CWS, Trojans and Keylogger havin' a party [CLOSED]



#1 ruthyntrouble (Member, 39 posts)
OK, I have gone through the steps recommended with sweeping, Ad-Aware, CWShredder and Spybot. I have Norton and Spy Sweeper, but something is wrong.

I am posting my log (OK, I hope) because IE keeps shutting down when I remove all spyware and Favorites with Spy Sweeper. I've been at this for 2 days, and I posted, but a senior person said I was in the wrong forum; for that I apologize. So, I am trying again. Here is my log, and thanks in advance for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 6:28:32 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\winqm32.exe
C:\WINNT\System32\procsystem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruth\Local Settings\Temporary Internet Files\Content.IE5\KHIBKH27\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yah...elp/themes.html
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1318A56C-DE91-433D-FDEE-CF1CBD77B3F4} - C:\WINNT\system32\crno32.dll
O2 - BHO: Class - {1F27ABCB-13DE-3A22-6A2E-FA2FC65683C7} - C:\WINNT\netcs.dll
O2 - BHO: Class - {368DFA68-72D7-88C7-24B1-A24C7FBA651E} - C:\WINNT\system32\d3hg.dll
O2 - BHO: Class - {55C44D53-4CC5-038E-B86E-7F327238F826} - C:\WINNT\system32\javant32.dll
O2 - BHO: Class - {901D063E-F548-B038-B35E-09357A9905BB} - C:\WINNT\winta32.dll
O2 - BHO: Class - {A68EC69F-46D2-0A67-E96E-741AFE86C8A3} - C:\WINNT\ntwh32.dll
O2 - BHO: Class - {A9603122-BBEE-8287-CEEA-5A1760205805} - C:\WINNT\netht.dll
O2 - BHO: Class - {CC478517-684A-908C-011A-C7729819B4D6} - C:\WINNT\d3zh32.dll
O2 - BHO: Class - {F988DED8-5173-11C9-BE67-4A84B0FA2E38} - C:\WINNT\system32\ipsw32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysxu32.exe] C:\WINNT\system32\sysxu32.exe
O4 - HKLM\..\Run: [netpi.exe] C:\WINNT\netpi.exe
O4 - HKLM\..\Run: [msyn32.exe] C:\WINNT\msyn32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKLM\..\RunOnce: [winvi32.exe] C:\WINNT\winvi32.exe
O4 - HKLM\..\RunOnce: [msyg32.exe] C:\WINNT\system32\msyg32.exe
O4 - HKLM\..\RunOnce: [ntbj32.exe] C:\WINNT\ntbj32.exe
O4 - HKLM\..\RunOnce: [ipit.exe] C:\WINNT\system32\ipit.exe
O4 - HKLM\..\RunOnce: [mfcku.exe] C:\WINNT\mfcku.exe
O4 - HKLM\..\RunOnce: [ipli.exe] C:\WINNT\ipli.exe
O4 - HKLM\..\RunOnce: [ipqt.exe] C:\WINNT\system32\ipqt.exe
O4 - HKLM\..\RunOnce: [winwd.exe] C:\WINNT\system32\winwd.exe
O4 - HKLM\..\RunOnce: [d3yk.exe] C:\WINNT\system32\d3yk.exe
O4 - HKLM\..\RunOnce: [crmr.exe] C:\WINNT\crmr.exe
O4 - HKLM\..\RunOnce: [ipmi32.exe] C:\WINNT\system32\ipmi32.exe
O4 - HKLM\..\RunOnce: [appxb32.exe] C:\WINNT\appxb32.exe
O4 - HKLM\..\RunOnce: [d3lc32.exe] C:\WINNT\d3lc32.exe
O4 - HKLM\..\RunOnce: [syski32.exe] C:\WINNT\system32\syski32.exe
O4 - HKLM\..\RunOnce: [sdkpd.exe] C:\WINNT\system32\sdkpd.exe
O4 - HKLM\..\RunOnce: [d3pi32.exe] C:\WINNT\d3pi32.exe
O4 - HKLM\..\RunOnce: [addjo.exe] C:\WINNT\addjo.exe
O4 - HKLM\..\RunOnce: [nettm32.exe] C:\WINNT\system32\nettm32.exe
O4 - HKLM\..\RunOnce: [addzh32.exe] C:\WINNT\system32\addzh32.exe
O4 - HKLM\..\RunOnce: [cred32.exe] C:\WINNT\cred32.exe
O4 - HKLM\..\RunOnce: [netfs32.exe] C:\WINNT\system32\netfs32.exe
O4 - HKLM\..\RunOnce: [winuy32.exe] C:\WINNT\winuy32.exe
O4 - HKLM\..\RunOnce: [apiay32.exe] C:\WINNT\system32\apiay32.exe
O4 - HKLM\..\RunOnce: [ntdb.exe] C:\WINNT\system32\ntdb.exe
O4 - HKLM\..\RunOnce: [sdkvl32.exe] C:\WINNT\system32\sdkvl32.exe
O4 - HKLM\..\RunOnce: [sdkwj32.exe] C:\WINNT\system32\sdkwj32.exe
O4 - HKLM\..\RunOnce: [atlbe.exe] C:\WINNT\atlbe.exe
O4 - HKLM\..\RunOnce: [ielw32.exe] C:\WINNT\ielw32.exe
O4 - HKLM\..\RunOnce: [sdkrz32.exe] C:\WINNT\system32\sdkrz32.exe
O4 - HKLM\..\RunOnce: [addzh.exe] C:\WINNT\addzh.exe
O4 - HKLM\..\RunOnce: [netjv.exe] C:\WINNT\netjv.exe
O4 - HKLM\..\RunOnce: [iesd.exe] C:\WINNT\iesd.exe
O4 - HKLM\..\RunOnce: [ntxf32.exe] C:\WINNT\system32\ntxf32.exe
O4 - HKLM\..\RunOnce: [mshy32.exe] C:\WINNT\system32\mshy32.exe
O4 - HKCU\..\Run: [bbxmtzl] c:\WINDOWS\System32\bbxmtzl.exe
O4 - HKCU\..\Run: [procsystem] C:\WINNT\System32\procsystem.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Grouper.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.amctv.com
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: www.JoinHyundai.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: www.worldwinner.com
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v..._faliro_coastal
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwd.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
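A small triage helper for HijackThis v1.99 log lines like the ones posted above. This is an added example, not code from the thread or from HijackThis; the heuristics (short random-looking .exe names autorun from the Windows folder, BHOs registered only as "Class", unknown-owner services whose file is missing) are constructed from the patterns visible in this log, and the sample lines are copied from it with a few benign entries for contrast.

```python
"""Triage of HijackThis v1.99 log lines.

Added example, not code from the thread or from HijackThis. It parses the
"Rn - " / "Onn - " entries and applies constructed heuristics for the patterns
visible in the posted log: short random-looking .exe names autorun from the
Windows folder, BHOs registered under the bare name "Class", and services with
an unknown owner whose file is missing. Findings are triage hints that still
need a human to confirm, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the posted log, plus benign entries for contrast.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1318A56C-DE91-433D-FDEE-CF1CBD77B3F4} - C:\WINNT\system32\crno32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysxu32.exe] C:\WINNT\system32\sysxu32.exe
O4 - HKLM\..\RunOnce: [ipit.exe] C:\WINNT\system32\ipit.exe
O4 - HKLM\..\RunOnce: [crmr.exe] C:\WINNT\crmr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O15 - Trusted Zone: www.worldwinner.com
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

WINDOWS_DIRS = ("c:\\winnt", "c:\\windows")
SYSTEM_DIRS = WINDOWS_DIRS + tuple(d + "\\system32" for d in WINDOWS_DIRS)

ENTRY = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# 2-6 lowercase letters, optional two digits, ".exe": ipit.exe, sysxu32.exe.
# Constructed heuristic; legitimate short names (hh.exe) will also match.
RANDOM_NAME = re.compile(r"^[a-z]{2,6}(\d{2})?\.exe$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def exe_path(cmd: str) -> Optional[str]:
    """Return the executable path at the front of an O4 command line."""
    m = re.match(r'^"?(?P<path>[^"]*?\.exe)', cmd, re.IGNORECASE)
    return m["path"] if m else None


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    """True for a file directly in the Windows folder or its System32."""
    low = path.lower()
    return "\\" in low and low.rsplit("\\", 1)[0] in SYSTEM_DIRS


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "R3" and "missing" in body:
            findings.append(Finding(section, "default URLSearchHook removed", line))
        elif section == "O2":
            bho = BHO.match(body)
            if bho and (bho["name"] == "Class" or "(file missing)" in bho["path"]):
                findings.append(Finding(section, "BHO with no descriptive name or missing file", line))
        elif section == "O4":
            run = O4_RUN.match(body)
            path = exe_path(run["cmd"]) if run else None
            if path and in_system_dir(path) and RANDOM_NAME.match(basename(path)):
                findings.append(Finding(
                    section, f"random-named autorun {basename(path)} via {run['hive']} {run['key']}", line))
        elif section == "O15":
            findings.append(Finding(section, "site runs with the relaxed settings of the IE Trusted sites zone", line))
        elif section == "O23":
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and (
                    "(file missing)" in parts[2] or RANDOM_NAME.match(basename(parts[2]))):
                findings.append(Finding(section, "unknown-owner service with missing or random-named file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the full posted log, the O4 rule alone singles out every HKLM RunOnce entry in it, while the Program Files autoruns (RealPlayer, AIM, HP) pass through untouched.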


#2 Kat (Retired Staff, MVP, 19,711 posts)
Hello and welcome to GeeksToGo! My name is Kat, and I will be helping you get your computer fixed back up and on the go! You should either print these instructions, or save them to a Notepad file on your desktop. Part of the fix may require you to be in Safe Mode, and you will be unable to access the internet at that time!


Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Reboot into SAFE MODE. Do this by repeatedly tapping the F8 key as the computer begins to boot up. You will be taken to a screen where you can use your keyboard "arrow" keys to move the cursor and highlight "Safe Mode", then click the "enter" button.
  • Once in Safe Mode, you are going to run Ewido as follows. It is VERY IMPORTANT that you do not "multi task" while Ewido runs. Please do not open/run ANYTHING else during the scan...this includes all files, programs, folders, games, etc. ONLY have Ewido running.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Make a reply here with a copy of the Ewido report, along with a new HijackThis log taken after the Ewido scan, and we'll finish cleaning you up!

#3 ruthyntrouble (Topic Starter, Member, 39 posts)
Hi Kat,

Thanks for responding. I am sorry it took a while to get back to you.

I downloaded ewido and scanned, but I made a goof. While in safe mode, my fonts and page were sooo large that I had a hard time going to the top and bottom, etc. AND, I could not get to the save report in the first scan. Also, I checked the wrong thing and it deleted all the malware that it found. That sucker was fast. I couldn't stop it...sooo. Will just have to wait and see if any files were deleted that I really need.

Here is the ewido scan, and following that will be the new HijackThis log.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:34:23 PM, 8/24/2005
+ Report-Checksum: 60CF922D

+ Scan result:

C:\Documents and Settings\Ruth\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\WINNT\$NtServicePackUninstall$\hh.exe:fqahk -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$NtServicePackUninstall$\hh.exe:qqyas -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$NtServicePackUninstall$\twain_32.dll:scilh -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$NtServicePackUninstall$\winhlp32.exe:vrusn -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$NtServicePackUninstall$\winhlp32.exe:yndxy -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$_hpcst$.hpc:ewvhn -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$_hpcst$.hpc:ouchl -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\$_hpcst$.hpc:pebxm -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\$_hpcst$.hpc:uyhee -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\$_hpcst$.hpc:vhton -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\adavwp.dat -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\addam32.dll -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\crmr.exe -> Trojan.Agent.bi : Cleaned without backup
C:\WINNT\_ISREG32.DLL:fxtfy -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:fxtfya -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:fyyuh -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:fzetn -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:fzmsh -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gahid -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gboja -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gbudd -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gcrsp -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gdvch -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:geeew -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gfygt -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:ggway -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gikcn -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gjkaa -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:glort -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gmcbb -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gmplu -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gnwdb -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gpbbg -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gtduo -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gxymr -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:gywwj -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hbpet -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hcqae -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hcufj -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hcveb -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hcxau -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hetxn -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hfkhx -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hfwtm -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hhabz -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hizbo -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hjlntq -> Trojan.Agent.bi : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hkdlw -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hkspx -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hlfead -> Trojan.Agent.bi : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hmggr -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hqbno -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hravq -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hreix -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hrgyi -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hsbhe -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:htkrn -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:hxrcld -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:iajzj -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:icuey -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:ifkbj -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:ikfvu -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:ikrts -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:illhm -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:imiqx -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:intyh -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:iphcs -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:iqcqa -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:irgum -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:irhpq -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:itfkw -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:izxcf -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jenfw -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jgjyp -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jipha -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jivkk -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jjplz -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jkhyv -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jojoe -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:jrxlu -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINNT\_ISREG32.DLL:juhmc -> TrojanDownloader.Agent.bq : Cleaned without backup


::Report End



HIJACKTHIS.LOG


Logfile of HijackThis v1.99.1
Scan saved at 10:08:49 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\procsystem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruth\Local Settings\Temporary Internet Files\Content.IE5\2JS1GZIV\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yah...elp/themes.html
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {01E31490-0283-33BA-A2D6-6BFE1432119A} - C:\WINNT\ipuy32.dll (file missing)
O2 - BHO: Class - {1318A56C-DE91-433D-FDEE-CF1CBD77B3F4} - C:\WINNT\system32\crno32.dll (file missing)
O2 - BHO: Class - {1D25BCAD-9D52-D9E5-0DB3-347A0F8B6BC8} - C:\WINNT\system32\winfl32.dll (file missing)
O2 - BHO: Class - {1F27ABCB-13DE-3A22-6A2E-FA2FC65683C7} - C:\WINNT\netcs.dll (file missing)
O2 - BHO: Class - {35146036-E2EB-F18E-6D6F-942AD29032FD} - C:\WINNT\apikn32.dll (file missing)
O2 - BHO: Class - {368DFA68-72D7-88C7-24B1-A24C7FBA651E} - C:\WINNT\system32\d3hg.dll (file missing)
O2 - BHO: Class - {4602477E-5428-D8F2-0714-C991F8536B10} - C:\WINNT\ipin32.dll (file missing)
O2 - BHO: Class - {55C44D53-4CC5-038E-B86E-7F327238F826} - C:\WINNT\system32\javant32.dll (file missing)
O2 - BHO: Class - {8F55D9E5-49FC-13A0-FC8E-39DD6D4849B4} - C:\WINNT\system32\windj32.dll (file missing)
O2 - BHO: Class - {901D063E-F548-B038-B35E-09357A9905BB} - C:\WINNT\winta32.dll (file missing)
O2 - BHO: Class - {A68EC69F-46D2-0A67-E96E-741AFE86C8A3} - C:\WINNT\ntwh32.dll (file missing)
O2 - BHO: Class - {A9603122-BBEE-8287-CEEA-5A1760205805} - C:\WINNT\netht.dll (file missing)
O2 - BHO: Class - {CC478517-684A-908C-011A-C7729819B4D6} - C:\WINNT\d3zh32.dll (file missing)
O2 - BHO: Class - {F988DED8-5173-11C9-BE67-4A84B0FA2E38} - C:\WINNT\system32\ipsw32.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysxu32.exe] C:\WINNT\system32\sysxu32.exe
O4 - HKLM\..\Run: [netpi.exe] C:\WINNT\netpi.exe
O4 - HKLM\..\Run: [msyn32.exe] C:\WINNT\msyn32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [bbxmtzl] c:\WINDOWS\System32\bbxmtzl.exe
O4 - HKCU\..\Run: [procsystem] C:\WINNT\System32\procsystem.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Grouper.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.amctv.com
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: www.JoinHyundai.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: www.worldwinner.com
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v..._faliro_coastal
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwd.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4 Kat (Retired Staff, MVP, 19,711 posts)
1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: Class - {01E31490-0283-33BA-A2D6-6BFE1432119A} - C:\WINNT\ipuy32.dll (file missing)
O2 - BHO: Class - {1318A56C-DE91-433D-FDEE-CF1CBD77B3F4} - C:\WINNT\system32\crno32.dll (file missing)
O2 - BHO: Class - {1D25BCAD-9D52-D9E5-0DB3-347A0F8B6BC8} - C:\WINNT\system32\winfl32.dll (file missing)
O2 - BHO: Class - {1F27ABCB-13DE-3A22-6A2E-FA2FC65683C7} - C:\WINNT\netcs.dll (file missing)
O2 - BHO: Class - {35146036-E2EB-F18E-6D6F-942AD29032FD} - C:\WINNT\apikn32.dll (file missing)
O2 - BHO: Class - {368DFA68-72D7-88C7-24B1-A24C7FBA651E} - C:\WINNT\system32\d3hg.dll (file missing)
O2 - BHO: Class - {4602477E-5428-D8F2-0714-C991F8536B10} - C:\WINNT\ipin32.dll (file missing)
O2 - BHO: Class - {55C44D53-4CC5-038E-B86E-7F327238F826} - C:\WINNT\system32\javant32.dll (file missing)
O2 - BHO: Class - {8F55D9E5-49FC-13A0-FC8E-39DD6D4849B4} - C:\WINNT\system32\windj32.dll (file missing)
O2 - BHO: Class - {901D063E-F548-B038-B35E-09357A9905BB} - C:\WINNT\winta32.dll (file missing)
O2 - BHO: Class - {A68EC69F-46D2-0A67-E96E-741AFE86C8A3} - C:\WINNT\ntwh32.dll (file missing)
O2 - BHO: Class - {A9603122-BBEE-8287-CEEA-5A1760205805} - C:\WINNT\netht.dll (file missing)
O2 - BHO: Class - {CC478517-684A-908C-011A-C7729819B4D6} - C:\WINNT\d3zh32.dll (file missing)
O2 - BHO: Class - {F988DED8-5173-11C9-BE67-4A84B0FA2E38} - C:\WINNT\system32\ipsw32.dll (file missing)

O4 - HKLM\..\Run: [sysxu32.exe] C:\WINNT\system32\sysxu32.exe
O4 - HKLM\..\Run: [netpi.exe] C:\WINNT\netpi.exe
O4 - HKLM\..\Run: [msyn32.exe] C:\WINNT\msyn32.exe
O4 - HKCU\..\Run: [bbxmtzl] c:\WINDOWS\System32\bbxmtzl.exe
O4 - HKCU\..\Run: [procsystem] C:\WINNT\System32\procsystem.exe

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v..._faliro_coastal
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwd.exe" /s (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

2. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Be sure you can view hidden files and folders:
  • Click Start
  • Double click on “My Computer”
  • Select the Tools menu, click on Folder Options, then click the View tab
  • Under the Hidden Files and Folders heading, select “Show hidden files and folders”
  • Uncheck the “Hide protected operating system files” option.
  • Click “Yes” to confirm, then click “OK”

4. Please delete these files using Windows Explorer (if present):
C:\WINNT\system32\sysxu32.exe
C:\WINNT\netpi.exe
C:\WINNT\msyn32.exe
c:\WINDOWS\System32\bbxmtzl.exe
C:\WINNT\System32\procsystem.exe


5. Disable a bad running service:
  • Go to Start | Run
  • Then type services.msc
  • This will launch a new window; scroll down the list and search for (Workstation NetLogon Service) or ( 11Fßä#·ºÄÖ`I)
  • Right click on this entry and select Stop
  • Now right click and select Properties; you will get a new box with tabs.
    In the General tab, look for Startup Type and, in the drop down box, select Disabled
  • Click Apply, then OK, and close out of the console.
6. Deleting an NT service:
  • Reboot into Safe Mode and do the following:
  • Open HJT and click the "Open misc tools" section. Then click "Delete an NT service". In the text box paste or type ( 11Fßä#·ºÄÖ`I) (make sure there IS a space in front of the first 1) and click OK. Then let the machine reboot!
7. Re-hide system files and folders:
  • Click Start
  • Double click on “My Computer”
  • Select the Tools menu, click on Folder Options, then click the View tab
  • Under the Hidden Files and Folders heading, unselect “Show hidden files and folders”
  • Check the “Hide protected operating system files” option.
  • Click “Yes” to confirm, then click “OK”

8. Please go to Active Scan and run a complete system scan. SAVE the log report from it.

9. Make a reply here with a copy of the ActiveScan report, and a fresh HJT log. Also, please let me know how things are running. :tazz:
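Added example, not part of the thread and not HijackThis' own code: a small Python triage script that turns the reasoning behind the entries Kat picked out (BHOs whose DLL is gone, Run keys launching unknown binaries straight out of the Windows directory, DPF items loaded over the hcp:// scheme, and a service whose name is binary garbage and whose image path is malformed) into checks that can be run over any HijackThis log. The sample lines are constructed from the log above; the "Example Toolbar" CLSID and path are placeholders, and the allowlist of system binaries permitted to autostart from System32 is an assumption to extend for your own machines.

```python
"""Heuristic triage of HijackThis log lines (constructed example for this thread).

Every finding still needs an analyst's judgement; the rules only surface the
patterns a helper looks for first.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    severity: str        # "high": the kinds of entries the helper had removed; "medium": review first
    section: str         # HijackThis section tag, e.g. "O23"
    reasons: List[str]
    line: str


# Constructed sample lines modelled on the log posted in this thread
# (the CLSID and path of the "Example Toolbar" line are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: Class - {01E31490-0283-33BA-A2D6-6BFE1432119A} - C:\WINNT\ipuy32.dll (file missing)
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
O4 - HKLM\..\Run: [sysxu32.exe] C:\WINNT\system32\sysxu32.exe
O4 - HKLM\..\Run: [netpi.exe] C:\WINNT\netpi.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwd.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A bare .exe directly in the Windows directory or System32. Legitimate autostarts
# there are rare, so anything not on the allowlist is treated as suspect.
WINDIR_EXE_RE = re.compile(r'[a-z]:\\(?:winnt|windows)\\(?:system32\\)?([^\\\s"]+\.exe)', re.I)
# Assumed allowlist of system binaries that do autostart from System32; extend for your estate.
KNOWN_SYSTEM_AUTORUNS = {"ctfmon.exe"}

Hit = Tuple[str, str]  # (severity, reason)


def _check_o2(body: str) -> List[Hit]:
    # IE keeps trying to load a BHO whose DLL was deleted; the registration itself is the leftover.
    if body.endswith("(file missing)"):
        return [("high", "BHO registered but its DLL is missing (orphaned registration)")]
    return []


def _check_o4(body: str) -> List[Hit]:
    m = WINDIR_EXE_RE.search(body)
    if m and m.group(1).lower() not in KNOWN_SYSTEM_AUTORUNS:
        return [("high", f"Run key launches unknown binary {m.group(1)} from the Windows directory")]
    return []


def _check_o16(body: str) -> List[Hit]:
    url = body.rsplit(" - ", 1)[-1]
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        return [("high", f"DPF item loaded over non-web scheme {scheme}://")]
    return []


def _check_o23(body: str) -> List[Hit]:
    parts = body.split(" - ", 2)          # "Service: <name> - <owner> - <image path>"
    if len(parts) != 3:
        return [("medium", "unparseable service entry")]
    name, owner, path = parts
    hits: List[Hit] = []
    if any(not 32 <= ord(c) <= 126 for c in name):
        hits.append(("high", "service name contains non-printable or non-ASCII characters"))
    if path.count('"') % 2:
        hits.append(("high", "image path has unbalanced quotes"))
    if owner == "Unknown owner" and path.endswith("(file missing)"):
        hits.append(("medium", "service of unknown origin whose binary is absent"))
    return hits


CHECKS: Dict[str, Callable[[str], List[Hit]]] = {
    "O2": _check_o2, "O4": _check_o4, "O16": _check_o16, "O23": _check_o23,
}


def triage(log_text: str) -> List[Finding]:
    """Run the section-specific checks over every HijackThis line in log_text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # running-process list, headers, blank lines
        section, body = m.groups()
        hits = CHECKS.get(section, lambda _b: [])(body)
        if hits:
            severity = "high" if any(s == "high" for s, _ in hits) else "medium"
            findings.append(Finding(severity, section, [r for _, r in hits], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print(f"         - {r}")
```

Running it on the sample flags the orphaned BHO, both Run entries that launch from the Windows directory, the hcp:// DPF item and the garbage-named service as high, and the "service" entry of unknown origin with a missing binary as medium, which mirrors the split between what Kat had fixed and what she left alone. The O23 check for "Unknown owner" plus "(file missing)" is deliberately only medium: the same log has harmless leftovers of that shape from uninstalled software.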

#5 ruthyntrouble (Topic Starter, Member, 39 posts)
Hi Kat,

I tried numerous times but couldn't get "Active Scan" to load. So no scan from Panda, but here is the newest HijackThis log.

Question: what is ATI HotKey Poller?

I am having a few problems with advertisement pictures on their web pages showing, but I don't really care about those anyway. Good riddance. I haven't had much of a chance to do anything but what I am doing now on the computer. So, I really don't know about any problems yet, except IE has shut down a couple of times. The last said the problem was regarding Dr. Watson Postmortem Debugger; whatever program that is, I don't know.

Thanks for the help, and I will be waiting for your reply,

Ruthy


Logfile of HijackThis v1.99.1
Scan saved at 1:57:13 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\system32\HPZipm12.exe
C:\DOCUME~1\Ruth\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yah...elp/themes.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Grouper.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.amctv.com
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: www.worldwinner.com
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#6 Kat (Retired Staff, MVP, 19,711 posts)
Hello and welcome back! :tazz:

The ATI Hotkey is part of your audio driver. Leave that entry alone. :)

There is an entry in your log now that is related to a CWS infection that wasn't there before. There are several steps in the process of cleaning this up, but if you don't do it now, this infection can and will mutate itself into something very, very nasty, rendering your computer useless. Let's get to work, ok? :)

~Downloads~

1. Download CleanUp. Install the program, but don't run it yet; we will use it later.
2. Download SpSeHjfix
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)
3. Download AboutBuster.
4. Download CWShredder.

~Update~

1. Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
2. Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
~Instructions~
1. Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

2. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

3. Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

4. Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

5. Now run CleanUp!

6. Reboot normally

7. Post a reply here. I would like to see a copy of the AboutBuster log, a copy of the SpSeHjfix log, and a new HijackThis scan taken after all above steps are completed! :) Also, please let me know how the computer is running now! :ph34r:

#7 ruthyntrouble (Topic Starter, Member, 39 posts)
Hi Kat,

Ran the above programs and here are the logs...

The only problem I encountered so far is that when I rebooted I got an error stating "Wireless G ... access violation at address 0012D610. Write of address 1000F98B." The Wireless icon didn't/doesn't show in my taskbar, but I got online OK.

The computer does seem a little slow.

I trashed 2 gigs of junk before I did this for you.


LOGS:


BUSTER:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 31


Removed Data Streams:
C:\WINNT\AMS2INST.LOG:gebsp
C:\WINNT\avpjd.log:frsoa
C:\WINNT\Basic Math 2 Setup Log.txt:bcusu
C:\WINNT\Blue Lace 16.bmp:fzljz
C:\WINNT\cnbabeie(4).exe:yorrr
C:\WINNT\Coffee Bean.bmp:ewqqs
C:\WINNT\comsetup.log:qocwt
C:\WINNT\control.ini:ihvkn
C:\WINNT\gwhotkey.ini:sklxf
C:\WINNT\GWMDMMSG(4).exe:kncdq
C:\WINNT\ieuninst.exe:txffj
C:\WINNT\iis6.log:kwera
C:\WINNT\KB820291.log:fkuws
C:\WINNT\KB824146.log:eagys
C:\WINNT\KB893086.log:kphlo
C:\WINNT\ODBCINST.INI:bynju
C:\WINNT\orun32.isu:ydsxy
C:\WINNT\Q314147.log:cblnk
C:\WINNT\Q323255.log:jlpxi
C:\WINNT\slingox.INI:mzlzf
C:\WINNT\svcpack.log:fmngo
C:\WINNT\system.ini:mjacr
C:\WINNT\tabletoc.log:qfmbb
C:\WINNT\videoimp.ini:lscoj
C:\WINNT\winnt256.bmp:kcbwn


Removed 4 Random Key Entries
Removed! : C:\WINNT\brfcu.dat
Removed! : C:\WINNT\chxqr.dat
Removed! : C:\WINNT\rcsrs.dat
Removed! : C:\WINNT\rcswv.dat
Removed! : C:\WINNT\rnirb.dat
Removed! : C:\WINNT\ubxiy.dat
Removed! : C:\WINNT\udbtm.dat
Removed! : C:\WINNT\ytbjr.dat
Removed! : C:\WINNT\zhlqr.dat
Removed! : C:\WINNT\system32\bafuw.dat
Removed! : C:\WINNT\system32\euvkj.dat
Removed! : C:\WINNT\system32\judbp.dat
Removed! : C:\WINNT\system32\lmxny.dat
Removed! : C:\WINNT\system32\qhotx.dat
Removed! : C:\WINNT\system32\uwpmc.dat
Removed! : C:\WINNT\system32\vdwna.dat
Removed! : C:\WINNT\system32\vjkuy.dat
Removed! : C:\WINNT\system32\ycumi.dat
Removed! : C:\WINNT\system32\zzgao.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 31


Removed Data Streams:
C:\WINNT\AMS2INST.LOG:gebsp
C:\WINNT\avpjd.log:frsoa
C:\WINNT\Basic Math 2 Setup Log.txt:bcusu
C:\WINNT\Blue Lace 16.bmp:fzljz
C:\WINNT\cnbabeie(4).exe:yorrr
C:\WINNT\Coffee Bean.bmp:ewqqs
C:\WINNT\comsetup.log:qocwt
C:\WINNT\control.ini:ihvkn
C:\WINNT\gwhotkey.ini:sklxf
C:\WINNT\GWMDMMSG(4).exe:kncdq
C:\WINNT\ieuninst.exe:txffj
C:\WINNT\iis6.log:kwera
C:\WINNT\KB820291.log:fkuws
C:\WINNT\KB824146.log:eagys
C:\WINNT\KB893086.log:kphlo
C:\WINNT\ODBCINST.INI:bynju
C:\WINNT\orun32.isu:ydsxy
C:\WINNT\Q314147.log:cblnk
C:\WINNT\Q323255.log:jlpxi
C:\WINNT\slingox.INI:mzlzf
C:\WINNT\svcpack.log:fmngo
C:\WINNT\system.ini:mjacr
C:\WINNT\tabletoc.log:qfmbb
C:\WINNT\videoimp.ini:lscoj
C:\WINNT\winnt256.bmp:kcbwn


Attempted Clean Of Temp folder.
Pages Reset... Done!

SpSeHjfix log:



(8/26/05 8:07:04 PM) SPSeHjFix started v1.1.2
(8/26/05 8:07:04 PM) OS: WinXP Service Pack 2 (5.1.2600)
(8/26/05 8:07:04 PM) Language: english
(8/26/05 8:07:04 PM) Win-Path: C:\WINNT
(8/26/05 8:07:04 PM) System-Path: C:\WINNT\system32
(8/26/05 8:07:04 PM) Temp-Path: C:\DOCUME~1\Ruth\LOCALS~1\Temp\
(8/26/05 8:07:10 PM) Disinfection started
(8/26/05 8:07:10 PM) Bad-Dll(IEP): (not found)
(8/26/05 8:07:10 PM) Bad-Dll(IEP) in BHO: (not found)
(8/26/05 8:07:10 PM) UBF: 7 - UBB: 0 - UBR: 4
(8/26/05 8:07:10 PM) UBF: 7 - UBB: 0 - UBR: 4
(8/26/05 8:07:10 PM) Bad IE-pages: (none)
(8/26/05 8:07:10 PM) Stealth-String not found
(8/26/05 8:07:10 PM) Not infected->END


HiJack Log:

* HijackThis v1.99.1 *
Written by Merijn - [email protected]
http://www.merijn.or.../hijackthis.zip
http://www.merijn.org/index.html

See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services

Command-line parameters:
* /autolog - Automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit

* Version history *

[v1.99.1]
* Added Winlogon Notify keys to O20 listing
* Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
* Fixed lots and lots of 'unexpected error' bugs
* Fixed lots of inproper functioning bugs (i.e. stuff that didn't work)
* Added 'Delete NT Service' function in Misc Tools section
* Added ProtocolDefaults to O15 listing
* Fixed MD5 hashing not working
* Fixed 'ISTSVC' autorun entries with garbage data not being fixed
* Fixed HijackThis uninstall entry not being updated/created on new versions
* Added Uninstall Manager in Misc Tools to manage 'Add/Remove Software' list
* Added option to scan the system at startup, then show results or quit if nothing found
[v1.99]
* Added O23 (NT Services) in light of newer trojans
* Integrated ADS Spy into Misc Tools section
* Added 'Action taken' to info in 'More info on this item'
[v1.98]
* Definitive support for Japanese/Chinese/Korean systems
* Added O20 (AppInit_DLLs) in light of newer trojans
* Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
* Added O22 (SharedTaskScheduler) in light of newer trojans
* Backups of fixed items are now saved in separate folder
* HijackThis now checks if it was started from a temp folder
* Added a small process manager (Misc Tools section)
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.


Will await your next instructions.

Ruthy

#8
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! :tazz:

Could you please use HijackThis to scan for a log similar to the first ones you did for me and paste it here? Thanks!!

#9
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
So Sorry. That was a version of HJT I downloaded in Feb.

LOG

Logfile of HijackThis v1.99.1
Scan saved at 10:56:13 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\alg.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruth\Desktop\P'uter Tips\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yah...elp/themes.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Grouper.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.worldwinner.com
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#10
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Little more to do! :tazz:

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINNT\winqm32.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Open HijackThis and scan for a log. Place a check next to the following entries only (if present)

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN << resource hog, not needed
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe << resource hog, not needed


Be sure all other programs are closed, and click the "Fix Selected" button.


Let's take a look at your startup list so we can trim it down some to help speed you back up! :)

Create StartupList log:
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post

Make a reply here with the copy of the StartupList as well as a new HijackThis log! :)


#11
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi again! After looking through the log again, there is another thing you need to do. There's still an O23 service running that is not legitimate. I missed it before because of the "file missing" after the service name. Don't let that fool you though. That service is still there most likely! Let's kill it! :tazz:


Fix this line in HijackThis like you do the others, then reboot and let me know if it is gone or came back! :)

O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
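As an added example (not code from this thread or from HijackThis), here is a small Python triage helper for the log format posted above: it parses O4 Run entries and O23 service entries and flags the two patterns Kat points out, an autostart binary dropped directly into the Windows folder, and a service whose registration is still present although its file is reported missing. The two heuristics and the handful of sample lines are constructed for illustration and mark entries for review rather than for deletion.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a few O4 and O23 lines copied from the logs
# posted above; the full log is not needed to exercise the two rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: service - Unknown owner - C:\WINNT\SERVICE.EXE (file missing)
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# "O23 - Service: name - owner - path [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
# First path-like token of a Run command, quoted or not, up to its extension.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|bat|cmd|dll|sys))"?', re.IGNORECASE)
# A file placed directly in the Windows directory rather than in a subfolder
# (heuristic assumed for this example: legitimate software rarely does that).
WINROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$")


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    name: str      # Run value name or service name
    path: str      # executable the entry points at
    reason: str


def in_windows_root(path: str) -> bool:
    return WINROOT_RE.match(path.strip().lower()) is not None


def parse_o4(line: str) -> Optional[dict]:
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE_RE.match(command)
    return {"hive": hive, "key": key, "name": name,
            "path": exe.group(1) if exe else command}


def parse_o23(line: str) -> Optional[dict]:
    m = O23_RE.match(line)
    if not m:
        return None
    name, owner, path, missing = m.groups()
    return {"name": name, "owner": owner, "path": path,
            "file_missing": missing is not None}


def triage(log_text: str) -> List[Finding]:
    """Apply the two review heuristics to every O4/O23 line of a log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if (run := parse_o4(line)) is not None:
            if in_windows_root(run["path"]):
                findings.append(Finding("O4", run["name"], run["path"],
                    "autostart binary sits directly in the Windows folder"))
        elif (svc := parse_o23(line)) is not None:
            # "(file missing)" only says the binary is gone; the service
            # registration itself is still in the registry until removed.
            if svc["owner"] == "Unknown owner" and svc["file_missing"]:
                findings.append(Finding("O23", svc["name"], svc["path"],
                    "service still registered although its file is missing"))
            elif in_windows_root(svc["path"]):
                findings.append(Finding("O23", svc["name"], svc["path"],
                    "service binary sits directly in the Windows folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<14}{f.path:<45}{f.reason}")
```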

#12
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Will do that now. I saw that and wondered what it was...going to take pleasure in swatting all these little pests...grrr...

#13
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
:tazz:

#14
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
"Fixed it", rebooted, saw no signs of it....

Question?


O23 Stopzilla and O23 Picturetaker....are they imp or can I zap them off?

Thanks Ruthy

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:35 AM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruth\Desktop\P'uter Tips\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yah...elp/themes.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Grouper.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.worldwinner.com
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#15
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
You can zap them both if you want. They may not fix in HJT, b/c they still have legit files. If they don't, I can show you how to disable and kill them.

Did you run the instructions for Killbox?? For this line??

O4 - HKLM\..\Run: [winqm32.exe] C:\WINNT\winqm32.exe

If so, the sucker didn't die. :) Let me know. If you didn't, please run it. It's in the post above where I told you to fix that O23 service. If you did...we'll find another way. :tazz: