re-occurring trojan

GTX_SlotCar

I just installed XP on 3 computers. 2 are fine, but one of them has a
re-occurring Trojan every time I start IE.
In the C:\ directory it seems to create lsass.exe and 124787.exe, both of
which can be deleted. (it's not the lsass.exe in the system32 directory).
I have spybot 1.3, Adaware 6.0, AVG, Zone Alarm and even installed "A
squared". When I start IE, I get the message that 124787 is infected and a
bunch of popups come on the screen. The files (lsass.exe and 124787.exe)
appear in the C:\ directory. I run any of the anti-virus or anti-malware
programs and it gets rid of the problem and the files disappear. I open IE
and they come right back.
I have "restore" disabled and messenger (or alerter?) disabled.
If I use Crazy Browser instead of IE, I don't get the Trojan, but for some
reason (on this computer) I can't get links to open with Crazy Browser, only
IE.

Any ideas on how I can get rid of this Trojan permanently?

Gary
 
GTX_SlotCar

Thanks, Chris. I'll do that when I get home. Should I run hijackthis before
or after I get rid of the trojan?

Gary
 
Chris

Gary

If you run hijackthis as the starting point, we can take a look at the log
and identify the problems.

You may also want to download trojanhunter from http://www.trojanhunter.com/
You get a 30-day free trial.

Alternatively you may want to download a2 from
http://www.emsisoft.com/en/software/free/

These are trojan hunters and may well help as we deal with the problem. But
start with hijackthis log.

If you'd prefer to post in a forum rather than newsgroup go to
http://forums.thetechguys.com/index.php

Chris
 
GTX_SlotCar

I downloaded and installed Trojanhunter. It found all kinds of entries in
the registry and some files. I had it fix the ones it could, then manually
deleted the registry entries it found (it wouldn't do that automatically in
the trial version, I guess). I also deleted 2 files it said were possible
trojans but wouldn't delete on its own.
It's funny that I ran spybot1.3, adaware6.0 and A2 (a squared). I also ran
begin2search remover (got it from their web site) because it's one thing I
had before. Finally, I ran AVG. All these were up to date. I ran
trojanhunter last, but it found a bunch of things when I ran it even though
the others said my system was clear.
A2 and trojanhunter seem to close IE or MyIE2 (which I just installed) if
either one is active, so I have to close them. This may indicate some other
problem, but otherwise things are going OK now and I'm not getting any more
re-occurring trojans.
Here's a list of some of the registry entries that trojanhunter found and I
deleted.

Registry scan

Registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777} (matches
Adawre.Begin2Search.Toolbar.100)

Registry key exists: HKEY_CURRENT_USER\Software\msbb (matches
Adware.180SearchAssistant.100)

Registry key exists:
HKEY_CLASSES_ROOT\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches
Adware.BargainBuddy.101)

Registry key exists:
HKEY_CLASSES_ROOT\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches
Adware.BargainBuddy.101)

Registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches
Adware.BargainBuddy.101)

Registry key exists:
HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} (matches
Adware.BargainBuddy.101)

Registry key exists:
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} (matches
Adware.BargainBuddy.101)

Registry key exists: HKEY_CURRENT_USER\Software\LocalNRD (matches
Adware.LocalNRD.100)

Registry key exists:
HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} (matches
Adware.WindUpdates.SyncroAd.100)

If things mess up again, I'll post again, but otherwise I'll assume
everything is OK now. It would probably be nice to let A2 or trojanhunter
remain active on my computer, but like I said, they close IE as soon as it
starts.
Should I still post a hijackthis log??

Thanks
Gary
 
GTX_SlotCar

Should I still post a hijackthis log??

I tried running hijackthis anyway, but I get an error when I do and it
doesn't finish. Error #62, input past end of file.
 
Chris

GTX
It's good that you have run the trojanhunter and taken some steps to remove
the trojans from your machine.

However, the error that you get when you try to run hijackthis is normally a
symptom of continued activity of a trojan.

If you scroll down the thread I have posted here, you will see several posts
from a poster called mmxx66 that address the problem you have running
hijackthis.

Run through the steps indicated. Once we have a log from hijackthis we will
be in a great position to deal with the nasty on your machine.

Chris
 
GTX_SlotCar

Thanks for the link, Chris. I finally got HijackThis running. I thought
TrojanHunter cleared everything up, but I upgraded to Ad-aware SE from vers.
6, and it found another 115 problems! Then, while going to your link, the
124787.exe problem popped up again. Anyway, here's my log, and thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 12:50:12 AM, on 10/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Tclock229B\TClock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
E:\WebDL\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.maine.rr.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7E1085A1-2C34-73B4-491E-102D04E21E28} - C:\WINNT\Tniebhaj.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll (file missing)
O2 - BHO: (no name) - {ED43DCA8-E45D-2AA2-C95C-168AEB0EDED2} - C:\WINNT\Tniebhaj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search - {1F7B105E-1FA1-666D-B548-4FB5CB236CDC} - C:\WINNT\Tniebhaj.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TClock.lnk = E:\Tclock229B\TClock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: Corel Network monitor worker - {280EAB85-B650-4766-AAA2-BA03D65B2E47} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {280EAB85-B650-4766-AAA2-BA03D65B2E47} - (no file)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O9 - Extra button: Corel Network monitor worker - {280EAB85-B650-4766-AAA2-BA03D65B2E47} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {280EAB85-B650-4766-AAA2-BA03D65B2E47} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...13b668fec7d7:270d2288487988400edd713985bb0eab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)


Gary

--

Tweaks & Reviews
www.slottweak.com
 
Chris

Gary, I have posted your log for a forum of experts to look at and will give
you an indication of the steps to take soon.

Certainly it would be worthwhile updating your internet explorer as the
version is out of date and of course applying all available windows updates
would be sensible to the operating system you use.

The entries that immediately stand out to me that need to be fixed are
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} -

and

O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe

There are several question marks on other entries that the experts will be
able to identify more clearly than myself.

Once I get the details of the action you should take I'll post back for you
and you can carry the steps out all in one go.

Regards

Chris


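As an added example (not code from the thread, and not part of HijackThis), here is a small Python triage pass over a HijackThis-style log. It covers two things from the posts above: the entries Chris singles out in this reply (the O2 BHO whose file is missing and the per-user O4 Run entry for winln.exe under system32, plus the IE search settings pointed at local .html files and the Tniebhaj.dll hooks dropped directly in C:\WINNT), and the symptom from Gary's opening post, a core system name such as lsass.exe running from somewhere other than System32. The sample log is an excerpt of Gary's posted log with one constructed process line (C:\lsass.exe) added so that last check has something to find; the finding names and heuristics are this example's own, and a hit means "look at this", not "this is malware" (the Corel buttons fail the same file-missing test and are far more likely leftovers from an uninstalled product).

```python
"""Added example, not code from the thread or from HijackThis: a small
triage pass over a HijackThis-style log.  It parses the "Running processes"
list and the Rn/Fn/On entries and then applies defender heuristics that
mirror what Chris picked out (the O2 BHO with a missing file and the HKCU
Run entry for winln.exe) plus the observation from Gary's first post (an
lsass.exe living at the root of C: rather than in System32).  The heuristic
names are this example's own, not HijackThis categories."""
import re
from dataclasses import dataclass

# Core binaries that only legitimately run from %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32_PREFIXES = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")

# Excerpt of the log posted in the thread, plus one constructed process line
# (C:\lsass.exe) so the masquerading-binary check has something to find.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\lsass.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R3 - URLSearchHook: (no name) - {7E1085A1-2C34-73B4-491E-102D04E21E28} - C:\WINNT\Tniebhaj.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe
O9 - Extra button: Corel Network monitor worker - {280EAB85-B650-4766-AAA2-BA03D65B2E47} - (no file)
"""


@dataclass
class Entry:
    section: str   # "R1", "O4", ... or "PROC" for a running process
    text: str      # everything after "Rn - " (or the full process path)


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hijackthis(log: str) -> list[Entry]:
    """Split a log into Entry records; lines of unknown shape are ignored."""
    entries, in_processes = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_processes:
            entries.append(Entry("PROC", line))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (finding-kind, entry) pairs worth a second look.  A hit is a
    prompt to investigate, not proof of malware."""
    findings = []
    for e in entries:
        low = e.text.lower()
        if e.section == "PROC":
            name = low.rsplit("\\", 1)[-1]
            if name in CORE_SYSTEM_BINARIES and not low.startswith(SYSTEM32_PREFIXES):
                findings.append(("masquerade", e))   # system name, wrong directory
            continue
        if "(file missing)" in low or "(no file)" in low:
            findings.append(("dangling", e))         # registry points at nothing
        if e.section == "O4" and low.startswith("hkcu\\..\\run:") and "\\system32\\" in low:
            findings.append(("user-run-in-system32", e))  # per-user autostart of a "system" exe
        if e.section in ("R0", "R1") and re.search(r"= [a-z]:\\.*\.html?$", low):
            findings.append(("local-search-hijack", e))   # IE search redirected to a local page
        if e.section in ("R3", "O2", "O3") and re.search(r"[a-z]:\\win(nt|dows)\\[^\\]+\.dll$", low):
            findings.append(("dll-in-systemroot", e))     # hook/BHO DLL dropped in %SystemRoot%
    return findings


def finding_kinds(log: str) -> list[str]:
    """Sorted list of finding kinds for a log; handy for summaries and tests."""
    return sorted(kind for kind, _ in triage(parse_hijackthis(log)))


if __name__ == "__main__":
    for kind, entry in triage(parse_hijackthis(SAMPLE_LOG)):
        print(f"[{kind:>22}] {entry.section}: {entry.text}")
```

Run against the full log Gary posted, the same pass flags every Tniebhaj.dll line, both local-file search hijacks per hive, and the spydeleter.com O9 button, while leaving the AVG, Creative and NVIDIA HKLM Run entries alone.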
 
GTX_SlotCar

Chris said:
The entries that immediately stand out to me that need to be fixed are
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} -
and
O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe

Thanks, Chris. I told hijackthis to fix the first one, but left the 2nd. I'm
not sure what winln.exe is and all I can find on it says to fix it if it's
in my c:\winnt folder. Since it's in my system32 folder, I didn't dare
chance it. Do you think I should?
I also "fixed" the entries that said they had a missing file or no filename.
I also have a lot of entries relating to Tniebhaj.dll. I can't find anything
on this file. I wonder if I dare to "fix" this too.

Anyway, fixing the entries I mentioned has enabled me to run CrazyBrowser
while TrojanHunter is enabled, so I'm making progress. Now let's see if it
stops 124787.exe from appearing again.

Gary
 
GTX_SlotCar

Hey Chris, I think I got it.
I did some research and cleaned things up. The hard one was the O9
Spydeleter which didn't want to stay cleared when I "fixed" it. I guess
there's a bug in hijackthis that doesn't handle the O9's very well, but I
merged a line into the registry and that cleared it up. (thanks to Calamity
Jane for the tip.)
I'm still not certain about fixing the winln.exe entry. I'd appreciate any
help you can find on it. I'm not sure, but it may be legit if it's in the
system32 folder.
Here's my new log:

Logfile of HijackThis v1.98.2
Scan saved at 12:58:07 AM, on 10/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Tclock229B\TClock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Outlook Express\msimn.exe
E:\WebDL\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.maine.rr.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TClock.lnk = E:\Tclock229B\TClock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Right now things seem to be running well.

Gary
 
Chris

Gary,

You certainly do seem to have made progress, great stuff. The concerns I can
see are that if you run Windows XP it should really be running SP2, or SP1 at
the very least. Otherwise you are very vulnerable to numerous attacks. I
would certainly recommend you update that, and in turn that will upgrade your
Internet Explorer; even if you don't use Internet Explorer it is worth
making sure it is up to date, purely because it forms part of the operating
system. So closing that point of entry can only help.

From my research, the advice appears to be certain that the winln.exe line
and the file itself should be deleted.

Generally it is best to do this whilst in safe mode. It is also recommended
that you turn off system restore so that no temp file clone of winln.exe
exists that will restore itself. Once all the nasties are gone, system
restore can be put back on.

So - Reboot in safe mode, run hijackthis and fix the line
O4 - HKCU\..\Run: [winltmpv] c:\winnt\system32\winln.exe

Whilst in safe mode.
You may need to show hidden files to delete them. Which you can learn how to
do here http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Search and delete the file winln.exe or any folder called that.
The following DIRECTORY CONTENTS (but not the directories themselves) need to
be deleted while in safe mode.
* C:\Winnt\temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet
Files\ <=This will delete all your cached internet content including
cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local
Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then reboot in normal mode and run hijackthis to see your log. Finally, to
help prevent future attacks, my personal advice, which you may want to follow,
is to install the following applications and create a scheduled task every
week or so to run them and update them.
*SpywareBlaster
*SpywareGuard
*Spybot search and destroy
*Ad-Aware SE Personal
Keep Windows up to date by getting latest Service Pack
Run disk cleanup and empty your recycle bin
and use a firewall such as Sygate.

It's a lot to take in, I know, but let us know how it goes.

Chris


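The safe-mode cleanup steps in Chris's reply above, as an added Python example that is not from the thread or from any tool mentioned in it. It assumes the caller supplies the system root and the profiles root (C:\WINNT and C:\Documents and Settings on Gary's machine); the directory list and the winln.exe name come from the post, and the tree it demonstrates on is constructed for illustration. The two things the post is careful about are built in: only the contents of each temp location go, never the directory itself, and every profile under Documents and Settings is covered. Rebooting into safe mode and turning System Restore off are manual steps the script does not perform, and the default is a dry run that only reports.

```python
"""Added example, not from the thread: Chris's safe-mode cleanup list as a
script.  It clears the CONTENTS of the temp locations he names (the
directories themselves stay), covers every profile found under
"Documents and Settings", and locates any stray file or folder with a
given name (winln.exe in the thread) before touching anything.  Booting to
safe mode and switching System Restore off are manual steps it does not
perform.  dry_run=True (the default) only reports."""
import os
import shutil
import tempfile
from pathlib import Path


def temp_locations(system_root: Path, profiles_root: Path) -> list[Path]:
    """The directories from Chris's list, expanded over every profile present."""
    paths = [system_root / "temp"]
    if profiles_root.is_dir():
        for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
            local = profile / "Local Settings"
            paths += [local / "Temporary Internet Files", local / "Temp"]
    return paths


def find_named(root: Path, name: str) -> list[Path]:
    """Every file or directory under root with that name (case-insensitive, as on Windows)."""
    wanted = name.lower()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits += [Path(dirpath) / n for n in dirnames + filenames if n.lower() == wanted]
    return sorted(hits)


def remove_path(p: Path) -> None:
    """Delete a file, or a whole directory tree; symlinks are unlinked, not followed."""
    if p.is_dir() and not p.is_symlink():
        shutil.rmtree(p, ignore_errors=True)
    else:
        p.unlink(missing_ok=True)


def clear_contents(directory: Path, dry_run: bool = True) -> list[Path]:
    """Remove everything inside directory but keep the directory itself.
    Missing directories are skipped rather than created."""
    if not directory.is_dir():
        return []
    removed = list(directory.iterdir())
    if not dry_run:
        for child in removed:
            remove_path(child)
    return removed


def cleanup(system_root: Path, profiles_root: Path, stray_name: str = "winln.exe",
            dry_run: bool = True) -> dict:
    """Strays first (so a copy sitting in a temp folder is still reported by
    name), then the temp locations.  Returns what was, or would be, removed."""
    strays = find_named(system_root, stray_name) + find_named(profiles_root, stray_name)
    if not dry_run:
        for s in strays:
            remove_path(s)
    removed = []
    for loc in temp_locations(system_root, profiles_root):
        removed += clear_contents(loc, dry_run)
    return {"strays": strays, "removed": removed}


def build_demo_tree(base: Path) -> tuple[Path, Path]:
    """Constructed stand-in for the system drive: two profiles, a planted winln.exe."""
    system_root = base / "WINNT"
    profiles_root = base / "Documents and Settings"
    files = [
        system_root / "temp" / "junk.tmp",
        system_root / "temp" / "cache" / "page.htm",
        system_root / "system32" / "winln.exe",
        profiles_root / "Gary" / "Local Settings" / "Temp" / "setup.tmp",
        profiles_root / "Gary" / "Local Settings" / "Temporary Internet Files" / "cookie.txt",
        profiles_root / "Other" / "Local Settings" / "Temp" / "old.tmp",
    ]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("x")
    return system_root, profiles_root


def demo() -> dict:
    """Dry run, then the real thing, on a throwaway tree; returns plain facts."""
    base = Path(tempfile.mkdtemp(prefix="xp-cleanup-demo-"))
    try:
        system_root, profiles_root = build_demo_tree(base)
        existing = [p for p in temp_locations(system_root, profiles_root) if p.is_dir()]
        preview = cleanup(system_root, profiles_root, dry_run=True)
        stray = system_root / "system32" / "winln.exe"
        survived_dry_run = stray.exists()
        result = cleanup(system_root, profiles_root, dry_run=False)
        return {
            "strays_found": [p.relative_to(base).as_posix() for p in preview["strays"]],
            "preview_count": len(preview["removed"]),
            "stray_survived_dry_run": survived_dry_run,
            "removed_count": len(result["removed"]),
            "stray_deleted": not stray.exists(),
            "temp_dirs_kept_and_empty": all(p.is_dir() and not any(p.iterdir()) for p in existing),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine you would call cleanup(Path(r"C:\WINNT"), Path(r"C:\Documents and Settings")) once with the default dry run, read the list, and only then repeat with dry_run=False; the Recycle Bin step from the post is left to the shell.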
 
GTX_SlotCar

It's a lot to take in, I know, but let us know how it goes.

It's not too much to handle :) Thanks for the help, Chris.
I'll take care of the SPs. It's a new XP install and I want to get it
running right before putting in the big stuff. It's got all the updates that
it will take without the SP, though.

Things are running great and the log looks clean to me. Here's the final.

Logfile of HijackThis v1.98.2
Scan saved at 7:00:05 PM, on 10/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Tclock229B\TClock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\wuauclt.exe
E:\WebDL\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.maine.rr.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TClock.lnk = E:\Tclock229B\TClock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 
Chris

Gary,

Yes, that log appears clean. The protection I implement on desktops is pretty
standard on any I look after; it's about getting that protection in place,
updating it and keeping it that way. It, like many things these days, is a
constant challenge to remain fully protected against malicious acts. But
with more people helping each other out it makes it just that little bit
easier, I think. Hope everything goes okay. By all means post back if you have
any further problems.


GTX_SlotCar said:
It's a lot to take in, I know, but let us know how it goes.

It's not too much to handle :) Thanks for the help, Chris.
I'll take care of the SPs. It's a new XP install and I want to get it
running right before putting in the big stuff. It's got all the updates that
it will take without the SP, though.

Things are running great and the log looks clean to me. Here's the final.

Logfile of HijackThis v1.98.2
Scan saved at 7:00:05 PM, on 10/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Tclock229B\TClock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\wuauclt.exe
E:\WebDL\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINNT\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINNT\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.maine.rr.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TClock.lnk = E:\Tclock229B\TClock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 
G

GTX_SlotCar

Hey Chris, I pared the log down even more by taking out all the R1 entries.
All operations still work great. I'm quite sure I know what the rest of the
entries are for, so they belong in the log. I've actually cut this log in
half since we started. IE is even a little snappier.
I appreciate the help. I'm not a novice at getting rid of these things and
I'm usually on the other end, giving help. This one almost had me, though,
and I'm not that familiar with HJT. I'm more comfortable using it now.
I always run (and keep up to date) spybot, adaware and AVG, and just
switched to Zone Alarm from Sygate. Somehow this one just got by me. I even
know when and where. On Sunday, 9/26/04, I was Googling for song lyrics and
opened the first site I came to. About 100 things started popping up, and
I'm using Crazy Browser which has a pop-up stopper.
Sometimes they just get by.

Gary

--

Tweaks & Reviews
www.slottweak.com
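Gary's pruning came down to the R1 entries and the O4 autostarts. The following Python is an added example, not code from the thread or from HijackThis: it re-joins the hard-wrapped log lines as the newsgroup posted them, then flags R1 values that point at a local file (the _s.html/_h.html search hijack in these logs) and O4 Run commands given without a path. SAMPLE_LOG is a constructed excerpt in the thread's log format.

```python
"""Parse a hard-wrapped HijackThis log and flag the two things a reviewer
checks first. Added example, not thread code; SAMPLE_LOG is constructed."""
import re

# Constructed excerpt; long entries wrap onto a second line as posted.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) =
C:\\WINNT\\_h.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page_bak =
http://www.maine.rr.com/
O4 - HKLM\\..\\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter
4.0\\THGuard.exe"
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # R0-R3, F0-F3, N1-N4, O1-O23

def unwrap(text):
    """Re-join continuation lines onto the entry they were wrapped from."""
    entries = []
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def parse(text):
    """(section, key, value) per entry; value is None for entries with no
    ' = ' such as the O4 Run lines."""
    out = []
    for entry in unwrap(text):
        section, rest = ENTRY_RE.match(entry).groups()
        key, sep, value = rest.partition(" = ")
        out.append((section, key.strip(), value.strip() if sep else None))
    return out

def hijacked_r1(text):
    """R1 (IE search/start page) values that are a local file rather than an
    http(s) or about: URL: the hijack signature seen in this thread's logs."""
    return [(k, v) for s, k, v in parse(text)
            if s == "R1" and v and not re.match(r"(https?://|about:)", v, re.I)]

def unqualified_o4(text):
    """O4 Run commands given as a bare file name: the log alone cannot show
    where such a file loads from, so verify it on disk before trusting it."""
    hits = []
    for s, k, _ in parse(text):
        if s == "O4" and "Run:" in k:
            cmd = k.split("] ", 1)[1].strip('"').split()[0]
            if "\\" not in cmd and ":" not in cmd:
                hits.append(cmd)
    return hits
```

Run it over a saved log and the R1 hits are the entries to research or remove, while the O4 hits are the ones to locate on disk (Logi_MwX.Exe, CTHELPER.EXE and nwiz.exe in the logs above fall in this class) rather than judge from the name alone.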



