Have been lurking for some time trying to clean up some garbage on my comp, so if I do something stupid in the post, please correct me. Prior to running this HJT log, I ran Norton AV, AdAware (updated) and Spybot. I think I've cleared most of the garbage but need some help to confirm. The major problem I'm having right now is that ZoneAlarm doesn't seem to want to load at startup anymore, nor can I seem to open it once booted up (nor can I open Norton AV). Any advice? Here is the log:

Logfile of HijackThis v1.97.5
Scan saved at 6:52:22 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\Palm\HOTSYNC.EXE
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/102b0c206c0f1f914e16/netzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks in advance for any help!

Brad


Many of these malicious programs attempt to either corrupt or shut down your anti-virus programs. Once you've cleaned the crap out of your system, you might find that you'll have to actually reinstall your AV proggies.

I have to log off now so I can't follow up on your HJT log. Hopefully one of our HJT experts will pick up on this. In the mean time, definitely uninstall that PartyPoker gunk if possible; it's part of your problem.

Also, you need to read this article; you aren't running HJT from a proper folder, and it doesn't look like you've closed your browser either. You need to do both.

I re-downloaded HJT into a folder (not the desktop) and reran the log with all programs and browser windows shut down. If something still isn't right, then I guess I just don't get it.

Prior to running HJT again, I re-ran Adaware and Spybot and then ran the online AV scan from TrendMicro and Panda (after removing my other AV proggie). Both found infected files - TM said that it either couldn't clean or find one of them. It is a winkey.dll file located in the System32 folder and was infected with BKDR PRORAT.13 virus.

The new problem I'm having today is that I keep losing my Internet connection after every few minutes, and can only get it back by restarting my computer. At this point, I'm beginning to think I may have to start fresh, which I'd hate to do. At any rate, here is the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 3:34:30 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\Palm\HOTSYNC.EXE
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Brad\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/102b0c206c0f1f914e16/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for any help/advice.

Have HJT fix these:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/102b0c206c0f1f...tzip/RdxIE2.cab


Reboot, and delete the C:\WINDOWS\system32\fservice.exe file.

Check your C:\Windows\system.ini file. If the Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe entry exists, edit the entry to read only: Shell=Explorer.exe and save the file.
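The F0/F2 entries above and the system.ini check describe the same indicator: a Shell= value that loads something in addition to Explorer.exe. The following is an added example, not code from the thread or from HijackThis, that automates that check offline. It parses HJT-style F0/F2 lines and the [boot] section of a system.ini text, and flags every executable in the Shell value other than Explorer.exe. The function names and the sample inputs are the author's own constructions (the sample lines copy the entries posted in this thread); on a live NT-family system the F2 entry reflects the Winlogon Shell registry value rather than the file, so `shell_extras` is written to accept that value as a plain string too.

```python
import re

# Constructed sample: the two F-entries from the posted HJT log plus one benign O4 line.
SAMPLE_HJT_LINES = [
    "F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\system32\\fservice.exe",
    "F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\system32\\fservice.exe",
    "O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe",
]

# Constructed system.ini without any [boot] section (like the one posted later in the thread).
SAMPLE_SYSTEM_INI_CLEAN = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
"""

# Constructed system.ini with the tampered Shell line that HJT reports as F0.
SAMPLE_SYSTEM_INI_TAMPERED = """[boot]
shell=Explorer.exe C:\\WINDOWS\\system32\\fservice.exe
[drivers]
wave=mmdrv.dll
"""

EXPECTED_SHELL = "explorer.exe"
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)
HJT_F_RE = re.compile(r"^F[02] - (?:REG:)?system\.ini: Shell=(.*)$")


def shell_extras(value):
    """Return every executable named in a Shell= value other than Explorer.exe.

    Quoted paths containing spaces are kept as one token; quotes are stripped.
    An empty list means the value is the expected clean 'Explorer.exe'.
    """
    tokens = re.findall(r'"[^"]+"|\S+', value)
    return [t.strip('"') for t in tokens if t.strip('"').lower() != EXPECTED_SHELL]


def check_hjt_log(lines):
    """Scan HJT log lines and return (line, extras) for each F0/F2 entry that
    loads something besides Explorer.exe."""
    findings = []
    for line in lines:
        m = HJT_F_RE.match(line.strip())
        if m:
            extras = shell_extras(m.group(1))
            if extras:
                findings.append((line.strip(), extras))
    return findings


def check_system_ini(text):
    """Return the Shell= value found under [boot] in a system.ini text,
    or None when the file has no such line (the case Brad reported)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = SHELL_RE.match(line)
        if m and section == "boot":
            return m.group(1)
    return None


if __name__ == "__main__":
    for line, extras in check_hjt_log(SAMPLE_HJT_LINES):
        print("suspicious:", line, "->", extras)
    for label, ini in (("clean", SAMPLE_SYSTEM_INI_CLEAN), ("tampered", SAMPLE_SYSTEM_INI_TAMPERED)):
        value = check_system_ini(ini)
        status = "no Shell line" if value is None else ("extras " + str(shell_extras(value)) if shell_extras(value) else "clean")
        print(f"system.ini ({label}): {status}")
```

Running this against the posted log flags both F0 and F2 with `C:\WINDOWS\system32\fservice.exe` as the extra payload, and against the posted system.ini it returns `None`, which is consistent with the file having no Shell line to edit; in that situation the remaining F2 entry points at the registry value rather than the file.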

Thanks for the continued help DMR. I had HJT fix the 6 items you specified, but this is where I ran into a problem. Rebooted and tried to do the next two steps. Now my Search function isn't working (which is what seems to be happening with everything -- use it once, then boom, not working any longer). Tried to find the fserver.exe file manually but could find no trace of it, then went to the system.ini file (opens in Notepad, correct?) and it made no mention of Shell= anything. I can paste the contents of that file here if that would be useful to you.

Tried to do these steps in both regular and safe mode, no success with either. Re-ran HJT before coming back here and the F0 and F2 things are still there (the other 4 are gone).

I'm assuming that this fserver file is hidden somehow...and is causing my problems. Any thoughts?

Empty the TIF (Temporary Internet Files)
To do so, use Control Panel > Internet Options (or right click the IE icon on the desktop and choose Properties).
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box

Yes. If the file is hidden, that should allow you to find (and delete) it.

Thanks crunchie and DMR - deleted the temp files as you reco'd and restarted into Safe mode after making the View files changes. Found the fservice.exe file and tried to delete, but it kept replicating itself after I would delete it. Did some searching around and found two other files that looked like the same thing (were created on the same day/time):

C:\Windows - services.exe
C:\Windows\System - sservice.exe

The sservice file would also replicate itself, the services.exe file wouldn't delete ("Cannot delete file. Access is denied...").

Any thoughts on how I can delete these? Since I never was able to make changes to my system.ini file as DMR recommended earlier, I figured I'd show you that file to see if you can notice anything wrong there:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[CineMac]
previousProjectorProcessID=2404

Thanks again for the help!

Read up on Symantec's description of this trojan infection; it sounds like it applies to you.

DMR, that link sounds exactly like the problem I've been having. Unfortunately I travel for business all the time and have been away from my home PC. Will hopefully fix it this weekend. My thanks for all of the help!

You're welcome. :)

Good luck; let us know whether that was the problem or not.

Well, I was finally able to find some time to continue working on the problem and was able to remove all those nasty files using the info from Symantec.

Unfortunately, getting rid of those files hasn't corrected some of the problems I developed with IE and a few other programs. For example:

1. IE still "locks up" after about 10-15 minutes and returns the "page cannot be displayed" message.

2. Windows Media Player now doesn't work

3. Certain websites won't load even when IE is working (i.e. ESPN, the activescan on pandasoftware.com)

At this point, I might start a thread on the IE forum, but wanted to mention this here to see if anyone had any thoughts. It's certainly possible that I accidentally deleted something important while trying to clean up that trojan during all this, so maybe I need to reinstall? Are there any utilities that exist that can scan for missing files/components or whatever?
