Jump to content


Suspect Log

  • Please log in to reply
3 replies to this topic

#1 Niantic



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 02:56 PM


This is my first post. For 24 hours I have been trying to clean my computer. I successfully used Ad Aware, Spy Nuker and CW Shredder. Now when I run any program they say my computer is clean.

But, my computer runs very slowly. Often I cannot move from link to link. The page says: "The program is not responding."

Some basic links even are not responding well (e.g. Yahoo) I cannot download 'Dreamweaver'.

When I click IE on the START Menu, a strange search page still appears.

And so, I think my computer is suspect, even though the Spy Removal Programs say that my computer is clean.

I am posting my log from 'Hijack This' in the hopes that one of you (my new friends) will recognize something.

And so:

Logfile of HijackThis v1.97.7
Scan saved at 3:39:53 PM, on 6/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\michael carroll\local settings\temp\uz7HMki.exe
C:\documents and settings\michael carroll\local settings\temp\L1tQYhodO.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Carroll\Local Settings\Temporary Internet Files\Content.IE5\PJZRXD8E\HijackThis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afwxk.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afwxk.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afwxk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\afwxk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afwxk.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\afwxk.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A264AC9-2381-8AF5-4412-1FA65E5E70C2} - C:\WINDOWS\atlbb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [uz7HMki] C:\documents and settings\michael carroll\local settings\temp\uz7HMki.exe
O4 - HKLM\..\Run: [L1tQYhodO] C:\documents and settings\michael carroll\local settings\temp\L1tQYhodO.exe
O4 - HKLM\..\Run: [d3qj.exe] C:\WINDOWS\d3qj.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvsu.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenu...WNInstaller.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webrespo...p/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38097.865625
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cybersourcec...bex/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Are any of them suspect? Which ones should I Fix? (Delete)
Thank you in advance.

#2 Niantic



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 03:50 PM

I am just being patient. In the meanwhile, I am reading all the other logs with similar problems. But maybe someone has the vision to spot something.


#3 Niantic



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 05:03 PM

I am about to take drastic action and begin to prune my registry. But first I want to run it by the pros.

When I check my home page, a strange URL appears: It says:

I did a file search for afwxk, found 1 file, turned off System Restore and deleted it. But it came back.

Then I ran 'Hijack This' again. I saw in the suspicious afwxk five times in the registry.

Should I prune (FIX) all of them? Will my computer still work afterwards.


#4 Niantic



  • New Member
  • Pip
  • 4 posts

Posted 15 June 2004 - 06:25 PM

I am answering myself.

Well, I pruned them all. At first they seemed to disappear and all was well. But later when I checked, the home page was still hijacked with the afwxk etc. URL.

What do I do?

I ran Spybot again. Found another 5 bad things. (DOS Exploit). Deleted them.

Are the word that are running at the bottom of the page when I run Spybot, on MY computer?? Because a lot of bad words are there. (Like Cool Web Search,). Or are the words just trying to run a match on my computer against these words?

The reason I want to know is because if all the words that I spotted on the bottom of the page when Spybot was running are, in fact, on my computer, then it is seriously infected and all the Spyware is not identifying it.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button