Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Major Problems [CLOSED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
:tazz: My wife clicked on an innocuous email and I now have major problems. AVG, Spybot D&D, and AdAware will not start. Neither McAfee AV nor Norton IS will load. Downloaded and ran Trojan Hunter and cleaned 5 Trojans. Ran Housecalls and cleaned several more. Edited Registry and cleaned files associated with known trojan/viruses. On reboot they were back. On shutdown, Programs Win Min, WindowsFormsParking Window, and C_c93wiz are all halted. Removed all entries from computer and registry to all of these, escpecially from the run entries in registry. They came back on reboot. EI5 has a default page of w-find. edited that out of registry and sysconfig. came back on reboot.
Have also removed all the entries listed in the attached Hijack log under autorun entries. They came back on reboot. Also, all my Wallpaper is gone except for a warning about being infected with "Jojan-spy.HTML.Smitfraud.c". I managed to get rid of the wallpaper but the progam that generated the warning is still on my taskbar and I CAN'T get rid of it. The icon is a red dot with a white exclamation point in the middle. This seems to be associated with a file in System32 called 'Intel32.exe', which comes up on TrojanHunter as a possible trojan file. It also is listed by Microsoft (with the same icon) as a legitimate file.

Any suggestion, since I can't get any local removal tools to run on the computer? If I have to format, I'll be running LinSpire from now on.

here is my Hijack This log.

StartupList report, 7/3/2005, 1:50:32 AM
StartupList version: 1.52
Started from : D:\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
F:\Program Files\Internet Explorer\iexplore.exe


Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\System32\c_93cwiz.exe,F:\Documents and Settings\Cal Aylsworth.WHITEBOX\Application Data\Explorer\c_93cwiz.exe


Autorun entries from Registry:

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HP Component Manager = "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
QuickTime Task = "F:\Program Files\QuickTime\qttask.exe" -atboottime
intel32.exe = F:\WINDOWS\System32\intel32.exe
Browser Shedule = F:\WINDOWS\System32\c_93cwiz.exe


Autorun entries from Registry:

MSMSGS = "F:\Program Files\Messenger\msmsgs.exe" /background
uaribnx = f:\windows\fbduves.exe
ewvfycv = f:\windows\fbduves.exe
awwuobu = f:\windows\fbduves.exe
ripgumb = f:\windows\fbduves.exe
yeymuhq = f:\windows\fbduves.exe
ajbmvuo = f:\windows\fbduves.exe
rgkuhmv = f:\windows\fbduves.exe
jpwlgja = f:\windows\fbduves.exe
wgfqewp = f:\windows\fbduves.exe
lnbhemk = f:\windows\fbduves.exe
vjywngj = f:\windows\fbduves.exe
mmrmnwt = f:\windows\fbduves.exe
sovurxx = f:\windows\fbduves.exe
froppbn = f:\windows\fbduves.exe
ypsynro = f:\windows\lpmhhne.exe
dwneqhg = f:\windows\lpmhhne.exe
nrhwiba = f:\windows\lpmhhne.exe
vaicyab = f:\windows\epnqccm.exe
korkovc = f:\windows\epnqccm.exe
vvsryuo = f:\windows\epnqccm.exe
vvqhlvf = f:\windows\epnqccm.exe
nxmarau = f:\windows\tvvgspw.exe
rghxltq = f:\windows\tvvgspw.exe
uhkixop = f:\windows\tvvgspw.exe
gxrbhvq = f:\windows\tvvgspw.exe
grpvtqw = f:\windows\cwmkdwk.exe
eyctohy = f:\windows\cpujbsr.exe
Browser Shedule = F:\WINDOWS\System32\c_93cwiz.exe
icgkkhw = f:\windows\cpujbsr.exe
rxefpqn = f:\windows\cpujbsr.exe
nirncsn = f:\windows\cpujbsr.exe
cpfyohf = f:\windows\dmhecsb.exe


Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\Programs\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programs\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - f:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}


Enumerating Task Scheduler jobs:

Symantec NetDetect.job


Enumerating Download Program Files:

[Support.com Configuration Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = http://www.comcastsu...oad/tgctlcm.cab

[Microsoft Office Template and Media Control]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[QuickTime Object]
InProcServer32 = F:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.t...all/xscan60.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = F:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....467&clcid=0x409

[Office Update Installation Engine]
InProcServer32 = F:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc2.cab

[RdxIE Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[WUWebControl Class]
InProcServer32 = F:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1115009805390

[HouseCall Control]
InProcServer32 = F:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

CODEBASE = http://dm.screensave.../sinstaller.cab

InProcServer32 = F:\WINDOWS\Downloaded Program Files\PhxStudent15.ocx
CODEBASE = https://mycampus.pho...hxStudent15.CAB

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab


Enumerating Winsock LSP files:

Protocol #1: F:\WINDOWS\System32\flsmngr.dll
Protocol #2: F:\WINDOWS\System32\flsmngr.dll
Protocol #14: F:\WINDOWS\System32\flsmngr.dll


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll
Browser Messenger: *Registry value not found*

End of report, 8,391 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0




    Malware Expert

  • Retired Staff
  • 148 posts
Hello ccaylsw, I am sorry it took so long for you to get a reply.

If you still need help please follow the directions in Step Five HERE for posting a HijackThis log. Make sure you post the log in a reply to this topic so that I am notified.
  • 0



    Malware Expert

  • Retired Staff
  • 148 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP