ywiwop.exe

Thread: ywiwop.exe

  1. #1
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247

    ywiwop.exe

    well only one hit on google so i'll ask the pros here...has anyone dealt with this nasty?...laptop that was left running on broadband 24/7 w/ expired AV, and zero spyware protection i.e.: spyware blaster, spybot and the kicker, no firewall installed!..the machine was dead in the water, 10 minute boot, access to internet after the first 10,000 popups....an ugly situation....i removed about 500 pieces of adware/spyware and 84 trojans/viruses...can't shake this one though...any ideas?

  2. #2
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,544
    First try doing whatever scans or removal techniques you've tried in safe mode. (F8 key during boot will get you there)
    _____________________
    cat lovers click here

  3. #3
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    will try that...like the cat links!

  4. #4
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    fink, the more i look into this mess, the more problems i find...a lot of programs no longer work i.e.: system info for example, try to open and nothing happens..IE has no info on the about screen...think i will back up everything to EHD, run AV on backup and see what shows up-if anything...and then do a system repair...thank god they have XP disc...o yeah, sfc /scannow did nothing, went through motions but did not repair a thing, there's got to be a ton of messed files judging by behavior...any more ideas? thanks.

  5. #5
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,544
    I'd suggest having a look through this thread...

    http://discussions.virtualdr.com/sho...d.php?t=167915

    and do all of the things it suggests then copy the Hijackthis log into this thread and then we'll move it to the Hijack forum where one of our experts can have a look at it and advise further. It does sound like that unremovable malware could be causing the problem(s) and hopefully removing it will fix all of them.

  6. #6
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    fink: doing trend scan right now..have multiple pc's/connections going..i did disable NAV while scan running..NAV was buggy also...ran a scan on the back up and nothing bad was there..this has me baffled, have dealt w/ multiple infected pc's, but never this bad...i feel stupid!

  7. #7
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    nothing found by trend....

  8. #8
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    bit defender won't work....hmmmm...

  9. #9
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    panda will not work either...scan your PC link is inactive...

  10. #10
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    shocking, e-trust will not work either, once again start scan link does not work...

  11. #11
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    and yet more fun, MS update will not open....

  12. #12
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:42 PM, on 11/19/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Linksys\WUSBF54G\NICServ.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Linksys\WUSBF54G\wlMonitor.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ywiwop.exe reg_run
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Linksys Wireless Network Monitor.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123697661981
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: NICSer_WUSBF54G - Unknown owner - C:\Program Files\Linksys\WUSBF54G\NICServ.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE (file missing)
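
An added example (not part of the original posts): a heuristic triage of the `O4` autostart lines in a HijackThis log like the one above. It flags `Run` entries for manual review rather than giving a verdict; the regexes, the `triage` function and its `watchlist` parameter are assumptions of this example, and the sample lines are copied from the log in post #12.

```python
import re

# Sample input: a subset of the O4 lines copied from the log in post #12.
SAMPLE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ywiwop.exe reg_run
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Only registry Run entries are parsed; "Global Startup" shortcuts are skipped.
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
HEXISH = re.compile(r"^[0-9A-Fa-f-]{8,}$")        # hex string or GUID, 8+ chars
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+([^,\s]+),(\S+)", re.I)
IMAGE = re.compile(r'^"?(.+?\.exe)\b', re.I)      # first .exe on the command line

def triage(log_text, watchlist=()):
    """Return [(value_name, command, [reasons])] for Run entries worth a manual look."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.groups()
        reasons = []
        if HEXISH.match(name):
            reasons.append("value name is hex/GUID-like")
        dll = RUNDLL.match(cmd)
        if dll:
            stem = dll.group(1).rsplit(".", 1)[0]
            if HEXISH.match(stem) or HEXISH.match(dll.group(2)):
                reasons.append("rundll32 loads hex-named DLL/export")
        img = IMAGE.match(cmd)
        if img and img.group(1).rsplit("\\", 1)[-1].lower() in watch:
            reasons.append("image is on analyst watchlist")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings

if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE, watchlist=("ywiwop.exe",)):
        print(f"[{name}] {cmd}\n    -> {'; '.join(reasons)}")
```

The watchlist carries file names the analyst already suspects (here the one from the thread title); everything flagged still needs checking against the vendor software actually installed on the machine.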

  13. #13
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    i know this HJT log has a bunch of baddies on it, just keep on coming at me.

  14. #14
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    fink: thanks for the help, i think i will try repair option...if that doesn't work i'll reinstall...needs to be updated(SP1 to SP2) and IE6 SP2(his choice)....thanks for your help....know any good sites w/ instructions on repair/reinstall?...thanks

  15. #15
    Join Date
    Oct 2001
    Location
    Northeast US
    Posts
    247
    fink: did the repair installation...everything works!..as the virus replicated on re-boot it must have been deleting system files randomly...time to update everything on laptop...thanks for help!
