8th July 2004   #1
mstwinkles
Guest

Popup ads attacking my desktop.. HJT Log PLease Check

This morning I was getting attacked by spyware junk. Here is the list of programs I am using. I have Windows XP.
Adaware 6.0, Spybot Search and Destroy, Oops popup blocker, avast4 virus program which killed some viruses I got earlier today, and I downloaded Webroot Window Washer, which is only a 30 day trial, then I try something else in place, and it really cleaned up and freed up my memory, as whatever ads landing on my desktop sucked it up and I couldn't even get in my browser. Working better but still a few bugs hiding, so I just need to see what needs to be deleted out, so here is my hijack log.

Logfile of HijackThis v1.98.0
Scan saved at 8:08:00 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\PopOops\PopOops.exe
C:\WINDOWS\System32\svsipconfig.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\HJThis\HijackThis1980.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [hdwej.exe] C:\Documents and Settings\Owner\Desktop\hdwej.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ddiszn.exe
O4 - HKLM\..\RunServices: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Owner"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42E7E5F1-10E9-4C71-9150-38E4A1E2AC43}: NameServer = 65.38.224.6 64.63.192.17


I also go to HouseCall at Trend Micro and run a virus check there as well.

I do updates all the time, and I also had to reload my Windows XP, so I do still have some critical updates to Windows to finish downloading.

Turned off Messenger in Windows. Had to reset it a few times, then it finally stopped. But for about four hours now I have not had any junk landing on my desktop.

Seems like every three weeks I go through this. IE browser gotta go.
I got rid of my Outlook Express email and am now using Thunderbird email. Much better. Controls more of the junk.

Soon I'll be switching to Mozilla, as I hear that is better. I was told to lose the IE browser, as in some views it has too many bugs and Microsoft is not fixing their Windows stuff. Well, enough of this.

I think there are still a few bugs that need to be tweaked out, so highlight it in red so I know which one to delete, or use a different marking so I know. I will get confused.

Thanks.. Sandy

 
8th July 2004   #2
Lonny Jones
SuperGeek
Join Date: Dec 2002
Location: Washington state USA
Posts: 2,310
Computer Experience: Typeos-are-Us

Hello, welcome to the forums.
What was this something else you tried?
There has been a small update for HijackThis 1.98; download the newer one
here, replacing the other one: http://radiosplace.com/

Start HijackThis and place a check next to these items, then
close all browser windows and shut down all other programs that show in the taskbar (even folders).
Then hit Fix checked.
O4 - HKLM\..\Run: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ddiszn.exe
O4 - HKLM\..\Run: [hdwej.exe] C:\Documents and Settings\Owner\Desktop\hdwej.exe
O4 - HKLM\..\RunServices: [Microsoft Update Clinic] svsipconfig.exe
==========

Reboot the PC and then go submit those files
Online malware scan-Submit a file: http://virusscan.jotti.dhs.org/

If possible send a zipped copy of them to
This address<<
attach it to the email and in the email itself include a link back to this thread please

then rename them and leave them there for now
just change the exe to "OLD"(rightclick on them choose rename)
C:\Documents and Settings\Owner\Desktop\hdwej.exe
C:\WINDOWS\System32\svsipconfig.exe
C:\WINDOWS\System32\ddiszn.exe
they might be hidden so in folder options >
Quote:
Open your My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" are checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders" Click "Apply" then "OK"
Then Post another log please

Lonny Jones is offline  
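
An added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over the O4 (registry autorun) lines of a log like the one in post #1. The sample lines are copied from that log, and the three heuristics are illustrative assumptions chosen to match the entries picked out in post #2; a hit means "review this entry", not "malicious".

```python
import re

# Constructed sample: a handful of lines copied from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hdwej.exe] C:\Documents and Settings\Owner\Desktop\hdwej.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ddiszn.exe
O4 - HKLM\..\RunServices: [Microsoft Update Clinic] svsipconfig.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# O4 registry lines look like: O4 - HIVE\..\Key: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Return (hive, key, name, command) for each O4 registry autorun line."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def triage(log):
    """Map each O4 entry worth a closer look to (command, reasons)."""
    findings = {}
    for hive, key, name, command in parse_o4(log):
        reasons = []
        # Assumed heuristic 1: autorun target sits on a user's Desktop.
        if "\\desktop\\" in command.lower():
            reasons.append("target runs from a user's Desktop")
        # Assumed heuristic 2: RunServices is a Windows 9x-era key, odd on XP.
        if key.lower().startswith("runservices"):
            reasons.append("RunServices key on an XP machine")
        # Assumed heuristic 3: value name borrows a Windows-sounding label.
        if re.search(r"microsoft|service", name, re.I):
            reasons.append("value name borrows a Windows component name")
        if reasons:
            findings[(hive, key, name)] = (command, reasons)
    return findings

if __name__ == "__main__":
    for (hive, key, name), (command, reasons) in triage(SAMPLE_LOG).items():
        print(f"{hive}\\..\\{key}: [{name}] {command}\n    " + "; ".join(reasons))
```

Flagged files are candidates for the same follow-up post #2 describes: submit them to an online scanner before deciding what to remove.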
8th July 2004   #3
mstwinkles
Guest

Sorry , confusing me this am here. lol

My hijack program is up to date.



Anyways you confused me. lol



Sandy

 
8th July 2004   #4
Lonny Jones
SuperGeek
Join Date: Dec 2002
Location: Washington state USA
Posts: 2,310
Computer Experience: Typeos-are-Us

LOL sorry

No, it's not. There was first version 1.98, then a small update, but it's still version 1.98.

Lonny Jones is offline  