Slow Computer, Gliches, Help.

ampshock · October 7, 2005

Logfile of HijackThis v1.99.1

Scan saved at 3:06:18 PM, on 10/7/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\Program Files\ASUS\Ai Booster\OverClk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\winsupdater\winsupdater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ProSiteFinder\ProSiteFinder.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\Program Files\winupdates\winupdates.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Common Files\services.exe

C:\Program Files\Common Files\Windows\services32.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Common Files\Windows\services32.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Common Files\services.exe

C:\Program Files\ProSiteFinder\prositefinderh.exe

C:\Program Files\ProSiteFinder\ProSiteFinder.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Tyler.me\Desktop\tools\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83

O2 - BHO: (no name) - {00000000-0000-436A-B96F-84A0C2FA4969} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [] winlog.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe

O4 - HKLM\..\Run: [ProSiteFinder] "C:\Program Files\ProSiteFinder\ProSiteFinder.exe"

O4 - HKLM\..\Run: [aXRcE] C:\WINDOWS\xwwebhfa.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [KmeOkbvF5] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [KmeOkbvÃ¹ÃµÅ¡/â€šÂ²â€˜Ã†ÃŸfÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [ÃÂ³# Ã«"h'Ã¾9Ã“Å“W3rÃ…Â°WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [] winlog.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000137.exe

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000137.exe

O4 - HKCU\..\Run: [GoogleDCClient] C:\Program Files\GoogleDCC\GoogleDCC.exe -startup

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RAID Manager.lnk = ?

O4 - Global Startup: Sam.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

This is my first time doing a log, but here it is. My computer has been having gliches :wacko: and isnt very stable, I was wondering if yall could help.

Edited October 7, 2005 by ampshock

ampshock · October 7, 2005

And if I press Ctrl-Alt-Delete and click task manager it wont come up. It was working a few days ago.

tj416 · October 7, 2005

Hi ampshock,

Since HijackThis does not scan the entire system and only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you run a full system scan tool like an online virus scan, Ad-aware SE and Spybot S&D. I would like to START with those steps and finish the cleanup of strays or undetected items with HJT. I have provided instructions on how to run scans with a Online virus scanner, Ad-aware SE and Spybot S&D in this post.

1) Run one of these Online virus scanners:

2) Download, install, update and run a scan with Spybot S&D:

Download and Install Spybot S&D, accepting the Default Settings.
In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
Close ALL windows except Spybot S&D
Click the button to â€˜Search for Updatesâ€™ and then download and install all available Updates.
Next click the button â€˜Check for Problemsâ€™
When Spybot is complete, it will be showing â€˜REDâ€™ entries bold 'Black' entries and â€˜GREENâ€™ entries in the window.
Make certain there is a check mark beside all of the RED entries ONLY.
Choose â€˜Fix Selected Problemsâ€™ and allow Spybot to fix the RED entries.
REBOOT to complete the scan and clear memory.

3) Download, install, update, configure and run a scan with Ad-aware SE:

Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.
Close ALL windows except Ad-Aware SE.
Click on theâ€˜worldâ€™ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Once the update is finished click on the â€˜Gearâ€™ icon (second from the left at the top of the window) to access the preferences/settings window:
2. In the â€˜Generalâ€™ window make sure the following are selected in green:
  1. Under Safety:
    - Automatically save log-file
    - Automatically quarantine objects prior to removal
    - Safe Mode (always request confirmation)

[*]Under Definitions:

Prompt to update outdated definitions - set the number of days

[*]Click on the â€˜Scanningâ€™ button on the left and select in green :

Under Driver, Folders & Files:
- Scan Within Archives

[*]Under Select drives & folders to scan:

choose all hard drives

[*]Under Memory & Registry: all green

Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URLâ€™s
Scan my Hosts file

[*]Click on the â€˜Advancedâ€™ button on the left and select in green:

Under Shell Integration:
- Move deleted files to recycle bin

[*]Under Logfile Detail Level: (all green)

include addtional object information
DESELECT - include negligible objects information
include environment information

[*]Under Alternate Data Streams:

Don't log streams smaller than 0 bytes
Don't log ADS with the following names: CA_INOCULATEIT

[*]Click the â€˜Tweakâ€™ button and select in green:

Under â€˜Scanning Engineâ€™:
- Unload recognized processes during scanning
- Scan registry for all users instead of current user only

[*]Under â€˜Cleaning Engineâ€™:

Let Windows remove files in use at next reboot

[*]Under Log Files:

Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please do not check: Include Module list in logfile

[*]Click on â€˜Proceedâ€™ to save the settings.

[*]Click â€˜Startâ€™

[*]Choose 'Perform Full System Scan'

[*]DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

[*]Click â€˜Nextâ€™ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

[*]If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

[*]Save the log file when it asks and then click â€˜Finishâ€™

[*]REBOOT to complete the removal of what Ad-Aware SE found.

4) Prepare in your reply:

A fresh HijackThis log.

Edited October 7, 2005 by tj416

ampshock · October 8, 2005

Logfile of HijackThis v1.99.1

Scan saved at 1:45:21 PM, on 10/8/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\Program Files\ASUS\Ai Booster\OverClk.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Windows\services32.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Common Files\services.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\My Documents\tools\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [] winlog.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

O4 - HKLM\..\Run: [aXRcE] C:\WINDOWS\xwwebhfa.exe

O4 - HKLM\..\Run: [KmeOkbvF5] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [KmeOkbvÃ¹ÃµÅ¡/â€šÂ²â€˜Ã†ÃŸfÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [ÃÂ³# Ã«"h'Ã¾9Ã“Å“W3rÃ…Â°WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [] winlog.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe

O4 - HKCU\..\Run: [GoogleDCClient] C:\Program Files\GoogleDCC\GoogleDCC.exe -startup

O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RAID Manager.lnk = ?

O4 - Global Startup: Sam.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

Thanks for the clean out. I think it got rid of some junk. Here is the new one, I am able to use the task manager again. :thumbsup:

So, is it bad Doc?

Edited October 8, 2005 by ampshock

tj416 · October 9, 2005

Hi ampshock,

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Go to Add/Remove Programs and uninstall (if present):

winsupdater

winupdates

ISTsvc

DNS

Then, open HijackThis, run a scan and check these items:

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

O4 - HKLM\..\Run: [] winlog.exe

O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

O4 - HKLM\..\Run: [aXRcE] C:\WINDOWS\xwwebhfa.exe

O4 - HKLM\..\Run: [KmeOkbvF5] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [KmeOkbvÃ¹ÃµÅ¡/â€šÂ²â€˜Ã†ÃŸfÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [ÃÂ³# Ã«"h'Ã¾9Ã“Å“W3rÃ…Â°WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\RunServices: [] winlog.exe

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe

Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

Then, reboot in Safe mode. To reboot in Safe mode:

Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

You will need to configure Windows XP to show all files and folders.

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, delete these files:

C:\Program Files\Common Files\mc-58-12-0000140.exe

C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe

C:\Program Files\Common Files\Windows\services32.exe

C:\Program Files\Common Files\services.exe

C:\WINDOWS\xwwebhfa.exe

C:\WINDOWS\sudfpt.exe

Then, search for this file and delete it:

winlog.exe

Thesn, delete these folders:

C:\Program Files\winsupdater

C:\Program Files\winupdates

C:\Program Files\ISTsvc

C:\Program Files\DNS

Then, clean out temporary files:

Start | Run | type cleanmgr | OK
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.

Then, reboot (in the normal mode) and post a fresh log in this thread.

ampshock · October 9, 2005

Logfile of HijackThis v1.99.1

Scan saved at 6:25:18 PM, on 10/9/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ASUS\WLAN Card Utilities\Center.exe

C:\Program Files\ASUS\Ai Booster\OverClk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe