Hijackthis Log: Please Help Diagnose


  • This topic is locked
12 replies to this topic

#1 Bob_Brown

  • Members
  • 7 posts
  • OFFLINE

Posted 15 April 2006 - 12:26 PM

Hey! I'm not really sure what the problem is ... Whenever I click on a website from Google (or any search engine) it redirects me. Is it some sort of IE search hook virus? Here's my log. Cheers in advance. Bob

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Richard\My Documents\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - URLSearchHook: (no name) - {9D16A330-670C-02BA-1FB5-20BE4195F5A2} - StartCpl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [porka_] abrek.exe
O4 - HKLM\..\Run: [backorif] MsNetHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [exe.egwmd] C:\WINDOWS\system32\dmwge.exe
O4 - HKLM\..\Run: [exe.ezamd] C:\WINDOWS\system32\dmaze.exe
O4 - HKLM\..\Run: [exe.wiemd] C:\WINDOWS\system32\dmeiw.exe
O4 - HKLM\..\Run: [exe.tlwmd] C:\WINDOWS\system32\dmwlt.exe
O4 - HKLM\..\Run: [exe.xwrmd] C:\WINDOWS\system32\dmrwx.exe
O4 - HKLM\..\Run: [exe.bqomd] C:\WINDOWS\system32\dmoqb.exe
O4 - HKLM\..\Run: [exe.gdemd] C:\WINDOWS\system32\dmedg.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [exe.gcrmd] C:\WINDOWS\system32\dmrcg.exe
O4 - HKLM\..\Run: [exe.qximd] C:\WINDOWS\system32\dmixq.exe
O4 - HKLM\..\Run: [exe.shkmd] C:\WINDOWS\system32\dmkhs.exe
O4 - HKLM\..\Run: [exe.plumd] C:\WINDOWS\system32\dmulp.exe
O4 - HKLM\..\Run: [exe.bhhmd] C:\WINDOWS\system32\dmhhb.exe
O4 - HKLM\..\Run: [exe.fsdmd] C:\WINDOWS\system32\dmdsf.exe
O4 - HKLM\..\Run: [exe.crtmd] C:\WINDOWS\system32\dmtrc.exe
O4 - HKLM\..\Run: [exe.iupmd] C:\WINDOWS\system32\dmpui.exe
O4 - HKLM\..\Run: [exe.amvmd] C:\WINDOWS\system32\dmvma.exe
O4 - HKLM\..\Run: [exe.xbhmd] C:\WINDOWS\system32\dmhbx.exe
O4 - HKLM\..\Run: [exe.suhmd] C:\WINDOWS\system32\dmhus.exe
O4 - HKLM\..\Run: [exe.zqjmd] C:\WINDOWS\system32\dmjqz.exe
O4 - HKLM\..\Run: [exe.npgmd] C:\WINDOWS\system32\dmgpn.exe
O4 - HKLM\..\Run: [exe.pjmmd] C:\WINDOWS\system32\dmmjp.exe
O4 - HKLM\..\Run: [exe.kzwmd] C:\WINDOWS\system32\dmwzk.exe
O4 - HKLM\..\Run: [exe.pcpmd] C:\WINDOWS\system32\dmpcp.exe
O4 - HKLM\..\Run: [exe.tkpmd] C:\WINDOWS\system32\dmpkt.exe
O4 - HKLM\..\Run: [exe.njpmd] C:\WINDOWS\system32\dmpjn.exe
O4 - HKLM\..\Run: [exe.lutmd] C:\WINDOWS\system32\dmtul.exe
O4 - HKLM\..\Run: [exe.yjhmd] C:\WINDOWS\system32\dmhjy.exe
O4 - HKLM\..\Run: [exe.tgmmd] C:\WINDOWS\system32\dmmgt.exe
O4 - HKLM\..\Run: [exe.sirmd] C:\WINDOWS\system32\dmris.exe
O4 - HKLM\..\Run: [exe.kvgmd] C:\WINDOWS\system32\dmgvk.exe
O4 - HKLM\..\Run: [exe.juhmd] C:\WINDOWS\system32\dmhuj.exe
O4 - HKLM\..\Run: [exe.aeumd] C:\WINDOWS\system32\dmuea.exe
O4 - HKLM\..\Run: [exe.vqdmd] C:\WINDOWS\system32\dmdqv.exe
O4 - HKCU\..\Run: [zxc] pizda.exe
O4 - HKCU\..\Run: [CToolBar] Kargo.exe
O4 - HKCU\..\Run: [srbho] WTFCTF.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF3D278-85E6-4693-A2C1-2ECF6AA2B9DC}: NameServer = 85.255.116.77,85.255.112.212
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9EF9CC-8E06-4182-A21C-75256355052A}: NameServer = 85.255.116.77,85.255.112.212
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 Mat2

    Malware Fighter

  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 April 2006 - 06:17 AM

Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your Malware issues: This may or may not, solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

Mat2


#3 Mat2

    Malware Fighter

  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 April 2006 - 06:30 AM

Hi

===============

The header for HiJackThis is very important, please make sure you copy all of it: It helps to determine what steps might need to be taken to better secure your system, and provide more efficient cleanup procedures. For example, some files, which are standard on one platform, may indicate a virus or trojan on another. So, be sure to include this information with any future posts.

===============

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R3 - URLSearchHook: (no name) - {9D16A330-670C-02BA-1FB5-20BE4195F5A2} - StartCpl.dll (file missing)

O4 - HKLM\..\Run: [porka_] abrek.exe
O4 - HKLM\..\Run: [backorif] MsNetHelper.exe
O4 - HKLM\..\Run: [exe.egwmd] C:\WINDOWS\system32\dmwge.exe
O4 - HKLM\..\Run: [exe.ezamd] C:\WINDOWS\system32\dmaze.exe
O4 - HKLM\..\Run: [exe.wiemd] C:\WINDOWS\system32\dmeiw.exe
O4 - HKLM\..\Run: [exe.tlwmd] C:\WINDOWS\system32\dmwlt.exe
O4 - HKLM\..\Run: [exe.xwrmd] C:\WINDOWS\system32\dmrwx.exe
O4 - HKLM\..\Run: [exe.bqomd] C:\WINDOWS\system32\dmoqb.exe
O4 - HKLM\..\Run: [exe.gdemd] C:\WINDOWS\system32\dmedg.exe
O4 - HKLM\..\Run: [exe.gcrmd] C:\WINDOWS\system32\dmrcg.exe
O4 - HKLM\..\Run: [exe.qximd] C:\WINDOWS\system32\dmixq.exe
O4 - HKLM\..\Run: [exe.shkmd] C:\WINDOWS\system32\dmkhs.exe
O4 - HKLM\..\Run: [exe.plumd] C:\WINDOWS\system32\dmulp.exe
O4 - HKLM\..\Run: [exe.bhhmd] C:\WINDOWS\system32\dmhhb.exe
O4 - HKLM\..\Run: [exe.fsdmd] C:\WINDOWS\system32\dmdsf.exe
O4 - HKLM\..\Run: [exe.crtmd] C:\WINDOWS\system32\dmtrc.exe
O4 - HKLM\..\Run: [exe.iupmd] C:\WINDOWS\system32\dmpui.exe
O4 - HKLM\..\Run: [exe.amvmd] C:\WINDOWS\system32\dmvma.exe
O4 - HKLM\..\Run: [exe.xbhmd] C:\WINDOWS\system32\dmhbx.exe
O4 - HKLM\..\Run: [exe.suhmd] C:\WINDOWS\system32\dmhus.exe
O4 - HKLM\..\Run: [exe.zqjmd] C:\WINDOWS\system32\dmjqz.exe
O4 - HKLM\..\Run: [exe.npgmd] C:\WINDOWS\system32\dmgpn.exe
O4 - HKLM\..\Run: [exe.pjmmd] C:\WINDOWS\system32\dmmjp.exe
O4 - HKLM\..\Run: [exe.kzwmd] C:\WINDOWS\system32\dmwzk.exe
O4 - HKLM\..\Run: [exe.pcpmd] C:\WINDOWS\system32\dmpcp.exe
O4 - HKLM\..\Run: [exe.tkpmd] C:\WINDOWS\system32\dmpkt.exe
O4 - HKLM\..\Run: [exe.njpmd] C:\WINDOWS\system32\dmpjn.exe
O4 - HKLM\..\Run: [exe.lutmd] C:\WINDOWS\system32\dmtul.exe
O4 - HKLM\..\Run: [exe.yjhmd] C:\WINDOWS\system32\dmhjy.exe
O4 - HKLM\..\Run: [exe.tgmmd] C:\WINDOWS\system32\dmmgt.exe
O4 - HKLM\..\Run: [exe.sirmd] C:\WINDOWS\system32\dmris.exe
O4 - HKLM\..\Run: [exe.kvgmd] C:\WINDOWS\system32\dmgvk.exe
O4 - HKLM\..\Run: [exe.juhmd] C:\WINDOWS\system32\dmhuj.exe
O4 - HKLM\..\Run: [exe.aeumd] C:\WINDOWS\system32\dmuea.exe
O4 - HKLM\..\Run: [exe.vqdmd] C:\WINDOWS\system32\dmdqv.exe
O4 - HKCU\..\Run: [zxc] pizda.exe
O4 - HKCU\..\Run: [CToolBar] Kargo.exe
O4 - HKCU\..\Run: [srbho] WTFCTF.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF3D278-85E6-4693-A2C1-2ECF6AA2B9DC}: NameServer = 85.255.116.77,85.255.112.212
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9EF9CC-8E06-4182-A21C-75256355052A}: NameServer = 85.255.116.77,85.255.112.212
...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Using Windows Explorer (Start > All Programs > Accessories), locate and delete the following item(s), if present.

files...

C:\WINDOWS\system32\dmwge.exe
C:\WINDOWS\system32\dmaze.exe
C:\WINDOWS\system32\dmeiw.exe
C:\WINDOWS\system32\dmwlt.exe
C:\WINDOWS\system32\dmrwx.exe
C:\WINDOWS\system32\dmoqb.exe
C:\WINDOWS\system32\dmedg.exe
C:\WINDOWS\system32\dmrcg.exe
C:\WINDOWS\system32\dmixq.exe
C:\WINDOWS\system32\dmkhs.exe
C:\WINDOWS\system32\dmulp.exe
C:\WINDOWS\system32\dmhhb.exe
C:\WINDOWS\system32\dmdsf.exe
C:\WINDOWS\system32\dmtrc.exe
C:\WINDOWS\system32\dmpui.exe
C:\WINDOWS\system32\dmvma.exe
C:\WINDOWS\system32\dmhbx.exe
C:\WINDOWS\system32\dmhus.exe
C:\WINDOWS\system32\dmjqz.exe
C:\WINDOWS\system32\dmgpn.exe
C:\WINDOWS\system32\dmmjp.exe
C:\WINDOWS\system32\dmwzk.exe
C:\WINDOWS\system32\dmpcp.exe
C:\WINDOWS\system32\dmpkt.exe
C:\WINDOWS\system32\dmpjn.exe
C:\WINDOWS\system32\dmtul.exe
C:\WINDOWS\system32\dmhjy.exe
C:\WINDOWS\system32\dmmgt.exe
C:\WINDOWS\system32\dmris.exe
C:\WINDOWS\system32\dmgvk.exe
C:\WINDOWS\system32\dmhuj.exe
C:\WINDOWS\system32\dmuea.exe
C:\WINDOWS\system32\dmdqv.exe

Search for...

abrek.exe
MsNetHelper.exe
pizda.exe
Kargo.exe
WTFCTF.exe

...using "Start | Search...". Once located, just delete the files.

===============

Post back a new HJT log and also the ewido log, and let me know how everything goes. Thanks
Mat2
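As an added example (not part of this thread and not a HijackThis feature), the script below applies the two checks from the post above to HijackThis lines in code: it flags O4 Run entries whose value name is the file name spelled backwards (the [exe.egwmd] / dmwge.exe pattern in the log), flags O4 entries that name a bare executable with no directory so they can be checked by hand, and flags O17 NameServer addresses that are not in a list of trusted resolvers the analyst supplies (Mat2's "verify these are your ISP's DNS servers" caveat). The sample lines, the all-zero adapter GUID and the 192.168.1.1 resolver are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the log posted in this thread; the all-zero
# GUID and the 192.168.1.1 resolver are placeholders, not values from the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [porka_] abrek.exe",
    r"O4 - HKLM\..\Run: [exe.egwmd] C:\WINDOWS\system32\dmwge.exe",
    r"O4 - HKLM\..\Run: [exe.yfsmd] C:\WINDOWS\system32\dmsfy.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKCU\..\Run: [zxc] pizda.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF3D278-85E6-4693-A2C1-2ECF6AA2B9DC}: NameServer = 85.255.116.77,85.255.112.212",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
]

# O4 autostart line: hive, value name in brackets, then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 line: comma-separated NameServer list after the adapter GUID.
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
# Executable at the start of a command line, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]*?\.exe)\b', re.IGNORECASE)


def image_of(cmd):
    """Return (file name, has_path) for the executable an O4 command line starts with."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return None, False
    image = m.group("image")
    return image.rsplit("\\", 1)[-1], "\\" in image


def triage(lines, trusted_dns):
    """Apply the checks to HijackThis lines and return a list of (rule, detail) findings."""
    trusted = {ip_address(s) for s in trusted_dns}
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            base, has_path = image_of(m.group("cmd"))
            if base is None:
                continue
            # Value name equal to the file name spelled backwards, e.g. [exe.egwmd] dmwge.exe.
            if m.group("name").lower() == base.lower()[::-1]:
                findings.append(("reversed-name", line))
            # Bare file name with no directory: Windows resolves it via the search path,
            # so the entry needs a manual check (SOUNDMAN.EXE in the sample is benign).
            elif not has_path:
                findings.append(("no-path", line))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    addr = ip_address(server)
                except ValueError:
                    findings.append(("bad-nameserver", line))
                    continue
                # Resolvers that are not the ISP's are hijack candidates.
                if addr not in trusted:
                    findings.append(("untrusted-nameserver", f"{server} <- {line}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    # The analyst supplies the resolvers the ISP actually issued; constructed here.
    for rule, detail in triage(SAMPLE_LOG, ["192.168.1.1"]):
        print(f"{rule:22} {detail}")
```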


#4 Bob_Brown
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 22 April 2006 - 12:22 PM

Hi, I have completed the instructions but I cannot locate any of the files using Windows Explorer in order to delete them (I have tried making all files unhidden). Also, should I delete the other 'O4' files ... see log below ...

____________________________________________________

HJT Log
____________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 18:15:37, on 22/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Richard\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [exe.yfsmd] C:\WINDOWS\system32\dmsfy.exe
O4 - HKLM\..\Run: [exe.auumd] C:\WINDOWS\system32\dmuua.exe
O4 - HKLM\..\Run: [exe.pqxmd] C:\WINDOWS\system32\dmxqp.exe
O4 - HKLM\..\Run: [exe.ustmd] C:\WINDOWS\system32\dmtsu.exe
O4 - HKLM\..\Run: [exe.cwymd] C:\WINDOWS\system32\dmywc.exe
O4 - HKLM\..\Run: [exe.mabmd] C:\WINDOWS\system32\dmbam.exe
O4 - HKLM\..\Run: [exe.fvzmd] C:\WINDOWS\system32\dmzvf.exe
O4 - HKLM\..\Run: [exe.iyimd] C:\WINDOWS\system32\dmiyi.exe
O4 - HKLM\..\Run: [exe.uohmd] C:\WINDOWS\system32\dmhou.exe
O4 - HKLM\..\Run: [exe.gprmd] C:\WINDOWS\system32\dmrpg.exe
O4 - HKLM\..\Run: [exe.ugnmd] C:\WINDOWS\system32\dmngu.exe
O4 - HKLM\..\Run: [exe.ssqmd] C:\WINDOWS\system32\dmqss.exe
O4 - HKLM\..\Run: [exe.mvgmd] C:\WINDOWS\system32\dmgvm.exe
O4 - HKLM\..\Run: [exe.crfmd] C:\WINDOWS\system32\dmfrc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

____________________________________________________

Ewido log
____________________________________________________

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:06:22, 22/04/2006
+ Report-Checksum: 4FBAFA94

+ Scan result:

[648] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[672] VM_00B20000 -> Downloader.Agent.uj : Error during cleaning
[3028] VM_008A0000 -> Downloader.Agent.uj : Error during cleaning
[3100] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[3260] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[3340] VM_00910000 -> Downloader.Agent.uj : Error during cleaning
[3356] VM_00A40000 -> Downloader.Agent.uj : Error during cleaning
[3372] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
[3384] VM_00BE0000 -> Downloader.Agent.uj : Error during cleaning
[3448] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP603\A0225109.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP603\A0225110.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP606\A0225187.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP606\A0225200.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP608\A0225229.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP611\A0225273.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP611\A0225298.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP612\A0225395.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP613\A0225415.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP614\A0225436.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP615\A0225459.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP615\A0225483.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP616\A0225523.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP616\A0225542.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP617\A0225560.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP617\A0225589.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP618\A0225619.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP619\A0225645.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP620\A0226110.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP622\A0226181.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP622\A0226196.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP623\A0226233.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP624\A0226245.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP624\A0226260.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP625\A0227259.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP626\A0228261.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{54A925C9-0C15-42B3-947F-0CB7C31326CC}\RP627\A0229256.exe -> Downloader.Small : Cleaned with backup


::Report End

#5 Bob_Brown
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 22 April 2006 - 01:34 PM

I have had a quick search on Google and it seems to be a Wareout virus. Loads of other people have had difficulty removing Downloader.Agent.uj using Ewido. Should I download Fixwareout.exe?

#6 Mat2

    Malware Fighter

  • Members
  • 374 posts
  • OFFLINE
  • Gender:Male
  • Location:Derbyshire, UK

Posted 22 April 2006 - 01:49 PM

Hi

Thanks for the new logs. You need to continue with the following. We will continue with the removal of the O4 entries after you have run the following set of instructions.

==================

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

=================

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Now let's check some settings on your system.
(2000/XP only)
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(that space between g and / is needed)

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
Mat2


#7 Bob_Brown

Bob_Brown
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:39 AM

Posted 22 April 2006 - 02:39 PM

Thanks. Here is the Fixwareout log:


Fixwareout ver 1.003
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\dpkmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tkmmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\kqomd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"exe.tkmmd"=-
"exe.yfsmd"=-
"exe.auumd"=-
"exe.pqxmd"=-
"exe.ustmd"=-
"exe.cwymd"=-
"exe.mabmd"=-
"exe.fvzmd"=-
"exe.iyimd"=-
"exe.uohmd"=-
"exe.gprmd"=-
"exe.ugnmd"=-
"exe.ssqmd"=-
"exe.mvgmd"=-
"exe.crfmd"=-
"exe.aybmd"=-
"exe.kqomd"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
C:\WINDOWS\SYSTEM32\DMOQK.EXE
C:\WINDOWS\SYSTEM32\DMOQK.EXE
* csr.exe C:\WINDOWS\System32\CSHQK.EXE

Misc files

Checking for older varients covered by the Rem3 tool
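The report above is easier to read once you notice that Fixwareout prints the names it removed backwards: "exe.kqomd" is dmoqk.exe reversed, and that is exactly the file it flagged under System32 (the same file Ewido cleans in the next log). The script below is an added example, not part of the thread and not Fixwareout's own code. It parses a constructed excerpt assembled from the report lines above, reverses the names, and matches each removed Run value to the file the tool found; the only assumption it makes is the reversal the report itself demonstrates.

```python
"""Decode the reversed names in a Fixwareout report and tie them to the
files it found.  Added example; not Fixwareout's or the forum's code."""
import re

# Constructed excerpt, assembled from the report lines posted in the thread.
REPORT = """\
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ruins\\xedocne
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Urls\\gib_ogol
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Urls\\llun
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ruins\\kqomd

Random Runs removed from HKLM
"exe.tkmmd"=-
"exe.kqomd"=-

Search by size and names...
C:\\WINDOWS\\SYSTEM32\\DMOQK.EXE
C:\\WINDOWS\\SYSTEM32\\DMOQK.EXE
* csr.exe C:\\WINDOWS\\System32\\CSHQK.EXE

Misc files
"""

_RUN_VALUE = re.compile(r'^"([^"]+)"=-\s*$')   # matches lines like "exe.kqomd"=-
_WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")       # matches C:\WINDOWS\... paths


def decode(name):
    """Fixwareout lists the names backwards ('exe.kqomd' is dmoqk.exe),
    so the real name is simply the string reversed."""
    return name[::-1]


def parse_report(text):
    """Split a Fixwareout report into the three sections worth keeping:
    deleted registry leaf names, removed Run values, and files found."""
    section = None
    out = {"reg_entries": [], "run_values": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Reg Entries that were deleted"):
            section = "reg_entries"
            continue
        if line.startswith("Random Runs removed"):
            section = "run_values"
            continue
        if line.startswith("Search by size and names"):
            section = "files"
            continue
        if not line or section is None:
            continue
        if section == "reg_entries" and line.startswith("HKEY_"):
            out["reg_entries"].append(line.rsplit("\\", 1)[-1])
        elif section == "run_values":
            m = _RUN_VALUE.match(line)
            if m:
                out["run_values"].append(m.group(1))
        elif section == "files":
            for path in _WIN_PATH.findall(line):
                if path not in out["files"]:   # the tool prints some paths twice
                    out["files"].append(path)
    return out


def correlate(parsed):
    """Map each decoded Run value (real file name) to the path the tool
    found for it, or None when no matching file was listed."""
    # rsplit on backslash rather than os.path so this also works off-Windows
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in parsed["files"]}
    return {decode(v): by_name.get(decode(v).lower())
            for v in parsed["run_values"]}


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for real_name, path in correlate(parsed).items():
        print(f"{real_name:12} -> {path or '(no file listed)'}")
    print("registry leaf names:", [decode(n) for n in parsed["reg_entries"]])
```

Run against the real report.txt (open the file and pass its contents to parse_report) the same correlation tells you which of the removed Run values still has a matching binary on disk and therefore needs attention in the follow-up scan.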

#8 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:12:39 PM

Posted 22 April 2006 - 02:47 PM

Hi

Thanks for the log.

Please can you re-run Ewido and post the results along with a new HijackThis log.

Many thanks
Mat2


#9 Bob_Brown

Bob_Brown
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:39 AM

Posted 22 April 2006 - 03:32 PM

Hi. Here are the new logs. Thank you so much for all your help. I think everything looks ok now. Bob

__________________________________________________

HJT Log
__________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 21:28:59, on 22/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Richard\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

_____________________________________________

Ewido Log
_____________________________________________

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:27:52, 22/04/2006
+ Report-Checksum: 3741F019

+ Scan result:

C:\Documents and Settings\Richard\Cookies\richard@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\system32\dmoqk.exe -> Downloader.Small : Cleaned with backup


::Report End

#10 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:12:39 PM

Posted 22 April 2006 - 03:37 PM

Hi

Thanks for the new logs. You now need to clear out your temps, cookies etc.

================

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Also how is your PC running now?

Thanks
Mat2


#11 Bob_Brown

Bob_Brown
  • Topic Starter

  • Members
  • 7 posts
  • Local time:06:39 AM

Posted 22 April 2006 - 04:05 PM

Hi. I have run ATF. The computer seems to be running fine - there doesn't seem to be anything noticeably wrong (it's not slower than normal, etc). When I changed the DNS server to 'Obtain DNS servers automatically' it had the following IP addresses in there: 85.255.116.77 and 85.255.112.212 - is there any way of finding out who owns them, etc ... I'm certain they are nothing to do with my ISP (Wanadoo). Thanks for all the help. Bob

#12 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:12:39 PM

Posted 22 April 2006 - 04:40 PM

Hi

When I changed the DNS server to 'Obtain DNS servers automatically' it had the following IP addresses in there: 85.255.116.77 and 85.255.112.212 - is there any way of finding out who owns them, etc ... I'm certain they are nothing to do with my ISP (Wanadoo).


I have traced the IPs you have mentioned to a hosting company. You can get more info from DnsStuff.

Also, I would suggest you look through your firewall logs for the above-mentioned IPs to see what activity relates to them.

I hope this helps.
Mat2

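Mat2's two suggestions above (check which resolvers the machine is really using, then search the firewall log for traffic to those addresses) as an added example; this is not code from the thread, from Fixwareout or from any Windows tool. The ipconfig /all and pfirewall.log excerpts are constructed in the Windows XP format, not captured from Bob's machine. The two addresses are the ones Bob posted; the 85.255.112.0/20 block that covers them and the EXPECTED_DNS placeholder are assumptions used only to show how an allowlist and a range check work, not facts stated in the thread.

```python
"""Spot a hijacked DNS setting and find traffic to the rogue servers.
Added example; not code from the forum thread or from any Windows tool."""
import ipaddress
import re

# Constructed excerpt in the shape "ipconfig /all" prints on Windows XP.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.116.77
                                            85.255.112.212
"""

# Constructed lines in the Windows XP SP2 firewall log (pfirewall.log) layout:
# date time action protocol src-ip dst-ip src-port dst-port ...
FIREWALL_SAMPLE = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-04-22 21:05:11 OPEN UDP 192.168.1.2 85.255.116.77 1042 53 - - - - - - - SEND
2006-04-22 21:05:12 OPEN TCP 192.168.1.2 64.233.183.99 1043 80 - - - - - - - SEND
2006-04-22 21:06:40 OPEN UDP 192.168.1.2 85.255.112.212 1044 53 - - - - - - - SEND
"""

# Placeholder: replace with the resolvers your ISP or router really hands out.
EXPECTED_DNS = {"192.168.1.1"}
# Assumption for illustration: a block covering the two addresses from the thread.
SUSPECT_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_ONLY_IPV4 = re.compile(r"\s*(?:\d{1,3}\.){3}\d{1,3}\s*$")


def dns_servers_from_ipconfig(text):
    """Return the DNS servers listed in ipconfig /all output, in order.
    The first sits on the 'DNS Servers' line; any others follow on
    continuation lines that carry nothing but an address."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and not _ONLY_IPV4.match(line):
            in_dns = False          # first non-address line ends the list
        if in_dns:
            servers.extend(_IPV4.findall(line))
    return servers


def classify(server):
    """'expected' if on the allowlist, 'suspect' if inside a known-rogue
    range, otherwise 'unknown' (worth a whois lookup either way)."""
    if server in EXPECTED_DNS:
        return "expected"
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in SUSPECT_RANGES):
        return "suspect"
    return "unknown"


def firewall_hits(log_text, addresses):
    """Return (timestamp, protocol, dst-ip, dst-port) for every log line
    whose source or destination is one of the given addresses."""
    wanted, hits = set(addresses), []
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                # header or blank line
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, _action, proto, src, dst, _sport, dport = fields[:8]
        if src in wanted or dst in wanted:
            hits.append((f"{date} {time}", proto, dst, dport))
    return hits


if __name__ == "__main__":
    found = dns_servers_from_ipconfig(IPCONFIG_SAMPLE)
    for s in found:
        print(f"DNS server {s}: {classify(s)}")
    for stamp, proto, dst, dport in firewall_hits(FIREWALL_SAMPLE, found):
        print(f"{stamp} {proto} -> {dst}:{dport}")
```

On a real machine, feed the output of `ipconfig /all` and the contents of `C:\WINDOWS\pfirewall.log` into the two functions; port-53 traffic to an address that is neither your ISP's resolver nor your router is the pattern to look for, since it shows the hijacked setting was actually being used and not just sitting in the registry.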

#13 Mat2

Mat2

    Malware Fighter


  • Members
  • 374 posts
  • Gender:Male
  • Location:Derbyshire, UK
  • Local time:12:39 PM

Posted 10 May 2006 - 08:55 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mat2

