HijackThis shows 01 entries - can't remove

All:

Seems that my recycle bin, though it has entries, is also not showing those entries when opened and will not delete
Thanks
agavzy

Can you try the Symantec removal tool first. I need to see if it's any good :D. That's if you do not mind me experimenting with you?
http://securityresponse.symantec.com/avcenter/venc/data/pf/spyware.look2me.html
Follow the instructions from Symantec.
Once done, please do the following;

Reboot.

Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named: 'Make Log'. This will open logfile using Notepad. Please post (copy/paste) the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare by clicking the "Run Locate.com" then click Compare button... when done post that log here.

Crunchie:

Good to hear from you again - this one has been a real pain in the butt! And the pop-ups are becoming VERY annoying!

Downloaded the Symantic tool and tried to run - it kept getting hung on the mcshield.exe process. Would not let me kill the program and had to reboot so that I could run the others.

Also - I've been to c:\windows\system32\drivers\etc\hosts and have found the following entries:
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch

Everytime I erase them and then close and open the file - they're baaaacck!

In any event, as promised, here are the VX2Finder and Dllcompare logs.
Also - I did run DllCompare earlier and tried to get rid of some of the files it listed, even tried it under safeboot, but the system would not allow it:
------------------------------------------------------------
Log for VX2.BetterInternet File Finder
Files Found---

Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{1D835F6F-CC2F-4717-91B7-25039AF29AC1}
---------------------------------------------------------
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\k4620e~1.dll Thu Feb 3 2005 5:16:20p ..S.R 231,189 225.77 K
C:\WINDOWS\SYSTEM32\o0lu0a~1.dll Thu Feb 3 2005 5:11:36p ..S.R 231,189 225.77 K
C:\WINDOWS\SYSTEM32\r46u0e~1.dll Thu Feb 3 2005 1:15:02p ..S.R 230,991 225.57 K
________________________________________________
1,272 items found: 1,272 files (3 H/S), 0 directories.
Total of file sizes: 237,433,624 bytes 226.43 M
Administrator Account = True
--------------------End log---------------------

THANKS CRUNCHIE!!!!

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Crunchie:

Did what you had asked (and also did some other things last night).
Last nite - enabled system restore boot. Went in this morning and erased EVERYTHING that had a creation date of 2/03/05 (date of infection). Erased hosts file as well. Did an extra search and finally found gurard.tmp - erased that one too!

Downloaded file as requested, attached are logs from L2Mfix and HJT. By the by - recycle bin now shows files.

Thanks
agavzy

__________________________________________________________
L2Mfix 1.02a

Running From:
C:\Documents and Settings\GavzyA\Desktop\l2mfix


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url="http://www.heysoft.de"]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url="http://www.heysoft.de"]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
 - adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url="http://www.heysoft.de"]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    Everyone
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\GavzyA\Desktop\l2mfix 
System Rebooted! 

Running From:
C:\Documents and Settings\GavzyA\Desktop\l2mfix

killing explorer and rundll32.exe 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email="Craig.Peacock@beyondlogic.org"]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Killing PID 1096 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email="Craig.Peacock@beyondlogic.org"]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1476 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed 

Second Pass Scanning 

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dykquoui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izetppui.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\dykquoui.dll  
Successfully Deleted: C:\WINDOWS\system32\dykquoui.dll
deleting: C:\WINDOWS\system32\izetppui.dll  
Successfully Deleted: C:\WINDOWS\system32\izetppui.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
  adding: dykquoui.dll (200 bytes security) (deflated 4%)
  adding: izetppui.dll (200 bytes security) (deflated 5%)
  adding: clear.reg (200 bytes security) (deflated 46%)
  adding: echo.reg (200 bytes security) (deflated 8%)
  adding: desktop.ini (200 bytes security) (deflated 13%)
  adding: direct.txt (200 bytes security) (stored 0%)
  adding: lo2.txt (200 bytes security) (deflated 74%)
  adding: readme.txt (200 bytes security) (deflated 49%)
  adding: test.txt (200 bytes security) (deflated 36%)
  adding: test2.txt (200 bytes security) (deflated 27%)
  adding: test3.txt (200 bytes security) (deflated 27%)
  adding: test5.txt (200 bytes security) (deflated 27%)
  adding: xfind.txt (200 bytes security) (deflated 31%)
  adding: backregs/1E35D77C-450F-45DC-AAC8-6812C14F93EA.reg (200 bytes security) (deflated 70%)
  adding: backregs/68BC2DCF-74EF-497A-A903-FF508BB7EBDD.reg (200 bytes security) (deflated 70%)
  adding: backregs/6981F636-98BA-496D-8259-AD0B8651D71B.reg (200 bytes security) (deflated 70%)
  adding: backregs/shell.reg (200 bytes security) (deflated 73%)

Restoring Registry Permissions: 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url="http://www.heysoft.de"]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url="http://www.heysoft.de"]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Read         BUILTIN\Power Users
(ID-IO) ALLOW  Read         BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER

Restoring Sedebugprivilege:

 Granting SeDebugPrivilege to Administrators   ... successful

deleting local copy: dykquoui.dll   
deleting local copy: izetppui.dll   

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SecuRemote_UnInstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6jslg1716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\dykquoui.dll 
C:\WINDOWS\system32\izetppui.dll 

Registry Entries that were Deleted: 
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1E35D77C-450F-45DC-AAC8-6812C14F93EA}"=-
"{68BC2DCF-74EF-497A-A903-FF508BB7EBDD}"=-
"{6981F636-98BA-496D-8259-AD0B8651D71B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{1E35D77C-450F-45DC-AAC8-6812C14F93EA}]
[-HKEY_CLASSES_ROOT\CLSID\{68BC2DCF-74EF-497A-A903-FF508BB7EBDD}]
[-HKEY_CLASSES_ROOT\CLSID\{6981F636-98BA-496D-8259-AD0B8651D71B}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1D835F6F-CC2F-4717-91B7-25039AF29AC1}"=-
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{1D835F6F-CC2F-4717-91B7-25039AF29AC1}</IDone>
<IDtwo>DS4</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

____________________________________________________________
Logfile of HijackThis v1.99.0
Scan saved at 9:04:44 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wiwqww.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O16 - DPF: Sametime Meeting Room Client ST31 - [url="http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab"]http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab[/url]
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url="http://www.ipix.com/download/ipixx.cab"]http://www.ipix.com/download/ipixx.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url="http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab"]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - [url="http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab"]http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab[/url]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [url="https://cognos.webex.com/client/v_r14sp7ep2/webex/ieatgpc.cab"]https://cognos.webex.com/client/v_r14sp7ep2/webex/ieatgpc.cab[/url]
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - [url="http://fdl.msn.com/zone/datafiles/heartbeat.cab"]http://fdl.msn.com/zone/datafiles/heartbeat.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
wiwqww.exe

Go to C:\WINDOWS\System32 and delete that file manually.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Process killed and deleted. File downloaded and run - here's the log:

By the way - why is it that when you have 'spyware' on your pc, the pop-ups you get are for spyware cleaners? Makes you wonder who put them there in the first place.

Really, though, do you know of a dowload manager that does not come with spy-adware? Curious to see if one exists.

Anyway - here's the log:

"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sametime Connect" = ""C:\Program Files\Lotus\Sametime Client\Connect.exe"" ["Lotus Development Corporation"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS]
"BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."]
"TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"TPKMAPHELPER" = "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper" ["IBM Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.0\THGuard.exe"" ["Mischel Internet Security"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Narrator" = "C:\WINDOWS\System32\wiwqww.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"1a5fd708-03a9-4db5-a1ad-a7054fd32123\(Default)" = (no title provided)
                                     \StubPath   = "C:\WINDOWS\System32\hzhxhh.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.0\contmenu.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "SecuRemote_UnInstall\DLLName" = "C:\WINDOWS\system32\k6jslg1716.dll" [file not found]
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0
DisplayName = "Workstation Policy"
\0 -> launches: "[url="file://\ent.ad.cognos.comsysvolent.ad.cognos.comPolicies{0AB3DEBB-53D0-495F-B9A1-E8F73DA8E3AA}MachineScriptsStartupWrksta_Start.cmd"]\\ent.ad.cognos.com\sysvol\ent.ad.cognos.com\Policies\{0AB3DEBB-53D0-495F-B9A1-E8F73DA8E3AA}\Machine\Scripts\Startup\Wrksta_Start.cmd[/url]" [file not found]

Startup items in "GavzyA" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\GavzyA\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"huhfhh.exe" [null data]
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\WINDOWS\Temp\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"" ["Network Associates, Inc."]
Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\System32\ibmpmsvc.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe"" ["Network Associates, Inc."]
PatchLink Update, PatchLink Update, "C:\Program Files\Patchlink\Update Agent\GravitixService.exe" ["Patchlink Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

I'm looking at the file and it seems to indicate that wiwqww is still there, I've checked, its not.

Also, should I be questioning the existance of hzhxhh.exe as well?
As always - thanks Crunchie

agavzy

Also - found this file when I did a search for wiwqww:

WIWQWW.EXE-0CBA861F.pf under the c:\windows\prefetch subdirectory - what the blue blazes is a prefetch?

Looks like you have/had the qoologic trojan.

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Crunchie -

Downloaded and ran as instructed. Qoologic.bat only created one file: log.txt:
+++++++++++++++++++++++++++++++++++++++++++++++++++++
C:\Documents and Settings\GavzyA\Desktop
+++++++++++++++++++++++++++++++++++++++++++++++++++++

Find.bat created a series of files, however none were called 'output.txt'. All are listed here:

Guard.txt:
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 6081-B894
Directory of C:\WINDOWS\System32

Header.txt:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\GavzyA\Desktop

Hidden.txt
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 6081-B894
Directory of C:\WINDOWS\System32
02/04/2005 03:13 AM <DIR> vmss
02/03/2005 01:21 PM <DIR> dllcache
02/01/2005 05:24 PM <DIR> GroupPolicy
12/15/2004 11:35 AM 1,020 Rydo84k.lat
12/05/2004 12:57 PM 7,305 sikhu.dat
12/04/2004 03:09 AM 7,305 tarvv.log
12/02/2004 09:25 PM 7,305 phzwr.log
12/02/2004 07:18 AM 7,305 opdkc.log
12/02/2004 04:00 AM 3,347 aikgn.log
11/24/2004 03:30 PM 7,305 knhie.dat
11/20/2004 11:51 PM 7,305 kkjps.txt
11/17/2004 03:25 AM 3,347 axlec.txt
12/15/2003 12:59 PM 488 logonui.exe.manifest
12/15/2003 12:59 PM 488 WindowsLogon.manifest
12/15/2003 12:59 PM 749 cdplayer.exe.manifest
12/15/2003 12:59 PM 749 wuaucpl.cpl.manifest
12/15/2003 12:59 PM 749 ncpa.cpl.manifest
12/15/2003 12:59 PM 749 nwc.cpl.manifest
12/15/2003 12:59 PM 749 sapi.cpl.manifest
16 File(s) 56,265 bytes
3 Dir(s) 47,041,380,352 bytes free

Locate.txt:

------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------

Notify.txt:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SecuRemote_UnInstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k6jslg1716.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

System.txt:
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 6081-B894
Directory of C:\WINDOWS\System32
02/03/2005 01:21 PM <DIR> dllcache
12/15/2004 11:35 AM 1,020 Rydo84k.lat
12/05/2004 12:57 PM 7,305 sikhu.dat
12/04/2004 03:09 AM 7,305 tarvv.log
12/02/2004 09:25 PM 7,305 phzwr.log
12/02/2004 07:18 AM 7,305 opdkc.log
12/02/2004 04:00 AM 3,347 aikgn.log
11/24/2004 03:30 PM 7,305 knhie.dat
11/20/2004 11:51 PM 7,305 kkjps.txt
11/17/2004 03:25 AM 3,347 axlec.txt
12/15/2003 03:14 PM <DIR> Microsoft
9 File(s) 51,544 bytes
2 Dir(s) 47,041,384,448 bytes free

Temp.txt:
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 6081-B894
Directory of C:\WINDOWS\System32
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 1,239,057 bytes
0 Dir(s) 47,041,380,352 bytes free
------------------ User Agent ----------------

Useragent.txt:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------- Keys Under Notify -------------

That findit log does not look right. Appears to have been cut short. Do this in the meantime, then re-run Findit and post the log. It should only put one log out.

Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\System32\wiwqww.exe
C:\WINDOWS\System32\hzhxhh.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huhfhh.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

Have uploaded a reg fix for you to use once you have rebooted. Unzip the file to your desktop and double click to run it. When asked if you want to merge it with your registry, click yes.

Reboot and post another HJT log and a silent runners log, as well as the Find_it log.

EDIT. Have uploaded the output.txt log from my PC to show you what it should look like.

All done as requested, though the Find-it still created a number of output logs. I did look at the file and you're right, it doesn't look as if it completed - interesting. Also - when I went into my root directory to locate the findit subdirectory. I found a subdirectory called !Submit. Have no idea what this one is, but thought I would mention it.

In any event, here are the logs:

HJT - SilentRunner - FindIt(s)

Man - this one is a PAIN!!!!!!!!!!!!
agavzy
Logfile of HijackThis v1.99.0
Scan saved at 11:10:04 AM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wiwqww.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O16 - DPF: Sametime Meeting Room Client ST31 - [url="http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab"]http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab[/url]
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url="http://www.ipix.com/download/ipixx.cab"]http://www.ipix.com/download/ipixx.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url="http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab"]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - [url="http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab"]http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab[/url]
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - [url="https://cognos.webex.com/client/v_r14sp7ep2/webex/ieatgpc.cab"]https://cognos.webex.com/client/v_r14sp7ep2/webex/ieatgpc.cab[/url]
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - [url="http://fdl.msn.com/zone/datafiles/heartbeat.cab"]http://fdl.msn.com/zone/datafiles/heartbeat.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++
"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sametime Connect" = ""C:\Program Files\Lotus\Sametime Client\Connect.exe"" ["Lotus Development Corporation"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS]
"BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."]
"TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"TPKMAPHELPER" = "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper" ["IBM Corp."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.0\THGuard.exe"" ["Mischel Internet Security"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Narrator" = "C:\WINDOWS\System32\wiwqww.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"1a5fd708-03a9-4db5-a1ad-a7054fd32123\(Default)" = (no title provided)
                                     \StubPath   = "C:\WINDOWS\System32\hzhxhh.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\TEMP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.0\contmenu.dll" [null data]
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0
DisplayName = "Workstation Policy"
\0 -> launches: "[url="file://\ent.ad.cognos.comsysvolent.ad.cognos.comPolicies{0AB3DEBB-53D0-495F-B9A1-E8F73DA8E3AA}MachineScriptsStartupWrksta_Start.cmd"]\\ent.ad.cognos.com\sysvol\ent.ad.cognos.com\Policies\{0AB3DEBB-53D0-495F-B9A1-E8F73DA8E3AA}\Machine\Scripts\Startup\Wrksta_Start.cmd[/url]" [file not found]

Startup items in "GavzyA" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\GavzyA\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\WINDOWS\Temp\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"" ["Network Associates, Inc."]
Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\System32\ibmpmsvc.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe"" ["Network Associates, Inc."]
PatchLink Update, PatchLink Update, "C:\Program Files\Patchlink\Update Agent\GravitixService.exe" ["Patchlink Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
+++++++++++++++++++++++++++++++++++++++++++++++++++
Guard:
 ------------ Files Named "Guard" ---------------
 Volume in drive C has no label.
 Volume Serial Number is 6081-B894
 Directory of C:\WINDOWS\System32

Header:
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\GavzyA\Desktop

Hidden:
 ------- Hidden Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 6081-B894
 Directory of C:\WINDOWS\System32
02/04/2005  03:13 AM    <DIR>          vmss
02/03/2005  01:21 PM    <DIR>          dllcache
02/01/2005  05:24 PM    <DIR>          GroupPolicy
12/15/2004  11:35 AM             1,020 Rydo84k.lat
12/05/2004  12:57 PM             7,305 sikhu.dat
12/04/2004  03:09 AM             7,305 tarvv.log
12/02/2004  09:25 PM             7,305 phzwr.log
12/02/2004  07:18 AM             7,305 opdkc.log
12/02/2004  04:00 AM             3,347 aikgn.log
11/24/2004  03:30 PM             7,305 knhie.dat
11/20/2004  11:51 PM             7,305 kkjps.txt
11/17/2004  03:25 AM             3,347 axlec.txt
12/15/2003  12:59 PM               488 logonui.exe.manifest
12/15/2003  12:59 PM               488 WindowsLogon.manifest
12/15/2003  12:59 PM               749 cdplayer.exe.manifest
12/15/2003  12:59 PM               749 wuaucpl.cpl.manifest
12/15/2003  12:59 PM               749 ncpa.cpl.manifest
12/15/2003  12:59 PM               749 nwc.cpl.manifest
12/15/2003  12:59 PM               749 sapi.cpl.manifest
              16 File(s)         56,265 bytes
               3 Dir(s)  47,038,812,160 bytes free

Locate:

 ------------- Locate.com Results -------------
 -------- Strings.exe Qoologic Results --------

Notify:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

System:
 ------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 6081-B894
 Directory of C:\WINDOWS\System32
02/03/2005  01:21 PM    <DIR>          dllcache
12/15/2004  11:35 AM             1,020 Rydo84k.lat
12/05/2004  12:57 PM             7,305 sikhu.dat
12/04/2004  03:09 AM             7,305 tarvv.log
12/02/2004  09:25 PM             7,305 phzwr.log
12/02/2004  07:18 AM             7,305 opdkc.log
12/02/2004  04:00 AM             3,347 aikgn.log
11/24/2004  03:30 PM             7,305 knhie.dat
11/20/2004  11:51 PM             7,305 kkjps.txt
11/17/2004  03:25 AM             3,347 axlec.txt
12/15/2003  03:14 PM    <DIR>          Microsoft
               9 File(s)         51,544 bytes
               2 Dir(s)  47,038,816,256 bytes free

Temp:
 ------ Temp Files in System32 Directory ------
 Volume in drive C has no label.
 Volume Serial Number is 6081-B894
 Directory of C:\WINDOWS\System32
08/03/2004  11:56 PM         1,236,480 msxml3.dll.tmp
08/29/2002  07:00 AM             2,577 CONFIG.TMP
               2 File(s)      1,239,057 bytes
               0 Dir(s)  47,038,812,160 bytes free
 ------------------ User Agent ----------------

Useragent:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 ------------- Keys Under Notify -------------

Will run the FindIt lines 1 at a time if you think it would help under the ms-dos window - no problem - let me know if you think it would help

Off for the next few hours
agavzy

Will run the FindIt lines 1 at a time if you think it would help under the ms-dos window - no problem - let me know if you think it would help

I know nothing of Dos, so I am no help to you there. If you think you can get better results that way though, by all means, try it :).

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
wiwqww.exe

Please download The Killbox from here: http://www.computercops.biz/zx/phoenix22/KillBox.zip

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following on at a time:

C:\WINDOWS\System32\wiwqww.exe
C:\WINDOWS\System32\hzhxhh.exe

Place a ckeck in the "End Explorer.exe when killing file" box and hit the "kill file" button. Repeat for both files.

Reboot and check again for those files. If they are still there, try again in safe mode.

Crunchie:

Here's the deal:
I go in an kill all running tasks that include wiwqww, hzhxhh and huhfhh.
I then delete all of these files and the eoesee.dll. I then run adaware se and everything is clean.

I wait a few minutes and: eoesee.dll has returned to system32 as has wiwqww. In addition, a subdirectory - c:\!submit has appeared and it contains both the wiwqww and eoesee. I go into safe mode and kill everything again, reboot into xp and its back.

Adaware se indicates that CoolWebSearch is present due to the eoesee.dll
It also indicates that VX2 is present due to registry keys and wiwqww. I downloaded the vx2 add-on from lava-soft, but it didn't delete anything.

There must be another file in there someplace that is causing all of this, but I can't seem to find it. Is there anyway to prevent the system from executing a command without telling me that it is doing so?

Okay - May have found the culprit but am running some tests to find out. Seems that one of the anti-spyware apps on the next looked at everything running in memory and tells you who created it, if it thinks its malware, etc. Said that wiwqww was being run from a program - get this - called HiJackTHis v1.98 !!! Looked at my ad/remove programs under control panel and it was in there (how did that happen?) Removed it and am running some tests to see what the story is - will let you know what I find out. Will also supply name and link to program if this works - Keep your eyes crossed!

Weird. isubmit is created by the killbox :). Keep us posted.

Okay - what a nightmare thisone has been.

Finally got a copy off of the MS website of a product called Microsoft-AntiSpyware. I ran it first, then ran the SE addition of AdAware.

Antispyware fopund a number of items and got rid of them - it then STAYS RESIDENT. When I was running AdAware, the Antispyware put up a message indicating that the VX2 was trying to reload itself and asked if I wanted to allow it to do so! What - are they kidding! Told it no way, it removed the last vestiges and then indicated that it needed to reboot. I let AdAware complete and then reboted. Seem to be clean at this point. Good program - go check it out.

Aslo - another hidden gem in HJT v1.99. Go to the config key on the lower right, then go to misc tools (top right) and finally select "open Process Manager". Gives the same info you would get if you hit ctrl-alt-del and asked for the processes under the task manager. Here's the hidden bonus - on the top right of the screen is a checkmark for "Show DLLs". Check the box and the screen splits in half. When you select a process in the top half of the window, you get to see what DLLs it is running in the bottom half! GREAT way to see what nast is running the dll you are trying to get rid of!

In any event - this one is closed
Thanks for the help
agavzy:cheesy:

Glad you got it sorted :D.