Trojan Horse Clicker.fr


  • This topic is locked
11 replies to this topic

#1 alias452

alias452

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:10 PM

Posted 04 July 2006 - 08:45 PM

About a week ago my AVG started popping up messages saying "Virus Detected". It says it's a Trojan Horse called Clicker.FR. Just yesterday AVG was able to scan my entire computer (it usually locks up on one of the infected files), showing 53 files infected. All in C:\WINDOWS\system32\{... I can no longer use Firefox, as it locks up instantly. And when I use IE and click a link, every few minutes it will take me to another site. I'm getting to the point where I'm looking at reformatting the HD, or even pulling it and getting a bigger HD. Here's a HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:34:12 PM, on 7/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\alias\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - {1A701473-C51D-7F35-5570-DBC3697FEAFB} - SetupExeDll.dll (file missing)
R3 - URLSearchHook: (no name) - {C32D4170-E1C1-08FC-8CC0-5CDD33976A7A} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{02DC3903-E9CB-4203-8F77-0477C63AF5A2}.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{02DC3903-E9CB-4203-8F77-0477C63AF5A2}.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cmon14] ABCXYZ.exe
O4 - HKLM\..\Run: [new32] JAguAr.exe
O4 - HKLM\..\Run: [vxdman] scanSYS.exe
O4 - HKLM\..\Run: [SpyElim] ___.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe /insfin
O4 - HKLM\..\Run: [pktfm.exe] C:\WINDOWS\system32\pktfm.exe
O4 - HKLM\..\Run: [dmics.exe] C:\WINDOWS\system32\dmics.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [sayjaaaa] C:\WINDOWS\system32\sayjaaaa.exe
O4 - HKCU\..\Run: [sysmon12] sysconf16.exe
O4 - HKCU\..\Run: [UserSp1] clamav.exe
O4 - HKCU\..\Run: [cnftips] prcmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [stuffmon] SetupExeDll.exe
O4 - HKCU\..\Run: [borlandg] bnui.exe
O4 - HKCU\..\Run: [corrida] startman.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136693982296
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,34
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE897D0F-4D09-4C25-B575-938FB3EAD821}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O21 - SSODL: IEFilter - {EE9D483D-45A9-4E1A-99CC-914BE8CA10EA} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for any help. Jeremy


#2 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:10 PM

Posted 05 July 2006 - 01:04 PM

Welcome to BleepingComputer, Jeremy.

I'm currently working on your log and will be back ASAP. Thanks :thumbsup:

Olivier

#3 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:10 PM

Posted 06 July 2006 - 03:38 AM

Hi Jeremy,

* You are currently using HijackThis from a temp directory. This can cause problems.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double-click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right-click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

* Please download FixWareout from here and save it to your Desktop. Double-click on Fixwareout.exe to extract the files and click Next and then Install. Make sure that "Run fixit" is checked and click Finish. The fix will begin; follow the prompts.

You will be asked to reboot your computer, please do so. Your system may take longer than usual to load but this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE897D0F-4D09-4C25-B575-938FB3EAD821}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213


Click Fix Checked. Close HijackThis and click OK to proceed. At the end of the fix, you will need to restart your computer again.

Post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

NB: You must be online to run this utility.

Olivier
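The O17 lines stonangel asks Jeremy to fix are the ones that redirect the machine's DNS to resolvers it should not be using; the same log also carries dangling "(file missing)" references and autoruns launched from a Temp directory. The script below is an added example (not part of this thread and not a BleepingComputer tool) that parses lines in the HijackThis v1.99.1 format shown above and reports those three classes of entry. The trusted-resolver set, the severity labels and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Resolvers this machine is expected to use (e.g. the home router). An
# assumption for this example; the thread does not state the legitimate DNS.
TRUSTED_DNS = {"192.168.1.1"}

# Constructed sample: a handful of lines in the HijackThis v1.99.1 format posted above.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
R3 - URLSearchHook: (no name) - {1A701473-C51D-7F35-5570-DBC3697FEAFB} - SetupExeDll.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cmon14] ABCXYZ.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe /insfin
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NAMESERVER = re.compile(r"NameServer = (?P<servers>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "fix": tick it in HijackThis; "review": look the file up first
    reason: str
    line: str


def parse_nameservers(body):
    """O17 lines separate resolvers with ',' or ' ' (both forms appear in the log)."""
    m = NAMESERVER.search(body)
    if not m:
        return []
    return [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]


def run_target(cmd):
    """Strip quotes and arguments from an O4 command line, leaving the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the first executable suffix.
    m = re.match(r"(?i)(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return the entries a helper would flag, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O17":
            # Every resolver that is not one we expect is a DNS redirection.
            for ip in parse_nameservers(body):
                try:
                    scope = "public" if ipaddress.ip_address(ip).is_global else "private"
                except ValueError:
                    findings.append(Finding(section, "fix", f"unparseable resolver {ip!r}", raw))
                    continue
                if ip not in trusted_dns:
                    findings.append(Finding(section, "fix", f"unexpected {scope} DNS resolver {ip}", raw))
            continue
        if body.endswith("(file missing)"):
            # Hook, BHO, toolbar or service pointing at a file that is gone: safe to remove.
            findings.append(Finding(section, "fix", "references a file that no longer exists", raw))
            continue
        if section == "O4":
            r = O4_RUN.match(body)
            if not r:
                continue
            target = run_target(r.group("cmd"))
            if "\\temp\\" in target.lower():
                findings.append(Finding(section, "fix", "autorun launched from a Temp directory", raw))
            elif "\\" not in target:
                findings.append(Finding(section, "review", "bare filename resolved via PATH; confirm its origin", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Bare filenames such as CTHELPER.EXE are legitimate on this machine, which is why they are only reported for review rather than marked for fixing.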

#4 alias452

alias452
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:10 PM

Posted 06 July 2006 - 09:11 PM

Here are the two logs:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D4D064AAA4D9-4868-1474-0B9B-693DF385{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}22F60553AA2E-74AA-6394-511A-F097A1DC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}528E7190A43C-2339-3064-F65E-B2BA722B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F98AB68B65A5-DDEB-1F44-917C-54145E47{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B8A4DDBC76F-E858-1C24-F554-9D8017A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}046464551146-883A-4944-3A0D-5197F454{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\jngmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BF9BE082EDD7-8B1B-C574-644C-53BDB624{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmgnj.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

Search by size and names...
* csr.exe C:\WINDOWS\System32\CSFWI.EXE
* csr.exe C:\WINDOWS\System32\CSGSS.EXE

Misc files
* thequicklink C:\WINDOWS\System32\{02DC3~1.DLL
* thequicklink C:\WINDOWS\System32\{0DCFB~1.DLL

Checking for older varients covered by the Rem3 tool
C:\WINDOWS\System32\service.exe


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSFWI.EXE 51,205 2006-06-28
C:\WINDOWS\SYSTEM32\CSGSS.EXE 51,234 2006-07-06
C:\WINDOWS\SYSTEM32\DMGNJ.EXE 44,127 2004-08-04
C:\WINDOWS\SYSTEM32\DMXIC.EXE 44,085 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{0DCFB993-8DF1-417A-B8A1-82277E12D78A}.dll
{02DC3903-E9CB-4203-8F77-0477C63AF5A2}.dll
{426BDB35-C446-475C-B1B8-7DDE280EB9FB}.exe
{454F7915-D0A3-4494-A388-641155464640}.exe
{5A7108D9-455F-42C1-858E-F67CBDD4A8B9}.exe
{74E54145-C719-44F1-BEDD-5A56B86BA89F}.exe
{CD1A790F-A115-4936-AA47-E2AA35506F22}.exe
{583FD396-B9B0-4741-8684-9D4AAA460D4D}.exe
{C330FB83-727B-44FC-ACC3-1B418C5E44F7}.exe
{AC8ACDB2-78C5-4B2D-9178-A1AEEA6FC5EE}.exe
{45E7B536-C55A-4336-AC92-555755130F79}.exe
{E376E300-0C6E-408F-BBB0-3223291336FF}.exe
{CBC73A36-F9A0-4A68-81F0-B31B53B1F801}.exe
{83588C3A-C9D9-47CF-895C-20C49B2B9262}.exe
{AB62370F-D2D0-44CF-B239-1AE94D3741D6}.exe
{7692921F-4CE0-487A-8A12-57599CBA493F}.exe
{DF6E3C26-102C-4D43-8043-44F1F8F89759}.exe
{CBC6BA13-644B-4702-AA33-B57C8C15B731}.exe
{6C85128B-BF13-4C8D-BB76-5E05DA121C45}.exe
{EE7F59A3-BDAA-4CEF-8929-8EA541CDD57E}.exe
{1F818283-3017-45A3-AEE9-D2AD8422F06D}.exe
{BB060937-1F72-43AF-BEBB-B9EC2F84CBDE}.exe
{59373908-7264-40AD-A631-FF544A5C7040}.exe
{F3CBD26A-6040-450F-A4D3-DDA9153455FB}.exe
{97934AF7-33A7-450C-9D89-09DB38C7840B}.exe
{B94A8CCC-775A-474D-989F-A6AE654422CC}.exe
{AD42CAED-70CC-4927-8013-40FE625BF5D8}.exe
{28D0E5A8-47C9-41A7-B340-F6EB8C166A88}.exe
{83864B29-D14D-403E-A89C-94DFCF86300A}.exe
{553E3F1C-B064-4095-B2D6-059996D1462A}.exe
{2C2E7FC1-74A6-45DB-9454-2E7770B44953}.exe
{A08155DB-733B-4876-9874-370B34FAFF31}.exe
{9A3111E7-A6BB-47A8-9D73-B861632D8CED}.exe
{B249B4CB-1C8E-4B40-8D91-31A4F93D3D4A}.exe
{1A0105D2-DFB5-4900-AB5D-C577B65CD9D2}.exe
{80FCF503-954C-4984-A7F6-EBC196489297}.exe
{3908F585-5823-413A-B514-B223DB67F774}.exe
{03AF0DC3-2748-47AA-8446-A48A7F41F7DC}.exe
{C49F6082-E900-4C65-8EEF-63FDA13F48A1}.exe
{51891117-3A01-4EBA-ACC2-E5914F209ADD}.exe
{B83919E6-0A57-413D-BC7D-0C40148F4D80}.exe
{9F336903-FE5B-47AF-BC69-1628A2C7056B}.exe
{EBEF2629-A3F3-447D-BAFF-D6F930982233}.exe
{8B2DFE84-90CA-4F4B-BBE8-29C113A0C681}.exe
{1D2FD58C-BFE9-4750-A14E-BD2FB2EF5649}.exe
{2E218FC1-2861-43EA-9733-2B4AF7EA98DB}.exe
{FBFAFE87-F0AB-43E0-B4B3-A2FCC01E34E2}.exe
{125302D9-7569-4454-89BF-A043145B37C9}.exe
{7B3670AC-EA01-4FD7-822F-6D4B7EB990FC}.exe
{990087ED-1F41-4DF0-842A-2AC4CD936443}.exe
{97909B72-781A-4E20-B34E-6F3B0B29170C}.exe
{78C186ED-F536-4918-86DD-1B62A6C8D35B}.exe
{C712569A-2D10-47F5-AC5E-E344DE2B1AF5}.exe
{B1D3DF61-229F-4F89-BC09-D0910047B042}.exe
{E7F87D8E-B6B2-47E3-B809-B486A3BF85B8}.exe

Logfile of HijackThis v1.99.1
Scan saved at 8:58:27 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {1A701473-C51D-7F35-5570-DBC3697FEAFB} - SetupExeDll.dll (file missing)
R3 - URLSearchHook: (no name) - {C32D4170-E1C1-08FC-8CC0-5CDD33976A7A} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{7CA7059A-921F-448D-BDDB-A46C89E3331B}.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{7CA7059A-921F-448D-BDDB-A46C89E3331B}.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cmon14] ABCXYZ.exe
O4 - HKLM\..\Run: [new32] JAguAr.exe
O4 - HKLM\..\Run: [vxdman] scanSYS.exe
O4 - HKLM\..\Run: [SpyElim] ___.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe /insfin
O4 - HKLM\..\Run: [dmwvl.exe] C:\WINDOWS\system32\dmwvl.exe
O4 - HKLM\..\Run: [bzyil.exe] C:\WINDOWS\system32\bzyil.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [sayjaaaa] C:\WINDOWS\system32\sayjaaaa.exe
O4 - HKCU\..\Run: [sysmon12] sysconf16.exe
O4 - HKCU\..\Run: [UserSp1] clamav.exe
O4 - HKCU\..\Run: [cnftips] prcmon.exe
O4 - HKCU\..\Run: [stuffmon] SetupExeDll.exe
O4 - HKCU\..\Run: [borlandg] bnui.exe
O4 - HKCU\..\Run: [corrida] startman.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136693982296
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE897D0F-4D09-4C25-B575-938FB3EAD821}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O21 - SSODL: IEFilter - {EE9D483D-45A9-4E1A-99CC-914BE8CA10EA} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for the help so far. Now I'm off to work on my ReplayTV, that HD I AM going to shoot. :D

Jeremy

#5 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:10 PM

Posted 07 July 2006 - 07:53 AM

Hi Jeremy,

* Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
* Go to Start > Run, type cmd in the box, then copy and paste the following text (hit Enter after each line):

sc stop ".NET Runtime Optimization Service v1.000.3.1434"
sc delete ".NET Runtime Optimization Service v1.000.3.1434"
exit

* Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\{02DC3~1.DLL
    C:\WINDOWS\System32\{0DCFB~1.DLL
    C:\WINDOWS\System32\service.exe
    C:\WINDOWS\SYSTEM32\CSFWI.EXE
    C:\WINDOWS\SYSTEM32\CSGSS.EXE
    C:\WINDOWS\SYSTEM32\DMGNJ.EXE
    C:\WINDOWS\SYSTEM32\DMXIC.EXE
    C:\WINDOWS\system32\{0DCFB993-8DF1-417A-B8A1-82277E12D78A}.dll
    C:\WINDOWS\system32\{02DC3903-E9CB-4203-8F77-0477C63AF5A2}.dll
    C:\WINDOWS\system32\{426BDB35-C446-475C-B1B8-7DDE280EB9FB}.exe
    C:\WINDOWS\system32\{454F7915-D0A3-4494-A388-641155464640}.exe
    C:\WINDOWS\system32\{5A7108D9-455F-42C1-858E-F67CBDD4A8B9}.exe
    C:\WINDOWS\system32\{74E54145-C719-44F1-BEDD-5A56B86BA89F}.exe
    C:\WINDOWS\system32\{CD1A790F-A115-4936-AA47-E2AA35506F22}.exe
    C:\WINDOWS\system32\{583FD396-B9B0-4741-8684-9D4AAA460D4D}.exe
    C:\WINDOWS\system32\{C330FB83-727B-44FC-ACC3-1B418C5E44F7}.exe
    C:\WINDOWS\system32\{AC8ACDB2-78C5-4B2D-9178-A1AEEA6FC5EE}.exe
    C:\WINDOWS\system32\{45E7B536-C55A-4336-AC92-555755130F79}.exe
    C:\WINDOWS\system32\{E376E300-0C6E-408F-BBB0-3223291336FF}.exe
    C:\WINDOWS\system32\{CBC73A36-F9A0-4A68-81F0-B31B53B1F801}.exe
    C:\WINDOWS\system32\{83588C3A-C9D9-47CF-895C-20C49B2B9262}.exe
    C:\WINDOWS\system32\{AB62370F-D2D0-44CF-B239-1AE94D3741D6}.exe
    C:\WINDOWS\system32\{7692921F-4CE0-487A-8A12-57599CBA493F}.exe
    C:\WINDOWS\system32\{DF6E3C26-102C-4D43-8043-44F1F8F89759}.exe
    C:\WINDOWS\system32\{CBC6BA13-644B-4702-AA33-B57C8C15B731}.exe
    C:\WINDOWS\system32\{6C85128B-BF13-4C8D-BB76-5E05DA121C45}.exe
    C:\WINDOWS\system32\{EE7F59A3-BDAA-4CEF-8929-8EA541CDD57E}.exe
    C:\WINDOWS\system32\{1F818283-3017-45A3-AEE9-D2AD8422F06D}.exe
    C:\WINDOWS\system32\{BB060937-1F72-43AF-BEBB-B9EC2F84CBDE}.exe
    C:\WINDOWS\system32\{59373908-7264-40AD-A631-FF544A5C7040}.exe
    C:\WINDOWS\system32\{F3CBD26A-6040-450F-A4D3-DDA9153455FB}.exe
    C:\WINDOWS\system32\{97934AF7-33A7-450C-9D89-09DB38C7840B}.exe
    C:\WINDOWS\system32\{B94A8CCC-775A-474D-989F-A6AE654422CC}.exe
    C:\WINDOWS\system32\{AD42CAED-70CC-4927-8013-40FE625BF5D8}.exe
    C:\WINDOWS\system32\{28D0E5A8-47C9-41A7-B340-F6EB8C166A88}.exe
    C:\WINDOWS\system32\{83864B29-D14D-403E-A89C-94DFCF86300A}.exe
    C:\WINDOWS\system32\{553E3F1C-B064-4095-B2D6-059996D1462A}.exe
    C:\WINDOWS\system32\{2C2E7FC1-74A6-45DB-9454-2E7770B44953}.exe
    C:\WINDOWS\system32\{A08155DB-733B-4876-9874-370B34FAFF31}.exe
    C:\WINDOWS\system32\{9A3111E7-A6BB-47A8-9D73-B861632D8CED}.exe
    C:\WINDOWS\system32\{B249B4CB-1C8E-4B40-8D91-31A4F93D3D4A}.exe
    C:\WINDOWS\system32\{1A0105D2-DFB5-4900-AB5D-C577B65CD9D2}.exe
    C:\WINDOWS\system32\{80FCF503-954C-4984-A7F6-EBC196489297}.exe
    C:\WINDOWS\system32\{3908F585-5823-413A-B514-B223DB67F774}.exe
    C:\WINDOWS\system32\{03AF0DC3-2748-47AA-8446-A48A7F41F7DC}.exe
    C:\WINDOWS\system32\{C49F6082-E900-4C65-8EEF-63FDA13F48A1}.exe
    C:\WINDOWS\system32\{51891117-3A01-4EBA-ACC2-E5914F209ADD}.exe
    C:\WINDOWS\system32\{B83919E6-0A57-413D-BC7D-0C40148F4D80}.exe
    C:\WINDOWS\system32\{9F336903-FE5B-47AF-BC69-1628A2C7056B}.exe
    C:\WINDOWS\system32\{EBEF2629-A3F3-447D-BAFF-D6F930982233}.exe
    C:\WINDOWS\system32\{8B2DFE84-90CA-4F4B-BBE8-29C113A0C681}.exe
    C:\WINDOWS\system32\{1D2FD58C-BFE9-4750-A14E-BD2FB2EF5649}.exe
    C:\WINDOWS\system32\{2E218FC1-2861-43EA-9733-2B4AF7EA98DB}.exe
    C:\WINDOWS\system32\{FBFAFE87-F0AB-43E0-B4B3-A2FCC01E34E2}.exe
    C:\WINDOWS\system32\{125302D9-7569-4454-89BF-A043145B37C9}.exe
    C:\WINDOWS\system32\{7B3670AC-EA01-4FD7-822F-6D4B7EB990FC}.exe
    C:\WINDOWS\system32\{990087ED-1F41-4DF0-842A-2AC4CD936443}.exe
    C:\WINDOWS\system32\{97909B72-781A-4E20-B34E-6F3B0B29170C}.exe
    C:\WINDOWS\system32\{78C186ED-F536-4918-86DD-1B62A6C8D35B}.exe
    C:\WINDOWS\system32\{C712569A-2D10-47F5-AC5E-E344DE2B1AF5}.exe
    C:\WINDOWS\system32\{B1D3DF61-229F-4F89-BC09-D0910047B042}.exe
    C:\WINDOWS\system32\{E7F87D8E-B6B2-47E3-B809-B486A3BF85B8}.exe
    C:\WINDOWS\system32\ABCXYZ.exe
    C:\WINDOWS\system32\JAguAr.exe
    C:\WINDOWS\system32\scanSYS.exe
    C:\WINDOWS\system32\___.exe
    C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe
    C:\WINDOWS\system32\dmwvl.exe
    C:\WINDOWS\system32\bzyil.exe
    C:\WINDOWS\system32\sayjaaaa.exe
    C:\WINDOWS\system32\sysconf16.exe
    C:\WINDOWS\system32\clamav.exe
    C:\WINDOWS\system32\prcmon.exe
    C:\WINDOWS\system32\SetupExeDll.exe
    C:\WINDOWS\system32\bnui.exe
    C:\WINDOWS\system32\startman.exe
    C:\WINDOWS\system32\IEFilter.dll
    C:\WINDOWS\system32\dcxsernx.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Please re-open HijackThis and Scan. Check the following items if listed:

R3 - URLSearchHook: (no name) - {1A701473-C51D-7F35-5570-DBC3697FEAFB} - SetupExeDll.dll (file missing)
R3 - URLSearchHook: (no name) - {C32D4170-E1C1-08FC-8CC0-5CDD33976A7A} - br0ken.dll (file missing)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{7CA7059A-921F-448D-BDDB-A46C89E3331B}.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{7CA7059A-921F-448D-BDDB-A46C89E3331B}.dll

O4 - HKLM\..\Run: [cmon14] ABCXYZ.exe
O4 - HKLM\..\Run: [new32] JAguAr.exe
O4 - HKLM\..\Run: [vxdman] scanSYS.exe
O4 - HKLM\..\Run: [SpyElim] ___.exe

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\alias\LOCALS~1\Temp\200674174812_mcinfo.exe /insfin
O4 - HKLM\..\Run: [dmwvl.exe] C:\WINDOWS\system32\dmwvl.exe
O4 - HKLM\..\Run: [bzyil.exe] C:\WINDOWS\system32\bzyil.exe

O4 - HKCU\..\Run: [sayjaaaa] C:\WINDOWS\system32\sayjaaaa.exe
O4 - HKCU\..\Run: [sysmon12] sysconf16.exe
O4 - HKCU\..\Run: [UserSp1] clamav.exe
O4 - HKCU\..\Run: [cnftips] prcmon.exe
O4 - HKCU\..\Run: [stuffmon] SetupExeDll.exe
O4 - HKCU\..\Run: [borlandg] bnui.exe
O4 - HKCU\..\Run: [corrida] startman.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE897D0F-4D09-4C25-B575-938FB3EAD821}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O21 - SSODL: IEFilter - {EE9D483D-45A9-4E1A-99CC-914BE8CA10EA} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)


Click Fix Checked. Close HijackThis.

* Please read this thread:
http://www.thespykiller.co.uk/forum/index.php?topic=5.0

* Upload the files listed in Killbox here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

* Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.

Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.

* Finally post back a new hijackthis log as well as the Blacklight one, please.

Olivier
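The fix list in the post above is a repeatable triage: O17 NameServer values pointing at resolvers the network never handed out, Run entries that launch bare filenames or random-named binaries out of system32, a BHO backed by a GUID-named DLL, and a service whose binary is already gone. The script below is an added example and not part of the thread or of HijackThis; it applies those checks to a constructed excerpt of the log lines quoted above. The allowlists (KNOWN_SYSTEM32, TRUSTED_RESOLVERS) and the five-letter name heuristic are assumptions chosen for this thread's entries, not general signatures.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis logs quoted in this thread, with a
# few legitimate entries from the same logs mixed in so the checks have something to pass.
SAMPLE_HJT = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{7CA7059A-921F-448D-BDDB-A46C89E3331B}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [cmon14] ABCXYZ.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmwvl.exe] C:\WINDOWS\system32\dmwvl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Heuristic tuned to the names that churn through this thread (dmwvl, bzyil, cozna, ...);
# it is an assumption for this example, not a general signature.
RANDOM_NAME_RE = re.compile(r"[a-z]{5}\.exe")
# Assumed allowlists, constructed for this example: Run entries that legitimately start out
# of system32 on this box, and the resolvers this network is expected to hand out.
KNOWN_SYSTEM32 = {"ctfmon.exe", "cthelper.exe", "nerocheck.exe"}
TRUSTED_RESOLVERS = {"192.168.1.1"}


def nameservers(line):
    """IPs listed after 'NameServer =' on an O17 line; HJT prints them comma- or space-separated."""
    rhs = line.split("NameServer =", 1)[1]
    return [ip for ip in re.split(r"[,\s]+", rhs.strip()) if ip]


def is_rogue_resolver(ip, trusted):
    """A resolver is rogue if it is neither allowlisted nor on the local (private) network."""
    if ip in trusted:
        return False
    try:
        return not ip_address(ip).is_private
    except ValueError:          # garbage in a NameServer value is itself worth a look
        return True


def run_target(line):
    """(command, lowercase basename) for an O4 Run line; quoted paths may contain spaces."""
    rest = line.split("] ", 1)[1].strip()
    cmd = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split()[0]
    return cmd, cmd.rsplit("\\", 1)[-1].lower()


def triage(log_text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return (reason, line) pairs for the entries a helper would ask the poster to fix."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("O17 ") and "NameServer =" in line:
            rogue = [ip for ip in nameservers(line) if is_rogue_resolver(ip, trusted_resolvers)]
            if rogue:
                findings.append(("DNS resolver hijack: " + ", ".join(rogue), line))
        elif line.startswith("O4 ") and "] " in line:
            cmd, name = run_target(line)
            if "\\" not in cmd:
                findings.append(("Run entry by bare filename, resolved through the search path", line))
            elif "\\system32\\" in cmd.lower() and name not in KNOWN_SYSTEM32 and RANDOM_NAME_RE.fullmatch(name):
                findings.append(("random-looking binary started from system32", line))
        elif line.startswith(("O2 ", "O3 ", "O21 ")):
            # The last ' - ' field is the backing file; a GUID as a file name is the tell here.
            if GUID_RE.search(line.rsplit(" - ", 1)[-1]):
                findings.append(("COM component backed by a GUID-named file", line))
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            findings.append(("service registered for a binary that is no longer present", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```

Run against the sample it reports six entries and passes the AVG, iTunes, Java and ctfmon lines. The resolver check is the one worth keeping even without the name heuristics: a NameServer value that is neither the ISP's nor a private address is wrong regardless of what else the log says.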

#6 alias452 (Topic Starter, Members, 5 posts)

Posted 07 July 2006 - 08:50 PM

Ok, just finished with your last post. New version of Java installed, old one removed. Installed and ran Killbox. It seemed like once Killbox scanned certain files, AVG started popping up Virus Detected boxes. After I hit the Delete file button, I did get the PendingFileRenameOperations prompt.

I then opened HJT, however 3 of the items you wanted me to select were not there:
O4 - HKLM\..\Run: [dmwvl.exe] C:\WINDOWS\system32\dmwvl.exe
O4 - HKLM\..\Run: [bzyil.exe] C:\WINDOWS\system32\bzyil.exe
O23 - Service: .NET Runtime Optimization Service v1.000.3.1434 - Unknown owner - C:\WINDOWS\system32\dcxsernx.exe (file missing)

The link to F-Secure Blacklight did not work, so I manually installed it and did the scan. Here's the Blacklight log:

07/07/06 21:24:58 [Info]: BlackLight Engine 1.0.42 initialized
07/07/06 21:24:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/07/06 21:24:59 [Note]: 7019 4
07/07/06 21:24:59 [Note]: 7005 0
07/07/06 21:25:09 [Note]: 7006 0
07/07/06 21:25:09 [Note]: 7011 540
07/07/06 21:25:09 [Note]: 7026 0
07/07/06 21:25:09 [Note]: 7026 0
07/07/06 21:25:15 [Note]: FSRAW library version 1.7.1019
07/07/06 21:28:49 [Info]: Hidden file: c:\WINDOWS\system32\dmszf.exe
07/07/06 21:28:49 [Note]: 7002 32
07/07/06 21:28:49 [Note]: 7003 1
07/07/06 21:28:49 [Note]: 10002 1
07/07/06 21:28:52 [Info]: Hidden file: c:\WINDOWS\system32\cstiv.exe
07/07/06 21:28:52 [Note]: 7002 32
07/07/06 21:28:52 [Note]: 7003 1
07/07/06 21:28:52 [Note]: 10002 1
07/07/06 21:28:53 [Info]: Hidden file: c:\WINDOWS\system32\{7C19ABD1-585A-43AD-91ED-DED2463A1BB8}.exe
07/07/06 21:28:53 [Note]: 7002 5
07/07/06 21:28:53 [Note]: 7003 1
07/07/06 21:28:53 [Note]: 10002 1
07/07/06 21:28:54 [Info]: Hidden file: c:\WINDOWS\system32\{828DDBEA-28FC-4FF1-A3F1-67DE1F5D5278}.exe
07/07/06 21:28:54 [Note]: 10002 1
07/07/06 21:28:54 [Info]: Hidden file: c:\WINDOWS\system32\{9048ABBB-626D-4666-9297-339CEEF86A42}.exe
07/07/06 21:28:54 [Note]: 10002 1
07/07/06 21:28:55 [Info]: Hidden file: c:\WINDOWS\system32\{976ED55D-F2D4-4B81-A464-FC651154ED20}.exe
07/07/06 21:28:55 [Note]: 10002 1
07/07/06 21:28:55 [Info]: Hidden file: c:\WINDOWS\system32\{99E99A32-37C4-4D01-8F73-F2D257752D30}.exe
07/07/06 21:28:55 [Note]: 7002 5
07/07/06 21:28:55 [Note]: 7003 1
07/07/06 21:28:55 [Note]: 10002 1
07/07/06 21:28:56 [Info]: Hidden file: c:\WINDOWS\system32\{CE5EA5D3-8219-4BAD-A603-80F3B8F41EF0}.exe
07/07/06 21:28:56 [Note]: 7002 5
07/07/06 21:28:56 [Note]: 7003 1
07/07/06 21:28:56 [Note]: 10002 1
07/07/06 21:28:56 [Info]: Hidden file: c:\WINDOWS\system32\{E81B2401-250C-47E7-B2A8-820C5AC6C88A}.exe
07/07/06 21:28:56 [Note]: 7002 5
07/07/06 21:28:56 [Note]: 7003 1
07/07/06 21:28:56 [Note]: 10002 1
07/07/06 21:28:56 [Info]: Hidden file: c:\WINDOWS\system32\{FAB3C7D4-8243-43AA-93AC-5550A068EEDB}.exe
07/07/06 21:28:56 [Note]: 7002 5
07/07/06 21:28:56 [Note]: 7003 1
07/07/06 21:28:56 [Note]: 10002 1
07/07/06 21:28:57 [Info]: Hidden file: c:\WINDOWS\system32\{0CC50470-5731-4127-89BB-469DF4A3A0D9}.exe
07/07/06 21:28:57 [Note]: 7002 5
07/07/06 21:28:57 [Note]: 7003 1
07/07/06 21:28:57 [Note]: 10002 1
07/07/06 21:28:57 [Info]: Hidden file: c:\WINDOWS\system32\{125CC338-5DA6-42E9-93C7-16E526BD1C53}.exe
07/07/06 21:28:57 [Note]: 7002 5
07/07/06 21:28:57 [Note]: 7003 1
07/07/06 21:28:57 [Note]: 10002 1
07/07/06 21:28:58 [Info]: Hidden file: c:\WINDOWS\system32\{1CBA1628-A6BC-4833-B510-6B2252CD282E}.exe
07/07/06 21:28:58 [Note]: 10002 1
07/07/06 21:28:58 [Info]: Hidden file: c:\WINDOWS\system32\{52CE8DA9-CE58-4064-92CB-53F673EC4D6B}.exe
07/07/06 21:28:58 [Note]: 7002 5
07/07/06 21:28:58 [Note]: 7003 1
07/07/06 21:28:58 [Note]: 10002 1
07/07/06 21:28:58 [Info]: Hidden file: c:\WINDOWS\system32\{5A10CD90-B2C5-4AC1-A447-B5840D26C6A7}.exe
07/07/06 21:28:58 [Note]: 7002 5
07/07/06 21:28:58 [Note]: 7003 1
07/07/06 21:28:58 [Note]: 10002 1
07/07/06 21:28:59 [Info]: Hidden file: c:\WINDOWS\system32\{2F46F000-B42A-4211-928E-6405C5C3D365}.exe
07/07/06 21:28:59 [Note]: 7002 5
07/07/06 21:28:59 [Note]: 7003 1
07/07/06 21:28:59 [Note]: 10002 1
07/07/06 21:28:59 [Info]: Hidden file: c:\WINDOWS\system32\{4898D968-ECB3-4299-8AD1-505CB97ECF9E}.exe
07/07/06 21:28:59 [Note]: 7002 5
07/07/06 21:28:59 [Note]: 7003 1
07/07/06 21:28:59 [Note]: 10002 1
07/07/06 21:30:39 [Note]: 7007 0

And the new HJT

Logfile of HijackThis v1.99.1
Scan saved at 9:33:37 PM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [cozna.exe ] C:\WINDOWS\system32\cozna.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb- 8876480.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136693982296
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Again, Thank you for the help.

Jeremy

#7 stonangel (Members, 595 posts, Location: France)

Posted 08 July 2006 - 04:50 AM

Hi Jeremy,

* Please re-open Killbox > Files > !Killbox backups and upload the files inside, along with the following ones:

C:\WINDOWS\system32\cozna.exe
c:\WINDOWS\system32\dmszf.exe
c:\WINDOWS\system32\cstiv.exe


here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

* Please re-open Hijackthis and scan. Check the below entries:

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O4 - HKLM\..\Run: [cozna.exe ] C:\WINDOWS\system32\cozna.exe


Then click on Fix Checked. Exit HijackThis.

* Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\cozna.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* 1. Now use Blacklight in exactly the same way as before, but when it shows the list of the items found, select each entry and choose to let Blacklight rename them by clicking the Rename button.
2. Next to each entry, "rename" should appear.
3. Click "Next".
4. Blacklight will give you a warning asking if you are sure. Click "Yes".
5. Then it will tell you: "Your computer will reboot now"
6. Click "Yes"

* Post back a new hijackthis log as well as the F-Secure one, please.

Olivier

#8 alias452 (Topic Starter, Members, 5 posts)

Posted 09 July 2006 - 06:37 PM

OK

The latest logs


Logfile of HijackThis v1.99.1
Scan saved at 5:37:31 PM, on 7/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [dmrqn.exe] C:\WINDOWS\system32\dmrqn.exe
O4 - HKLM\..\Run: [vqadd.exe] C:\WINDOWS\system32\vqadd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136693982296
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

07/09/06 17:50:23 [Info]: BlackLight Engine 1.0.42 initialized
07/09/06 17:50:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/09/06 17:50:24 [Note]: 7019 4
07/09/06 17:50:24 [Note]: 7005 0
07/09/06 17:50:29 [Note]: 7007 0

Jeremy
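Across the three HijackThis logs posted so far, the Run entries that were fixed come back under fresh random names (dmwvl/bzyil, then cozna, then dmrqn/vqadd), and BlackLight's hidden-file list empties after the rename only to be scanned again at the next round. The script below is an added example and not part of the thread or of either tool; it diffs the O4 Run entries of successive HijackThis logs and lists BlackLight's hidden files so that this churn shows up as data rather than as a feeling that the machine keeps reinfecting. The excerpts are constructed from the logs quoted above, trimmed to the entries that changed, with ctfmon.exe kept as a control that should never show up as churn.

```python
import re

# Constructed excerpts: the O4 Run entries from the three HijackThis logs posted above
# (4, 7 and 9 July) and the "Hidden file" lines from the two BlackLight scans, reduced to
# the entries that changed between posts plus one legitimate entry (ctfmon.exe) as a control.
HJT_LOGS = [
    r"""
O4 - HKLM\..\Run: [dmwvl.exe] C:\WINDOWS\system32\dmwvl.exe
O4 - HKLM\..\Run: [bzyil.exe] C:\WINDOWS\system32\bzyil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    r"""
O4 - HKLM\..\Run: [cozna.exe ] C:\WINDOWS\system32\cozna.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    r"""
O4 - HKLM\..\Run: [dmrqn.exe] C:\WINDOWS\system32\dmrqn.exe
O4 - HKLM\..\Run: [vqadd.exe] C:\WINDOWS\system32\vqadd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
]
BLACKLIGHT_LOGS = [
    r"""
07/07/06 21:28:49 [Info]: Hidden file: c:\WINDOWS\system32\dmszf.exe
07/07/06 21:28:52 [Info]: Hidden file: c:\WINDOWS\system32\cstiv.exe
07/07/06 21:28:53 [Info]: Hidden file: c:\WINDOWS\system32\{7C19ABD1-585A-43AD-91ED-DED2463A1BB8}.exe
07/07/06 21:30:39 [Note]: 7007 0
""",
    r"""
07/09/06 17:50:29 [Note]: 7007 0
""",
]

# HJT writes the value name in brackets; a stray space before ']' (as in '[cozna.exe ]') is tolerated.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+?)\s*\]\s*(.+)$")
HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (.+)$")
GUID_NAME_RE = re.compile(r"^\{[0-9a-f-]{36}\}\.exe$")


def run_entries(log):
    """Set of (hive, value name, target) for every O4 Run line in a HijackThis log."""
    entries = set()
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def churn(prev, curr):
    """(removed, added) between two successive logs' Run entries."""
    return prev - curr, curr - prev


def hidden_files(log):
    """Lowercase basenames of every file BlackLight reported as hidden."""
    return [m.group(1).rsplit("\\", 1)[-1].lower()
            for m in map(HIDDEN_RE.search, log.splitlines()) if m]


def classify_hidden(names):
    """Split hidden files into GUID-named executables and everything else."""
    guid = [n for n in names if GUID_NAME_RE.match(n)]
    return {"guid_named": guid, "other": [n for n in names if n not in guid]}


def persistence_report(hjt_logs, bl_logs):
    """Per-round Run-key churn and per-scan hidden files, so convergence can be judged."""
    runs = [run_entries(l) for l in hjt_logs]
    steps = []
    for prev, curr in zip(runs, runs[1:]):
        removed, added = churn(prev, curr)
        steps.append({"removed": sorted(v for _, v, _ in removed),
                      "added": sorted(v for _, v, _ in added)})
    return steps, [hidden_files(l) for l in bl_logs]


def converging(steps):
    """A cleanup is converging only if the last round added no new Run entries."""
    return not steps[-1]["added"]


if __name__ == "__main__":
    steps, hidden = persistence_report(HJT_LOGS, BLACKLIGHT_LOGS)
    for i, s in enumerate(steps, 1):
        print(f"round {i}: removed {s['removed']}, added {s['added']}")
    for i, h in enumerate(hidden, 1):
        print(f"scan {i}: {classify_hidden(h)}")
    print("converging" if converging(steps) else "something is regenerating the Run entries")
```

Each round removes what the previous log showed and adds names that were not there before, while the control entry never moves. That pattern, visible entries replaced faster than they are deleted, is the reason the helper keeps asking for the files rather than just their registry entries: whatever writes the new Run values is not itself listed in the Run key.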

#9 stonangel (Members, 595 posts, Location: France)

Posted 11 July 2006 - 04:23 AM

Hi Jeremy,

* Please re-open HijackThis and Scan. Check the below entries:

O4 - HKLM\..\Run: [dmrqn.exe] C:\WINDOWS\system32\dmrqn.exe
O4 - HKLM\..\Run: [vqadd.exe] C:\WINDOWS\system32\vqadd.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213


Close any open windows except for HijackThis then click on Fix checked.

* Before deleting the following files with Killbox, please upload them here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

* Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\dmrqn.exe
    C:\WINDOWS\system32\vqadd.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Please download F-Secure Blacklight (blbeta.exe) again and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.

Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.

* Post back a new hijackthis log as well as the Blacklight one, please.

Please use separate posts to post the required logs to make sure all data gets posted.

Olivier

#10 alias452 (Topic Starter, Members, 5 posts)

Posted 11 July 2006 - 06:33 PM

A quick little update. Yesterday was a real POed day, as I powered up my computer and had my desktop turn red with a black box in the center, blinking in red letters "Danger: Spyware", and under that was something like Raze Spykiller, $49.99, and a list of the types of spyware/viruses I have. Ran all the programs I've been using for these posts; now my desktop background just blinks white and tan. When I shut down, my regular background comes up.

Also, I can't read the thread for uploading. Only read one language, unfortunately :D.

Oh yeah, the toolbar that was gone is now back. And every time I turn the power off, i.e. the switch in back of my box, all my settings are reset. I have to reset the clock, as it goes back to December 31, 2001 at 2300 hours.

Anyway, here's the logs.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:00 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [lmwit.exe] C:\WINDOWS\system32\lmwit.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136693982296
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 85.255.114.85, 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C97192F-9B39-4A87-97FB-43D62EB3EFF5}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9EC6B85-6E53-46C8-9408-BF34F9AA27DD}: NameServer = 85.255.114.85,85.255.112.213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


07/11/06 19:10:08 [Info]: BlackLight Engine 1.0.42 initialized
07/11/06 19:10:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/11/06 19:10:08 [Note]: 7019 4
07/11/06 19:10:08 [Note]: 7005 0
07/11/06 19:10:12 [Note]: 7006 0
07/11/06 19:10:12 [Note]: 7011 156
07/11/06 19:10:12 [Note]: 7026 0
07/11/06 19:10:12 [Note]: 7026 0
07/11/06 19:10:18 [Note]: FSRAW library version 1.7.1019
07/11/06 19:13:57 [Info]: Hidden file: c:\WINDOWS\system32\csqxg.exe
07/11/06 19:13:57 [Note]: 7002 32
07/11/06 19:13:57 [Note]: 7003 1
07/11/06 19:13:57 [Note]: 10002 1
07/11/06 19:13:57 [Info]: Hidden file: c:\WINDOWS\system32\dmrsj.exe
07/11/06 19:13:57 [Note]: 7002 32
07/11/06 19:13:57 [Note]: 7003 1
07/11/06 19:13:57 [Note]: 10002 1
07/11/06 19:14:01 [Info]: Hidden file: c:\WINDOWS\system32\{07196C37-871D-497F-834C-EC5B524DA992}.exe
07/11/06 19:14:01 [Note]: 7002 5
07/11/06 19:14:01 [Note]: 7003 1
07/11/06 19:14:01 [Note]: 10002 1
07/11/06 19:14:01 [Info]: Hidden file: c:\WINDOWS\system32\{0846B26E-32FA-4389-83FA-997B2D9DB4DC}.exe
07/11/06 19:14:01 [Note]: 10002 1
07/11/06 19:14:02 [Info]: Hidden file: c:\WINDOWS\system32\{1CE28CD1-7C0A-4107-BAAD-B5C4A80815E5}.exe
07/11/06 19:14:02 [Note]: 7002 5
07/11/06 19:14:02 [Note]: 7003 1
07/11/06 19:14:02 [Note]: 10002 1
07/11/06 19:14:02 [Info]: Hidden file: c:\WINDOWS\system32\{231D3034-59FC-432B-BC58-F3EE005DA8C1}.exe
07/11/06 19:14:02 [Note]: 7002 5
07/11/06 19:14:02 [Note]: 7003 1
07/11/06 19:14:02 [Note]: 10002 1
07/11/06 19:14:03 [Info]: Hidden file: c:\WINDOWS\system32\{C63DEDB9-B976-4A13-BE03-50CD93D3D846}.exe
07/11/06 19:14:03 [Note]: 7002 5
07/11/06 19:14:03 [Note]: 7003 1
07/11/06 19:14:03 [Note]: 10002 1
07/11/06 19:14:03 [Info]: Hidden file: c:\WINDOWS\system32\{F01E21F1-89B4-4EBE-8FA4-46CBDAE4D674}.exe
07/11/06 19:14:03 [Note]: 10002 1
07/11/06 19:14:03 [Info]: Hidden file: c:\WINDOWS\system32\{61B79B61-E844-4E0F-95D3-C33E210961E5}.exe
07/11/06 19:14:03 [Note]: 10002 1
07/11/06 19:14:04 [Info]: Hidden file: c:\WINDOWS\system32\{A4D7CF5B-7EB0-4ED3-8717-09E15CEC6001}.exe
07/11/06 19:14:04 [Note]: 10002 1
07/11/06 19:14:04 [Info]: Hidden file: c:\WINDOWS\system32\{AF8E7714-62D4-4807-846E-28D3AEA9FF26}.exe
07/11/06 19:14:04 [Note]: 7002 5
07/11/06 19:14:04 [Note]: 7003 1
07/11/06 19:14:04 [Note]: 10002 1
07/11/06 19:15:48 [Note]: 7007 0

Much more of this, and this HD will end up going to the gun range along with the ReplayTV HD. A 12 gauge should make one hell of a virus killer.

Jeremy
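The O17 lines in the log above show every TCP/IP interface pointed at resolvers in 85.255.x.x rather than the home network, and the O23 and BlackLight output shows an orphaned service and hidden executables in system32; that is the pattern the FixWareout step in the replies deals with. Here is an added triage script, not from this thread or any tool it names, that pulls those three indicator types out of HijackThis/BlackLight-style text; the expected-resolver allowlist is a hypothetical value, and the sample lines are constructed from the thread's own entries.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the HijackThis and BlackLight output
# posted in this thread (the 85.255.x.x resolvers are the ones in the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lmwit.exe] C:\WINDOWS\system32\lmwit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.85 85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\..\{89C64984-644F-42AE-A07E-2F4A4DE72DFC}: NameServer = 192.168.1.1,85.255.112.213
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
07/11/06 19:13:57 [Info]: Hidden file: c:\WINDOWS\system32\csqxg.exe
"""

# Hypothetical allowlist: resolvers this machine is expected to use (here the
# home router's subnet). Anything else configured as a NameServer is suspect.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_MISSING_RE = re.compile(r"^O23 - Service: (.+?) - .* - (.+?) \(file missing\)$")
HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (.+)$")


def unexpected_resolvers(value):
    """Return the NameServer addresses that fall outside EXPECTED_RESOLVERS.
    HijackThis prints the list separated by commas or spaces, so accept both."""
    bad = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            bad.append(token)  # not even a valid address: flag it
            continue
        if not any(addr in net for net in EXPECTED_RESOLVERS):
            bad.append(token)
    return bad


def triage(log_text):
    """Scan log lines and return (indicator_type, value) findings in file order."""
    findings = []
    for line in log_text.splitlines():
        if m := O17_RE.match(line):
            findings += [("dns-hijack", ip) for ip in unexpected_resolvers(m.group(1))]
        elif m := O23_MISSING_RE.match(line):
            findings.append(("orphan-service", m.group(2)))
        elif m := HIDDEN_RE.search(line):
            findings.append(("hidden-file", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG):
        print(f"{kind:15} {value}")
```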

#11 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  •  
  • Location:France
  • Local time:07:10 PM

Posted 13 July 2006 - 04:39 AM

Hello Jeremy,

Let's try the following:

* Use Blacklight in exactly the same way as before, but when it shows the list of the items found, select each entry and choose to let Blacklight rename them by clicking the Rename button.
  2. Next to each entry, "rename" should appear.
  3. Click "Next".
  4. Blacklight will give you a warning asking if you are sure. Click "Yes".
  5. Then it will tell you: "Your computer will reboot now".
  6. Click "Yes".

* Please re-open HijackThis and scan. Check the following entries:

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O4 - HKLM\..\Run: [lmwit.exe] C:\WINDOWS\system32\lmwit.exe


Close any open windows except for HijackThis then click on Fix checked. Exit the program.

* Please download FixWareout again from here and save it to your Desktop. Double-click on Fixwareout.exe to extract the files and click Next and then Install. Make sure that "Run fixit" is checked and click Finish. The fix will begin; follow the prompts.

You will be asked to reboot your computer, please do so. Your system may take longer than usual to load but this is normal.

* Run F-Secure BlackLight again.

* Finally, please post back:
  • C:\fixwareout\report.txt
  • a new HijackThis log
  • the BlackLight one


Olivier

#12 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:07:10 PM

Posted 04 September 2006 - 02:09 AM

Due to lack of feedback... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
