Please Help...this is after the HijackThis Analyzer

crsd36 · 04-20-2005, 06:23 PM

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:20:19 PM, on 04/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\system32\winqc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\sdkyi32.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Documents and Settings\Craig\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A519ABD5-0403-D86B-DED9-9E0905A175C1} - C:\WINDOWS\crev.dll
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [97.tmp] C:\DOCUME~1\Craig\LOCALS~1\Temp\97.tmp.exe 0 28129
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot8_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101293684968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: ipvsmbf - {5FE39821-22AF-4893-6194-1307085016E7} - C:\WINDOWS\System32\wkoju32.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcwx.exe (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

End of KRC HijackThis Analyzer Log.
====================================================================

**blackduck30** · 04-20-2005, 07:25 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

crsd36 · 04-20-2005, 08:35 PM

Awesome...thanks for the quick reply!

**blackduck30** · 04-20-2005, 10:19 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download cwsserviceremove.zip.[*]Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.[*]Please do not do anything with it yet.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Do not run it yet.

Download CWShredder and install it. we will use this later.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it.we will use this later

Reboot into Safe Mode (hit F8 key until menu shows up).

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\winqc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\sdkyi32.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {A519ABD5-0403-D86B-DED9-9E0905A175C1} - C:\WINDOWS\crev.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [97.tmp] C:\DOCUME~1\Craig\LOCALS~1\Temp\97.tmp.exe 0 28129
O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1101293684968

O21 - SSODL: ipvsmbf - {5FE39821-22AF-4893-6194-1307085016E7} - C:\WINDOWS\System32\wkoju32.dll (file missing)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcwx.exe (file missing)

Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\winqc32.exe
C:\Program Files\Viewpoint
C:\WINDOWS\system32\sdkyi32.exe
C:\WINDOWS\mxvcc.dll
C:\WINDOWS\crev.dll
C:\WINDOWS\System32\wkoju32.dll
C:\WINDOWS\mfcwx.exe

Run cwsserviceremove

Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run Cwsshredder.exe

Run adaware.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

04-20-2005, 06:23 PM	#1 (permalink)
crsd36 Registered User Join Date: Apr 2005 Posts: 5 OS: WinXP	Please Help...this is after the HijackThis Analyzer ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 7:20:19 PM, on 04/20/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe C:\WINDOWS\system32\winqc32.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\sdkyi32.exe C:\WINDOWS\System32\AEIWLSTA.EXE C:\Program Files\LogMeIn\LogMeInSystray.exe C:\Documents and Settings\Craig\Desktop\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {A519ABD5-0403-D86B-DED9-9E0905A175C1} - C:\WINDOWS\crev.dll O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server" O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe" /r O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [97.tmp] C:\DOCUME~1\Craig\LOCALS~1\Temp\97.tmp.exe 0 28129 O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe" O4 - Global Startup: hp psc 1000 series.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot8_x.cab O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/game...ts/y/nt1_x.cab O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101293684968 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.com/egather/IbmEgath.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O21 - SSODL: ipvsmbf - {5FE39821-22AF-4893-6194-1307085016E7} - C:\WINDOWS\System32\wkoju32.dll (file missing) O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcwx.exe (file missing) O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe End of KRC HijackThis Analyzer Log. ====================================================================

04-20-2005, 07:25 PM	#2 (permalink)
blackduck30 TSF Enthusiast Join Date: Sep 2004 Location: Wollongong/Australia Posts: 4,230 OS: XP pro SP3/Vista Ultimate My System	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. __________________ Blackduck30 Time is like money and milk, It's always running out Any Donations Help Keep TSF Free For All

04-20-2005, 10:19 PM	#4 (permalink)
blackduck30 TSF Enthusiast Join Date: Sep 2004 Location: Wollongong/Australia Posts: 4,230 OS: XP pro SP3/Vista Ultimate My System	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download cwsserviceremove.zip.[]Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.[]Please do not do anything with it yet. Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip it to a folder on your the Desktop. Do not run it yet. Download CWShredder and install it. we will use this later. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it.we will use this later Reboot into Safe Mode (hit F8 key until menu shows up). Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper and double click on it. Click on the Stop button and under Startup type, choose Disabled. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\system32\winqc32.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\sdkyi32.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Viewpoint Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mxvcc.dll/sp.html#28129 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {A519ABD5-0403-D86B-DED9-9E0905A175C1} - C:\WINDOWS\crev.dll O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [97.tmp] C:\DOCUME~1\Craig\LOCALS~1\Temp\97.tmp.exe 0 28129 O4 - HKLM\..\Run: [sdkyi32.exe] C:\WINDOWS\system32\sdkyi32.exe O15 - Trusted Zone: .awmdabest.com O15 - Trusted Zone: .frame.crazywinnings.com O15 - Trusted Zone: .awmdabest.com (HKLM) O15 - Trusted Zone: .frame.crazywinnings.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1101293684968 O21 - SSODL: ipvsmbf - {5FE39821-22AF-4893-6194-1307085016E7} - C:\WINDOWS\System32\wkoju32.dll (file missing) O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcwx.exe (file missing) Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\winqc32.exe C:\Program Files\Viewpoint C:\WINDOWS\system32\sdkyi32.exe C:\WINDOWS\mxvcc.dll C:\WINDOWS\crev.dll C:\WINDOWS\System32\wkoju32.dll C:\WINDOWS\mfcwx.exe Run cwsserviceremove Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here. Run Cwsshredder.exe Run adaware.exe Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Blackduck30 Time is like money and milk, It's always running out Any Donations Help Keep TSF Free For All

04-20-2005, 08:35 PM	#3 (permalink)
crsd36 Registered User Join Date: Apr 2005 Posts: 5 OS: WinXP	Awesome...thanks for the quick reply!