Possible CWS.HomeSearch, stray BHO and DPF entries

  1. #1
    leafo is offline Newbie

    Possible CWS.HomeSearch, stray BHO and DPF entries

    I was using IE for a bit, and with my luck I got hit with a massive invasion, and because I normally use Firefox, my IE was not prepared. Tons of ActiveX controls went off, and I got a handful of spyware. TeaTimer alerted me to most of it and I have almost completely cleared it out except for a few remaining problems.

    Quote Originally Posted by Hijack Log
    Logfile of HijackThis v1.99.0
    Scan saved at 2:01:49 AM, on 1/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\tg\Desktop\mbprobe\MBProbe.exe
    D:\WhatPulse\WhatPulse.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\tg\Desktop\hijackthis\hijackthis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MBprobe.exe] C:\Documents and Settings\tg\Desktop\mbprobe\MBProbe.exe
    O4 - HKCU\..\Run: [WhatPulse] D:\WhatPulse\WhatPulse.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0897D2D-FC58-424F-B1F6-A43FD75590C2}: NameServer = 167.206.3.228,167.206.3.227
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    First problem (highlighted in red) are these stray BHO and DPF files that automatically appear every time I boot after deleting them. Everything else in the log I recognize to be valid processes. I was just reading about the BHO exploit, I'm not too sure about it but could this be it?

    Second problem is when I run a scan on CWShredder. The scan reports that CWS.HomeSearch has been found. I then attempt to run a fix, and the moment it gets to fixing homesearch, explorer.exe dies, then starts back up and the cwshredder program is closed along with any other open windows. If I rescan again the problem is still there.

    I'm looking through the getservice log and there are two things that are questionable. They are:

    SERVICE_NAME: Wintab32
    (null)
    TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\WINDOWS\System32\Wintab32.exe
    LOAD_ORDER_GROUP : Pointer Class
    TAG : 0
    DISPLAY_NAME : Wintab32
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem


    SERVICE_NAME: %AF夶À¨
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME :
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Security Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem
    That's all I have collected so far. If you need any more information just ask. Thank you for your help and time.


  2. #2
    Redler is offline Newbie
    I too have this problem. I have been scanning the Internet all day for a fix. Every time I think I have it fixed, it re-appears!! Very frustrating. Will monitor replies to your request for information.

    Help!

  3. #3
    owen is offline D-A-L Team Member (UK)
    Apparently WinTab32 is related to this:
    "wintab32.exe- Wintab Digitizer Services 32-bit Server App. LCS/Telegraphics Wintab Digitizer Services"

    Go to C:\Windows\Downloaded Program Files. You should then be able to delete the files related to the entries. You can check you are deleting the right file by right clicking, selecting Properties and next to the ID, check that the ID (looks like "{D27CDB6E-AE6D-11CF-96B8-444553540000}") matches the IDs of the obsolete entries in the log.

    To get rid of the obsolete O2 entries, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects in the Registry (go to Start > Run, type regedit and then hit Enter to access the Registry).

    Expand the Browser Helper Objects key and underneath will be more IDs. Right click the ones related to those in the log and click Delete.

    The "SERVICE_NAME: %AF夶À¨" entry from the GetActiveService's is related to a Home Search Spyware Infection. This is obsolete and you don't have an infection, so this is just a leftover entry. To remove it:

    Go to "Start" => "Run" and type in regedit and press "Enter"

    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%AF夶À¨.

    If %AF夶À¨ exists, right click on it and choose Delete from the menu.

    Now navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%AF夶À¨

    If LEGACY_%AF夶À¨ exists then right click on it and choose Delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control".
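    The three kinds of leftover entries owen walks through above (O2 BHO entries with no file, O16 DPF entries with a blank codebase, and a service with no binary path) can all be audited before anything is deleted. The script below is an added example, not part of the thread and not a HijackThis or CWShredder component; it assumes Windows PowerShell 5.1 or later run as administrator, reports only, and deletes nothing. The registry locations it reads are the ones HijackThis itself enumerates for O2, O16 and services.

```powershell
# Added example (not from the thread): report-only audit of orphaned BHO,
# DPF and service registry entries. Assumes Windows PowerShell 5.1+ as admin.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # Return the InprocServer32 DLL path registered for a CLSID, or $null.
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $server)) { return $null }
    $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    return $null
}

function Get-OrphanedBho {
    # HijackThis "O2 - BHO ... (no file)": a CLSID registered as a BHO whose
    # DLL no longer exists on disk, or that has no server registered at all.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $dll = Resolve-ClsidServer $key.PSChildName
        [pscustomobject]@{
            Type   = 'O2 BHO'
            Id     = $key.PSChildName
            Path   = $dll
            Orphan = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
        }
    }
}

function Get-OrphanedDpf {
    # HijackThis "O16 - DPF": Distribution Units for downloaded ActiveX
    # controls. No CODEBASE and no registered server means a leftover entry.
    $root = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $codebase = $null
        $info = Join-Path $key.PSPath 'DownloadInformation'
        if (Test-Path -LiteralPath $info) {
            $codebase = (Get-ItemProperty -LiteralPath $info).CODEBASE
        }
        $dll = Resolve-ClsidServer $key.PSChildName
        $shown = $codebase
        if (-not $shown) { $shown = $dll }
        [pscustomobject]@{
            Type   = 'O16 DPF'
            Id     = $key.PSChildName
            Path   = $shown
            Orphan = (-not $codebase) -and ((-not $dll) -or (-not (Test-Path -LiteralPath $dll)))
        }
    }
}

function Get-SuspiciousService {
    # Win32 services (Type 0x10 or 0x20) set to auto-start (Start = 2) that
    # have no ImagePath, like the "Network Security Service" entry above.
    # Drivers are skipped: a missing ImagePath is normal for them.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $isWin32 = ([int]$p.Type -band 0x30) -ne 0
        if ($isWin32 -and [int]$p.Start -eq 2 -and -not $p.ImagePath) {
            [pscustomobject]@{
                Type   = 'Service'
                Id     = $key.PSChildName
                Path   = $p.DisplayName
                Orphan = $true
            }
        }
    }
}

# Collect everything and show only the entries that look orphaned.
$report = @(Get-OrphanedBho) + @(Get-OrphanedDpf) + @(Get-SuspiciousService)
$report | Where-Object { $_.Orphan } | Format-Table -AutoSize
```

    Run it once before and once after the manual registry clean-up described above: an entry that disappears from the report and then returns on the next boot points at something else re-creating it, which is the situation the original poster describes.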

  4. #4
    owen is offline D-A-L Team Member (UK)
    Redler, if you want help, I suggest you start your own thread, instead of posting in another user's.

  5. #5
    leafo is offline Newbie
    First off, removing the service worked fine, thank you.

    The other entries still came back though. Just a quick note though. Going to the Downloaded Program Files did not work, this is because they are blank values so their programs do not exist anymore. I did find their values in the registry through search and deleted them manually. Then I deleted the O16s like you said. Neither provided success. HijackThis does the same exact thing when you fix. My only guess is that a dll is being loaded and trying to start these programs but they don't exist anymore (hence the blank entries?)

    I checked rundll32.exe for what it's executing. Here are the results. I see lots of things that don't look legit. I'm looking up the files now. I'll post if I find anything. The only problem is that I don't know how to remove these from booting on load.

    Code:
    Image Name                   PID Modules                                      
    ========================= ====== =============================================
    rundll32.exe                 252 ntdll.dll, kernel32.dll, msvcrt.dll,         
                                     GDI32.dll, USER32.dll, ADVAPI32.dll,         
                                     RPCRT4.dll, IMAGEHLP.dll, IMM32.DLL,         
                                     LPK.DLL, USP10.dll, NvMcTray.dll,            
                                     SHELL32.dll, SHLWAPI.dll, COMCTL32.dll,      
                                     comctl32.dll, PSAPI.DLL, uxtheme.dll,        
                                     msctfime.ime, ole32.dll, MSCTF.dll
    Last edited by leafo; 04-01-2005 at 04:21 AM.

  6. #6
    leafo is offline Newbie
    I finished looking through all of those and LPK.DLL was the only bad one: http://research.pestpatrol.com/Searc...PVT=1353318519

    Only site I could find with info on it, but they label it as a trojan, but with a risk of 0.
    I'm going to delete it but I will need to do it from outside Windows, so I will do it later.

  7. #7
    owen is offline D-A-L Team Member (UK)
    LPK.DLL is legitimate, along with all the other loaded modules. Just leave the entries, it does not matter to be honest. They are just blank entries and it's not worth worrying about them.
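    The module list posted in #5 and the back-and-forth over LPK.DLL in #6 and #7 come down to one question: is each DLL loaded into rundll32.exe a Windows file with a valid signature? The script below is an added example, not from the thread; it assumes Windows PowerShell 5.1 or later run as administrator on a modern Windows host (the original poster's XP SP1 machine predates PowerShell), and it only reads process and signature information.

```powershell
# Added example (not from the thread): list the modules loaded by every
# rundll32.exe process, with the command line that started the process,
# whether the module lives under the Windows directory, and its Authenticode
# (or catalog) signature status. Assumes Windows PowerShell 5.1+ as admin.

function Get-RundllModuleReport {
    param([string]$ProcessName = 'rundll32')
    $windir = [Environment]::GetFolderPath('Windows')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # The command line shows which DLL and entry point rundll32 was asked
        # to run (e.g. NvMcTray.dll,NvTaskbarInit in the log above).
        $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
        foreach ($mod in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -LiteralPath $mod.FileName
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Pid         = $proc.Id
                Module      = $mod.ModuleName
                Path        = $mod.FileName
                InWindows   = $mod.FileName.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
                Signature   = $sig.Status
                Signer      = $signer
                CommandLine = $cmd
            }
        }
    }
}

# Show only modules that are outside the Windows directory or not validly
# signed; on a clean system with a vendor tray helper loaded (like the
# NVIDIA DLL in the log) that vendor's DLLs will be the only non-Microsoft hits.
Get-RundllModuleReport |
    Where-Object { -not $_.InWindows -or $_.Signature -ne 'Valid' } |
    Format-Table Pid, Module, Path, Signature, Signer -AutoSize
```

    A 64-bit PowerShell session cannot enumerate the modules of a 32-bit rundll32.exe (and vice versa), so run the matching bitness if a process shows no modules. A module that is unsigned and outside the Windows directory is what deserves a closer look; a signed system DLL such as LPK.DLL reported as Valid and signed by Microsoft is exactly the "legitimate" verdict given above.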

    One thing I do suggest, is upgrading to the latest Windows XP Service Pack from http://windowsupdate.microsoft.com. This could possibly fix the blank errors, but if it doesn't, not to worry. They are not dangerous, just obsolete.

    If they still bother you, I recommend trying a registry cleaning program. I personally use RegSupreme from www.macecraft.com. You can download a fully functional 30 day trial.

  8. #8
    leafo is offline Newbie
    Okay, thank you. I do run a registry cleaner quite often, and the one you posted I find the best.

    I do not plan on upgrading to SP2. I have read a lot of information about it and I find it useless. It's generally made for Outlook and IE users. They do claim a new security center but further reading proves it just provides easy access to settings that can already be handled. I am more satisfied with my 3rd party software for handling the tasks posted in SP2.

    Thank you anyway and that is all.

  9. #9
    owen is offline D-A-L Team Member (UK)
    It's not about the tasks SP2 does, I didn't upgrade to use Windows Firewall or the Security Center, I'll use my own, better than being built in, less vulnerable to exploit.

    But the fact is, SP2 is not just about enhancements, it also has a lot of very important security patches built into it. Regardless of whether you use IE or OE, they are bundled with and reside on your system, so therefore vulnerable to exploit, when not patched with the correct updates. Believe me, you will receive great problems in the future when vulnerabilities in SP1 are discovered, because Microsoft will not provide them, just tell you to upgrade to SP2. If they are anything like the Blaster worm which affected thousands and the Sasser Worm, then you'll be in a bit of a pickle. Once Microsoft has released an update for an Operating System like this, they turn a blind eye to the previous version in time and then advice is Upgrade.
