my hjt log


  • This topic is locked
3 replies to this topic

#1 Zer0_II

Posted 04 January 2005 - 08:16 AM

I've been trying to clean out my system for several days now. Unfortunately my winlog.exe application keeps trying to connect to a remote computer. Any suggestions, or am I posting in the wrong place for this?

EDIT: Sorry about the topic format... I just read the post about it

Logfile of HijackThis v1.99.0
Scan saved at 9:09:15 AM, on 1/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wualcts.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\winlog.exe
C:\Program Files\WinCustomize\CursorXP\CursorXP.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&af...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Shockw4ve Explorer
O1 - Hosts: com #fwav
O1 - Hosts: date.com #fwav
O1 - Hosts: rus.com #fwav
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Windows Logger] winlog.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Windows Logger] winlog.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\WinCustomize\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Windows Logger] winlog.exe
O4 - HKCU\..\RunOnce: [Task Help] wualcts.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edited by Zer0_II, 04 January 2005 - 09:13 AM.



#2 Zer0_II

Posted 04 January 2005 - 07:17 PM

I booted up in safe mode and was able to delete the wualcts.exe application which was attempting to remotely access another computer. I tried to locate winlog.exe which is doing the same thing, but when I searched for it I didn't come up with any results for the application itself. I did however find this in an Adaware log file which might explain why I can't find it with a normal search.


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 11-23-2003 3:03:06 PM
BasePriority : High

\??\C:\WINDOWS\system32\

Is that where I would find the file, and if so how would I access that area?

#3 Zer0_II

Posted 04 January 2005 - 09:02 PM

bump... still needing assistance when someone gets a chance

#4 Daisuke

Posted 05 January 2005 - 09:32 AM

Zer0_II

It is not a good idea to "Bump" your post, it will only delay
help for your log. When selecting logs we generally use two criteria to
look for unanswered logs.

1. We started from the oldest to the most recent. That means if you
keep bumping, your log is at the top of the list, and since we do not work
from the top, it will be looked at last!!

2. We look first for posts with no replies. A bump is a reply so
you get pushed further down the response ladder.


Please be patient. Everyone who helps you here does it as a volunteer and will try to help you as soon as possible.


Duplicate
http://www.bleepingcomputer.com/forums/ind...wtopic=8161&hl=

This topic is closed.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
