
Possible Internet Hijack?



#1 marco d

Posted 04 December 2005 - 12:41 PM

Hey guys, I've posted on this site before, and you were all very helpful, so I've come back with yet some more news of internet hijinks! Hooray!

I keep getting a "Win Fixer 2005" pop-up in my browser, urging me to download Win Fixer 2005 to help clean up the registry. It's really annoying... here's my HijackThis log, any help is greatly appreciated :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:52 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\awtqr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\UWFX5.exe" /scan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE3E1756-DF89-427A-93AF-3D5ED25477A4}: NameServer = 206.47.244.43 207.164.234.41
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thank you all.

#2 -David-

Posted 04 December 2005 - 04:04 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 marco d

Posted 06 December 2005 - 10:37 AM

Hey there, everything was followed as asked, and here's the SpySweeper log (following it will be the HijackThis log):

date/time : 2005-12-06, 10:25:06, 171ms
computer name : MARK-0X9PCSKLS0
user name : SYSTEM
operating system : Windows XP Service Pack 2 build 2600
system language : English
system up time : 38 minutes 38 seconds
program up time : 23 minutes 53 seconds
processor : Intel® Pentium® 4 CPU 2.00GHz
physical memory : 55/255 MB (free/total)
free disk space : (C:) 42.46 GB
display mode : 800x600, 32 bit
process id : $a70
allocated memory : 13.10 MB
executable : WRSSSDK.exe
exec. date/time : 2005-11-16 14:38
version : 2.0.7.456
madExcept version : 2.7g
exception class : EAccessViolation
exception message : Access violation at address 0000000B. Read of address 0000000B.

thread $1708 (TSpyDriverCallbackThread):
0000000b ???
00535b7b WRSSSDK.exe SpyDriver 762 TSpyDriverCallbackThread.DoOnEvent
00535bf1 WRSSSDK.exe SpyDriver 784 TSpyDriverCallbackThread.Execute
0042c5da WRSSSDK.exe madExcept HookedTThreadExecute
0044c028 WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c56f WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $700 (TSpyDriverThread) at:
00535ad7 WRSSSDK.exe SpyDriver 734 TSpyDriverCallbackThread.Create

And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:57 AM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE3E1756-DF89-427A-93AF-3D5ED25477A4}: NameServer = 206.47.244.43 207.164.234.41
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4 -David-

Posted 06 December 2005 - 11:42 AM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)


Clean Log!!
How's everything running?

David
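The two entries David has fixed share one pattern: a single DLL in system32 registered both as an Internet Explorer BHO (O2) and as a Winlogon Notify handler (O20), which after the sweep survives only as dangling "(file missing)" references. Below is an added Python example, not code from this thread or from HijackThis itself, that parses HJT log lines, flags that BHO/Winlogon Notify pairing and any dangling O2/O20 entries, and diffs two logs; the sample lines are excerpted from the two logs posted above.

```python
import re
from typing import Dict, List, Set, Tuple

# One HijackThis entry per line: "<section> - <body>", for example
#   O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Bare DLL filename inside an entry body; any leading path is ignored.
DLL_NAME = re.compile(r"([\w~-]+\.dll)(?!\w)", re.IGNORECASE)

Entry = Tuple[str, str]  # (section, body)

# Constructed samples: a few lines excerpted from the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\awtqr.dll
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\UWFX5.exe" /scan
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* entries; headers and the process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dlls_by_kind(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Map lowercase DLL name -> the load points that reference it, using the label
    before the colon in O2/O20 bodies ("BHO", "Winlogon Notify", "AppInit_DLLs")."""
    seen: Dict[str, Set[str]] = {}
    for section, body in entries:
        if section not in ("O2", "O20"):
            continue
        kind = body.split(":", 1)[0]
        for name in DLL_NAME.findall(body):
            seen.setdefault(name.lower(), set()).add(kind)
    return seen


def suspicious_entries(entries: List[Entry]) -> List[str]:
    """Report (a) a DLL registered as both an IE BHO and a Winlogon Notify handler,
    the pairing behind the awtqr.dll lines in this thread, and (b) O2/O20 entries
    whose file is gone but whose registry reference remains (the lines David fixed).
    SpySweeper's own WRLogonNTF.dll is only a Winlogon Notify handler, so it is not flagged."""
    findings: List[str] = []
    for name, kinds in sorted(dlls_by_kind(entries).items()):
        if {"BHO", "Winlogon Notify"} <= kinds:
            findings.append(f"{name}: loaded as BHO (O2) and Winlogon Notify (O20)")
    for section, body in entries:
        if section in ("O2", "O20") and "(file missing)" in body:
            findings.append(f"{section} dangling: {body}")
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that vanished and entries that appeared between two logs (exact compare)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label} ==")
        for finding in suspicious_entries(parse_hjt(log)):
            print("  ", finding)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("== removed ==", *(f"\n   {s} - {b}" for s, b in removed))
    print("== added ==", *(f"\n   {s} - {b}" for s, b in added))
```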