Find It log and Hijack This Log (wayyyq.exe??)

Old March 1st, 2005, 02:58 PM   #1 (permalink)
Member
 
SunDizzle's Avatar
 
Join Date: Feb 2003
Location: Eastern PA
Posts: 394

All, I have this PC that is acting up and I have tried to fix it but it keeps coming back!!! I have deleted this wayyyq.exe repeatedly (in safe mode and not) and it keeps coming back!! I ran HijackThis and cleared up all the BHOs and such but I still can't get rid of that damn file!!

I am also attaching the Find It log because I can't find a website out there that lists a tutorial for this product...

Thanks in advance...


Find It Log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Chris Laubach\Desktop\FindIt_NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

03/01/2005 11:35 AM <DIR> dllcache
02/26/2005 07:27 AM 240,624 h9etcfo.exe
02/26/2005 07:26 AM 308,121 1hce61.sys
02/26/2005 07:26 AM 577,470 f6ytu1v.dll
02/26/2005 07:26 AM 182,665 uf2u3.exe
07/29/2003 01:31 PM <DIR> Microsoft
02/28/2003 07:51 PM 12,288 Thumbs.db
5 File(s) 1,321,168 bytes
2 Dir(s) 35,436,097,536 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

03/01/2005 11:35 AM <DIR> dllcache
02/26/2005 07:27 AM 240,624 h9etcfo.exe
02/26/2005 07:26 AM 308,121 1hce61.sys
02/26/2005 07:26 AM 577,470 f6ytu1v.dll
02/26/2005 07:26 AM 182,665 uf2u3.exe
07/29/2003 12:57 PM 488 WindowsLogon.manifest
07/29/2003 12:57 PM 488 logonui.exe.manifest
07/29/2003 12:57 PM 749 sapi.cpl.manifest
07/29/2003 12:57 PM 749 nwc.cpl.manifest
07/29/2003 12:57 PM 749 ncpa.cpl.manifest
07/29/2003 12:57 PM 749 cdplayer.exe.manifest
07/29/2003 12:57 PM 749 wuaucpl.cpl.manifest
02/28/2003 07:51 PM 12,288 Thumbs.db
12 File(s) 1,325,889 bytes
1 Dir(s) 35,436,093,440 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3CEE-EE05

Directory of C:\WINDOWS\System32

08/29/2002 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 35,436,093,440 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
1hce61.sys Sat Feb 26 2005 7:26:30a ..SHR 308,121 300.90 K
f6ytu1v.dll Sat Feb 26 2005 7:26:30a ..SHR 577,470 563.93 K
h9etcfo.exe Sat Feb 26 2005 7:27:34a ..SHR 240,624 234.98 K
uf2u3.exe Sat Feb 26 2005 7:26:30a ..SHR 182,665 178.38 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,308,880 bytes 1.25 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\cugggi.dll: updates.qoologic.com
C:\WINDOWS\system32\erqqqs.dll: updates.qoologic.com
C:\WINDOWS\system32\hupppx.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\1hce61.sys: .aspack
C:\WINDOWS\system32\dqinstaller.exe: .aspack
C:\WINDOWS\system32\mirka2bb: .aspack
C:\WINDOWS\system32\mirka2e.exe: .aspack
C:\WINDOWS\system32\money2.exe: .aspack
C:\WINDOWS\system32\puqqqg.dat: .aspack
C:\WINDOWS\system32\uf2u3.exe: .aspack
C:\WINDOWS\system32\wayyyq.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hgyyyf.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Narrator"="C:\\WINDOWS\\System32\\wayyyq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 1:38:11 PM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wayyyq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Chris Laubach\Application Data\Mozilla\Profiles\default\es3zh62u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris Laubach\Application Data\Mozilla\Profiles\default\es3zh62u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
__________________
Fill cups like Double D's!!
SunDizzle is offline   Reply With Quote
Old March 1st, 2005, 03:48 PM     #2 (permalink)
Member
 
SunDizzle's Avatar
 
Join Date: Feb 2003
Location: Eastern PA
Posts: 394
Anyone??? Please
SunDizzle is offline   Reply With Quote
Old March 1st, 2005, 07:41 PM     #3 (permalink)
Member
 
SunDizzle's Avatar
 
Join Date: Feb 2003
Location: Eastern PA
Posts: 394
Hello???
SunDizzle is offline   Reply With Quote
Old March 2nd, 2005, 12:10 AM     #4 (permalink)
Member
 
SunDizzle's Avatar
 
Join Date: Feb 2003
Location: Eastern PA
Posts: 394
You mean to tell me that No One has any clue what this is????
SunDizzle is offline   Reply With Quote
Old March 2nd, 2005, 03:29 AM     #5 (permalink)
Ultimate Member
 
Kuasimodem's Avatar
 
Join Date: Oct 2001
Location: Holmen, Wisconsin US
Posts: 2,855
Rule number one when removing spyware/adware/malware from your computer...

Disable System Restore. Many of these programs hide installers in the restore files and reinstall themselves when you reboot.

1. Click Start, right click My Computer and select "Properties."
2. Click on the "System Restore" tab.
3. Click the box marked "Turn off System Restore" and click "Apply" then "OK".

Now run all the spyware and antivirus programs that you have to remove the garbage.

Reboot and run them again to make sure that the system is clean.

Once the computer is clean, you can follow the directions above again and uncheck the box marked "Shut off System Restore."
__________________
What did a tornado sound like before freight trains were invented?
Kuasimodem is offline   Reply With Quote
Old March 2nd, 2005, 12:05 PM     #6 (permalink)
Supporting our military
 
Bill in SD, CA's Avatar
 
Join Date: Oct 2002
Location: Bottom left of U.S.
Posts: 9,197
__________________
*****
It is easy to be conspicuously "compassionate" if others are being forced to pay the cost. – Murray N. Rothbard
Bill in SD, CA is offline   Reply With Quote
Old March 2nd, 2005, 12:14 PM     #7 (permalink)
27
Ultimate Member
 
27's Avatar
 
Join Date: Jun 2004
Location: England
Posts: 1,407
27 is offline   Reply With Quote
Old March 2nd, 2005, 12:17 PM     #8 (permalink)
27
Ultimate Member
 
27's Avatar
 
Join Date: Jun 2004
Location: England
Posts: 1,407
According to the second link, you have two pieces of eeevil on your computer.
Also you don't seem to be running antivirus.
27 is offline   Reply With Quote
Old March 2nd, 2005, 12:27 PM     #9 (permalink)
Supporting our military
 
Bill in SD, CA's Avatar
 
Join Date: Oct 2002
Location: Bottom left of U.S.
Posts: 9,197
27, I like the Help2Go site.

Thanks,

Bill
Bill in SD, CA is offline   Reply With Quote
Old March 2nd, 2005, 12:49 PM     #10 (permalink)
27
Ultimate Member
 
27's Avatar
 
Join Date: Jun 2004
Location: England
Posts: 1,407
Quote:
Originally Posted by Bill in SD, CA
27, I like the Help2Go site.

Thanks,

Bill

I've used it a few times. I think it's constantly updated with new definitions.

However, I SLAMMED this geeza's log there and didn't get a report.
27 is offline   Reply With Quote
All times are GMT -4. The time now is 08:40 AM.
TechIMO Copyright 2008 All Enthusiast, Inc.


