
Solved: Unable to login WINXP - Logon Loop

Discussion in 'Virus & Other Malware Removal' started by HOBOcs, Feb 10, 2005.

  1. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    I've closed a thread in Operating Systems and moved it over here to Security.

    The issue started because the user could not log in to WinXP Pro: accessing the user account would present a screen and then log off immediately, an endless loop. Same for Safe Mode: it loops.
    See original thread: http://forums.techguy.org/t328781.html

    I've been able to use the Recovery Console and get to a command prompt.
    I then renamed login.scr to cmd.exe (to trick WinXP so I can get in) and waited for the screen saver to start; in its place it now gives me cmd.exe.

    I can now enter c:\windows\explorer.exe and have gotten in to a desktop. I've loaded some of the utilities (Spybot, Ad-Aware, etc.) and just ran Stinger, which showed 7 viruses.

    I'm displaying the first HijackThis log I've been able to get. I have not fixed anything, because this one looks like a lot of fun!!?!?

    Note: I have not logged off as yet to see if I can get back in. I reduced the screen saver wait to one minute so I can get back in quickly (cmd.exe).

    The big issue as I see it is the looping but this HJT might give me (us) some clues.

    Hope you can help.


    HijackThis log for review
    Logfile of HijackThis v1.99.0
    Scan saved at 3:23:37 PM, on 2/10/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\logonui.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\WINDOWS\System32\logon.scr
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\SVPHOST.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
    O1 - Hosts: 222.89.98.219 www.wo365.com
    O1 - Hosts: 222.89.98.219 cmfu.com
    O1 - Hosts: 222.89.98.219 www.cmfu.com
    O1 - Hosts: 222.89.98.219 9i0.com
    O1 - Hosts: 222.89.98.219 www.9flash.com
    O1 - Hosts: 222.89.98.219 9flash.com
    O1 - Hosts: 222.89.98.219 www.nowok.net
    O1 - Hosts: 222.89.98.219 nowok.net
    O1 - Hosts: 222.89.98.219 wisa.com.cn
    O1 - Hosts: 222.89.98.219 www.sia.com.cn
    O1 - Hosts: 222.89.98.219 www.wisa.cn
    O1 - Hosts: 222.89.98.219 wisa.cn
    O1 - Hosts: 222.89.98.219 www.zhao99.com
    O1 - Hosts: 222.89.98.219 zhao99.com
    O1 - Hosts: 222.89.98.219 www.wo123.com
    O1 - Hosts: 222.89.98.219 wo123.com
    O1 - Hosts: 222.89.98.219 wo99.com
    O1 - Hosts: 222.89.98.219 www.wo99.com
    O1 - Hosts: 222.89.98.219 www.page.com.cn
    O1 - Hosts: 222.89.98.219 page.com.cn
    O1 - Hosts: 222.89.98.219 www.432.cn
    O1 - Hosts: 222.89.98.219 432.cn
    O1 - Hosts: 222.89.98.219 wysw.com
    O1 - Hosts: 222.89.98.219 14.com.cn
    O1 - Hosts: 222.89.98.219 www.14.com.cn
    O1 - Hosts: 222.89.98.219 cnww.net
    O1 - Hosts: 222.89.98.219 www.mv99.com
    O1 - Hosts: 222.89.98.219 mv99.com
    O1 - Hosts: 222.89.98.219 www.youav.com
    O1 - Hosts: 222.89.98.219 www.mtvav.com
    O1 - Hosts: 222.89.98.219 www.98983.com
    O1 - Hosts: 222.89.98.219 98983.com
    O1 - Hosts: 222.89.98.219 www.114.com.cn
    O1 - Hosts: 222.89.98.219 114.com.cn
    O1 - Hosts: 222.89.98.219 www.net114.com
    O1 - Hosts: 222.89.98.219 www.skywz.com
    O1 - Hosts: 222.89.98.219 skywz.com
    O1 - Hosts: 222.89.98.219 www.hao6.com
    O1 - Hosts: 222.89.98.219 hao6.com
    O1 - Hosts: 222.89.98.219 www.678a.com
    O1 - Hosts: 222.89.98.219 678a.com
    O1 - Hosts: 222.89.98.219 www.7510.com
    O1 - Hosts: 222.89.98.219 7510.com
    O1 - Hosts: 222.89.98.219 www.zzkan.com
    O1 - Hosts: 222.89.98.219 zzkan.com
    O1 - Hosts: 222.89.98.219 www.ca183.com
    O1 - Hosts: 222.89.98.219 ca183.com
    O1 - Hosts: 222.89.98.219 3tom.com
    O1 - Hosts: 222.89.98.219 www.yhjm.com
    O1 - Hosts: 222.89.98.219 yhjm.com
    O1 - Hosts: 222.89.98.219 www.k369.com
    O1 - Hosts: 222.89.98.219 www.xxwww.com
    O1 - Hosts: 222.89.98.219 xxwww.com
    O1 - Hosts: 222.89.98.219 www.fm1000.net
    O1 - Hosts: 222.89.98.219 fm1000.net
    O1 - Hosts: 222.89.98.219 www.ok135.com
    O1 - Hosts: 222.89.98.219 ok135.com
    O1 - Hosts: 222.89.98.219 www.link999.com
    O1 - Hosts: 222.89.98.219 link999.com
    O1 - Hosts: 222.89.98.219 www.001wz.com
    O1 - Hosts: 222.89.98.219 001wz.com
    O1 - Hosts: 222.89.98.219 www.7t7t.com
    O1 - Hosts: 222.89.98.219 7t7t.com
    O1 - Hosts: 222.89.98.219 www.7k7k.com
    O1 - Hosts: 222.89.98.219 7k7k.com
    O1 - Hosts: 222.89.98.219 www.webcool.net
    O1 - Hosts: 222.89.98.219 webcool.net
    O1 - Hosts: 222.89.98.219 www.51sobu.com
    O1 - Hosts: 222.89.98.219 51sobu.com
    O1 - Hosts: 222.89.98.219 cy.51sobu.com
    O1 - Hosts: 222.89.98.219 www.fj3721.com
    O1 - Hosts: 222.89.98.219 fj3721.com
    O1 - Hosts: 222.89.98.219 www.msncn.com
    O1 - Hosts: 222.89.98.219 msncn.com
    O1 - Hosts: 222.89.98.219 www.6235.com
    O1 - Hosts: 222.89.98.219 6235.com
    O1 - Hosts: 222.89.98.219 www.8goo.com
    O1 - Hosts: 222.89.98.219 8goo.com
    O1 - Hosts: 222.89.98.219 www.baimin.com
    O1 - Hosts: 222.89.98.219 baimin.com
    O1 - Hosts: 222.89.98.219 www.bwwz.com
    O1 - Hosts: 222.89.98.219 bwwz.com
    O1 - Hosts: 222.89.98.219 www.howow.net
    O1 - Hosts: 222.89.98.219 howow.net
    O1 - Hosts: 222.89.98.219 www.tongchi.com
    O1 - Hosts: 222.89.98.219 tongchi.com
    O1 - Hosts: 222.89.98.219 www.65658.com
    O1 - Hosts: 222.89.98.219 65658.com
    O1 - Hosts: 222.89.98.219 www.7o7o.com
    O1 - Hosts: 222.89.98.219 7o7o.com
    O1 - Hosts: 222.89.98.219 5126.net
    O1 - Hosts: 222.89.98.219 www.5126.net
    O1 - Hosts: 222.89.98.219 www.wangzhiku.com
    O1 - Hosts: 222.89.98.219 wangzhiku.com
    O1 - Hosts: 222.89.98.219 www.soyeah.com
    O1 - Hosts: 222.89.98.219 soyeah.com
    O1 - Hosts: 222.89.98.219 www.sowang.cn
    O1 - Hosts: 222.89.98.219 sowang.cn
    O1 - Hosts: 222.89.98.219 www.77177.com
    O1 - Hosts: 222.89.98.219 77177.com
    O1 - Hosts: 222.89.98.219 www.look8.net
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~2.DLL
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: FavoriteMan Class - {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - C:\WINDOWS\System32\mmview_101.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
    O4 - HKLM\..\Run: [Windows Compliant] bvxxwx.exe
    O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [pF7j36R] phorc32r.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\SANDYS~1\LOCALS~1\Temp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [Device] C:\socks4.exe
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\SANDYS~1\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [oqkscmcsqmwjwp] C:\WINDOWS\System32\gwwkzfead.exe
    O4 - HKLM\..\Run: [Spool] C:\WINDOWS\system32\msvc32.exe
    O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll"", RunDll32
    O4 - HKLM\..\Run: [Windows TM] SVPHOST.exe
    O4 - HKLM\..\Run: [sxadqnet] C:\WINDOWS\sxadqnet.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\windns.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [Ynvzrb] C:\Program Files\Evpgczx\Ugjdzfh.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [6] C:\windows\system32\6.exe
    O4 - HKLM\..\Run: [Gzmw.exe] c:\windows\system32\Gzmw.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [aredixqd] C:\WINDOWS\aredixqd.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] bvxxwx.exe
    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
    O4 - HKLM\..\RunServices: [oqkscmcsqmwjwp] C:\WINDOWS\System32\gwwkzfead.exe
    O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe
    O4 - HKLM\..\RunOnce: [Windows TM] SVPHOST.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Compliant] bvxxwx.exe
    O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
    O4 - HKCU\..\Run: [Windows TM] SVPHOST.exe
    O4 - HKCU\..\RunOnce: [Windows TM] SVPHOST.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: LimeWire 4.2.6.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c7.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} (FavoriteMan Class) - http://fad-408.mtl4.targetnet.com/a...url=http://www.ouchvideo.com/mmviewer_101.cab
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
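The log above is long enough that it pays to triage it mechanically before reading it line by line. The script below is an added example, written for this page and not HijackThis's own logic or anything the thread's participants posted. It takes a small excerpt constructed from the log above and applies a few defender-side heuristics: hosts-file entries that redirect hostnames to a non-loopback address, O4 autorun entries with no path (so the name is resolved through the search order), entries launching from a Temp directory or the drive root, entries in the Win9x-era RunServices/RunOnce keys, a UserInit value that does not point at userinit.exe (an invalid UserInit is a well-known cause of exactly the immediate-logoff loop described at the top of the thread), and running processes whose name is a one-character lookalike of a system binary or that carry a system-binary name outside System32 (the same "is it in the expected place" check raised later in the thread for wuauclt.exe). The expected-location table, the loopback list and the thresholds are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt: a handful of lines copied from the thread's first log,
# enough to exercise every heuristic below.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\SVPHOST.exe
C:\Program Files\CashBack\bin\cashback.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,
O1 - Hosts: 222.89.98.219 www.wo365.com
O1 - Hosts: 222.89.98.219 cmfu.com
O1 - Hosts: 222.89.98.219 www.cmfu.com
O4 - HKLM\..\Run: [Windows Compliant] bvxxwx.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\SANDYS~1\LOCALS~1\Temp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Device] C:\socks4.exe
O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumptions of this example (not HJT's rules): where genuine XP system
# binaries live, and which addresses are normal targets in a hosts file.
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "wuauclt.exe", "userinit.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def split_path(path):
    """Return (directory, basename), both lower-cased, for a Windows path."""
    head, _, tail = path.strip().lower().rpartition("\\")
    return head, tail


def extract_image(command):
    """Pull the executable out of a Run value, handling quotes and spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|pif))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def lookalike(name):
    """System-binary name that differs from `name` in exactly one character."""
    for known in SYSTEM_BINARIES:
        if len(name) == len(known) and sum(a != b for a, b in zip(name, known)) == 1:
            return known
    return None


def triage(log_text):
    """Return a list of (category, detail) findings for an HJT log text."""
    findings = []
    hosts = defaultdict(list)
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # process list ends at the first blank line
            if not line:
                in_procs = False
                continue
            d, base = split_path(line)
            twin = lookalike(base)
            if base in SYSTEM_BINARIES and d != SYSTEM_DIR:
                findings.append(("process-path", f"{base} running from {d or '(no path)'}"))
            elif base not in SYSTEM_BINARIES and twin:
                findings.append(("process-lookalike", f"{base} mimics {twin}"))
            continue
        m = USERINIT_RE.match(line)
        if m:                              # Winlogon runs this to start the shell
            value = m.group(1).split(",")[0]
            if split_path(value)[1] != "userinit.exe":
                findings.append(("userinit", f"UserInit points at {value}"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts[m.group(1)].append(m.group(2))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            image = extract_image(command)
            d, _ = split_path(image)
            where = f"{hive}\\..\\{key} [{name}] -> {image}"
            if key in ("RunServices", "RunOnce"):   # Win9x-era / one-shot keys
                findings.append(("legacy-key", where))
            if not d:                               # bare name, resolved by search order
                findings.append(("no-path", where))
            elif "temp" in d.split("\\"):
                findings.append(("temp-dir", where))
            elif re.fullmatch(r"[a-z]:", d):
                findings.append(("drive-root", where))
    for ip, names in hosts.items():
        if ip not in LOOPBACK:
            findings.append(("hosts-hijack", f"{len(names)} hostnames redirected to {ip}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

Run against the full log above, the O4 block alone produces several dozen hits; the point of the categories is that a "no-path" or "temp-dir" entry is worth checking before a fully qualified path under Program Files, and that a single UserInit finding explains the logon loop on its own, whatever the adware lines say.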
     
  2. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    HJT After fixes
    Logfile of HijackThis v1.99.0
    Scan saved at 2:41:59 PM, on 2/11/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Admanager Controller\AdManCtl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Admanager Controller\AdManKeep.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] bvxxwx.exe
    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108094874753
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
     
  3. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Still appear to be getting some websites that are trying to be accessed.

    Not sure about the things in red.

    New HJT
    Logfile of HijackThis v1.99.0
    Scan saved at 5:30:44 PM, on 2/11/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe

    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Looks like this line C:\WINDOWS\System32\devldr32.exe is

    devldr32.exe is installed with Creative Labs audio hardware. Installed to start automatically by default, this process is crucial to Creative Labs AudioHQ, Creative Mixer and audio input. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

    And on this line C:\WINDOWS\System32\wuauclt.exe


    wuauclt.exe - This is used by the automatic update tool in Windows to check the Windows Update site every so often to see if any updates need to be installed.
    The original wuauclt.exe from Microsoft is located at C:\WINDOWS\System32\wuauclt.exe. If you find it anywhere else, then you should be suspicious for sure.


    This line was added by a variant of the RBOT worm!

    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe

    This line seems to be OK; it is from Command Software Systems, Inc. (antivirus):

    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
     
  5. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Thanks, I just googled winexec32 myself. Fixed it.
    Everything else looks OK.
    I will run the tds-3 tool and check for anything else.
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
  7. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Still problems. Internet connection slow to initiate; suspect stuff still running.
    Suspects in red.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:48:58 AM, on 2/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\defragfatx.exe
    C:\WINDOWS\system32\windns.exe
    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\windns.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
     
  8. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Still appear to be having a problem with unauthorized websites trying to get accessed.
    I have cleaned up a malware "upme - dllman" from the registry, but something is still running. I'm having trouble getting the Windows critical updates to work, and suspect the wuauclt.exe program may be corrupted or have been replaced.

    Latest HJT
    Logfile of HijackThis v1.99.0
    Scan saved at 2:57:55 PM, on 2/14/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
     
  9. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Logfile of HijackThis v1.99.0
    Scan saved at 3:14:20 PM, on 2/15/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    Not convinced on these ones:
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\devldr32.exe

    C:\Utilities\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    Fixed
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
     
  10. HOBOcs

    HOBOcs Thread Starter

    Joined:
    Jan 5, 2004
    Messages:
    8,528
    First Name:
    Jim
    Final Post:
    Was able to fix the Windows critical update by re-installing IE6. (This worked for me in the past.) Many Windows critical updates, and downloaded everything. OK.

    Then went that one step further and downloaded Service Pack 2. Mistake. Got a blank screen on restart; it appears something has affected the video. Backed out SP2 and everything looks OK again.

    I still suspect remnants of the worm or something trying to access some websites. The firewall (Freedom - not sure how good this really is) is reporting some activity trying to access some urls.

    Regardless, I've had enough of this one. Closing this thread and marking it resolved.
     
Short URL to this thread: https://techguy.org/329054