1. Sophos antivirus found and removed the trojan Troj/StartPa-FK from several locations. I could not remove it from one, but the warnings went away after I followed their manual removal method for trojans, which included removing a registry setting.
2. The computer WAS experiencing a system shutdown (it said it was shutting down in x seconds... save all of your work). It did that a few times when I was working on it, but it is not currently. Sometimes it will freeze, reboot by itself without warning, or go to that screen that looks like a bad monitor connection (a bunch of multi-colored lines across the screen).
3. While working on it, I was slammed by pop-ups, and it seems to download a bunch of junk. A bunch of icons appeared on the desktop (free games, etc.). It also had an icon or two in the systray indicating that it was downloading something from the internet.
4. I ran Ad-Aware and it found over 1000 pieces of spyware. I removed them and ran it again, but it must have rebooted when I walked away, because it was sitting at the login screen when I went back to it. The same happened when I tried to run a Sophos scan.
5. After the computer boots up and I log in, I get a runtime error in C:\WINNT\System32\psoft1.exe. I also get illegal operations in exp.exe and wintask.exe.
Here is the HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:07:02 AM, on 5/2/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\bcchkkwk\hxwhu.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Remote Management System\ALCAgent.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PspContr.Exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\exp.exe
C:\WINNT\System32\xejne\snued.exe
C:\WINNT\System32\idaxv\nhham.exe
C:\WINNT\System32\tkdemlvt\tpxo.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\System32\vzpkzl.exe
C:\WINNT\System32\GSMedia3.exe
C:\WINNT\system\qffc.exe
C:\WINNT\System32\lodsetup.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\WINNT\System32\drwtsn32.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mlb.mlb.com/N...lb_homepage.jsp
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr51.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\System32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [uuhchw] c:\winnt\system32\uuhchw.exe
O4 - HKLM\..\Run: [snued] C:\WINNT\System32\xejne\snued.exe
O4 - HKLM\..\Run: [hxwhu] C:\WINNT\System32\bcchkkwk\hxwhu.exe
O4 - HKLM\..\Run: [nhham] C:\WINNT\System32\idaxv\nhham.exe
O4 - HKLM\..\Run: [tpxo] C:\WINNT\System32\tkdemlvt\tpxo.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vzpkzl.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINNT\System32\GSMedia3.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Yw09RhYpO] lodsetup.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: VWDAT.LNK = C:\Program Files\Digital Voice\Voicewave Dictate\VWDAT.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41...etzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hhr.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{36F46FD9-E645-463B-AA3E-8AE41E0CA8A0}: NameServer = 65.106.1.196,65.106.7.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hhr.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hhr.local
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hxwhubcchkkwk - Unknown owner - C:\WINNT\System32\bcchkkwk\hxwhu.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ALCAgent.exe" -service -name ALC (file missing)
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router (file missing)
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SWEEPSRV.SYS
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
This one is driving me nuts! Usually, there is a clear-cut symptom and I can figure out what the problem is, but this one has so many symptoms that I don't know where to begin.
Thanks in advance!
Dave
Edited by dmg1969, 02 May 2005 - 07:59 AM.
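A first triage pass over a log like the one above, as an added example that is not part of the original post and not a HijackThis feature. It parses the O2/O4/O16/O23 line formats and flags the entries a removal helper would normally ask about first: Run entries or services whose binary sits in a non-standard subdirectory of System32, entries with random-looking names, "Unknown owner" services whose file is missing, orphaned BHO registrations, and ActiveX downloads from a raw IP address. The sample input is a subset of lines copied from the log in the post; the System32 allowlist and the "random-looking name" test are assumptions of this example, and every hit is a heuristic that means "look at this", not "this is malware".

```python
"""Triage heuristics over HijackThis (HJT) log lines. Added example, not
HijackThis code; every rule is a heuristic, not a verdict."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSoft1] C:\WINNT\System32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [hxwhu] C:\WINNT\System32\bcchkkwk\hxwhu.exe
O4 - HKLM\..\Run: [tpxo] C:\WINNT\System32\tkdemlvt\tpxo.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vzpkzl.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41...etzip/RdxIE.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hxwhubcchkkwk - Unknown owner - C:\WINNT\System32\bcchkkwk\hxwhu.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
"""

# Assumption: System32 subdirectories that legitimately hold executables on
# Windows 2000. A short allowlist is enough for a first pass.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "drivers", "config", "spool", "dllcache", "catroot", "ras", "wins"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
RAW_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/.]|$)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    raw: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Cheap pronounceability test: letters only with no vowels, or a run of
    four or more consonants (bcchkkwk, vzpkzl). Heuristic only."""
    n = name.lower()
    if not n.isalpha() or len(n) < 4:
        return False
    if not any(c in "aeiouy" for c in n):
        return True
    return re.search(r"[^aeiouy]{4,}", n) is not None


def first_path(command: str) -> str:
    """Pull the executable or module path out of a Run value / service command,
    handling quoted paths, HJT's stray trailing quote, and RunDLL32 targets."""
    command = command.replace(" (file missing)", "").strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    if not tokens:
        return ""
    if tokens[0].lower().startswith("rundll32") and len(tokens) > 1:
        return tokens[1].split(",")[0]  # RunDLL32 targets look like path,Entry
    return tokens[0].split('"')[0]


def system32_subdir(path: str):
    """Name of the System32 subdirectory the file sits directly in, or None."""
    m = re.search(r"\\system32\\([^\\]+)\\[^\\]+$", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def stem(path: str) -> str:
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def check_path_and_name(path: str, name: str, reasons: list) -> None:
    sub = system32_subdir(path)
    if sub and sub not in KNOWN_SYSTEM32_SUBDIRS:
        reasons.append(f"binary in non-standard System32 subdirectory '{sub}'")
    if looks_random(name) or looks_random(stem(path)):
        reasons.append("random-looking entry or file name")


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for line_no, raw in enumerate(log_text.strip().splitlines(), 1):
        line = raw.strip()
        reasons = []
        if m := O4_RE.match(line):
            check_path_and_name(first_path(m["cmd"]), m["name"], reasons)
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" and "(file missing)" in m["cmd"]:
                reasons.append("unknown-owner service whose binary is missing")
            check_path_and_name(first_path(m["cmd"]), m["name"], reasons)
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)":
                reasons.append("orphaned BHO registration (no file)")
        elif m := O16_RE.match(line):
            if RAW_IP_URL_RE.match(m["url"]):
                reasons.append("ActiveX control downloaded from a raw IP address")
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.raw}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`. The output is a list of lines to research, not a fix list: a legitimate product can fail the name test, and a missing-file service is often just leftover cruft, so confirm each hit (file properties, vendor, behaviour) before removing anything.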