Hello, I have a problem with the following processes:
explorer.exe
dwwin.exe
drwtsn32.exe
I think they are infected or something, since dwwin.exe and drwtsn32.exe cause explorer.exe to crash.
Well, here's my HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 3:03:33 AM, on 7/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Telstra\Cable Login\bpcService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Naruto.Haruno\Desktop\Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [CAFIX] "C:\WINDOWS\system32\ZONELABS\cafix.exe" /IgnoreAll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.windowsupdate.com
O15 - Trusted Zone: http://z4.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0122791168083615) (0122791168083615mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NARUTO~1.HAR\LOCALS~1\Temp\012279~1.EXE
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Well, here's the story anyway:
I get this Zone Alarm message, a red pop-up saying:

SUSPICIOUS BEHAVIOR

Microsoft Application Error Reporting is trying to communicate with c:\windows\explorer.exe by opening a thread
Application: dwwin.exe
View Properties
Allow Deny

So I press Deny, then I get another message, not from Zone Alarm but a Windows one, saying:

Windows Explorer

Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.
Close

So I press Close, then I get another Zone Alarm message, a red pop-up saying:

SUSPICIOUS BEHAVIOR

Dr Watson Postmortem Debugger is trying to communicate with c:\windows\explorer.exe by opening its process (explorer.exe is already open; not a Zone Alarm message)

Application: drwtsn32.exe
View Properties
Allow Deny

So I press Deny, then my explorer just crashes (goes away; btw, it's the background, taskbar, etc.), then it re-opens, and at the same time it re-opens, I get the same first message:

SUSPICIOUS BEHAVIOR

Microsoft Application Error Reporting is trying to communicate with c:\windows\explorer.exe by opening a thread
Application: dwwin.exe
View Properties
Allow Deny

So this time I press Allow, then I get another message, not from Zone Alarm but a Windows one, saying:

Windows Explorer

Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

For more information about this error, click here.
Close
So I click "click here", then I get this message:

Windows Explorer

Error signature

AppName: explorer.exe AppVer: 6.0.2900.2180 ModName: comctl32.dll
ModVer: 6.0.2900.2982 Offset: 0006f38e

To view technical information about the error report, click here.
Close
So I click Close, then Close on the message before that, then I get the same second Zone Alarm message saying:

SUSPICIOUS BEHAVIOR

Microsoft Application Error Reporting is trying to communicate with c:\windows\explorer.exe by opening a thread
Application: dwwin.exe
View Properties
Allow Deny

So this time I press Allow, then I get another message, not from Zone Alarm but a Windows one, saying:

Windows Explorer

Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.
Close

So I press Close, then I get another Zone Alarm message, a red pop-up saying:

SUSPICIOUS BEHAVIOR

Dr Watson Postmortem Debugger is trying to communicate with c:\windows\explorer.exe by opening its process (explorer.exe is already open; not a Zone Alarm message)

Application: drwtsn32.exe
View Properties
Allow Deny

So this time I press Allow, then I get this message:

Windows Explorer

Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

For more information about this error, click here.
Close
So I click "click here", then I get this message:

DrWatson Postmortem Debugger

Error signature

EventType: BEX P1: drwtsn32.exe P2: 5.1.2600.0 P3: 3b7d84a2
P4: dbghelp.dll P5: 5.1.2600.2180 P6: 4110969a P7: 0001295d

To view technical information about the error report, click here.
Close
So I click Close, then Close on the other window, then I get a weird message from Zone Alarm saying:

SUSPICIOUS BEHAVIOR

Dr Watson Postmortem Debugger is trying to communicate with c:\windows\system32\drwtsn32.exe by opening its process

Application: drwtsn32.exe
View Properties
Allow Deny

Now I'm thinking, why would a program open itself?
So I press Allow, then it just lags until I go to Task Manager and end the drwtsn32.exe process.
So I re-do what I just said, then get to this part and press Deny, then explorer.exe crashes again, then the same thing over again.
So, I go to Task Manager (Ctrl + Alt + Del), then I go to Processes, then I end the explorer.exe process, and then press Deny to all the dwwin.exe and drwtsn32.exe alerts. Then there aren't any more alerts, but my explorer.exe is closed, so I re-open explorer.exe, and the alerts come back again.

Here are some pictures:

Here is my first alert from Zone Alarm about dwwin.exe:
http://img168.imageshack.us/img168/8017/dwwinexplorer1stzv7.jpg

Here is my alert from Windows Explorer after I click Deny:
http://img529.imageshack.us/img529/9337/explorer2ndbydwwinbe3.jpg

Here is my alert from Zone Alarm about drwtsn32.exe once I click Close:
http://img508.imageshack.us/img508/5287/drwtsn32explorer3rdsm6.jpg

Once I click Deny on that message, Windows crashes and re-opens, and a new alert from Zone Alarm about dwwin.exe comes up.

Here is my alert from Zone Alarm about dwwin.exe:
http://img168.imageshack.us/img168/8017/dwwinexplorer1stzv7.jpg

Here is my alert from Windows Explorer once I click Allow:
http://img171.imageshack.us/img171/6086/explorer4thallowdwwinze0.jpg

Here is my alert from Zone Alarm about drwtsn32.exe once I click Close:
http://img508.imageshack.us/img508/5287/drwtsn32explorer3rdsm6.jpg

Here is my alert from Windows Explorer once I click Allow:
http://img231.imageshack.us/img231/5787/explorer5thallowdrwtsn3fy8.jpg

Here is my alert from Zone Alarm once I click Close:
http://img172.imageshack.us/img172/2316/drwtsn32itselfcm7.jpg

Once I click Allow, my computer lags, so I go to Task Manager and I see two drwtsn32.exe, so I pressed End Process on one, and the other went away with it. Then, while drwtsn32.exe goes, so does explorer.exe; then explorer.exe re-opens, and I get another dwwin.exe Zone Alarm alert from the start.

Here is my alert from Zone Alarm about dwwin.exe:
http://img168.imageshack.us/img168/8017/dwwinexplorer1stzv7.jpg

Please help me, I can't get it away.
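As an added example (not part of the original post, and not HijackThis's own code), a small Python triage pass over entries copied from the log above, flagging the patterns a malware-removal helper reads first: orphaned "(no file)"/"(file missing)" entries, unnamed browser add-ons, binaries started from temporary or profile directories, and services with no publisher. It assumes only the HijackThis 1.99.1 line format shown in the log; a flag is a prompt to look, not a verdict.

```python
import re

# Sample input: entries copied from the HijackThis 1.99.1 log posted above
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: McAfee Application Installer Cleanup (0122791168083615) (0122791168083615mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NARUTO~1.HAR\LOCALS~1\Temp\012279~1.EXE
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")  # "O4 - <body>" -> ("O4", "<body>")
DEAD_MARKERS = ("(no file)", "(file missing)")    # registered component whose file is gone
# Persistence from a temporary or per-user profile location is worth a second look
TRANSIENT_DIRS = re.compile(r"\\(Temp|LOCALS~1|Temporary Internet Files)\\", re.IGNORECASE)


def triage_entry(line):
    """Return the reasons one log entry deserves a manual look ([] if none)."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return []  # header line, blank line or a "Running processes" path
    section, body = match.groups()
    reasons = []
    if any(marker in body for marker in DEAD_MARKERS):
        reasons.append("orphaned entry: registered component whose file is gone")
    if section in ("O2", "O3", "O9") and "(no name)" in body:
        reasons.append("unnamed browser add-on")
    if TRANSIENT_DIRS.search(body):
        reasons.append("binary runs from a temporary or profile directory")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher information")
    return reasons


def triage_log(text):
    """List the flagged entries in log order, each with its section, body and reasons."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            section, body = ENTRY_RE.match(line.strip()).groups()
            flagged.append({"section": section, "body": body, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["section"], "|", hit["body"][:60], "|", "; ".join(hit["reasons"]))
```

Run against the full log rather than the sample, the same pass leaves the ordinary Acer, Zone Labs and FlashGet entries untouched and surfaces only the handful of lines worth checking by hand.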
 