
Hijacked


9 replies to this topic

#1 GPasak

Posted 07 June 2006 - 04:03 PM

I have spyware trouble.

1. I have a red circle with a white x in the systray that gives a message that "Your computer is infected" "Windows has detected spyware infection".

2. My desktop is hijacked and I cannot see my desktop picture.

3. My task manager is locked. When I try to open it: "your task manager has been disabled by your administrator."

Here is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:02 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\0445bfa1.exe
C:\WINDOWS\system32\per.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\winstall.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pasak Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.wcnet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\iefwbho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [dmqbe.exe] C:\WINDOWS\system32\dmqbe.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O4 - HKCU\..\Run: [0445bfa1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {03B271AB-3123-3757-260F-27C93CE10715} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {24CC390B-87A2-4726-D93B-053F77C2A3EA} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2A255745-C0C1-2890-3FAA-1B203361612E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2BBF30A5-39CA-031C-2BD8-4EC50CE14ED2} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {325744DB-5CCF-0726-FAA1-402E3188D032} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {387734E1-6C21-0ED9-B10A-374B68EB27D8} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {388DE921-0C25-0162-F773-7A6C3D17D1FD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3AF83D45-D573-6534-E64F-6C7146E09697} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3B8A8C56-BD6A-717D-F06C-7DEF5E702544} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {515ECF39-1952-4C9A-FA8F-33BB47013C3E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {52096DA7-8F0E-65CB-3865-38316F7489DE} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
O16 - DPF: {6739BBE1-708B-4A76-0856-18F6741F4DAD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6C4839A1-3C29-289F-AAF6-114B0081B279} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759930517
O16 - DPF: {6FB5EED3-8DBC-2E95-0705-7E7D026E1985} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7862B8F3-1159-501D-51C7-24446AB12852} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7A82D592-1F64-1F37-926F-766731D32997} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F07208F-F058-43E3-9B61-4DAEEF5AC188}: NameServer = 85.255.116.107,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\..\{64624E29-2EF4-4305-8196-BB50D06D23B4}: NameServer = 85.255.116.107,85.255.112.64
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks for the help.

Greg


#2 GPasak (Topic Starter)

Posted 07 June 2006 - 05:46 PM

Update

I restarted in safe mode. I ran Ad-Aware SE, Ewido, WinAntiVirus, Spybot. The red circle with the white x is gone, but when I try to open task manager it says it is disabled by my administrator. Also I cannot change my desktop. It will not let me select a picture or change it in any way.

Help!

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:06 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\0445bfa1.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\WinAntiVirus Pro 2006\winav.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Pasak Family\Desktop\HijackThis.exe
C:\Program Files\WinAntiVirus Pro 2006\Updater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.wcnet.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\iefwbho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKLM\..\Run: [dmqyb.exe] C:\WINDOWS\system32\dmqyb.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O4 - HKCU\..\Run: [0445bfa1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {03B271AB-3123-3757-260F-27C93CE10715} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {24CC390B-87A2-4726-D93B-053F77C2A3EA} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2A255745-C0C1-2890-3FAA-1B203361612E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2BBF30A5-39CA-031C-2BD8-4EC50CE14ED2} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {325744DB-5CCF-0726-FAA1-402E3188D032} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {387734E1-6C21-0ED9-B10A-374B68EB27D8} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {388DE921-0C25-0162-F773-7A6C3D17D1FD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3AF83D45-D573-6534-E64F-6C7146E09697} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3B8A8C56-BD6A-717D-F06C-7DEF5E702544} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {515ECF39-1952-4C9A-FA8F-33BB47013C3E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {52096DA7-8F0E-65CB-3865-38316F7489DE} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
O16 - DPF: {6739BBE1-708B-4A76-0856-18F6741F4DAD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6C4839A1-3C29-289F-AAF6-114B0081B279} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759930517
O16 - DPF: {6FB5EED3-8DBC-2E95-0705-7E7D026E1985} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7862B8F3-1159-501D-51C7-24446AB12852} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7A82D592-1F64-1F37-926F-766731D32997} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F07208F-F058-43E3-9B61-4DAEEF5AC188}: NameServer = 85.255.116.107,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\..\{64624E29-2EF4-4305-8196-BB50D06D23B4}: NameServer = 85.255.116.107,85.255.112.64
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks,

GPasak

Edited by GPasak, 07 June 2006 - 10:00 PM.


#3 MFDnSC (Ret. Director I/T)

Posted 08 June 2006 - 11:19 AM

Add/Remove Programs - remove WinAntiVirus - it is a rogue program.

Get the free AVG 7, install it, check for updates and run a full scan.

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/


For a firewall get Zone Alarm - Free

http://www.zonelabs.com/store/content/cata....jsp?lid=nav_za

=============================

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Close HijackThis, and click OK to proceed.

Fix these with HJT – mark them, close IE, click "Fix checked":

O17 - HKLM\System\CCS\Services\Tcpip\..\{3F07208F-F058-43E3-9B61-4DAEEF5AC188}: NameServer = 85.255.116.107,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\..\{64624E29-2EF4-4305-8196-BB50D06D23B4}: NameServer = 85.255.116.107,85.255.112.64
If you have connection problems after this:

* Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
· Double-click the Network Connections icon.
· Right-click the Local Area Connection icon and select Properties.
· Highlight Internet Protocol (TCP/IP) and click the Properties button.
· Be sure "Obtain DNS server address automatically" is selected.
· OK your way out.


* Go to Start > Run and type in cmd
· Click OK.
· This will open a command prompt.
· Type or copy and paste the following line in the command window:

ipconfig /flushdns
· Hit Enter.
· Exit the command window.

Do that before you restart.

=============
At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec.nt error, do the following:

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix, run it, and then run FixWareout again.

=============================================

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present). We'll get to them in the next step.
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
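As an added example, not part of this thread and not code from HijackThis, FixWareout or SmitfraudFix: a small Python triage script that applies, to the log lines posted above, the same checks MFDnSC makes by eye. It flags O17 NameServer entries outside a trusted set (the 85.255.x.x servers), O16 ActiveX downloads that point at a bare IP or at an .exe, and O4 Run entries that launch randomly named or oddly placed executables. The trusted-DNS policy (private and loopback addresses plus an explicit allow list) and the O4 heuristics are assumptions of the example; the sample lines are copied from the logs in this thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread (O4 Run entries, O16 ActiveX downloads, O17 DNS).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F07208F-F058-43E3-9B61-4DAEEF5AC188}: NameServer = 85.255.116.107,85.255.112.64
"""

# Line shapes as HijackThis 1.99 prints them.
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[0-9.,]+)$")
# Heuristic (assumption): an 8-hex-digit executable name is machine generated.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def _is_trusted_dns(addr, trusted):
    """Private/loopback resolvers and an explicit allow list are accepted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or addr in trusted


def _exe_from_command(cmd):
    """Return the executable path at the start of a Run value, quotes removed."""
    idx = cmd.lower().find(".exe")
    if idx < 0:
        return None
    return cmd[: idx + 4].strip('"')


def _check_o4(cmd):
    reasons = []
    path = _exe_from_command(cmd)
    if path is None:
        return reasons
    name = path.rsplit("\\", 1)[-1]
    low = path.lower()
    if HEX_NAME_RE.match(name):
        reasons.append("randomly named executable " + name)
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        reasons.append("executable at drive root " + path)
    if "\\local settings\\application data\\" in low:
        reasons.append("executable under Local Settings\\Application Data")
    return reasons


def _check_o16(url):
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        reasons.append("ActiveX source is a bare IP address " + host)
    except ValueError:
        pass
    if parts.path.lower().endswith(".exe"):
        reasons.append("ActiveX entry points at an .exe rather than a .cab")
    return reasons


def _check_o17(servers, trusted):
    bad = [s for s in servers.split(",") if not _is_trusted_dns(s, trusted)]
    return ["DNS servers outside the trusted set: " + ", ".join(bad)] if bad else []


def triage(log_text, trusted_dns=()):
    """Return (section, reasons, line) for every suspicious O4/O16/O17 line."""
    findings = []
    checks = (
        ("O4", O4_RE, lambda m: _check_o4(m.group("cmd"))),
        ("O16", O16_RE, lambda m: _check_o16(m.group("url"))),
        ("O17", O17_RE, lambda m: _check_o17(m.group("servers"), trusted_dns)),
    )
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, regex, check in checks:
            m = regex.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append((section, reasons, line))
                break
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for reason in reasons:
            print("    -", reason)
```

Anything the script flags is a candidate for review, not proof of infection: confirm each item against the vendor and the machine's known ISP resolvers before fixing it with HJT.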

#4 GPasak (Topic Starter)

Posted 08 June 2006 - 01:01 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:55:49 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\0445bfa1.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O4 - HKCU\..\Run: [0445bfa1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {03B271AB-3123-3757-260F-27C93CE10715} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {24CC390B-87A2-4726-D93B-053F77C2A3EA} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2A255745-C0C1-2890-3FAA-1B203361612E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2BBF30A5-39CA-031C-2BD8-4EC50CE14ED2} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {325744DB-5CCF-0726-FAA1-402E3188D032} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {387734E1-6C21-0ED9-B10A-374B68EB27D8} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {388DE921-0C25-0162-F773-7A6C3D17D1FD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3AF83D45-D573-6534-E64F-6C7146E09697} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3B8A8C56-BD6A-717D-F06C-7DEF5E702544} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {515ECF39-1952-4C9A-FA8F-33BB47013C3E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {52096DA7-8F0E-65CB-3865-38316F7489DE} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
O16 - DPF: {6739BBE1-708B-4A76-0856-18F6741F4DAD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6C4839A1-3C29-289F-AAF6-114B0081B279} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759930517
O16 - DPF: {6FB5EED3-8DBC-2E95-0705-7E7D026E1985} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7862B8F3-1159-501D-51C7-24446AB12852} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7A82D592-1F64-1F37-926F-766731D32997} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 MFDnSC (Ret. Director I/T)

Posted 08 June 2006 - 01:06 PM

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present). We'll get to them in the next step.
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 GPasak (Topic Starter)

Posted 08 June 2006 - 01:19 PM

Thanks for all your help.

I cannot change my home page, it always goes to www.MSN.com.

I cannot change the desktop background. Under desktop in display properties it will not let me select a theme or image.

When I hit Ctrl+Alt+Delete to access task manager, it says it has been disabled by my administrator.

Thanks

SmitFraudFix v2.56

Scan done at 13:12:57.84, Thu 06/08/2006
Run from C:\Documents and Settings\Pasak Family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Pasak Family\Application Data

C:\Documents and Settings\Pasak Family\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PASAKF~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_21.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_21.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 GPasak

Posted 08 June 2006 - 01:42 PM

Update:

I went into regedit and followed this path: HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

Listed in here was desktop disabled and task manager disable with about 5 other disable keys. I deleted them all and I now am able to edit the desktop and my task manager works.

I still cannot change my home page and I think I still am not out of the woods.


thanks

#8 MFDnSC

Posted 08 June 2006 - 03:25 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
============================
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 GPasak

Posted 08 June 2006 - 10:37 PM

Thanks for all your help, I think it is getting better.

Here are the logs.

SmitFraudFix v2.56

Scan done at 22:01:17.84, Thu 06/08/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_21.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_21.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\uniq Deleted
C:\Documents and Settings\Pasak Family\Application Data\Install.dat Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\dcom_21.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

********
10:04 PM: | Start of Session, Thursday, June 08, 2006 |
10:04 PM: Spy Sweeper started
10:04 PM: Sweep initiated using definitions version 695
10:04 PM: Starting Memory Sweep
10:05 PM: Memory Sweep Complete, Elapsed Time: 00:01:16
10:05 PM: Starting Registry Sweep
10:05 PM: Found Adware: winantivirus pro
10:05 PM: HKCR\wap6.pcheck\ (5 subtraces) (ID = 1216032)
10:05 PM: HKCR\clsid\{b2a3156e-3332-4b47-af5a-5b121503514f}\ (12 subtraces) (ID = 1216099)
10:05 PM: HKCR\typelib\{1234890a-5e6e-4867-8136-ca6f1456b235}\ (9 subtraces) (ID = 1216116)
10:05 PM: HKLM\software\classes\clsid\{b2a3156e-3332-4b47-af5a-5b121503514f}\ (12 subtraces) (ID = 1216288)
10:05 PM: HKLM\software\classes\typelib\{1234890a-5e6e-4867-8136-ca6f1456b235}\ (9 subtraces) (ID = 1216305)
10:05 PM: Found Trojan Horse: trojan-downloader-wareout
10:05 PM: HKU\S-1-5-21-1935655697-1409082233-839522115-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
10:05 PM: HKU\S-1-5-21-1935655697-1409082233-839522115-1004\software\winantivirus pro 2006\ (90 subtraces) (ID = 1216147)
10:06 PM: Registry Sweep Complete, Elapsed Time:00:00:11
10:06 PM: Starting Cookie Sweep
10:06 PM: Found Spy Cookie: about cookie
10:06 PM: pasak family@about[1].txt (ID = 2037)
10:06 PM: Found Spy Cookie: pointroll cookie
10:06 PM: pasak family@ads.pointroll[1].txt (ID = 3148)
10:06 PM: Found Spy Cookie: adtech cookie
10:06 PM: pasak family@adtech[2].txt (ID = 2155)
10:06 PM: Found Spy Cookie: advertising cookie
10:06 PM: pasak family@advertising[1].txt (ID = 2175)
10:06 PM: Found Spy Cookie: atlas dmt cookie
10:06 PM: pasak family@atdmt[2].txt (ID = 2253)
10:06 PM: Found Spy Cookie: overture cookie
10:06 PM: pasak family@data1.perf.overture[2].txt (ID = 3106)
10:06 PM: Found Spy Cookie: did-it cookie
10:06 PM: pasak family@did-it[1].txt (ID = 2523)
10:06 PM: Found Spy Cookie: 2o7.net cookie
10:06 PM: pasak family@dmedia.122.2o7[1].txt (ID = 1958)
10:06 PM: Found Spy Cookie: mediaplex cookie
10:06 PM: pasak family@mediaplex[1].txt (ID = 6442)
10:06 PM: pasak family@msnportal.112.2o7[1].txt (ID = 1958)
10:06 PM: Found Spy Cookie: nextag cookie
10:06 PM: pasak family@nextag[2].txt (ID = 5014)
10:06 PM: pasak family@perf.overture[1].txt (ID = 3106)
10:06 PM: Found Spy Cookie: questionmarket cookie
10:06 PM: pasak family@questionmarket[1].txt (ID = 3217)
10:06 PM: Found Spy Cookie: tacoda cookie
10:06 PM: pasak family@tacoda[1].txt (ID = 6444)
10:06 PM: pasak family@webmd.122.2o7[1].txt (ID = 1958)
10:06 PM: pasak family@womenshealth.about[1].txt (ID = 2038)
10:06 PM: Found Spy Cookie: zedo cookie
10:06 PM: pasak family@zedo[2].txt (ID = 3762)
10:06 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:06 PM: Starting File Sweep
10:06 PM: c:\documents and settings\all users\application data\winantivirus pro 2006 (1 subtraces) (ID = -2147453525)
10:06 PM: Found Adware: dialerplatform
10:06 PM: rdgus2535.exe (ID = 301244)
10:12 PM: Found Trojan Horse: trojan-downloader-ruin
10:12 PM: dmuoy.exe (ID = 147)
10:19 PM: File Sweep Complete, Elapsed Time: 00:13:47
10:19 PM: Full Sweep has completed. Elapsed time 00:15:24
10:19 PM: Traces Found: 165
10:27 PM: Removal process initiated
10:27 PM: Quarantining All Traces: winantivirus pro
10:27 PM: Quarantining All Traces: trojan-downloader-wareout
10:27 PM: Quarantining All Traces: about cookie
10:27 PM: Quarantining All Traces: pointroll cookie
10:27 PM: Quarantining All Traces: adtech cookie
10:27 PM: Quarantining All Traces: advertising cookie
10:27 PM: Quarantining All Traces: atlas dmt cookie
10:27 PM: Quarantining All Traces: overture cookie
10:27 PM: Quarantining All Traces: did-it cookie
10:27 PM: Quarantining All Traces: 2o7.net cookie
10:27 PM: Quarantining All Traces: mediaplex cookie
10:27 PM: Quarantining All Traces: nextag cookie
10:27 PM: Quarantining All Traces: questionmarket cookie
10:27 PM: Quarantining All Traces: tacoda cookie
10:27 PM: Quarantining All Traces: zedo cookie
10:27 PM: Quarantining All Traces: dialerplatform
10:27 PM: Quarantining All Traces: trojan-downloader-ruin
10:27 PM: Removal process completed. Elapsed time 00:00:13
********
9:56 PM: | Start of Session, Thursday, June 08, 2006 |
9:56 PM: Spy Sweeper started
9:57 PM: Your spyware definitions have been updated.
10:03 PM: Program Version 4.5.9 (Build 709) Using Spyware Definitions 695
10:04 PM: | End of Session, Thursday, June 08, 2006

Logfile of HijackThis v1.99.1
Scan saved at 10:30:07 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\explorer.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O4 - HKCU\..\Run: [0445bfa1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {03B271AB-3123-3757-260F-27C93CE10715} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {24CC390B-87A2-4726-D93B-053F77C2A3EA} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2A255745-C0C1-2890-3FAA-1B203361612E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2BBF30A5-39CA-031C-2BD8-4EC50CE14ED2} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {325744DB-5CCF-0726-FAA1-402E3188D032} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {387734E1-6C21-0ED9-B10A-374B68EB27D8} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {388DE921-0C25-0162-F773-7A6C3D17D1FD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3AF83D45-D573-6534-E64F-6C7146E09697} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3B8A8C56-BD6A-717D-F06C-7DEF5E702544} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {515ECF39-1952-4C9A-FA8F-33BB47013C3E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {52096DA7-8F0E-65CB-3865-38316F7489DE} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
O16 - DPF: {6739BBE1-708B-4A76-0856-18F6741F4DAD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6C4839A1-3C29-289F-AAF6-114B0081B279} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759930517
O16 - DPF: {6FB5EED3-8DBC-2E95-0705-7E7D026E1985} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7862B8F3-1159-501D-51C7-24446AB12852} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7A82D592-1F64-1F37-926F-766731D32997} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again,

GPasak

#10 MFDnSC

Posted 09 June 2006 - 03:23 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe

O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe

O4 - HKCU\..\Run: [0445bfa1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe

O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {03B271AB-3123-3757-260F-27C93CE10715} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {24CC390B-87A2-4726-D93B-053F77C2A3EA} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2A255745-C0C1-2890-3FAA-1B203361612E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {2BBF30A5-39CA-031C-2BD8-4EC50CE14ED2} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {325744DB-5CCF-0726-FAA1-402E3188D032} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {387734E1-6C21-0ED9-B10A-374B68EB27D8} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {388DE921-0C25-0162-F773-7A6C3D17D1FD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3AF83D45-D573-6534-E64F-6C7146E09697} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {3B8A8C56-BD6A-717D-F06C-7DEF5E702544} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {515ECF39-1952-4C9A-FA8F-33BB47013C3E} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {52096DA7-8F0E-65CB-3865-38316F7489DE} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6739BBE1-708B-4A76-0856-18F6741F4DAD} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6C4839A1-3C29-289F-AAF6-114B0081B279} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6FB5EED3-8DBC-2E95-0705-7E7D026E1985} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7862B8F3-1159-501D-51C7-24446AB12852} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {7A82D592-1F64-1F37-926F-766731D32997} - http://85.255.114.166/1/rdgUS2535.exe

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\0445bfa1.exe
C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
C:\Documents and Settings\Pasak Family\Local Settings\Application Data\0445bfa1.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
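To show the kind of triage the helper did on the log above, here is an added Python script (not from the thread and not part of HijackThis) that parses O4 Run entries and O16 DPF entries and flags the two indicators visible in this log: executables with random eight-hex-character names, and ActiveX downloads that come from a bare IP address or point at an .exe instead of a .cab. The sample lines are copied from the HijackThis log posted above; the regexes and function names are my own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: five lines copied from the HijackThis log posted in this
# thread (two benign, three that the helper told the poster to fix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0445bfa1.exe] C:\WINDOWS\system32\0445bfa1.exe
O4 - HKCU\..\Run: [7039ecc1.exe] C:\Documents and Settings\Pasak Family\Local Settings\Application Data\7039ecc1.exe
O16 - DPF: {01BAE8A2-02C2-7264-B3A8-41C56450B45B} - http://85.255.114.166/1/rdgUS2535.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145759993745
"""

# A HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# Eight hex digits plus .exe: the naming pattern of the droppers in this log.
HEX_EXE_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def run_entry_executable(cmd):
    """Base name of the executable in an O4 command line, quoted or not."""
    m = re.match(r'^"?(?P<path>.*?\.exe)\b', cmd, re.IGNORECASE)
    path = m.group("path") if m else cmd
    return path.rsplit("\\", 1)[-1]


def dpf_url_reasons(url):
    """Indicators that an O16 (Download Program Files) URL is a malware drop point."""
    parsed = urlparse(url)
    reasons = []
    try:
        ip_address(parsed.hostname or "")
        reasons.append("ActiveX object fetched from a bare IP address")
    except ValueError:
        pass  # a DNS name: not an indicator by itself
    if parsed.path.lower().endswith(".exe"):
        reasons.append("DPF entry points at a raw .exe instead of a .cab package")
    return reasons


def triage(log_text):
    """Return [(section, line, reasons)] for every entry that trips an indicator."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O4" and (o4 := O4_RE.match(body)):
            exe = run_entry_executable(o4.group("cmd"))
            if HEX_EXE_RE.match(exe):
                reasons.append(f"Run entry launches random hex-named {exe}")
        elif section == "O16" and (o16 := O16_RE.match(body)):
            reasons = dpf_url_reasons(o16.group("url"))
        if reasons:
            findings.append((section, raw.strip(), reasons))
    return findings


def fix_list(findings):
    """The lines to tick under 'Fix checked' in HijackThis, one per flagged entry."""
    return [line for _, line, _ in findings]
```

Run `triage(SAMPLE_LOG)` on the full pasted log to get the same three kinds of entries the helper singled out; anything it does not flag still needs a human look, since these are only the indicators this particular infection left behind.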
