Author Topic: WSEM32, PLEASE HELP (Read 1596 times)

Guest_mike · « **on:** November 14, 2004, 01:11:42 PM »

Please help, I somehow have nasty spywares installed on my computer. The log is listed below:

Logfile of HijackThis v1.97.7
Scan saved at 1:20:01 PM, on 11/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\System32\PL15Co2K.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WS_FTP\WS_FTP95.exe
C:\Documents and Settings\User4\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ccfgnt.exe

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [PC Alarm Clock] C:\PROGRA~1\PCALAR~1\pac.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [ccfgnt] C:\WINDOWS\System32\ccfgnt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/6030-b462...l/java/RntX.cab

guestolo · « **Reply #1 on:** November 14, 2004, 01:20:44 PM »

Hi Mike
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
This is yours to keep for free
After installation-CHECK FOR UPDATES
Download the updates
Do a Full system scan----Remove All Critical objects by right clicking in the Critical's pane and Selecting All objects
RESTART your computer to finish the cleaning process

Could you also delete your copy of Hijackthis--It is outdated

Create a permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE or HERE
Save it to that new folder

Post back a fresh hijackthis log after you have done the above

Guest · « **Reply #2 on:** November 14, 2004, 04:42:32 PM »

I updated ad-aware but it just freezes and I have to close it ctrl,alt,delete/

Heres is the updated log:

Logfile of HijackThis v1.98.2
Scan saved at 4:50:46 PM, on 11/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\System32\PL15Co2K.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ccfgnt.exe
C:\HJT\HijackThis.exe

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [PC Alarm Clock] C:\PROGRA~1\PCALAR~1\pac.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [ccfgnt] C:\WINDOWS\System32\ccfgnt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/6030-b462...l/java/RntX.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmjbpi.dll

guestolo · « **Reply #3 on:** November 14, 2004, 04:56:32 PM »

Have you tried Ad-Aware in safe mode?

Link will show you how to start in Safe Mode

Let me know if it works in safe mode
I was also going to recommend this spyware remover
Another free one that is yours to hold onto

Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download all updates
Check for Problems---FIX everything in RED

Restart your computer to finish the cleaning process

Try to run one or both of those spyware removers
and then Post back with a Fresh hijackthis log

We will manually clean you up after that

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' />

cmubigboy · « **Reply #4 on:** December 02, 2004, 10:47:40 AM »

I would recommend using SpyBot Search and Destroy (a.k.a. SpyBot S&D).You can download it at:

http://www.safer-networking.org/en/index.html

You can find a review at http://www.pcworld.com/downloads/file_desc...id,22262,00.asp

It is freeware, but I recommend making a donation, since it works much better than AdAware.

AdAware doesn't remove spyware if you technically agreed to have it installed by accepting an end user license agreement. For example, when you install AOL Instant Messenger, you get the WildTangent software "for free". Wild Tangent, is software which indeed goes off on a tangent and uses your valuable system resources.)

Good luck!

Bryan Alexander Meyer

TheTechGuide Forum

News:

Author Topic: WSEM32, PLEASE HELP (Read 1596 times)

Guest_mike

WSEM32, PLEASE HELP

guestolo

WSEM32, PLEASE HELP

Guest

WSEM32, PLEASE HELP

guestolo

WSEM32, PLEASE HELP

cmubigboy

WSEM32, PLEASE HELP