WRTService

This topic is locked
6 replies to this topic

#1 Horace (Member, New Member, 4 posts)

Posted 22 May 2004 - 01:14 PM

I got my browser hijacked (iSearch and the like...) and I spent the last couple of days cleaning up all I could with Ad-Aware, Spybot, HijackThis etc.

Everything seems to work fine now, but I am still left with two minor issues: one is the DSO Exploit recurrence problem after removal with Spybot that I've found already documented elsewhere.

The second one is the following warning that I get from CWShredder:

"The following file could be part of CWS.Control.3 which uses random filenames. If the file displayed below has a filename that looks like a random string of characters it should be deleted...If you're not sure ...ask someone for help...

C:\WINDOWS\WRTService.exe"

Now, I clearly understand that this is not a random string of characters, but, for my peace of mind, can somebody tell me what this file is and if keeping it is ok?

Many thanks!

#2 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 22 May 2004 - 11:41 PM

Hi Horace.
This is the best explanation I have seen for your DSO question-
http://forums.net-in...ST&f=28&t=15308

As for C:\WINDOWS\WRTService.exe - I can find no info on it. Rename it C:\WINDOWS\WRTService.old and see if it is missed by anything. After a few days if it is not needed you can probably delete it with no problems.

#3 Horace (Member, New Member, 4 posts)

Posted 23 May 2004 - 02:32 AM

Ok, I'll try that. Many thanks!

#4 Horace (Member, New Member, 4 posts)

Posted 23 May 2004 - 07:27 AM

PS: just to complete the job, could you have a look at my HJT log and let me know if there is anything else suspicious I should get rid of?
Here it is. Many thanks.

Logfile of HijackThis v1.97.7
Scan saved at 14.23.40, on 23/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\Ericsson\COMMUN~1\MOBILE~1\DbgOut.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\PROGRA~1\Intuwave\Shared\MROUTE~1\mRouterRuntime.exe
C:\Program Files\IBM\Mobility Client\artdhcp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Ericsson\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
c:\sdwork\issimsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\WRTService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\IBM\checker\checkerr.exe
C:\Program Files\c4ebreg\isamsmt.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Administrator\Desktop\isearch\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.ibm.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=proxy.it.ibm.com:8080;http=proxy.it.ibm.com:8080;ftp=proxy.it.ibm.com:8080;gopher=proxy.it.ibm.com:8080;
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = w3-501.ibm.com; w3;<local>
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://w3.ibm.com/do...andardsoftware/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\c4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75 Manager.exe" -startup
O4 - HKLM\..\Run: [NPDTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: IBMWW - https://w3-1.ibm.com...xpenses/exc.cab
O16 - DPF: LotusMenu - http://www.computerg...nu/menudisp.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.sou...gRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - https://d02db541.sou...gRoomClient.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.villaserb...ideo/svideo.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7728.4312152778
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3-3.ibm.com/...lugin/gpwsx.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = italy.ibm.com
O17 - HKLM\Software\..\Telephony: DomainName = italy.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E1F50D-C88C-4917-B781-D16F8EC9C074}: Domain = italy.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4969B692-D249-4704-B7BD-BBC8C4B6AEF9}: Domain = italy.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AE7205E-EADB-4E3A-B834-FDD5EF92199D}: Domain = italy.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B660C95-6E7A-495E-B371-EA797ABA104C}: Domain = italy.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E823E02-6411-4EC8-9345-648405427C9D}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E823E02-6411-4EC8-9345-648405427C9D}: NameServer = 9.139.236.2,9.139.236.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = italy.ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = italy.ibm.com,ibm.com,raleigh.ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = italy.ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = italy.ibm.com,ibm.com,raleigh.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = italy.ibm.com,ibm.com,raleigh.ibm.com
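The log above is in HijackThis 1.97 format, and the CWShredder warning in the first post is really a "random-looking filename" heuristic applied to a path. As an added example (not code from this thread, from HijackThis or from CWShredder), here is a small Python parser that pulls the O4 autostart entries out of such a log and applies a heuristic of that kind to each filename. The sample lines are constructed from entries in the log above plus one made-up entry (`xk4qzvb7.exe`, not a real file from this machine) so that the heuristic has something to hit; the thresholds are my own assumptions. The legitimate `AGRSMMSG.exe` from the log is included deliberately: it trips the heuristic too, which is exactly why the CWShredder text says to ask for help rather than delete on sight.

```python
import re

# Constructed sample in HijackThis 1.97 line format. All lines except the
# xk4qzvb7.exe entry are copied from the log posted above; xk4qzvb7.exe is
# an invented entry used only to exercise the heuristic.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\WRTService.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xk4qz] C:\WINDOWS\System32\xk4qzvb7.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
"""

# One R/O entry per line: "<section> - <body>".
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.+)$")
# O4 body is either "<hive>: [<name>] <command>" or "<key>: <file>.lnk = <path>".
O4_RE = re.compile(r"^(?P<key>.+?): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+)= )(?P<cmd>.+)$")
# Unquoted command: take everything up to the first executable-looking extension.
EXE_RE = re.compile(r"^(?P<p>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)


def parse_hjt(text):
    """Return [{'section': 'O4', 'body': '...'}, ...] for every R/O entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def command_path(cmd):
    """Extract the program path from an O4 command line (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("p") if m else cmd.split()[0]


def autostarts(entries):
    """Reduce O4 entries to (registry key or startup folder, entry name, program path)."""
    out = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = O4_RE.match(e["body"])
        if not m:
            continue
        if m.group("lnk") is not None:            # "x.lnk = <path>": whole remainder is the path
            out.append({"key": m.group("key"), "name": m.group("lnk").strip(), "path": m.group("cmd").strip()})
        else:
            out.append({"key": m.group("key"), "name": m.group("name"), "path": command_path(m.group("cmd"))})
    return out


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def looks_random(filename, min_len=5):
    """Heuristic (assumed thresholds) for 'random string of characters' filenames:
    no vowels at all, a quarter or more digits, or a run of five or more consonants."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < min_len:
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return True
    has_vowel = any(c in "aeiou" for c in letters)
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", stem)), default=0)
    return (not has_vowel) or digits / len(stem) >= 0.25 or longest_run >= 5


def suspicious_autostarts(text):
    """O4 entries whose program name trips the heuristic; a prompt for a human check, not a verdict."""
    return [a for a in autostarts(parse_hjt(text)) if looks_random(basename(a["path"]))]


if __name__ == "__main__":
    for a in suspicious_autostarts(SAMPLE_LOG):
        print(f"check: {a['key']} [{a['name']}] -> {a['path']}")
```

Run against the sample, the parser reports `AGRSMMSG.exe` and `xk4qzvb7.exe` and passes `WRTService.exe`, `vptray.exe`, `qttask.exe` and `iclient.exe`, matching the original poster's own reading that "WRTService" is not a random string. Anything the heuristic flags still needs the kind of identification the advisor does in the thread (or the rename-and-wait test suggested in post #2) before it is removed.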

#5 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 23 May 2004 - 08:42 AM

Hi Horace-
I think your log is OK. I don't see any problems.

#6 Horace (Member, New Member, 4 posts)

Posted 23 May 2004 - 08:50 AM

Great! Thanks a lot.

#7 OlTramp (SWI Junkie, Trusted Advisor, 148 posts)

Posted 23 May 2004 - 09:41 AM

You are welcome. Glad we could help.
