
HJT sthacker


11 replies to this topic

#1 sthacker

sthacker

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 06 July 2005 - 01:17 AM

This log is the result of a thread in the 'Antivirus, Firewall........etc' board. I'm not quite sure how to tie the two together and could find no tutorial that helped.

This computer is miserable, and very ill. I was able to get on the internet long enough to download HJT, but could not get updates for Ad-aware and Spybot, so don't know the exact level of them. They were loaded from disk, and this log file was moved to my computer by disk. I cannot run long enough to get connected to your site again.

I ran the requisite cleaners in safe mode and then HJT. Norton is on the computer, but I cannot start it!

On one startup, I got a message from Microsoft that it detected a virus and their new tool should be downloaded and run. I downloaded on my computer to disk then installed and ran it on the bad guy. It cleaned two viruses (virii ?), but I still cannot get on the internet. If this log doesn't help, I'm about to format the hard disk and reinstall XP. I've forgotten how, but maybe I can learn again faster than I'm making progress now. This is so frustrating!!!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 9:32:53 PM, on 7/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Netlib.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.newsoftinc.com/nsiweb/register/...t_register.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecme32.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoLoader3w0G1JNgcZLa] "C:\WINDOWS\System32\inpext40.exe"
O4 - HKLM\..\Run: [33rg37Q] inpext40.exe
O4 - HKLM\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKLM\..\Run: [59ghupkk] C:\WINDOWS\System32\59ghupkk.exe
O4 - HKLM\..\Run: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Windows Registry Name] mscnfg.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKLM\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\RunServices: [Windows Registry Name] mscnfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Anything in here look like it causes multiple major disasters?? Thanks. Stan
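The kind of reading a helper does on a log like the one above can be scripted. The following is an added example, not part of the thread and not HijackThis code: it triages O4, O15 and O23 lines with four heuristics that are my own assumptions (an autostart that names a bare filename with no directory, an autostart name borrowing words like "Windows" or "Service Driver", a service whose version info carries no vendor, and http mapped to the My Computer zone). The sample lines are copied from the first log posted.

```python
import re

# Sample input: lines copied from the first HJT log in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe',
    r'O4 - HKLM\..\Run: [Windows-XP-Service-Pack] xpspz.exe',
    r'O4 - HKLM\..\RunServices: [Compaq Service Drivers] msnsvc.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    r'O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe',
    r'O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: <display name> (<short name>) - <owner> - <path>
O23_RE = re.compile(r'^O23 - Service: .*? - (?P<owner>.*?) - (?P<path>.*)$')
# Words that autostart entries in this log borrow to look like Windows parts (assumed list).
IMPERSONATION = ('windows', 'service pack', 'service driver', 'registry')


def exe_token(cmd):
    """Return the program part of an autostart command line (quoted or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(' ')[0]


def triage(log_text):
    """Return (line, reason) pairs for entries a helper would want to look at."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            # A Run value that names an exe with no directory relies on the search
            # path; installers of legitimate software almost always write a full path.
            if '\\' not in exe_token(m.group('cmd')):
                findings.append((line, 'autostart with no path'))
            name = m.group('name').lower().replace('-', ' ')
            if any(word in name for word in IMPERSONATION):
                findings.append((line, 'autostart name imitates a Windows component'))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append((line, 'service with no vendor in version info'))
            continue
        if line.startswith('O15 - ProtocolDefaults') and 'My Computer Zone' in line:
            findings.append((line, 'http mapped to My Computer zone'))
    return findings
```

The heuristics are deliberately coarse: BCMSMMSG.exe is flagged for its bare path yet also appears in the clean post-reinstall log, so each hit is a prompt to look the entry up, not a verdict.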


#2 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 06 July 2005 - 10:22 PM

Cannot get on the internet at all now. I get "Page Cannot Be Displayed" on any attempt. Removed Norton and Earthlink. At connect I get 5 quick Microsoft appearing Update windows with URL:
C:\WINDOWS\Update-SP1.html
C:\WINDOWS\Update-SP2.html
C:\WINDOWS\Update-SP3.html
C:\WINDOWS\Update-SP4.html
C:\WINDOWS\Update-SP5.html
Each then gives a pop-up telling me to go to a site for help. These were listed in original problem description. Hope this helps some.

I'm still going through Microsoft KB 326155 trying to see what I changed that stops internet access completely.

Stan

#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:47 AM

Posted 08 July 2005 - 05:52 PM

If you still need help, could you post a fresh log?

#4 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 09 July 2005 - 01:13 AM

Well, I still need help, but I fear you're too late. Among many others, I'm sure I have what Symantec calls W32.Wallz, which is the most egregious little bugger I've ever seen. Getting to where I am, I have the system pretty well screwed up, trying to repair, restore, and anything else I could think of to try. I've upgraded the system with the CD shipped by Dell, but cannot get enough drivers installed to run anything, and of course, cannot get onto the internet to get updated drivers online. The cursed critter keeps dialing and putting pop-up screens in the way that can't be deleted.

Tomorrow I'm going to format and reinstall XP to see if that will eradicate it.

Stan

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:47 AM

Posted 09 July 2005 - 09:39 AM

It's up to you, but it's possible that you just removed something from the Winsock that hosed your connection. Have you tried running a Winsock repair tool?

#6 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 09 July 2005 - 02:21 PM

No, I have not tried that, but I found a track for the operation that was constantly trying to make an internet connection. "owjgp.game2max.net". Through Google and a couple of discussion boards I wound up at
< https://www-secure.symantec.com/avcenter/ve....wallz.html>.
Based on the many runnings of Spybot and Ad-Aware trying for an HJT log, and the myriad of problems found every time, I feel there are many other bugs buried somewhere on the hard drive and I want to end this as soon as possible. I have to go to Mayo in a week and have other things that need to be done. I'd love an easier way, but think by running Dell reinstall with Windows disk, I've probably done as much damage to the system as the worms have!

Stan

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:47 AM

Posted 09 July 2005 - 04:22 PM

Just for fun, see if you can download and run this tool:
http://www.snapfiles.com/get/lspfix.html

That may fix your winsock and get you back on the road to recovery. But at this point, I think you are going to be better off doing a full reinstall (including a reformat/repartition). If you just do a repair reinstall, it will keep coming back.

#8 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 10 July 2005 - 12:22 AM

Nice try, but no cigar! I ran the fix (I think). Is it really quick? There were 3 files listed on the left and none on the right. When I said 'Finish' it said done...
Kinda like, "This isn't going to hurt, did it?" Anyway, nothing changed. I don't think I mentioned this before, but a couple of strange things make me more wary of still hidden bugs. I cannot open the task manager. It pops up on the screen and goes away so quick you can't read anything. Then a green square appears in the system tray. If I try to open it again, another green square, etc. If I try to move the cursor to the green square, they disappear. Also, I was going to run Regedit to see if the documented tracks of W32.Wallz were in the registry. I cannot run Regedit!! Seems like someone(s) is keeping me out of my system.

Stan

#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:47 AM

Posted 10 July 2005 - 09:13 AM

Try running regedt32.exe instead... see if that will get you in there.

I hate to say this, but I think I will have to agree with you...reformat, and reinstall. I don't know all of what you have done, and you are describing some whacked out symptoms that I have never heard. If I was sitting right in front of your computer with you, I could probably get you going. It's a little hard from here when I can't physically tinker with your machine.

#10 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 12 July 2005 - 08:24 AM

Well, Groovicus, I'm about to jump out the window. Did a format, install of XP, up to the point of installing software. No software from the original Dell disk has been installed yet. As soon as I had a running system with internet capability, I went to Microsoft to try to get up to current status, especially SP2. I've got a bunch of fixes installed, but Windows Update seems to hang now, or rather restart at the 36% level. I have an incident open, waiting for a reply from them.

While waiting, I decided to get some other work done, so I downloaded Ad-Aware and Spybot, updated both, and of course, wanting to make sure they would run, I ran them.

Ad-Aware found:
Alexa (8 objects total) TAC=5
Tracking Cookie (6 objects total) TAC=3

In the right pane it said:
1 Registry Key
7 Registry Values
6 Files

Spybot said Congrats, no problems found.

I was a bit dismayed, as internet activity has been very limited so far. Is there someplace inside the computer where these little buggers hide and evade a format of the hard drive?

Here's the HJT log after these runs. I did NOT stop and do all this in safe mode, but will if it may help.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:21 AM, on 7/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121020431298
O17 - HKLM\System\CCS\Services\Tcpip\..\{B62DCA4E-7C61-47D1-9B7F-2CBDE4EAFEAE}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

#11 sthacker

sthacker
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:47 AM

Posted 12 July 2005 - 08:35 AM

Sorry, I'm getting sleepy, but wanted to mention this in case it has a bearing.

When I logged on to your site the first time, I got some sort of 'Cookie report'.

It listed: www.google.com/............. Blocked
adfarm.mediaplex.com/............. Blocked

Haven't seen this before and don't know what it means.

Stan

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:03:47 AM

Posted 12 July 2005 - 08:49 AM

Any place that has advertising on it is going to drop a cookie. So while you were downloading updates, Spybot, and Ad-Aware, there was advertising on those pages. Those ads will leave cookies. If you don't want cookies on your system, then you need to crank up your IE security settings. The downside is that you will have to manually add sites to trusted status if they use passwords, or you will not be able to log into sites. So there is a trade-off. Cookies are not malicious, they are only text files.

It listed: www.google.com/............. Blocked
adfarm.mediaplex.com/............. Blocked


That means that Adaware is blocking like it is supposed to be...and let the windows update run. If you are not getting any errors, then it is probably still working.

Your log is fine, but I don't see an anti-virus on there. Check out the link in my sig for some other ideas.
