Jump to content


Photo

winupdt.exe,iwar.exe, blaze?? help


  • Please log in to reply
2 replies to this topic

#1 donm207

donm207

    Member

  • New Member
  • Pip
  • 1 posts

Posted 12 July 2004 - 10:07 PM

recently came in contact with a few bugs(winupdt.exe,iwar.exe, blaze?? ) , ran adware, spybot, and cwshredder,, picked up a few and removed. already searched and deleted references to "windows sa" and a few others,,,, below is hijack this log ran just a few minutes ago.

can someone take a look see,,, and tell me if i have anything else that should be removed. Thanx


Logfile of HijackThis v1.98.0
Scan saved at 11:07:58 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\RivaTuner\RivaTuner.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton CleanSweep\csinsmNT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don Murphy\Desktop\Anti-Virus\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.240.156.246:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner\RivaTuner.exe" /T
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmNT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.c...119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/...Scan/SyScan.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.../diskhealth.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.c...12119/CTPID.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O20 - AppInit_DLLs: apitrap.dll

thanx for your help,,,,

Edited by donm207, 12 July 2004 - 10:07 PM.


#2 daveai

daveai

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,214 posts

Posted 23 July 2004 - 01:24 AM

donm207

Thanks for sending in your HijackThis log.

Logfile analysis shows evidence of I-Lookup malware, an unknown browser button, and some malware in the activex downloads. There is also an optional fix for you to consider.

1 -- Since you have these programs already, run AdAware and then Spybot again just to be sure, after checking yourself against the following instructions.

Please see How to use Ad-Aware to remove Spyware for instructions on how to download, install and then use this software.

Please see How to use Spybot to remove Spyware for instructions on how to download, install and then use this software, which may catch things that Ad-Aware misses.

2-- Since you are running NAV, please be sure you are fully updated, and re-scan your system.

3 -- You might want to move your copy of HijackThis into its own folder (e.g. c:\HJT) and run it from there. This will ensure preservation of any HJT backup files that are created.

Run the program, press Scan, and put a check against the following entries, if they still show up.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.240.156.246:80
O2 - BHO: (no name) - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - (no file)
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

Now you may decide about an optional item:

Application Scheduler is installed along with RealOne Player and is running in startup, and is not needed. Once installed, it runs independently of RealOne Player. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself: (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK

This is the item to fix in HJT:

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Once you have selected all the items for HJT to fix, make sure all browsers and program windows are closed except for HijackThis, and click fix checked.

4 -- Since your notes say you have already cleaned some other items before contacting us, let's also clean out two common "hide outs" that malware might try to re-install itself from.

To prevent any hidden copies of malware from reinstalling on your system, we now need to clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

To prevent any remnants of the problems hiding out in your restore files, please disable Windows System Restore, then reboot, then re-enable Windows System Restore by following the instructions at: "How to turn off or turn on Windows XP System Restore"

5 -- Finally, please run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. If we need to take additional steps, your response and the new logfile will indicate what they may be.

So donm207...all that was our "pound of cure".

Let's take a moment now for "an ounce of prevention" :)

Please take a moment to review the following prevention steps to avoid repeated spyware infections. You have already taken some of the steps (Spybot S&D, AdAware, NAV, Sygate).

An excellent overview is: So how did I get infected in the first place? which you should read if you haven't already. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

1 -- It is most important to make sure that both Internet Explorer and XP are kept current with the latest critical security patches from Microsoft.

To do this just start Internet Explorer and select Tools > Windows Update. You’ll be connected to “Welcome to Windows Update” where you should press the Scan for updates link. Once the scan completes you will be asked to Pick updates to install. In the left-hand panel, select “Critical Updates and Service Packs and then press Review and install updates in the right-hand panel. Review the descriptions and press the ADD button for any security updates for either Internet Explorer or XP. Then press the Review and install updates link just above the descriptions.

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad places over 4000 websites and domains in the IE Restricted list which will several impair attempts to infect your system.

3 -- You already have installed AdAware in addition to the Spybot S&D utility. Use both of these programs regularly to scan your system for and remove many forms of spyware/malware.
If you found our service worthwhile, and want to help keep SpwareInfo running please consider donating here.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,214 posts

Posted 24 July 2004 - 04:29 PM

donm207

Here are some additional instructions to my first post to you about your HijackThis log.

In that post, in Step #4, you were asked to use HijackThis to fix the following line:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.240.156.246:80

If you know for certain the you ARE running with a proxy server, then DO NOT fix this line in HJT.

If you know for certain that you ARE NOT running with a proxy server, then in additon to fixing the line in HJT, please execute the following instructions immediately before Step #5:

Step 4.5 -- Next, open up Internet Explorer and navigate to Tools > Internet Options > Connections > LAN Settings and uncheck the box next to "Use Proxy Settings for your LAN...", then "OK".

Please let us know in your followup post whether or not you are using a proxy server.

Thanks
daveai
If you found our service worthwhile, and want to help keep SpwareInfo running please consider donating here.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button