OMG soo frustrated



#1
meh

meh

    Member

  • Member
  • PipPip
  • 15 posts
Ok, I'm having problems with the DRWTSN32.EXE thing. I can't get into my folders - every time I try, everything freezes, and the error box pops up saying that the debugger program has encountered a problem and needs to close. I've searched online for similar cases, and found quite a few. I uninstalled the XP SP2 and it was all ok, but then my comp was running really really slowly, and people told me to re-install it, so I did. Then I proceeded to scan and rid my comp of viruses and adwares, install all new Windows updates, and even the new Windows Media Player 10 (because that fixed someone else's problems with DRWTSN). After installing Windows Media Player the problem seemed to go away, but it's back! And I don't know why! And it's KILLING me!! Please help!

Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 11:40:37 PM, on 2/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\WINDOWS\ieql.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\mskc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\O Great One\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E38BBEC2-8E70-3C46-43FC-DD9D8553C2B0} - C:\WINDOWS\system32\atluc.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [ieql.exe] C:\WINDOWS\ieql.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uigmgmfv.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\mskc.exe

--------------------------------------------------

What's wrong with my computer??? :tazz: :thumbsup: ;)

Thanks!

-Meh
  • 0



#2
Windsun

Windsun

    Member

  • Member
  • PipPip
  • 20 posts
If you installed SP2 while infected, you may have to uninstall it, clean up the computer, and then reinstall it. See the info in the sticky message.
  • 0

#3
meh

meh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
No, it was infected first so I uninstalled it, then ran virus/adware checks, and then re-installed it. The problem disappeared when I uninstalled it, but my comp ran really slow. And I was told that I should have it installed, because it has critical updates and such. But the re-install re-added the problem :tazz: .
  • 0

#4
Windsun

Windsun

    Member

  • Member
  • PipPip
  • 20 posts
Have you tried all the usual stuff, like cleaning out old files, defragging, etc?
  • 0

#5
mpfeif101

mpfeif101

    Member 1K

  • Retired Staff
  • 1,411 posts
Windsun, we appreciate the help, but this is a complex malware infection. Someone will be along shortly to help you.
  • 0

#6
meh

meh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok thanks. Windsun, I appreciate you trying to help, thanks a lot! :tazz:

...omg "complex malware infection"?? ;) that doesn't sound good.... eep! :thumbsup:
  • 0

#7
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
  • Reconfigure Windows XP to show hidden files:
    • Click Start. Open My Computer.
    • Select the Tools menu and click Folder Options. Select the View tab.
    • Under the Hidden files and folders heading select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes to confirm. Click OK.
  • Boot into Safe Mode:
    • Restart your computer and immediately begin tapping the F8 key on your keyboard.
    • If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
    • To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

  • 0

#8
meh

meh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OK, I followed the directions. Had problems with reconfiguring Windows to show hidden files, so I did it after I was in Safe Mode. Everything ran smoothly in Safe Mode; here's the AboutBuster log:

Scanned at: 1:26:02 PM on: 2/10/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\BOOTSTAT.DAT:ywggv
C:\WINDOWS\Coffee Bean.bmp:jxrqr
C:\WINDOWS\Coffee Bean.bmp:jxrqr
C:\WINDOWS\DELL.BMP:belzz
C:\WINDOWS\DJBDRV.LOG:ufeeb
C:\WINDOWS\erjsw.dll:qffym
C:\WINDOWS\FaxSetup.log:igydg
C:\WINDOWS\Gone Fishing.bmp:npwem
C:\WINDOWS\Greenstone.bmp:iajcj
C:\WINDOWS\idzlc.dll:yrhwi
C:\WINDOWS\ieuninst.exe:nfnwu
C:\WINDOWS\IFinst25.exe:rrrcc
C:\WINDOWS\KB826939.log:pdmwz
C:\WINDOWS\kwtgk.dat:kfiuq
C:\WINDOWS\msoffice.ini:nrcvs
C:\WINDOWS\nnnal.dat:qchzz
C:\WINDOWS\nsreg.dat:srfci
C:\WINDOWS\ntzh32.dll:ksxpk
C:\WINDOWS\otzxv.dat:ejvfa
C:\WINDOWS\pebble-irda.reg:ojgkc
C:\WINDOWS\Q328213.log:fgmqy
C:\WINDOWS\Q329112.log:zlrdz
C:\WINDOWS\Q811789.log:slbit
C:\WINDOWS\Q811789.log:slbit
C:\WINDOWS\Q816486.log:ffvrm
C:\WINDOWS\Rhododendron.bmp:epfuu
C:\WINDOWS\River Sumida.bmp:anwpa
C:\WINDOWS\rnobe.dat:pibzz
C:\WINDOWS\setupapi.log:ojygl
C:\WINDOWS\setuperr.log:vbhcw
C:\WINDOWS\setuperr.log:vbhcw
C:\WINDOWS\snapg.dll:rkcnd
C:\WINDOWS\sql70.MIF:twnvl
C:\WINDOWS\sqlstp.log:klmsx
C:\WINDOWS\Sti_Trace.log:mxxao
C:\WINDOWS\svcpack.log:naryy
C:\WINDOWS\TASKMAN.EXE:cmfxz
C:\WINDOWS\uwdir.txt:nnair
C:\WINDOWS\vmuninst.log:brspd
C:\WINDOWS\WIN.INI:ayaqm
C:\WINDOWS\WindowsUpdate.log:srtvo
C:\WINDOWS\WINNT256.BMP:izvkl


Removed 6 Random Key Entries
Removed! : C:\WINDOWS\agfou.dat
Removed! : C:\WINDOWS\auwfp.dll
Removed! : C:\WINDOWS\dehug.dat
Removed! : C:\WINDOWS\dkhwp.dat
Removed! : C:\WINDOWS\erjsw.dll
Removed! : C:\WINDOWS\faytz.dll
Removed! : C:\WINDOWS\fldrv.dat
Removed! : C:\WINDOWS\flwqs.dat
Removed! : C:\WINDOWS\fvyur.dat
Removed! : C:\WINDOWS\gmdsq.dat
Removed! : C:\WINDOWS\haoxp.dat
Removed! : C:\WINDOWS\hkblw.dll
Removed! : C:\WINDOWS\hllvw.dat
Removed! : C:\WINDOWS\hzovn.dll
Removed! : C:\WINDOWS\idzlc.dll
Removed! : C:\WINDOWS\ihqvv.dat
Removed! : C:\WINDOWS\jjidp.dll
Removed! : C:\WINDOWS\jjkyw.dll
Removed! : C:\WINDOWS\khvcr.dat
Removed! : C:\WINDOWS\kpfay.dat
Removed! : C:\WINDOWS\kpxdz.dll
Removed! : C:\WINDOWS\kwtgk.dat
Removed! : C:\WINDOWS\lxgve.dat
Removed! : C:\WINDOWS\mhuou.dll
Removed! : C:\WINDOWS\mosbv.dll
Removed! : C:\WINDOWS\nivlh.dat
Removed! : C:\WINDOWS\nnnal.dat
Removed! : C:\WINDOWS\nysqw.dll
Removed! : C:\WINDOWS\otzxv.dat
Removed! : C:\WINDOWS\pacjo.dat
Removed! : C:\WINDOWS\pjyvi.dat
Removed! : C:\WINDOWS\qlviw.dll
Removed! : C:\WINDOWS\qpzzz.dat
Removed! : C:\WINDOWS\qsfbb.dll
Removed! : C:\WINDOWS\rfwtn.dll
Removed! : C:\WINDOWS\rnobe.dat
Removed! : C:\WINDOWS\rwail.dat
Removed! : C:\WINDOWS\sioqx.dat
Removed! : C:\WINDOWS\snapg.dll
Removed! : C:\WINDOWS\szvja.dat
Removed! : C:\WINDOWS\tjmsb.dll
Removed! : C:\WINDOWS\tydmc.dat
Removed! : C:\WINDOWS\tyrth.dat
Removed! : C:\WINDOWS\ubwjp.dat
Removed! : C:\WINDOWS\untlo.dat
Removed! : C:\WINDOWS\veetr.dat
Removed! : C:\WINDOWS\vjfgq.dll
Removed! : C:\WINDOWS\vyfyv.dat
Removed! : C:\WINDOWS\wxmhm.dll
Removed! : C:\WINDOWS\xriem.dat
Removed! : C:\WINDOWS\zlypy.dat
Removed! : C:\WINDOWS\system32\afmwt.dll
Removed! : C:\WINDOWS\system32\akbtd.dll
Removed! : C:\WINDOWS\system32\aoilk.dat
Removed! : C:\WINDOWS\system32\cbbxr.dll
Removed! : C:\WINDOWS\system32\cjgdz.dat
Removed! : C:\WINDOWS\system32\crbix.dll
Removed! : C:\WINDOWS\system32\dlmis.dll
Removed! : C:\WINDOWS\system32\eaecf.dat
Removed! : C:\WINDOWS\system32\ekizj.dat
Removed! : C:\WINDOWS\system32\emlei.dat
Removed! : C:\WINDOWS\system32\epadm.dat
Removed! : C:\WINDOWS\system32\esxpk.dat
Removed! : C:\WINDOWS\system32\exnwm.dat
Removed! : C:\WINDOWS\system32\fvilf.dll
Removed! : C:\WINDOWS\system32\gcgte.dat
Removed! : C:\WINDOWS\system32\gdctc.dll
Removed! : C:\WINDOWS\system32\gglob.dll
Removed! : C:\WINDOWS\system32\gmery.dll
Removed! : C:\WINDOWS\system32\gvfkp.dat
Removed! : C:\WINDOWS\system32\gxwau.dat
Removed! : C:\WINDOWS\system32\hizql.dll
Removed! : C:\WINDOWS\system32\ijaqk.dll
Removed! : C:\WINDOWS\system32\iyxhc.dat
Removed! : C:\WINDOWS\system32\jdxhp.dat
Removed! : C:\WINDOWS\system32\jgdzn.dll
Removed! : C:\WINDOWS\system32\jgeeb.dll
Removed! : C:\WINDOWS\system32\jipjn.dat
Removed! : C:\WINDOWS\system32\jqewh.dat
Removed! : C:\WINDOWS\system32\jtuly.dat
Removed! : C:\WINDOWS\system32\kizjt.dll
Removed! : C:\WINDOWS\system32\kuuaz.dat
Removed! : C:\WINDOWS\system32\kvyve.dll
Removed! : C:\WINDOWS\system32\lenhl.dat
Removed! : C:\WINDOWS\system32\lfwfo.dat
Removed! : C:\WINDOWS\system32\lqfrk.dll
Removed! : C:\WINDOWS\system32\lrjjd.dll
Removed! : C:\WINDOWS\system32\miobb.dat
Removed! : C:\WINDOWS\system32\mknye.dat
Removed! : C:\WINDOWS\system32\nczif.dat
Removed! : C:\WINDOWS\system32\omyxq.dll
Removed! : C:\WINDOWS\system32\orzpd.dll
Removed! : C:\WINDOWS\system32\pkvfr.dat
Removed! : C:\WINDOWS\system32\pyxwy.dat
Removed! : C:\WINDOWS\system32\qbqtl.dat
Removed! : C:\WINDOWS\system32\qewhd.dll
Removed! : C:\WINDOWS\system32\qmirc.dat
Removed! : C:\WINDOWS\system32\rafcq.dat
Removed! : C:\WINDOWS\system32\rdhmo.dll
Removed! : C:\WINDOWS\system32\rxvxp.dll
Removed! : C:\WINDOWS\system32\rzmef.dll
Removed! : C:\WINDOWS\system32\sgtvp.dat
Removed! : C:\WINDOWS\system32\snzwv.dat
Removed! : C:\WINDOWS\system32\sofcw.dll
Removed! : C:\WINDOWS\system32\ssrvm.dat
Removed! : C:\WINDOWS\system32\tdcsh.dat
Removed! : C:\WINDOWS\system32\tdyzl.dll
Removed! : C:\WINDOWS\system32\tijaq.dat
Removed! : C:\WINDOWS\system32\ujxvs.dat
Removed! : C:\WINDOWS\system32\umbcq.dll
Removed! : C:\WINDOWS\system32\uujzu.dll
Removed! : C:\WINDOWS\system32\uyply.dll
Removed! : C:\WINDOWS\system32\vbhcw.dat
Removed! : C:\WINDOWS\system32\vhstt.dat
Removed! : C:\WINDOWS\system32\wlrjj.dat
Removed! : C:\WINDOWS\system32\wmhfc.dat
Removed! : C:\WINDOWS\system32\wuhrf.dll
Removed! : C:\WINDOWS\system32\wwnlt.dll
Removed! : C:\WINDOWS\system32\xehmt.dat
Removed! : C:\WINDOWS\system32\xloig.dll
Removed! : C:\WINDOWS\system32\xukgh.dat
Removed! : C:\WINDOWS\system32\xzbgp.dll
Removed! : C:\WINDOWS\system32\ycbag.dat
Removed! : C:\WINDOWS\system32\yjgee.dat
Removed! : C:\WINDOWS\system32\yjwgw.dat
Removed! : C:\WINDOWS\system32\zbdei.dll
Removed! : C:\WINDOWS\system32\zhaio.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23


Removed Data Streams:
C:\WINDOWS\BOOTSTAT.DAT:ywggv
C:\WINDOWS\Coffee Bean.bmp:jxrqr
C:\WINDOWS\Coffee Bean.bmp:jxrqr
C:\WINDOWS\DELL.BMP:belzz
C:\WINDOWS\DJBDRV.LOG:ufeeb
C:\WINDOWS\erjsw.dll:qffym
C:\WINDOWS\FaxSetup.log:igydg
C:\WINDOWS\Gone Fishing.bmp:npwem
C:\WINDOWS\Greenstone.bmp:iajcj
C:\WINDOWS\idzlc.dll:yrhwi
C:\WINDOWS\ieuninst.exe:nfnwu
C:\WINDOWS\IFinst25.exe:rrrcc
C:\WINDOWS\KB826939.log:pdmwz
C:\WINDOWS\kwtgk.dat:kfiuq
C:\WINDOWS\msoffice.ini:nrcvs
C:\WINDOWS\nnnal.dat:qchzz
C:\WINDOWS\nsreg.dat:srfci
C:\WINDOWS\ntzh32.dll:ksxpk
C:\WINDOWS\otzxv.dat:ejvfa
C:\WINDOWS\pebble-irda.reg:ojgkc
C:\WINDOWS\Q328213.log:fgmqy
C:\WINDOWS\Q329112.log:zlrdz
C:\WINDOWS\Q811789.log:slbit
C:\WINDOWS\Q811789.log:slbit
C:\WINDOWS\Q816486.log:ffvrm
C:\WINDOWS\Rhododendron.bmp:epfuu
C:\WINDOWS\River Sumida.bmp:anwpa
C:\WINDOWS\rnobe.dat:pibzz
C:\WINDOWS\setupapi.log:ojygl
C:\WINDOWS\setuperr.log:vbhcw
C:\WINDOWS\setuperr.log:vbhcw
C:\WINDOWS\snapg.dll:rkcnd
C:\WINDOWS\sql70.MIF:twnvl
C:\WINDOWS\sqlstp.log:klmsx
C:\WINDOWS\Sti_Trace.log:mxxao
C:\WINDOWS\svcpack.log:naryy
C:\WINDOWS\TASKMAN.EXE:cmfxz
C:\WINDOWS\uwdir.txt:nnair
C:\WINDOWS\vmuninst.log:brspd
C:\WINDOWS\WIN.INI:ayaqm
C:\WINDOWS\WindowsUpdate.log:srtvo
C:\WINDOWS\WINNT256.BMP:izvkl


Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 1:32:01 PM on: 2/10/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-----------------------------------------------------------------------------------------------




After the reboot, I got an error message saying that CWShredder encountered a problem and had to close, so I clicked OK and sent an error report. When going to the TrendMicro Housecall site, it said I didn't have the required components, and led me to a download link. I downloaded it, but when trying to run it, it said "cannot find shell.dll". I clicked OK, and it went back to running, but then it was looking for a Netscape directory (which I don't have because I don't use Netscape), so I clicked "exit". Should I download Netscape? Or whatever component seems to be missing? I still can't get into my file folders. Here's my new hijack log:





Logfile of HijackThis v1.99.0
Scan saved at 1:40:41 PM, on 2/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\ieql.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\mskc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\O Great One\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D6C341F6-6A72-BA75-4844-5F1A7649C3EC} - C:\WINDOWS\system32\mfcjn32.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ieql.exe] C:\WINDOWS\ieql.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uigmgmfv.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\O Great One\Desktop\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mskc.exe


--------------------------------------------------------------------------------------------


What to do, what to do? Thanks for your help!

-me
  • 0
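Reading the two HijackThis logs side by side is the triage the helpers in this thread do by eye. As an added example (not a tool from this thread, from Geeks to Go or from the HijackThis project), the Python below parses constructed excerpts of both logs, flags the indicator classes they show (IE search page redirected into a res:// path inside a local DLL, unnamed BHOs, a DPF entry pointing at a local file, unknown-vendor services under C:\WINDOWS), and compares O23 services by binary path to show that mskc.exe survives the cleanup under a new display name. The heuristics and the trimmed excerpts are the example's own assumptions.

```python
"""Triage helper for HijackThis logs (example code added to this thread; not a
tool from the thread, from Geeks to Go or from the HijackThis project)."""
import re

# Constructed excerpts of the two logs posted above: the first before the
# fix, the second after it. Only the lines relevant to the triage are kept.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\eevfx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eevfx.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E38BBEC2-8E70-3C46-43FC-DD9D8553C2B0} - C:\WINDOWS\system32\atluc.dll
O4 - HKLM\..\Run: [ieql.exe] C:\WINDOWS\ieql.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uigmgmfv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\mskc.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D6C341F6-6A72-BA75-4844-5F1A7649C3EC} - C:\WINDOWS\system32\mfcjn32.dll
O4 - HKLM\..\Run: [ieql.exe] C:\WINDOWS\ieql.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mskc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse(log):
    """Return (section, body) pairs for every HijackThis entry in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def split_service(body):
    """'Service: <display name> - <vendor> - <path>' -> (name, vendor, path)."""
    name, vendor, path = body[len("Service: "):].rsplit(" - ", 2)
    return name, vendor, path


def triage(log):
    """Flag the indicator classes visible in this thread's logs.

    Returns (section, path, note) tuples. These are heuristics, not verdicts:
    the unknown-vendor rule also catches Ati2evxx.exe, the legitimate ATI
    hotkey poller, so every hit still needs vetting against a known-good list.
    """
    findings = []
    for section, body in parse(log):
        if section in ("R0", "R1"):
            # IE start/search page served out of a local DLL through res:// is
            # the about:blank / CoolWebSearch hijack the first log shows.
            m = re.search(r"= res://(.+?\.dll)", body, re.IGNORECASE)
            if m:
                findings.append((section, m.group(1), "IE search/start page hijacked to local DLL"))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # A browser helper object with no name, loading a random-looking DLL.
            findings.append((section, body.rsplit(" - ", 1)[1], "unnamed BHO"))
        elif section == "O16":
            # DPF entries normally reference a remote .cab; a file:// pointer at
            # a local executable deserves a look.
            m = re.search(r"file://(.+)$", body)
            if m:
                findings.append((section, m.group(1), "DPF entry pointing at a local file"))
        elif section == "O23":
            name, vendor, path = split_service(body)
            if vendor == "Unknown" and path.lower().startswith(r"c:\windows"):
                findings.append((section, path, f"unknown-vendor service '{name}'"))
    return findings


def services_by_path(log):
    """Map each O23 service binary (lower-cased path) to its display name."""
    return {split_service(body)[2].lower(): split_service(body)[0]
            for section, body in parse(log) if section == "O23"}


def renamed_services(before, after):
    """Service binaries present in both logs under a different display name.

    Comparing by binary path rather than by name is what exposes mskc.exe: it
    survives the cleanup, re-registered as 'Remote Procedure Call (RPC) Helper'.
    """
    old, new = services_by_path(before), services_by_path(after)
    return {p: (old[p], new[p]) for p in old.keys() & new.keys() if old[p] != new[p]}


if __name__ == "__main__":
    for tag, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        for section, path, note in triage(log):
            print(f"[{tag}] {section}: {note} -> {path}")
    for path, (old, new) in renamed_services(LOG_BEFORE, LOG_AFTER).items():
        print(f"[persisted] {path}: '{old}' is now '{new}'")
```

Vendor "Unknown" alone is a weak signal (it also hits the ATI hotkey poller); the same binary reappearing under a different service name is the stronger one.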

#9
meh

meh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
bump

:tazz:
  • 0





