
Browser Keeps Being Redirected


  • This topic is locked
10 replies to this topic

#1 dalcbys1

  • Members
  • 6 posts

Posted 09 January 2006 - 02:54 PM

I have followed the procedure outlined by the team here to get to this point of posting my HijackThis file. My problem is that my browser keeps getting hijacked and taken to various websites. This problem all started after my son was downloading songs on our home computer from Kazaa. I deleted Kazaa from the computer using the Kazaa Eliminate force file. After doing this and running all the system scans I still have the problem of browser redirect. Any help would be greatly appreciated. I am a mid-40s gentleman so I may not know all of the computer lingo you guys use on this forum, but I can follow directions very well.

Thanks in advance,
MRod


Logfile of HijackThis v1.99.1
Scan saved at 1:47:53 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dmmor.exe] C:\WINDOWS\system32\dmmor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74FA255-6AED-487A-85C1-87C620F09916}: NameServer = 85.255.116.67,85.255.112.178
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 12:37 PM

Hello & welcome to Bleepings.

It's been a while since you last posted the HJT log. If you still require assistance, please post a fresh HJT log.
I'm subscribed to this thread & will receive almost immediate notification once that comes in.

Thanks.
sUBs

#3 dalcbys1

  • Topic Starter
  • Members
  • 6 posts

Posted 15 January 2006 - 01:24 PM

Here is my new post that you requested. I appreciate all the help.

MRod



Logfile of HijackThis v1.99.1
Scan saved at 12:21:12 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74FA255-6AED-487A-85C1-87C620F09916}: NameServer = 85.255.116.67,85.255.112.178
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 15 January 2006 - 01:33 PM

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido


* * * * * *


Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
In HijackThis, place a check next to these items and select "Fix checked":

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74FA255-6AED-487A-85C1-87C620F09916}: NameServer = 85.255.116.67,85.255.112.178


Close HijackThis, and click OK to proceed.

FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders:
  • C:\Program Files\Viewpoint\
  • C:\WINDOWS\system32\dmmor.exe


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • FixWareout's log
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
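The entries sUBs asks to fix above are the ones that matter for the redirect: the O17 line points the machine's DNS resolvers at two addresses the owner never configured, and the two O16 entries carry only a CLSID with no name and no download URL. Below is an added example, written for this thread and not part of HijackThis or of BleepingComputer's tooling, that parses HJT-style logs and surfaces exactly those findings, and also diffs the O4 autorun entries of two logs so a renamed startup file shows up. The regexes, the `TRUSTED_RESOLVERS` placeholder (replace it with the resolver range your ISP or router actually hands out) and the two log excerpts are my own constructions, modelled on the logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) v1.99-style logs.

Added example for this thread; not a HijackThis or BleepingComputer tool.
It parses the "Oxx - " entry lines, flags O17 NameServer values outside an
operator-supplied allowlist, lists O16 DPF entries that carry only a CLSID,
and diffs the O4 autorun entries of two logs taken before and after a fix.
"""
import ipaddress
import re

# One HJT entry: section code (R0, O2, O4, O16, O17, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O17 body ends with the resolver list, e.g. "NameServer = 85.255.116.67,85.255.112.178".
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[0-9.,\s]+)$")
# O16 body with only a CLSID and a bare trailing dash: no friendly name, no URL.
BLANK_DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*$")

# Constructed placeholder: the resolver range the operator expects to see.
TRUSTED_RESOLVERS = ["192.168.1.0/24"]

# Constructed excerpts modelled on the 1/9 and 1/15 logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmmor.exe] C:\WINDOWS\system32\dmmor.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74FA255-6AED-487A-85C1-87C620F09916}: NameServer = 85.255.116.67,85.255.112.178
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmrha.exe] C:\WINDOWS\system32\dmrha.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; process lists etc. are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def suspicious_nameservers(entries, trusted_networks):
    """O17 resolver IPs that fall outside the CIDR ranges the operator expects."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for section, body in entries:
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for ip_text in m.group("ips").split(","):
            ip = ipaddress.ip_address(ip_text.strip())
            if not any(ip in net for net in nets):
                flagged.append(str(ip))
    return flagged


def blank_dpf_entries(entries):
    """CLSIDs of O16 DPF entries that have neither a friendly name nor a download URL."""
    found = []
    for section, body in entries:
        m = BLANK_DPF_RE.match(body) if section == "O16" else None
        if m:
            found.append(m.group("clsid"))
    return found


def autorun_changes(old_entries, new_entries):
    """O4 (Run / Startup) entries added or removed between two logs."""
    old = {body for section, body in old_entries if section == "O4"}
    new = {body for section, body in new_entries if section == "O4"}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def triage(before_text, after_text, trusted_networks):
    """Run all three checks and return one report dict."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "rogue_resolvers": suspicious_nameservers(before, trusted_networks),
        "blank_dpf": blank_dpf_entries(before),
        "autorun_changes": autorun_changes(before, after),
    }


if __name__ == "__main__":
    for key, value in triage(LOG_BEFORE, LOG_AFTER, TRUSTED_RESOLVERS).items():
        print(f"{key}: {value}")
```

The resolver check deliberately works from an allowlist rather than a blocklist of known-bad addresses: a DNS-hijacking component can be repointed at any address, but a home machine has only one legitimate resolver range, so anything else deserves a look. The autorun diff is what makes a renamed dropper (dmmor.exe in the first log, dmrha.exe in the one after the fix) stand out even though neither filename is on any list.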

#5 dalcbys1

  • Topic Starter
  • Members
  • 6 posts

Posted 15 January 2006 - 04:29 PM

I had problems booting into safe mode. I also could not find the file c:\windows\system32\dmmor.exe to remove. The Kaspersky online scan found some problems as well. Here are all the logs you asked for. Thank you so much for your help so far. The computer seems to be running back to normal in some aspects; however, I did get a browser redirect when trying to get to this forum. It sent me to a Google search.

MRod

Fixwareout's log


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vctmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
C:\WINDOWS\SYSTEM32\CSLBF.EXE
C:\WINDOWS\SYSTEM32\DMTCV.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

Misc files

Checking for older varients covered by the Rem3 tool



Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:27:24 PM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmrha.exe] C:\WINDOWS\system32\dmrha.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Kaspersky online scan log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 15:24:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/01/2006
Kaspersky Anti-Virus database records: 171493
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36402
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 1615 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030935.EXE Infected: not-a-virus:AdWare.Win32.BetterInternet.az
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036227.exe Infected: not-a-virus:AdWare.Win32.Bestofer.b
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036229.exe Infected: not-a-virus:AdWare.Win32.Bestofer.b
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036231.exe Infected: Trojan.Win32.Small.fb
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036236.exe Infected: Trojan.Win32.Small.fb

Scan process completed.


Ewido Scan log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:04:04 PM, 1/15/2006
+ Report-Checksum: 5491F4C0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1482476501-1390067357-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1482476501-1390067357-682003330-1003\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1482476501-1390067357-682003330-1003\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
[1952] VM_01470000 -> Trojan.Pakes : Error during cleaning
C:\Program Files\TBONBin -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\tbon.exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\tboninst.cfg -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\TBONUnst.htm -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP385\A0029418.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP385\A0029422.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP386\A0029452.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP386\A0029459.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP386\A0029631.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP386\A0029637.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0029668.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030668.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030674.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030675.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030694.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030702.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030705.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030725.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030731.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP389\A0030734.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP390\A0030743.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP390\A0030747.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP390\A0030752.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP391\A0030773.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP391\A0030774.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP391\A0030778.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP391\A0030783.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP391\A0030786.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP394\A0030872.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP394\A0030882.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP394\A0030892.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP394\A0030898.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP394\A0030904.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP395\A0030919.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030938.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030947.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030955.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030970.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP396\A0030978.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031114.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031141.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031198.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031210.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031214.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031222.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031271.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031273.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031274.DLL -> Spyware.MySearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031275.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031284.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0031290.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0032283.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0032289.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033284.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033290.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033297.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033303.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033307.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0033313.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0034307.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP397\A0034313.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP398\A0034584.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP398\A0034589.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034598.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034604.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034607.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034634.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034640.exe -> Adware.Bestofer : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034643.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034646.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034647.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034648.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034650.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034667.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034673.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034677.dll -> Spyware.MySearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034683.DLL -> Spyware.MySearch : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034752.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034765.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0034863.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0035862.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0035868.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0035887.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP399\A0035893.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP400\A0035979.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP400\A0035985.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036142.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036148.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036160.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036181.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036201.exe -> Trojan.Favadd.an : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036202.exe -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036203.exe -> Trojan.Qhost.df : Cleaned with backup
C:\System Volume Information\_restore{7A981DF6-0F9B-45EB-B004-EAD08A8A4E32}\RP406\A0036204.exe -> Spyware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\cslbf.exe -> Downloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\dmrha.exe -> Trojan.Pakes : Cleaned with backup


::Report End

#6 sUBs (Malware Response Team)

Posted 16 January 2006 - 05:51 PM

Have HijackThis fix this entry:

O4 - HKLM\..\Run: [dmrha.exe] C:\WINDOWS\system32\dmrha.exe

Then reboot & post a fresh log. Let me know if you're still getting redirects.

#7 dalcbys1 (Topic Starter)

Posted 16 January 2006 - 09:37 PM

Here it is. I wonder if the virus that Kaspersky found has anything to do with this? I deleted the file you asked about, restarted the computer and ran HijackThis again. I did get a browser redirect to a Google search again. Man, I hate Google. Thanks again for all your help so far.

MRod


Logfile of HijackThis v1.99.1
Scan saved at 8:32:52 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmivl.exe] C:\WINDOWS\system32\dmivl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 sUBs (Malware Response Team)

Posted 16 January 2006 - 11:12 PM

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmivl.exe] C:\WINDOWS\system32\dmivl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Alright, we're going to do this a bit differently now. Take a look at the log listed above. The baddie is the one in red. Checkmark all the entries highlighted in blue & hit "Add checked to ignore list".

Then do a rescan & you should have only 1 entry left ... the baddie. "Fix checked" that & close HijackThis.


* * * * * *


We'll need to run FixWareOut again. Go to Start > Run - type C:\fixwareout\FixIt.bat <Press Enter>
This will run the tool again.
Follow the on-screen prompts & reboot your computer when instructed to do so.

After you have restarted, wait for HijackThis to launch automatically.
In HijackThis, place a check next to any baddies you see, and select "Fix checked". Close HijackThis, and click OK to proceed.


FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder. Open the log file & it should look similar to the previous round...

C:\WINDOWS\SYSTEM32\CSLBF.EXE
C:\WINDOWS\SYSTEM32\DMTCV.EXE

C:\WINDOWS\SYSTEM32\IPSEC6.EXE

The blue file, ipsec6.exe is legit. All others are bad. Locate & delete them.


* * * * * *


Then run CleanUp! using the settings from before & reboot your machine. Do some Google searches & see if you still get redirected. Post a new HJT log.

Edited by sUBs, 16 January 2006 - 11:13 PM.


#9 dalcbys1 (Topic Starter)

Posted 17 January 2006 - 07:31 PM

OK, I deleted the file from the first HijackThis log that you said to delete. I cannot find the file C:\WINDOWS\SYSTEM32\DMPES.EXE from the Fixwareout program that you wanted me to delete. I ran a search, even in all files and folders, and it does not find it anywhere. I am still being redirected to other sites when running Yahoo or Google searches. I also have another problem now: my printer keeps asking me for the driver. When I try to install it, it says that I need to delete all the previous ones to install it. First, however, the web browser being redirected.

Here are the latest HijackThis file and the Fixwareout file.


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:28:46 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmepu.exe] C:\WINDOWS\system32\dmepu.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834912828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Fixwareout report


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\sepmd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
C:\WINDOWS\SYSTEM32\DMPES.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

Misc files

Checking for older varients covered by the Rem3 tool

#10 sUBs (Malware Response Team)

Posted 18 January 2006 - 02:58 AM

I wish there were an easier way to do this but unfortunately, none of the malware scanners are picking up on this virus.

Download this tool - KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Then, print out the rest of these instructions.


* * * * * *


Do the previous step again. Go to Start > Run - type C:\fixwareout\FixIt.bat
Follow the on-screen prompts & reboot your computer when instructed to do so.

After you have restarted, wait for HijackThis to launch automatically.
In HijackThis, place a check next to any baddies you see, and select "Fix checked". Close HijackThis, and click OK to proceed.


FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder. Open the log file & it should look similar to the previous round...

C:\WINDOWS\SYSTEM32\DMPES.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

The blue file, ipsec6.exe is legit. All others are bad. Locate & delete them using Killbox.


Run KillBox & type the following locations into KillBox one at a time:
  • C:\WINDOWS\SYSTEM32\DMPES.EXE
  • Checkmark the following boxes :
    • Standard file kill
  • Click the RED X button
After you have done that, do not reboot yet.
Run Ewido & allow it to do a full system scan. I shall need the log it produces after this scan.
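Across the HijackThis logs in this thread, the O4 autostart entry that gets fixed comes back each time under a fresh five-letter name in system32 (dmrha.exe in the first log, dmivl.exe in post #7, dmepu.exe in post #9) while every other O4 line stays the same; fixing the Run value alone does not remove whatever keeps writing it, which is why the later steps go after the file itself. The Python below is an added example, not part of the thread or of HijackThis, FixWareOut or KillBox: it parses the O4 lines of two logs, flags system32 autostarts whose registry value name is just the file name or whose name looks random (checked against a small per-machine baseline, which is this example's own assumption), and pairs a flagged entry that vanished with one that appeared in the same folder between runs. The embedded log excerpts are copied from the logs in posts #7 and #9; the `BASELINE` set and the two heuristics are assumptions, not rules stated in the thread.

```python
"""Triage of HijackThis O4 (autostart) entries across successive logs.

Added example, not code from the thread or from HijackThis itself.  The
log excerpts are O4 lines copied from the 16 Jan and 17 Jan logs above;
BASELINE and the suspicion heuristics are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O4 lines copied from the 16 Jan 2006 log (post #7).
LOG_16JAN = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmivl.exe] C:\WINDOWS\system32\dmivl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
"""

# O4 lines copied from the 17 Jan 2006 log (post #9), after the 16 Jan fix.
LOG_17JAN = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dmepu.exe] C:\WINDOWS\system32\dmepu.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
"""

# Assumed per-machine baseline: system32 autostarts already known good on
# this box (both appear unchanged in every log in the thread).
BASELINE = {"sistray.exe", "keyhook.exe"}


@dataclass(frozen=True)
class Autostart:
    source: str  # "HKLM\..\Run", "Global Startup", ...
    name: str    # registry value name or .lnk name
    image: str   # executable path extracted from the command line


# "O4 - HKLM\..\Run: [value name] command line"
_RUN_RE = re.compile(r"^O4 - (?P<source>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Global Startup: shortcut.lnk = target"
_STARTUP_RE = re.compile(r"^O4 - (?P<source>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# Five letters plus .exe: the shape of every respawning name in this thread.
_RANDOM_NAME_RE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)


def _image_path(cmd: str) -> str:
    """First token of the command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_o4(log: str) -> list[Autostart]:
    """Extract the autostart entries from HijackThis O4 lines; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = _RUN_RE.match(line) or _STARTUP_RE.match(line)
        if m:
            entries.append(Autostart(m["source"], m["name"], _image_path(m["cmd"])))
    return entries


def reasons(entry: Autostart) -> list[str]:
    """Why an entry is suspicious; empty list means it passes."""
    path = entry.image.lower()
    base = path.rsplit("\\", 1)[-1]
    if "\\system32\\" not in path or base in BASELINE:
        return []
    out = []
    if entry.name.lower() == base:
        out.append("registry value name is just the file name")
    if _RANDOM_NAME_RE.match(base):
        out.append("five random-looking letters")
    return out


def suspects(log: str) -> list[Autostart]:
    return [e for e in parse_o4(log) if reasons(e)]


def respawned(old_log: str, new_log: str) -> list[tuple[str, str]]:
    """Pair a suspect that vanished with one that appeared in the same folder:
    the sign that whatever writes the Run value survived the previous fix."""
    def by_folder(log: str) -> dict[str, set[str]]:
        folders: dict[str, set[str]] = {}
        for e in suspects(log):
            folder, _, base = e.image.lower().rpartition("\\")
            folders.setdefault(folder, set()).add(base)
        return folders

    old, new = by_folder(old_log), by_folder(new_log)
    pairs = []
    for folder in sorted(old.keys() & new.keys()):
        pairs.extend(zip(sorted(old[folder] - new[folder]), sorted(new[folder] - old[folder])))
    return pairs


if __name__ == "__main__":
    for label, log in (("16 Jan", LOG_16JAN), ("17 Jan", LOG_17JAN)):
        for e in suspects(log):
            print(f"{label}: {e.image}  <- {'; '.join(reasons(e))}")
    for gone, came in respawned(LOG_16JAN, LOG_17JAN):
        print(f"respawned: {gone} -> {came}")
```

Run it directly and it prints the one flagged entry per log and the dmivl.exe -> dmepu.exe pairing. The heuristics are deliberately narrow: a value name that merely repeats the file name and a five-letter random-looking name are what this particular family shows, and a real baseline would be built from a known-clean log of the same machine rather than from two hand-picked file names.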

#11 sUBs (Malware Response Team)

Posted 24 January 2006 - 01:22 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
