Spyware infection or what - is all hope lost? Check my hijackthis log please!

Discussion in 'Computer Support' started by Mike_B, Nov 21, 2004.

  1. Mike_B

    Mike_B Guest

    Running Win98SE with up to date Norton Antivirus and Zone Alarm. Despite
    this I got CoolWebSearch crap somehow.
    I thought I'd cleared it all out using Ad-Aware, Spybot S&D, X-Cleaner,
    CWShredder (yes it took them all!) but now my comp is going slower and
    slower. Zone Alarm keeps telling me every few minutes that WUCRTUPD.EXE and
    WULOADER.EXE want to connect. Norton registry tracker tells me that
    C:\Windows\SchedLog.txt is being changed by C:\Windows\System\MSGSRVR32.exe
    every 5 minutes. This file, MSGSRVR32.exe, is dated 23/04/99 so it seems to
    have been on my system since purchase.

    The file Schedlog.txt is full of entries like this:
    "Windows Critical Update Notification.job" (WUCRTUPD.EXE)
    Started 21/11/04 21:37:01
    "Windows Critical Update Notification.job" (WUCRTUPD.EXE)
    Finished 21/11/04 21:37:08
    Result: The task completed with an exit code of (0).
    Is all this normal? It seems very frequent.

    Finally for those of you who understand these things here is my Hijackthis
    log. Means shit-all to me!

    Logfile of HijackThis v1.98.2
    Scan saved at 22:30:06, on 21/11/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\PROGRAM FILES\HANDSPRING\HOTSYNC.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\REGTRK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program
    Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
    Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec
    Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton
    Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
    Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec
    Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
    Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton
    SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton
    SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program
    Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [TrueVector]
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunOnce: [Setup] "C:\Program Files\Norton SystemWorks\Norton
    CleanSweep\csinsm32.exe" -s "C:\Program Files\Norton SystemWorks\Norton
    CleanSweep\IM013320.CIL" "C:\PROGRAM FILES\JASC SOFTWARE INC\SETUP
    FILES\PAINT SHOP PRO 7 TRY AND BUY\SETUP.EXE" /t"C:\PROGRAM FILES\JASC
    SOFTWARE INC\SETUP FILES\PAINT SHOP PRO 7 TRY AND BUY" /m"Paint Shop Pro 7
    Try And Buy.msi" /v""
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program
    Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HotSync.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Norton Registry Tracker.LNK = C:\Program Files\Norton
    SystemWorks\Norton Utilities\REGTRK.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -
    http://sc.communities.msn.com/controls/chat/msnchat45.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
    Class) -
    http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
    Mike_B, Nov 21, 2004
    #1
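
Entries in the log as posted are wrapped across lines, which makes it awkward to search for the executables ZoneAlarm reported. The following is an added example, not part of the thread: it rejoins wrapped entries, splits the O4 autostart lines into location, value name and command, and lists where a given file name appears. The function names and the embedded sample (a few entries copied from the log above) are constructed for illustration.

```python
import re

# Constructed sample: a few entries taken from the log above, wrapped as posted.
SAMPLE = r"""
Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R0 - ...", "O16 - ..."
O4 = re.compile(r"^(?P<where>[^:\[]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")

def parse(log):
    """Return (running processes, [(code, text)]) with wrapped lines rejoined."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append([m.group(1), m.group(2)])
        elif line == "Running processes:":
            in_procs = True
        elif line and in_procs:
            processes.append(line)
        elif line and entries:
            # Continuation of a wrapped entry; assumes the wrap fell on a space.
            entries[-1][1] += " " + line
    return processes, [tuple(e) for e in entries]

def autoruns(entries):
    """Split O4 entries into (location, value name or None, command)."""
    found = (O4.match(text) for code, text in entries if code == "O4")
    return [(m["where"], m["name"], m["cmd"]) for m in found if m]

def references(log, exe):
    """Entries and running processes naming the file `exe`, case-insensitively."""
    processes, entries = parse(log)
    exe = exe.lower()
    hits = [(c, t) for c, t in entries if exe in t.lower()]
    running = [p for p in processes if p.lower().endswith("\\" + exe)]
    return hits, running

if __name__ == "__main__":
    for name in ("wucrtupd.exe", "wuloader.exe", "mstask.exe"):
        print(name, references(SAMPLE, name))
```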

  2. Mike_B

    °Mike° Guest

    Have HijackThis fix the above.

    Have HijackThis fix the above and DELETE the wucrtupd.exe
    file. Empty your recycle bin.

    Have HijackThis fix the above.
     
    °Mike°, Nov 21, 2004
    #2

  3. Mike_B

    Mike_B Guest

    Thanks Mike!
    Mike

    --
    Mike
    (reply address is anti-spammed but if you extract the digit you can email
    me)

    c:\windows\SYSTEM\wucrtupd.exe -startup
     
    Mike_B, Nov 21, 2004
    #3
  4. Mike_B

    °Mike° Guest

    You're welcome.


     
    °Mike°, Nov 21, 2004
    #4