March 1st, 2005, 02:58 PM   #1
SunDizzle (Member)
Find It log and Hijack This Log (wayyyq.exe??)

All, I have this PC that is acting up, and I have tried to fix it, but it keeps coming back!!! I have deleted this wayyyq.exe repeatedly (in safe mode and not) and it keeps coming back!! I ran HijackThis and cleared up all the BHOs and such, but I still can't get rid of that damn file!!

Also, I am attaching the Find It log because I can't find a website out there that lists a tutorial for this product...

Thanks in advance.....


Find It Log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Chris Laubach\Desktop\FindIt_NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

03/01/2005 11:35 AM <DIR> dllcache
02/26/2005 07:27 AM 240,624 h9etcfo.exe
02/26/2005 07:26 AM 308,121 1hce61.sys
02/26/2005 07:26 AM 577,470 f6ytu1v.dll
02/26/2005 07:26 AM 182,665 uf2u3.exe
07/29/2003 01:31 PM <DIR> Microsoft
02/28/2003 07:51 PM 12,288 Thumbs.db
5 File(s) 1,321,168 bytes
2 Dir(s) 35,436,097,536 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

03/01/2005 11:35 AM <DIR> dllcache
02/26/2005 07:27 AM 240,624 h9etcfo.exe
02/26/2005 07:26 AM 308,121 1hce61.sys
02/26/2005 07:26 AM 577,470 f6ytu1v.dll
02/26/2005 07:26 AM 182,665 uf2u3.exe
07/29/2003 12:57 PM 488 WindowsLogon.manifest
07/29/2003 12:57 PM 488 logonui.exe.manifest
07/29/2003 12:57 PM 749 sapi.cpl.manifest
07/29/2003 12:57 PM 749 nwc.cpl.manifest
07/29/2003 12:57 PM 749 ncpa.cpl.manifest
07/29/2003 12:57 PM 749 cdplayer.exe.manifest
07/29/2003 12:57 PM 749 wuaucpl.cpl.manifest
02/28/2003 07:51 PM 12,288 Thumbs.db
12 File(s) 1,325,889 bytes
1 Dir(s) 35,436,093,440 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

08/29/2002 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 35,436,093,440 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
1hce61.sys Sat Feb 26 2005 7:26:30a ..SHR 308,121 300.90 K
f6ytu1v.dll Sat Feb 26 2005 7:26:30a ..SHR 577,470 563.93 K
h9etcfo.exe Sat Feb 26 2005 7:27:34a ..SHR 240,624 234.98 K
uf2u3.exe Sat Feb 26 2005 7:26:30a ..SHR 182,665 178.38 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,308,880 bytes 1.25 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\cugggi.dll: updates.qoologic.com
C:\WINDOWS\system32\erqqqs.dll: updates.qoologic.com
C:\WINDOWS\system32\hupppx.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\1hce61.sys: .aspack
C:\WINDOWS\system32\dqinstaller.exe: .aspack
C:\WINDOWS\system32\mirka2bb: .aspack
C:\WINDOWS\system32\mirka2e.exe: .aspack
C:\WINDOWS\system32\money2.exe: .aspack
C:\WINDOWS\system32\puqqqg.dat: .aspack
C:\WINDOWS\system32\uf2u3.exe: .aspack
C:\WINDOWS\system32\wayyyq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hgyyyf.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Narrator"="C:\\WINDOWS\\System32\\wayyyq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 1:38:11 PM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wayyyq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Chris Laubach\Application Data\Mozilla\Profiles\default\es3zh62u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris Laubach\Application Data\Mozilla\Profiles\default\es3zh62u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
__________________
Fill cups like Double D's!!
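
A triage pass over the Find It log format shown in the post above, as an added example that is not part of the original post or of the Find It tool: it cross-references the "HKLM Run Key" export against the "Strings.exe Aspack Results" list and reports autostart entries that point at ASPack-packed files. The function names, the embedded excerpt (taken from the log above with the forum's word-wrap spaces removed) and the Startup-folder path check are assumptions of this sketch; a packed file is a lead to investigate, not a verdict.

```python
import ntpath
import re

# Excerpt of the Find It log above, forum word-wrap spaces removed.
SAMPLE_LOG = r'''
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\wayyyq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hgyyyf.exe: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Narrator"="C:\\WINDOWS\\System32\\wayyyq.exe"
'''

SECTION = re.compile(r"^-{4,}\s*(.+?)\s*-{4,}\s*$")
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def split_sections(log):
    """Group non-blank lines under their '---- Title ----' header."""
    sections, name = {}, None
    for line in log.splitlines():
        m = SECTION.match(line)
        if m:
            name = m.group(1)
            sections[name] = []
        elif name and line.strip():
            sections[name].append(line.strip())
    return sections

def norm(path):
    # Case-insensitive Windows path key, surrounding quotes removed.
    return ntpath.normcase(path.strip().strip('"'))

def triage(log):
    """Return autostart entries whose target is an ASPack-packed file."""
    sec = split_sections(log)
    packed = {norm(ln.rsplit(":", 1)[0])
              for ln in sec.get("Strings.exe Aspack Results", []) if ln.endswith(": .aspack")}
    findings = []
    for line in sec.get("HKLM Run Key", []):
        m = REG_VALUE.match(line)
        if m:
            target = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            if norm(target) in packed:
                findings.append(("run-key", m.group(1), target))
    # Assumption: a "\Startup\" path component marks a Startup-folder autostart.
    findings += [("startup-folder", ntpath.basename(p), p)
                 for p in sorted(packed) if "\\startup\\" in p]
    return findings
```

On the excerpt, `triage(SAMPLE_LOG)` returns the `Narrator` Run value and the Startup-folder file `hgyyyf.exe`, the two autostart locations in the log that point at ASPack-packed files.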

March 1st, 2005, 03:48 PM   #2
SunDizzle (Member)
Anyone??? Please

March 1st, 2005, 07:41 PM   #3
SunDizzle (Member)
Hello???

March 2nd, 2005, 12:10 AM   #4
SunDizzle (Member)
You mean to tell me that no one has any clue what this is????

March 2nd, 2005, 03:29 AM   #5
Kuasimodem (Ultimate Member)
Rule number one when removing spyware/adware/malware from your computer...

Disable System Restore. Many of these programs hide installers in the restore files and reinstall themselves when you reboot.

1. Click Start, right click My Computer and select "Properties."
2. Click on the "System Restore" tab.
3. Click the box marked "Turn off System Restore" and click "Apply" then "OK".

Now run all the spyware and antivirus programs that you have to remove the garbage.

Reboot and run them again to make sure that the system is clean.

Once the computer is clean, you can follow the directions above again and uncheck the box marked "Shut off System Restore."
__________________
What did a tornado sound like before freight trains were invented?

March 2nd, 2005, 12:05 PM   #6
Bill in SD, CA (Supporting our military)
__________________
*****
It is easy to be conspicuously "compassionate" if others are being forced to pay the cost. – Murray N. Rothbard

March 2nd, 2005, 12:14 PM   #7
27 (Ultimate Member)

March 2nd, 2005, 12:17 PM   #8
27 (Ultimate Member)
According to the second link, you have two pieces of eeevil on your computer.
Also you don't seem to be running antivirus.

March 2nd, 2005, 12:27 PM   #9
Bill in SD, CA (Supporting our military)
27, I like the Help2Go site.

Thanks,

Bill

March 2nd, 2005, 12:49 PM   #10
27 (Ultimate Member)
Quote:
Originally Posted by Bill in SD, CA
27, I like the Help2Go site.

Thanks,

Bill
I've used it a few times. I think it's constantly updated with new definitions.

However, I SLAMMED this geeza's log there and didn't get a report.