first of all thanks for all your help. Second, I followed all the steps and did not run into problems until the end. After, I ran the Ewido scan, it automatically closed when it finished, so I could not hit the save button. When I reopened it, I was able to save a few lists when I will post below. I tried to run the scan again, so I could save it, but it closed at the end again automatically. So, here is my new hijack log and the reports I was able to save once I reopened Ewindo. Let me know what's next, and thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 7:31:35 AM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E3708A67-0AF9-BAD5-D11A-A1478BEC083E} - C:\WINDOWS\system32\mspa.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\RunOnce: [wincx32.exe] C:\WINDOWS\wincx32.exe
O4 - HKLM\..\RunOnce: [iexg32.exe] C:\WINDOWS\system32\iexg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {63B3EC14-9F70-4129-B935-46EFB37013E8} (HPStamper Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crvt32.exe" /s (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 6:44:30 AM, 5/26/2005
+ Report-Checksum: 8B72BB8E

0: System Process
4: System Process
224: C:\Program Files\Softex\OmniPass\OPXPApp.exe
372: C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
404: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
468: \SystemRoot\System32\smss.exe
496: C:\WINDOWS\Explorer.EXE
524: \??\C:\WINDOWS\system32\csrss.exe
548: \??\C:\WINDOWS\system32\winlogon.exe
592: C:\WINDOWS\system32\services.exe
604: C:\WINDOWS\system32\lsass.exe
608: C:\WINDOWS\ALCXMNTR.EXE
640: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
708: C:\WINDOWS\System32\alg.exe
720: C:\WINDOWS\system32\ps2.exe
752: C:\WINDOWS\system32\svchost.exe
808: C:\WINDOWS\system32\svchost.exe
856: C:\Program Files\QuickTime\qttask.exe
880: C:\WINDOWS\System32\svchost.exe
908: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
940: C:\WINDOWS\System32\svchost.exe
988: c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
1044: C:\WINDOWS\System32\svchost.exe
1084: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
1140: C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
1156: C:\WINDOWS\system32\spoolsv.exe
1312: C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
1360: C:\Program Files\Messenger\msmsgs.exe
1412: C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
1488: C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1500: c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1532: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
1560: c:\Program Files\Norton AntiVirus\navapsvc.exe
1588: C:\WINDOWS\System32\nvsvc32.exe
1612: C:\WINDOWS\system32\rundll32.exe
1640: C:\Program Files\Softex\OmniPass\Omniserv.exe
1796: C:\WINDOWS\System32\svchost.exe
1860: C:\WINDOWS\system32\wdfmgr.exe
1896: C:\WINDOWS\system32\NOTEPAD.EXE
1964: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
2072: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
2080: C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
2144: C:\WINDOWS\system32\NOTEPAD.EXE
2216: C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
2468: C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
2484: C:\WINDOWS\webshots.scr
2544: C:\Program Files\ewido\security suite\SecuritySuite.exe
2548: C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
2656: C:\Program Files\ewido\security suite\ewidoctrl.exe
3044: C:\WINDOWS\System32\HPZipm12.exe
3236: C:\Program Files\ewido\security suite\ewidoguard.exe

---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 6:44:15 AM, 5/26/2005
+ Report-Checksum: 7CEACF13

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 68.52.215.67:139 0.0.0.0:0 LISTENING
TCP 68.52.215.67:1057 207.46.106.32:1863 ESTABLISHED
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1030
UDP 0.0.0.0:1032
UDP 0.0.0.0:1360
UDP 0.0.0.0:1396
UDP 0.0.0.0:4500
UDP 68.52.215.67:123
UDP 68.52.215.67:137
UDP 68.52.215.67:138
UDP 68.52.215.67:1900
UDP 127.0.0.1:123
UDP 127.0.0.1:1051
UDP 127.0.0.1:1058
UDP 127.0.0.1:1147
UDP 127.0.0.1:1900

---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 6:43:50 AM, 5/26/2005
+ Report-Checksum: 6FFF700

Reg\HKLM\Run HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
Reg\HKLM\Run CamMonitor c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
Reg\HKLM\Run Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
Reg\HKLM\Run Share-to-Web Namespace Daemon c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Reg\HKLM\Run PS2 C:\WINDOWS\system32\ps2.exe
Reg\HKLM\Run HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run MMTray "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
Reg\HKLM\Run AlcxMonitor ALCXMNTR.EXE
Reg\HKLM\Run Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
Reg\HKLM\Run MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Reg\HKLM\Run UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Reg\HKLM\RunOnce wincx32.exe C:\WINDOWS\wincx32.exe
Reg\HKLM\RunOnce iexg32.exe C:\WINDOWS\system32\iexg32.exe
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run Weather C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
Reg\HKCU\Run Acme.PCHButton C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
Reg\HKCU\Run NVIEW rundll32.exe nview.dll,nViewLoadHook
Shell\CommonStartup APC UPS Status.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
Shell\CommonStartup HP Digital Imaging Monitor.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
Shell\CommonStartup Image Transfer.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Shell\CommonStartup Quicken Scheduled Updates.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
Shell\UserStartup spamsubtract.lnk C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
Shell\UserStartup Webshots.lnk C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
  • 0

#8
Kat
Posted 26 May 2005 - 01:14 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! This is being tough on us, eh? Let's get this wiped out once and for all! :tazz:

Please print these directions, or save them to Notepad on the desktop!

Click Start>Run and type in "services.msc" (without the quotes) and hit Ok. Locate the following, right click,
and choose to Stop Service:
Network Security Service (or possible this: 11Fßä#·ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

11Fßä#·ºÄÖ`I

*NOTE* Make sure there is a SPACE before the first "1" when entered into that field otherwise it may not work.

It should pull up information about the service, when it asks if you want to reboot now click YES.

Reboot into Safe Mode, open HJT and scan for a log. Place a check next to all of the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fcjgg.dll/sp.html#37049

O2 - BHO: Class - {E3708A67-0AF9-BAD5-D11A-A1478BEC083E} - C:\WINDOWS\system32\mspa.dll

O4 - HKLM\..\RunOnce: [wincx32.exe] C:\WINDOWS\wincx32.exe
O4 - HKLM\..\RunOnce: [iexg32.exe] C:\WINDOWS\system32\iexg32.exe


O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crvt32.exe" /s (file missing)


Make sure all other windows are closed and click "Fix Selected"

While still in Safe Mode, locate the following files and delete them:

C:\WINDOWS\wincx32.exe
C:\WINDOWS\system32\iexg32.exe

Reboot normally, and post a fresh HJT log here in a reply.
  • 0

#9
jmaden
Posted 30 May 2005 - 11:26 PM

jmaden

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, so I tried to do everything but again I ran into problems. Everytime I try to fix things through hijack this, they don't fix or they change name. Like all of the names begining with R1-HKCU reappear even after I delete them just with part of the name different. Like the fcjgg.dll changes to ojazz.dll or gjilk.dll or something else. But it is always the ___.dll part that changes. But at first they appear to have been deleted, but then when I restart the computer and log onto the internet, then I run another log and they are back but just a little different. I think that they only reappear after I have gotten onto the internet though, but I am not sure.
Then I delete the 023 - Service: Network Sercurity Service one, and then I do another scan and it is still there. Also, I cannot locate C:\WINDOWS\wincx32.exe or C:\WINDOWS\system32\iexg32.exe anywhere on the computer. They will not list in my hijack log and when I seached from the start list, it said they could not be found. Sorry this is so difficult but htanks for your dedication to my problem. Here is my hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 12:22:54 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\appwk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\webshots.scr
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gjilk.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {33C77152-B550-0E68-4A8C-A73A3B6FA8D1} - C:\WINDOWS\ntki.dll
O2 - BHO: Class - {452CE4BD-6993-E987-C954-8D53652EE101} - C:\WINDOWS\system32\atlpc32.dll
O2 - BHO: Class - {5458BAA3-A40F-AB9F-E72F-77F8C6801EAA} - C:\WINDOWS\system32\ntmr.dll
O2 - BHO: Class - {5952B661-A49F-07C2-2FD6-A5C20926F8DF} - C:\WINDOWS\iejy32.dll
O2 - BHO: Class - {5D05AE8D-FCC9-7DFB-55FF-DED6BCC19A8B} - C:\WINDOWS\system32\sdkyc.dll
O2 - BHO: Class - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - C:\WINDOWS\system32\atldw.dll
O2 - BHO: Class - {A26538B0-8F5F-F0E6-7B55-44FA9E707CF1} - C:\WINDOWS\apino.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B10CD072-DA68-EDA5-0AC5-F4CADA122CDB} - C:\WINDOWS\msen.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D30E97DE-8322-41D2-604F-4B7E5C0AECE3} - C:\WINDOWS\mfcfg.dll
O2 - BHO: Class - {E897B7A0-EBE4-3A18-7DD3-77E65116B006} - C:\WINDOWS\atlrl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [appwk.exe] C:\WINDOWS\appwk.exe
O4 - HKLM\..\RunOnce: [mslo32.exe] C:\WINDOWS\system32\mslo32.exe
O4 - HKLM\..\RunOnce: [syslz.exe] C:\WINDOWS\syslz.exe
O4 - HKLM\..\RunOnce: [netaw.exe] C:\WINDOWS\netaw.exe
O4 - HKLM\..\RunOnce: [mfcgu32.exe] C:\WINDOWS\mfcgu32.exe
O4 - HKLM\..\RunOnce: [atlct.exe] C:\WINDOWS\system32\atlct.exe
O4 - HKLM\..\RunOnce: [ntam.exe] C:\WINDOWS\ntam.exe
O4 - HKLM\..\RunOnce: [javaon32.exe] C:\WINDOWS\javaon32.exe
O4 - HKLM\..\RunOnce: [crut32.exe] C:\WINDOWS\system32\crut32.exe
O4 - HKLM\..\RunOnce: [ntlw32.exe] C:\WINDOWS\ntlw32.exe
O4 - HKLM\..\RunOnce: [ntju32.exe] C:\WINDOWS\ntju32.exe
O4 - HKLM\..\RunOnce: [syswr32.exe] C:\WINDOWS\syswr32.exe
O4 - HKLM\..\RunOnce: [winbw32.exe] C:\WINDOWS\winbw32.exe
O4 - HKLM\..\RunOnce: [d3xc32.exe] C:\WINDOWS\system32\d3xc32.exe
O4 - HKLM\..\RunOnce: [addiy.exe] C:\WINDOWS\system32\addiy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {63B3EC14-9F70-4129-B935-46EFB37013E8} (HPStamper Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mslo32.exe" /s (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
Kat
Posted 31 May 2005 - 11:21 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again, jmaden! I'm sorry this is being so difficult. As you may have guessed, this is a very nasty (newer) strain of CWS. There are several Experts working hard to get a fix together for this that will nail it in one swoop. I have put up a white flag to them just now, asking for some help. I don't want to keep having to make you run through the same things over and over, I want to get you cleaned up!

If you have rebooted or turned off the machine and back on since this last HJT log, please post me a new HJT log. Then....please do not turn off the machine or reboot it again until we tell you to do so in the fix I will get posted for you later this afternoon!!

Hang in there, ok? We WILL get this! :tazz:
  • 0

#11
Kat
Posted 31 May 2005 - 04:01 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! Please download the FireFox browser here

Until we get you cleaned up, please do NOT use Internet Explorer or reboot your computer. Doing either of these can and will cause your infection to replicate itself!
  • 0

#12
Kat
Posted 01 June 2005 - 12:15 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! I am sorry this is being so stubborn. We have a feeling this is a new strain of CWS. THere are several active cases being worked on right now. Please don't give up on me! We have been successful in cleaning a few of these now, it's just a matter of pulling it all together to be able to clean it first try every time! I promise if you hang in there with me, we will get you cleaned up! :tazz:

The first thing I want you to do is to delete the About.Buster program you have. There was a new version released over the weekend, and it has some updated definitions that we are going to need!

1. Download about:buster by RubbeRDuckY Here.
Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
2. Please download the latest version of Ad-aware. If you're using an older version (or don’t have AdAware yet), download Ad-aware SE Personal and install it.
Before scanning with Ad-aware SE Free:
Update your version using the following configuration below
  • Update[list]
  • Select Check for updates.
  • Then Connect and download the newest update .
Close the program, we will use it later!

3. Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

4. Download and install the Ewido Security Suite 3.0.
1.) Download and install the Ewido Security Suite 3.0 here
2.) Double-click on the new e Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

5. you must first STOP and DISABLE the rogue service:
There are different Display Names to look for:

* Workstation NetLogon Service
* Remote Procedure Call (RPC) Helper
* Remote Access Service
* Network Security Service (NSS)

Go to Start => Run and type "Services.msc" (without quotes) then click Ok.

1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

6. copy the contents of the Code Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. 
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_½O.#ž‚„?õØ´_â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11Fßä_#·ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11Fßä #•ºÄÖ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?_%AFå___¤À¨]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?_’ŽrtñåȲ$_Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\½O.#ž‚„?õØ´_â]

7. Reboot into Safe Mode

8. From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

9. From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

10. From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create a another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

11. From Safe Mode, run the Ewido Security Suite 3.0.
NOTE: Windows 2000 and XP only.
1.) Double-click on the e Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

12. From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

13. From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

14. Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

15. Please post a fresh HJT log here for review so we can clean out any remnants of infection.
  • 0

#13
Kat
Posted 08 June 2005 - 01:15 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP