Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

told to post log here [RESOLVED]


  • This topic is locked This topic is locked

#1
michaelrush

michaelrush

    New Member

  • Member
  • Pip
  • 8 posts
problem:

hi i just reformatted my computer... reinstalled windows xp...

and no i am expierencing problems whenever i load internet explorer and/or fire fox...

connect to aim, yahoo or outlook, i will get disconnected from the internet for a short period of time... about 10-15 seconds which means i cant use aim, yahoo, or outlook. let alone some of the online games i play....

ive ran CWShredder, Adaware SE, Spybot Search&Destroy, & Grisoft AntiVirus... ive cleaned all the spyware out on my comp but it still does come back randomly.......


i dont know what else there is to try.. i see everyone posting hijack this files but im not to sure on how to use that...


if this has happened to anyone before and they have fixed the problem please let me know what to do.. cause its really frustrating me... thanks -.-;


log:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:11 AM, on 6/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\omgwtfbbq\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wxzhmto] C:\WINDOWS\System32\wxzhmto.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118022919654
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe


if you can give me easy explanations if not.. complicated ones are fine to im sure ill figure it out biggrin.gif

thanks in advance.
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi michaelrush

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. we may need this later

Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an check in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll
O4 - HKLM\..\Run: [wxzhmto] C:\WINDOWS\System32\wxzhmto.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab

Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Using Windows Explorer, locate the following files/folders, and delete them: If found
C:\WINDOWS\System32\WinStat11.dll<--Delete this file
C:\WINDOWS\System32\wxzhmto.exe<--Delete this file
Exit Explorer.

Reboot as normal.

For your information:
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
It is a dedicated chip----hardware Firewall Built into the NF4 chipset...
Supposed to use lot's less resources...
But clearly doesn't.Knowen to cause problems
http://forums.nvidia...?showtopic=2137

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
michaelrush

michaelrush

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
NEW high jack this log
_____________________
Logfile of HijackThis v1.99.1
Scan saved at 2:25:40 PM, on 6/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\omgwtfbbq\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118022919654
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe





ewido log file
____________
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:22:33 PM, 6/7/2005
+ Report-Checksum: E7DD9314

+ Date of database: 6/7/2005
+ Version of scan engine: v3.0

+ Duration: 7 min
+ Scanned Files: 30234
+ Speed: 63.59 Files/Second
+ Infected files: 17
+ Removed files: 17
+ Files put in quarantine: 17
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@22423912[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@5296924[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@ar.atwola[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@www.liveperson[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@www.themmorpgexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\omgwtfbbq\Cookies\omgwtfbbq@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\LastGood\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\LastGood\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\system32\fcqwtv.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\system32\wxzhmtondw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup


::Report End


Panda Log File
____________


Incident Status Location

Virus:Trj/Downloader.CZM Disinfected Operating system
Adware:Adware/Ndware No disinfected C:\WINDOWS\System32\wxzhmto.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick*
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\omgwtfbbq\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\omgwtfbbq\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\omgwtfbbq\SSK3_B5 Verticlick 8.exe
Adware:Adware/Ndware No disinfected C:\WINDOWS\system32\wxzhmto.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\wxzhmtondw30104lib.dll



i keep seeing that wxzhmto.exe i looked on my computer for it and could not find anything.. O.o;
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi michaelrush

Your HJT.log has been scanned in safemode allways scan with HJT in normal mode thanks.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
C:\WINDOWS\System32\wxzhmto.exe
C:\Program Files\SurfSideKick*
C:\Documents and Settings\omgwtfbbq\Application Data\Sskknwrd.dll
C:\Documents and Settings\omgwtfbbq\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\omgwtfbbq\SSK3_B5 Verticlick 8.exe
C:\WINDOWS\system32\wxzhmto.exe
C:\WINDOWS\system32\wxzhmtondw30104lib.dll
Let the system reboot.

Try downloading the Service Pack from here and install it from your desktop.
http://www.softpedia...Pack-SP1a.shtml
Remember do not install Service Pack 2, as you will have major problems if you install that service pack without being clean first.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
michaelrush

michaelrush

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hrmm.. well i tried to rerun panda but my internet is disconnecting now to fast for it to load. so it wont load properly...

although.. i did get a hjt...

Logfile of HijackThis v1.99.1
Scan saved at 9:00:19 PM, on 6/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118022919654
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe


theres my new one...
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi michaelrush

Yor HJT.log is not showing any malware.

Please download this scanner – mwav exe http://www.spywarein...wnload/mwav.exe

Please post a new HJT.log and scan.log from mwav

kc :tazz:
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP