
Infected With Trojan Horse Clicker.fr


  • This topic is locked
18 replies to this topic

#1 derbyian

  • Members
  • 13 posts

Posted 07 July 2006 - 12:31 PM

Getting constant alerts from AVG that I am infected with the Trojan Horse Clicker.FR but clicking heal doesn't do any good.

I also suspect I am infected with an IE link hijacker as it often takes two or three attempts to get to the correct target page from google.

I have a problem with IE – there is no button toolbar or file command menu.

And finally I have problems downloading files so I had to use my other pc to download HJT as the download link would not work.

Have followed the steps in the Preparation Guide – not without problems along the way – but now have clean Ad-Aware scans and clean SpyBot S&D.

At Step 5 could only get Bit Defender to work and have almost clean result from that. There was one virus it couldn’t disinfect or delete (not clicker)

Ran the Stinger. Have ZoneAlarm as firewall – bang up to date.

Have downloaded the latest window security updates (about 30 of them) but only today.

HJT Log attached

Can you help me please?

Thanks very much...

Logfile of HijackThis v1.99.1
Scan saved at 18:22:09, on 07/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe
O4 - HKLM\..\Run: [yummj.exe] C:\WINDOWS\system32\yummj.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{D95F0D99-BE59-4354-A33F-A69CF9234907}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


#2 miekiemoes
Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 July 2006 - 11:27 AM

Hello,

Please perform my steps in the right order....

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe
O4 - HKLM\..\Run: [yummj.exe] C:\WINDOWS\system32\yummj.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{D95F0D99-BE59-4354-A33F-A69CF9234907}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
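The entries the helper asks to have fixed above fall into three patterns a defender can check mechanically: an O1 hosts line whose fields are the wrong way round, O4 Run values named after bare executables dropped into system32, and O17 NameServer values pointing at resolvers the machine was never configured to use. The script below is an added example written for this page, not a tool from the thread or from the HijackThis or Fixwareout projects. It parses HijackThis-format lines and reports those three patterns. The `TRUSTED_DNS` allowlist is an assumption for the example (RFC 1918 ranges, standing in for a home router); a real deployment would list the ISP's or organisation's resolvers. The O4 rule is my own heuristic for flagging entries worth a manual look, not a verdict. The sample lines reuse values from the log posted in this thread plus two benign comparison entries that are constructed.

```python
import ipaddress
import re

# Resolvers this machine is expected to use. Constructed for the example: the
# RFC 1918 ranges cover a home router such as the one in this thread; a real
# deployment would list the ISP's or the organisation's resolvers instead.
TRUSTED_DNS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in HijackThis v1.99.1 format. The O1, O4 and O17 values
# are copied from the log posted in this thread; the AVG line and the final
# O17 line are benign comparison entries made up for the example.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe
O4 - HKLM\..\Run: [yummj.exe] C:\WINDOWS\system32\yummj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def _run_value_path(rest):
    """Return the executable path from an O4 Run value, quoted or not."""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def _is_trusted_resolver(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # not even an address: treat as untrusted
    return any(ip in net for net in TRUSTED_DNS)


def triage(log_text):
    """Scan HijackThis lines; return findings as dicts with section, detail, line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            # A well-formed hosts entry starts with an address; the log in this
            # thread has the fields the wrong way round ("localhost 127.0.0.1").
            try:
                ipaddress.ip_address(m.group(1))
            except ValueError:
                findings.append({"section": "O1",
                                 "detail": "hosts entry does not start with an IP address",
                                 "line": line})
        elif m := O4_RE.match(line):
            path = _run_value_path(m.group("rest"))
            fname = path.rsplit("\\", 1)[-1]
            folder = path[: len(path) - len(fname)].rstrip("\\").lower()
            # Heuristic for manual review (my assumption, not a rule from the
            # thread): a Run value named after a bare executable sitting
            # directly in system32, as dmiao.exe and yummj.exe do here, is
            # unusual for legitimate software.
            if folder.endswith("system32") and m.group("name").lower() == fname.lower():
                findings.append({"section": "O4", "detail": fname, "line": line})
        elif m := O17_RE.match(line):
            # HijackThis prints the servers separated by commas or spaces,
            # depending on which TCP/IP key the value came from.
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            bad = [s for s in servers if s and not _is_trusted_resolver(s)]
            if bad:
                findings.append({"section": "O17", "detail": ", ".join(bad), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['detail']:<45} {f['line']}")
```

Run against the sample, the script reports the reversed hosts entry, the two system32 Run values and the two NameServer lines carrying 85.255.x.x, while the AVG entry and the LAN resolver line pass; the O17 check is the one that matters most here, because a machine whose resolvers have been replaced will keep landing on the wrong pages no matter how clean its other scans look, which matches the search-redirect symptom the poster describes.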

#3 derbyian (Topic Starter)

  • Members
  • 13 posts

Posted 08 July 2006 - 01:45 PM

OK – Thanks for the help…
I followed your instructions as best I could and here’s what happened…
1. Disabled teatimer as suggested (NB was not prompted to accept change to registry)
2. Ran Resetteatimer.bat
3. Started HJT and ticked all the entries except the two O4 entries which were not present.
4. Clicked on Fix Checked (having made sure IE was not running) and got this error message …
############################################
An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: localhost 127.0.0.1)
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
#############################################
5. Clicked OK and HJT seemed to finish OK
6. Downloaded Fixwareout (I have to download from my laptop as IE won’t let me download). Ran it.
7. After the reboot, report.txt did not open automatically but I found it – here it is…
##############################################

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}68EB6386E130-E869-0094-AA55-98AFADF0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6D3BB06A924B-5BAB-3044-8A05-2F29B3CD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}177114F0E0F2-559A-3434-A524-77CF3287{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D68727A12541-6739-D544-FC70-B815B114{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C6A5FA3CD2BB-7E8A-6C44-0EAD-D09342B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5878F8AA8982-705B-F9D4-AE47-E536392B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0C0D18C09A92-FF1B-C394-0B39-D092D278{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B69CA0C0915A-C37B-F444-2273-7CC34652{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1AC5F6FFB70E-B3AB-42B4-719C-035BC03B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}33A2FBF97B69-D008-A714-457F-2454A53E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7FF138CB80E9-8BD9-8EA4-B68D-64674F34{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D59429CAB61-7F9A-5A64-8E9C-33B4E113{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}09EEF6DBE012-F299-66C4-EFBC-FFBF388F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E63F53E0C0B3-5068-D154-9EE5-435B42F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98120706AEFA-5ECB-9004-B199-50A830C5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F5D536248A74-2A1A-8D24-2BBB-AFAF7E5E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DAAD1B3A4112-8B79-C714-20F0-9106E64E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5961EE38464C-598B-00F4-1C15-8155A0D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}18E8C06A29CB-F1AB-60E4-7D41-4379F87B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}383F7AEF0536-5359-8564-DDA6-83C8CD3E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FD124A217299-2F39-2B64-492E-168BA63A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}46469CB3E858-C299-8FA4-0A23-E1ADD5EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A06B706D6A0B-5B99-0AF4-BC83-74F32D07{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7752294B8B63-8C4A-CD84-847A-83895888{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}95BC4733A8A9-B4AB-87A4-3394-38FEB38C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F8B673D923CD-C47B-D3E4-1CA2-90490A88{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}30394F5B4FC6-DD0A-0E44-337C-36F03479{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EFCAD9B7C357-2D8B-20D4-6BD2-FD682385{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}544ED9DD4437-40B8-3944-BCB3-5A084A9E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7EE4543E4FE0-A0C8-1744-50FC-C07842E5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7F7EAF377300-EFEA-9F64-37FC-58E03C83{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}60106C93A35F-C9EA-0E14-4853-5CB84CE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E707A13475A-5B78-1B94-9BDE-BCFC9A6C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}46A607541744-7EA8-8B94-23A7-EE44190E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75D0CAE1A950-4ABA-2FA4-F8E0-A4EE9AA9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ED5F10846608-32F8-1AA4-85DC-152F212B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D70846D359B9-1ABA-6534-629B-D3C2BBC2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7939B976C6B-53B8-9AC4-BD34-CED5D287{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A39D6E6BE5D3-139A-B814-5B82-3FBD4900{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F0EA21BC0C4B-8648-36F4-79BE-480CBF44{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}67E83C2D867F-F4C9-FDE4-EA2A-A3748469{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}00A1BE0A3A5C-A909-7A94-83CE-2600CC90{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DE0049D92903-FC6A-B7D4-E20F-672056CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}80F08B6836E0-40E8-6114-80DE-8C1F9EC1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A4EC64321623-E6F9-5DC4-6D59-40FF33A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DFFF2C8FD410-E788-DBB4-39C7-39DAA2EF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A6D3930ED15A-4238-A3A4-9881-4F3024BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ACA59F5D5EE7-3479-AE84-DD0A-30E127D3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E9DE738CE6E-5B99-1BF4-27F4-AC51DE72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8AC09B5E5910-F7CB-6194-0777-78B7B555{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8E1CCBE0E576-1539-7F84-A767-99F5A908{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6454BC23ADF8-23A8-B5C4-E268-33B00E89{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BC8BD728AA3-DA79-B844-6F52-BBAE964C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A16652BB637-011B-9FA4-59A4-C1550A0B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}074DC26A6878-5A1A-A8C4-977D-52F87E2E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2634F1F8AADC-FE18-CC44-782C-A91AE6C1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ABCAA781C120-05D9-E494-AE80-04F685B2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CC3539B0AEA-D7E8-DCC4-904F-9288CA17{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BD331784A5F2-D28B-D0D4-444D-1EE90F79{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B88C85E6A7B5-8AD8-53B4-8C1E-6C15DBE6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}219F25C7CC0A-A548-90D4-1CED-A6C72A56{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B1CEDFA60CF8-002A-4254-1296-B2EAC931{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2BBE09B600A3-EC7B-6CA4-2099-A363ED23{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4433BD4C04B8-40D8-EE64-0DA7-E15CB305{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27FC8C4B6590-2F09-4574-4BFF-6A3E4349{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}818681BF71DC-B0AA-1254-067F-ED48DFEB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E7C784165CA-A3CB-7CF4-63CE-A3276DAF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}42EDE04A50B7-FF3A-BB84-3E11-89F605ED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4B1DBAFD9C95-99D9-7094-55B8-1360C978{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}94A7F012D2FF-8F9B-D0F4-2978-4AA1DF40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FA38F4AF4CE5-5E58-18E4-6296-2EA61654{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C5981D8D9578-692B-2AF4-B0AE-CA87DCB5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D5A5D9805FE-584B-E374-C49A-90453FC2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17C782D7B562-A498-0234-0604-BE37ACC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF84062D5973-339A-6BB4-C42B-FD74E500{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5FE9CED185B0-8F0A-1F34-A211-F8CF50C5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}96F2197898F1-3D3A-DD14-0276-7EB55AF7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1FAB8DD28B01-5198-1494-C87E-DA743708{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6343E834352-DCEB-7F74-8A26-904089F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9A3D39EE286-05B8-0184-8385-628C5816{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE707B6791B1-D7D9-E6B4-5CB7-F518B808{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BE9C22112438-3E39-B2D4-9805-659A4DF0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A5693AA4FB7-DC9A-8324-1B56-556A6C4C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3BE82DC6B7D0-1299-C184-49FB-A10D9975{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7D134C0A52A0-D28A-7234-4E1A-8761A693{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}981549EEF805-7558-4124-8618-CBA8302F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}519445713807-99B9-EE24-E072-38C010FA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BD4246858E18-28EB-9EE4-D7EC-52E544F5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5FABA65E4970-C8FA-90F4-A258-75596D97{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AEFC9B47934D-C54B-7BA4-D438-371CDB9B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}82202724EEA7-8FFB-8124-A64F-213FBA10{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DF7581C72B94-1F8B-9DB4-9E66-2A43F9CB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7B7CAC559FE-B848-15C4-CB8D-CB05E211{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FEB477917E87-399A-A334-F2E6-6566354E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E2C36D20ACD4-2D7A-A0F4-A7C7-3FCADA5D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}278E40CD00D2-84BB-48B4-9908-8A4C8A58{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C79082A7201-1AFA-3044-50B1-7240DA5B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}487741034407-EFC8-1624-4072-63798C08{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2264CEF84B0E-3AE9-B754-495A-8D472158{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}611A32D19FCB-3688-87F4-7FAF-F8342D7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4ED2638A1B50-638A-EA44-50EC-3BD1DDA6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B899347CA3E-B4EB-D0D4-9EFE-E1F025AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32CF3376606E-5199-6054-F298-2F9986EA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0892976CD9D6-6DBB-B544-8F8B-B660B128{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9B83BDA59D5-F4E9-43B4-0CCE-51106437{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1BECF7A4E916-C4DA-8894-C938-724EA0D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B26FE9FDB2C0-8AF8-C454-7BCE-FA0DA3D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93B835C75E7F-B178-9F64-8DC4-EADB1F8E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B8B9A4516012-B8EB-4B74-124B-CB8DA97F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5F3A60139E9D-46A9-95E4-C9D4-5498258E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}657F0E72656C-713A-1FE4-D209-A2E6698D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7EB8566A6B68-9D89-A9A4-1C79-9D488461{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A3A4EFB6BDF-8249-0E94-DA21-4C0A4E67{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EAEB4E80BAC3-EAE9-BD34-C33A-A21C6944{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B86F4EAE1D10-26A8-8384-1EA5-D11E5E18{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F721F701E326-AB78-3764-EC75-EB73BFA0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B4E4C6E12FDC-BB79-3734-7422-0BBF4370{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0658BE098369-B40A-EDB4-7D74-D84DF462{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B023585E36F1-7C0A-2CE4-5D98-B59F74C0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A2565BBA4FD0-175A-8A64-8170-8A64589D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFC65065A257-E228-B084-D14E-05C0B1FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D033D0C05DA2-29FA-D664-72EA-18ACE90B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BC6221D6693-78A8-24D4-54D4-14496BB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9EFBB77495B8-0E7A-C4D4-CA24-096B9976{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59988F4D2C18-DDB9-CA84-0EA4-FD857EC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CCB08BF3ABD6-8EBA-5474-4294-166AAC92{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F8B993650166-74A8-BD64-9C70-1FDB84F3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D3E90FE505D0-5308-5144-8840-C6F76757{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE06F2AC3182-D49A-7924-A0BF-0EAA207F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CA6C08C39E20-6448-9E24-B390-5D6B575C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2BCE1030F7DF-785B-8FB4-3893-B07390AC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ACF88758B07D-36D9-B1C4-9E72-E585E6C5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CF91B02E2653-8688-B364-E410-4E8E9D25{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F3E3305722D0-80D8-6FE4-CCFB-5B39FA56{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FCCFA10EC349-4028-B414-0221-07DED2E3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C15E5C53193-6E7A-D0E4-8729-7B303B01{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C28200ED634-AA7B-EC64-B9A0-1381A0B0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}560E82ADCF22-4FBA-5504-9D46-67E2924A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D62D9B85482-992B-4024-7980-7E67766E{
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmfch.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMFCH.EXE 44,109 2003-06-19
C:\WINDOWS\SYSTEM32\DMFCU.EXE 44,049 2003-06-19
Other suspects
Directory of C:\WINDOWS\system32
###########################################
8. The Trojan is still there and now IE will not work at all – it doesn't start from the shortcut. (I've posted this from my laptop.)
9. Finally, here is the new HJT log. Thanks for your help!
###########################################
Logfile of HijackThis v1.99.1
Scan saved at 19:29:38, on 08/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hcoet.exe] C:\WINDOWS\system32\hcoet.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C
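
As an added example (not from the original thread and not HijackThis's own code), a small Python checker for the hijack patterns visible in the logs posted in this thread: a BHO/toolbar whose DLL is a {GUID}.dll dropped into system32, a Run entry launching a five-letter .exe from system32, and O17 NameServer entries pointing at DNS servers outside a caller-supplied allow-list. The heuristics are mine, the sample log lines are constructed from entries shown in this thread, and the allow-list address is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A CLSID-style GUID as it appears in HijackThis lines.
GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"

# HijackThis v1.99.1 line shapes this checker understands.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,\s]+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): .*? - " + GUID + r" - (?P<path>.+)$", re.I)

# Heuristics (assumptions, drawn from what the thread's logs show): the rogue
# toolbar loads a {GUID}.dll dropped straight into system32, and the dropper's
# Run entry launches a five-letter .exe (hcoet.exe, dmfch.exe) from system32,
# the same naming the removal tool's "five digit" search looks for.
GUID_DLL_IN_SYSTEM32 = re.compile(r"\\system32\\" + GUID + r"\.dll$", re.I)
FIVE_LETTER_EXE_IN_SYSTEM32 = re.compile(r"\\system32\\[a-z]{5}\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section the line belongs to, e.g. "O17"
    reason: str
    line: str


def check_line(line: str, trusted_dns: frozenset) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks hijacked."""
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        # NameServer values are comma- or space-separated depending on the key.
        servers = set(re.split(r"[,\s]+", m.group("servers").strip()))
        rogue = sorted(servers - trusted_dns)
        if rogue:
            return Finding("O17", "DNS servers not on the allow-list: " + ", ".join(rogue), line)
        return None
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip('"')
        if FIVE_LETTER_EXE_IN_SYSTEM32.search(cmd):
            return Finding("O4", "Run entry launches a five-letter .exe from system32", line)
        return None
    m = BHO_RE.match(line)
    if m and GUID_DLL_IN_SYSTEM32.search(m.group("path")):
        return Finding(line[:2], "BHO/toolbar DLL is a {GUID}.dll in system32", line)
    return None


def scan_log(text: str, trusted_dns=frozenset()) -> List[Finding]:
    """Scan a whole HijackThis log; trusted_dns is the caller's DNS allow-list."""
    allow = frozenset(trusted_dns)
    findings = (check_line(l, allow) for l in text.splitlines())
    return [f for f in findings if f is not None]


# Constructed sample: lines copied from the logs in this thread, legitimate
# entries included so the checker has something to pass.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hcoet.exe] C:\WINDOWS\system32\hcoet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
"""

if __name__ == "__main__":
    # The allow-list is a constructed placeholder; use the resolvers your ISP assigns.
    for f in scan_log(SAMPLE_LOG, trusted_dns={"192.168.1.1"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```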

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 PM

Posted 08 July 2006 - 02:40 PM

Hello,

Let's give this another round, but first I want you to UNINSTALL ZoneAlarm, because ZoneAlarm is blocking your hosts file, and as long as your hosts file is being blocked we won't be able to fix things properly. ZoneAlarm blocks other modifications as well.

Reboot after uninstalling Zonealarm. You can reinstall zonealarm afterwards when there are no problems anymore and your issue is solved.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{9E183069-B9ED-4278-AA3E-9D5494310BF4}.dll
O4 - HKLM\..\Run: [hcoet.exe] C:\WINDOWS\system32\hcoet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{D95F0D99-BE59-4354-A33F-A69CF9234907}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed: open Task Manager, select the Processes tab, check the list to see if iexplore.exe is running and, if so, end it.
Then click Fix Checked in HijackThis!

Delete the following files, if present, from your C:\WINDOWS\system32\ folder:

{C179F3D8-BECF-4E29-877E-2A23681FB3DA}.exe
{D5A5DBBB-8EA7-48B7-A2D2-F8A418C69F1B}.exe
{EEFE4BD4-BD04-4929-8C08-C95410E4B71A}.exe
{3DF5A482-3DF4-4AA0-9376-9F4BA846A356}.exe
{66ACC68D-4EB0-4BBA-B25E-FE75B1E033D9}.exe
{EF95DFDA-8ACC-42C8-98A5-FBC475B5015F}.exe
{F9F2E99B-161D-48D2-9FAF-A837770F9775}.exe
{727B42FB-99D5-43D8-B701-4B2C1F6F3FA9}.exe
{E52DB172-ED76-4C56-A906-23C50902BFF0}.exe
{046495E2-62F4-4E4D-BF69-F1DC02ADE5BE}.exe
{1C657BC1-7827-49DA-B05E-25303FCC3099}.exe
{349CE616-A76B-43DB-B801-3D041EABCC37}.exe
{960E3EB7-4B00-4BCB-AA97-4FC13B2EEBCE}.exe
{6E9A5135-0D92-4D09-8402-A5CBA90F6E08}.exe
{40031ABE-9ED1-431D-9062-AD7B96BE382B}.exe
{25F3B107-086E-4EF9-BC61-5EE7B3A20D05}.exe
{2B3A08A1-A741-4EBA-96A5-4DAB6D377498}.exe
{B06C0011-BB40-4E45-82A9-D9054F0E77F5}.exe
{B221E704-07D4-4C6C-8CEE-29371B399D73}.exe
{B56E3C99-ECCD-47D3-B8E8-7826BFA24FAC}.exe
{5F751BEA-88D0-4C9A-B9B6-B60207C2A6E4}.exe
{F844557D-590F-4CB6-B23D-D0D73F7C4254}.exe
{FD072A20-F8A7-4907-88E3-848F2F594EE7}.exe
{1D9C8F97-77D5-4D9F-9AFD-3F16ECF0C58D}.exe
{C39091D7-AFE8-4CE8-B299-2ED76BE06E5B}.exe
{5F81259C-BB55-47A4-877C-AAAF65B8CF07}.exe
{35B80194-A2EB-40A9-A52F-AB778675AB2D}.exe
{2FCEBA29-0A95-4740-B8FF-45081A939D81}.exe
{FCAC9B1E-2842-4C08-B80A-BE707002D935}.exe
{8E78AB95-B86B-496E-9E48-713EDFAE53A6}.exe
{BB0F04C7-9942-473F-8064-D313B4A8F734}.exe
{148EED71-BFB0-4843-8AF7-7DDF6A425593}.exe
{04069458-7655-40B7-9D7D-E05713C2EF5F}.exe
{5AA6A275-C336-4D6A-9133-A5D3597A469C}.exe
{09858B14-9DD7-407E-999E-F1C0FDD93D32}.exe
{6B898CA9-5BEE-42B7-89DF-A9B1F494E66A}.exe
{CEFBFAC7-F4DF-4C31-8C0B-03FE859C8D25}.exe
{945254F2-2CDF-4DC5-923A-A68D0B65F977}.exe
{BCE6585C-C4F9-4A8C-8495-2363126FBE6F}.exe
{5B4D4380-46D6-4745-894D-770DA484842F}.exe
{3B2639D9-6738-472F-BA65-3881A3835B0E}.exe
{F11C7852-489B-47A1-B277-62AF272B49C0}.exe
{304B29BA-28F1-40BC-80C3-FE35F0CA8F53}.exe
{B953840F-8EC5-44A4-BEA8-1189A9786E64}.exe
{EE0FDFEA-9D23-41F4-AE1F-939FB1ECEC3C}.exe
{9DB005E4-B9B9-4974-A892-4723DA840DB8}.exe
{5D4C25F8-116B-467A-8778-BDC6776813AC}.exe
{391FA4C7-94C8-46A7-82D9-F95CA72E9ECC}.exe
{B3F27CE3-72F4-4C36-9D98-3C090A1C7BEB}.exe
{09EDC311-F002-449B-8DFA-5350E2DB8BA9}.exe
{A5153836-6E84-43DE-83BE-4FB17C6679DA}.exe
{16F98092-6192-40D0-AA67-866FA1D76B9F}.exe
{DD19EAAC-D22B-48F9-B590-04FEEA71E040}.exe
{68BF2CB4-1262-414C-BBB6-35F52D5E5466}.exe
{ABFB32D6-7127-405B-AE11-F3171CEEA0DB}.exe
{B61F8063-949A-42DF-93DA-130C72861641}.exe
{6FBBAF89-5619-450F-AE50-4C21008228BA}.exe
{2180734A-36B6-431B-8B50-9D21D9875B87}.exe
{88AFC968-6925-498D-BBA7-6FDD5BE0342E}.exe
{A0D9E754-F7D8-44D7-8821-5254005D12DE}.exe
{E849272D-6AB9-45FA-B94B-8F5D1A5FBAAD}.exe
{26184EC0-321F-4E2C-ABE2-9083EF024986}.exe
{D9984911-43FB-4004-AA9B-5243DE4455FD}.exe
{3D319CD1-C8AE-4372-8B23-4DACFF02B438}.exe
{CEF7AB85-9D96-4A35-A4DC-298DECA1081B}.exe
{AF33FA26-1D23-4A6A-8680-DA315C307FCF}.exe
{3E0ABF67-A25F-4F20-AD83-19EB538683D3}.exe
{AD223FB0-AE34-4AEE-A0CF-E47AC48D1F25}.exe
{51115888-D633-4B10-A386-F6C8858C3D20}.exe
{85B27EF9-1287-429A-8D9C-96E892E0CE01}.exe
{667A8312-3C01-4628-B331-03495D53E599}.exe
{DE903816-4507-49D1-9A59-8EEC9237A0D9}.exe
{F42E88AA-4593-4C00-BBFF-8E376CD398D2}.exe
{E435F488-512F-49EA-B4D6-3FCEAC6F6518}.exe
{E088FEC9-0515-47A7-ABEF-30967F219C54}.exe
{90F3ED4D-845A-4FED-84D2-B1AE2732D3D1}.exe
{73579CE4-C6C2-42A2-BEC1-CAC2EDA600A3}.exe
{00B7A1FD-5036-46CF-8FC9-84F53D446F1A}.exe
{7D22595E-6360-4F38-BCAF-0747B82D1069}.exe
{5F391428-74AB-4C97-8808-C26083811E7C}.exe
{53303ECE-35A6-4F94-A6A4-B8BBB18169C0}.exe
{0D84D266-3CF2-436B-A949-BC09EE40C9FA}.exe
{06CC7ED1-0E48-4256-BE4C-EF71A11E241F}.exe
{380180BF-92F9-4ECC-A1C1-1E04A3456FE1}.exe
{12636CC3-5D15-4F7B-8FF6-7400E34C3A21}.exe
{67B73C39-8D40-48F8-BB69-69856DD0C00E}.exe
{6EDB006B-B1B8-4A5F-80B8-DBC18CCB55D4}.exe
{8E4E15C6-6CDC-4FC9-9878-69F2FBA2BBD9}.exe
{81483ED3-7C54-4C96-BFBE-D28FE18A4FBF}.exe
{0B9D3145-C9CE-4E58-9F84-C63263045105}.exe
{1207A9F6-BAEE-4E3E-BF67-FDD93ED1E8E2}.exe
{D638CCC9-C4B1-47A0-90CC-26CF719403B6}.exe
{36F0B73A-3E71-4589-B389-ABD02F835DA4}.exe
{839B97E0-6E3D-47EA-AFFD-8821BBE78A35}.exe
{F33BC803-EAD9-4A7E-B3FC-32AFA0819DBE}.exe
{3D98BCFF-B2E9-4D4E-8316-49D3ED2DB155}.exe
{73D0D203-85A1-4DEC-A913-7B483693247F}.exe
{29CF5179-7078-4EF7-B196-2D5390874F01}.exe
{650D12E4-BA62-45B0-9B2E-458996A12189}.exe
{E8D37C1F-1A78-4592-98C1-866239606F08}.exe
{BBEE7A12-595C-47DD-A87B-8AF70778C471}.exe
{F53B63FB-2223-4C1D-922F-7992F1A3489E}.exe
{8A95C9B6-9455-4268-B0AA-AAAC155A390F}.exe
{7B725AE7-784B-4E51-A911-2451E77239B2}.exe
{CCBAED03-B2B3-4126-B4C0-0FDFBBF1AACF}.exe
{E641DC17-389D-4A3D-A799-FF64D5B7C415}.exe
{B564FDFB-8613-4A7F-B06A-6D209F3AB723}.exe
{1AE24074-B580-4919-B129-9138D2C97891}.exe
{285AD896-2A6C-4A5D-937B-1677EC8E29FC}.exe
{CB56F535-D2C5-4DB0-91A0-7E961E22D3C3}.exe
{D9C76B2B-8F96-442C-83E6-39D5AB7A4DEB}.exe
{F35FA37A-522F-4C03-91E3-FF3E8DB5BA53}.exe
{9A1F6918-2463-4A1B-8ACA-A74844FD3C6B}.exe
{5E1E3B13-2CDF-4C8E-A22F-D264DDFBD86F}.exe
{0C43E80F-7E33-4E2E-8B09-A5066B3CC888}.exe
{F38806B8-30C7-4DDF-8EC8-6BF2B9CC9DF7}.exe
{60A349AB-D7ED-41FD-84CD-EC3B6B17C1F6}.exe
{AA03EFCF-7B8D-442F-9CB2-F45489862540}.exe
{CF37E986-7C17-430B-8F7A-A0E79FC3CC1D}.exe
{28EB7ACF-3091-4D96-AFB7-DDCAB972BB9C}.exe
{88DF0EFD-EA96-42B8-9706-D7DB9E78EA61}.exe
{41EFBAF2-A602-4557-BEC3-B7641D18C0D8}.exe
{465994EE-11BA-42DB-9E64-CF23FDF77435}.exe
{3E43EFE2-B9B9-4D6F-B0CF-F1E60B26364F}.exe
{0A48D697-A78F-4B7F-9891-B186A80F90DE}.exe
{D5962B06-B7C4-400A-8896-3F7DC95C173C}.exe
{F035948E-CF20-422C-880C-46218974702E}.exe
{3362FDFB-EBFF-4038-A5E1-63502A623F62}.exe
{F78D3AF9-6F8E-4E38-BCA1-CE63256316B7}.exe
{3A02BDB2-6CE2-4F37-BB2D-850C9C9884EB}.exe
{529E7646-19A5-4E2D-8E72-63BAB6775D7A}.exe
{531006C7-08C4-479D-9A59-6BF0C04D049E}.exe
DMFCH.EXE

Then run fixwareout again.
After reboot, post the new Fixwareout log in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:57 PM

Posted 08 July 2006 - 03:24 PM

Hi - thanks for the quick reply. Instructions followed; here are the FWO and HJT logs.

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3AE3B0549EBF-DE69-9944-ACC8-CE82C470{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DE6119C99F4D-20FB-1E94-0D9D-32A752E0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9036AAFC7881-357B-4AF4-515B-6BB2AB62{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7F344AB44E09-30EA-12C4-EA4D-15D51EFE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}60FC63B7A9C7-F689-4984-7157-7983BB0D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99C97CFE3A8C-2368-B5E4-0843-F8FE98D9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDF8C1BE5483-EA0A-E104-0CD3-9C6CED40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}205A846894CF-9A68-6B24-C6AC-9DAE8F8F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CC8E9F48F79-79CB-0474-99C6-C868CE37{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4B7ADC04B440-2D5B-EF74-DB96-4C62B3F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6664A0052AC9-549B-7DA4-1915-5193039A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}343A9F69BDBC-1AA8-CB34-6F74-C8CAD6D2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BF3FF2BC2FF-E328-9134-BCE4-8758DB96{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}21F5F32C6EC0-3359-0DA4-19B1-CCBFFB45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}714D173B120A-FA39-9894-8F3B-BB870646{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EBEA9B9542C1-2DEA-B714-4722-5191EDCB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5B8126C3A129-5C1A-8C24-9F44-D47284BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8163D2F62AD7-2EEA-87B4-AAB3-EB0853DD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CB65909CFA5F-175A-B234-409A-974B5714{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}39A012B0D0BD-2499-8CD4-6057-B1C7D35F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9C512D2DC965-BE88-DBC4-5EFE-6A7C6E8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tikmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C81616162AF4-F0E8-D194-E8D1-214427A7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmkit.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSPGA.EXE

»»»»» Misc files
##########################################
Logfile of HijackThis v1.99.1
Scan saved at 21:20:55, on 08/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vldpe.exe] C:\WINDOWS\system32\vldpe.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{D95F0D99-BE59-4354-A33F-A69CF9234907}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Thanks

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 PM

Posted 08 July 2006 - 03:58 PM

Let's give this another try... because you are still infected.
We'll have to tweak here...

I am going to have you kill explorer and iexplore. When explorer is killed, your desktop, Start menu and taskbar will disappear; this is normal. So you have to perform everything via Task Manager.

Let me explain this step by step... so I recommend you save these instructions in notepad, because you are not allowed to open your browser!!
Leave the notepad file open!!!
Open your Hijackthis and leave it open!!!
Open Task Manager by pressing CTRL-ALT-DEL.
Select the tab processes.
Search for explorer.exe in the list and click the End process button. (your desktop will disappear)
Search for iexplore.exe in the list and click the End process button

Then, leave your taskmanager open!!

With HijackThis open, click Scan and fix the following entries:

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll
O4 - HKLM\..\Run: [vldpe.exe] C:\WINDOWS\system32\vldpe.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{D95F0D99-BE59-4354-A33F-A69CF9234907}: NameServer = 85.255.116.70,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101


In Task Manager again, select the first tab, 'Applications'.
Click 'New Task' at the bottom.
Click 'Browse'.
At the bottom of the window, select 'All files' next to 'Files of type'.

Now browse to the following files and delete them (right-click them and select 'Delete') - (remember, you still have no desktop!!):

C:\WINDOWS\system32\vldpe.exe
C:\WINDOWS\System32\CSPGA.EXE

Also check whether any files are left in your system32 folder that look like the ones you deleted before,
for example: {AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll
{C179F3D8-BECF-4E29-877E-2A23681FB3DA}.exe etc.

delete them as well.

Then browse to the fixwareout folder on your C:\ drive.
Open that folder and double-click FixIt.bat.

This starts the Fixwareout fix again and will ask you to reboot.

After reboot, post a new HijackThis log together with the Fixwareout log.

Edited by miekiemoes, 08 July 2006 - 03:59 PM.

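The indicators the helper keeps pulling out of these logs (rogue O17 NameServer entries, GUID-named modules loaded from system32, a Run key named after its own executable in system32, an O1 hosts line that does not start with an address) can be checked mechanically. The script below is an added example, not code from this thread, from HijackThis or from Fixwareout; the resolver allowlist is a constructed placeholder to be replaced with your own ISP's or router's resolvers, and the sample log is constructed from lines quoted in the thread.

```python
"""Triage a HijackThis log for the indicators seen in this thread.

Added example; not part of the original thread, HijackThis or Fixwareout.
"""
import ipaddress
import re

# Constructed placeholder: the resolvers this machine is expected to use.
EXPECTED_NAMESERVERS = {"192.0.2.1", "192.0.2.2"}

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
MODULE_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT log line."""
    findings = []
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        # HJT prints the servers comma- or space-separated depending on the key.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        rogue = [s for s in servers if s not in EXPECTED_NAMESERVERS]
        if rogue:
            findings.append(("high", f"O17 NameServer not in allowlist: {','.join(rogue)} ({m.group('key')})"))
        return findings
    m = MODULE_RE.match(line)
    if m:
        # A BHO or toolbar whose DLL is itself named like a GUID is the pattern fixed above.
        path = m.group("path")
        if GUID_RE.search(path.rsplit("\\", 1)[-1]):
            findings.append(("high", f"{line[:2]} module is a GUID-named file: {path}"))
        return findings
    m = O4_RE.match(line)
    if m:
        # Run value named exactly after its own executable, living in system32
        # (e.g. [vldpe.exe] C:\WINDOWS\system32\vldpe.exe); internat.exe is not
        # flagged because its command has no system32 path.
        name, cmd = m.group("name"), m.group("cmd")
        target = cmd.strip('"').split()[0].rsplit("\\", 1)[-1]
        if name.lower() == target.lower() and "system32" in cmd.lower():
            findings.append(("medium", f"O4 Run entry named after its own exe in system32: {cmd}"))
        return findings
    m = O1_RE.match(line)
    if m:
        # Hosts lines are "address hostname"; anything else is worth a look.
        first = m.group("entry").split()[0]
        if not _is_ip(first):
            findings.append(("medium", f"O1 hosts entry does not start with an address: {m.group('entry')}"))
        return findings
    return findings


def triage_log(text):
    """Triage a whole HJT log; findings are returned in log order."""
    out = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


# Constructed sample built from lines quoted in the thread above.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: localhost 127.0.0.1",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll",
    r"O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{AAF9B9F9-5EEA-47E4-8872-F9CCEBAB249F}.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [vldpe.exe] C:\WINDOWS\system32\vldpe.exe",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{7864FD14-20D7-476E-9E4B-23140A46B58A}: NameServer = 85.255.116.70,85.255.112.101",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.70 85.255.112.101",
])

if __name__ == "__main__":
    for severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```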

#7 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:57 PM

Posted 09 July 2006 - 06:08 AM

Followed instructions with these results:
Killed IE and Explorer
Fixed in HJT as instructed.
Deleted two exe files (vldpe and cspga) in Windows/System32
Deleted lots of dodgy files in System32 of the style of {AAF9B9F9-etc etc
When I came to delete the last one, the system hung. I left it overnight but it was still hanging in the morning so I cancelled it.
I ran the fixwareout script and rebooted. Here is the report text.
#######################################

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE634B3C3005-7978-9FF4-8DCF-CD4ADCDF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C881B4C59BC4-039B-5BF4-5A05-38D42DBA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB56B9CB0C8A-0008-9DE4-FD89-4284A850{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7B1EC9C0B2F7-CC0B-9DF4-36EE-F957C43A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05D6FE7313B7-50B9-9934-359F-2F2C2369{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F9D24BC5F918-B26B-0C24-BD64-F78E8DEF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFF3F71F88D7-18BA-D9E4-0532-AE276535{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BEBBA7ED3449-CDA9-8004-AFDA-F69F77E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BB877B5EC7C4-01EA-DF14-FC20-2DF348AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FE2B4CF5C61B-9F6A-E1D4-5AB4-BA210E0A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BF35011C0E6-10E9-6BD4-FBF8-7DB0FC34{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}60FE5822DCC3-2B2A-DDD4-416F-4E75B844{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}61AFFECCEAB8-B5F8-B734-2ED1-D6BC80F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E77318A3634-B568-6DD4-FFC0-B0804B05{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFCB5D21C9E1-3138-8884-9D40-D1F85ACA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FECCCF8B955E-05B8-A3C4-5B74-E69F3AB6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8A7006505180-9E2A-8EF4-C983-ABF109EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BD25B323BA39-0ACB-24A4-0EE4-8BF7C465{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AFCBB2D8227F-C4A9-A2B4-6190-8619B8A8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}58A1270EF0A2-ADAA-1F44-D6C2-B43BB378{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E7B64EF806B-D248-9BB4-7153-3C4176C9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8DF3EAD77476-11F8-BC24-D05D-332299F2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E12F72E0E41-FA28-57A4-EEAE-E6661202{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E69C73D56733-E46A-6F04-E7F2-98A6E27F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}30E2865BD1B3-C63B-CC14-B312-6BDCFB66{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B82B24690AFE-31AA-3F34-CB64-79560B1D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C449B96F94DB-A378-A754-8D1B-BF891BD3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BC89A3A7A66-B0E9-7C24-8F51-5B8A5952{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6B79FF667424-6409-86F4-BFE9-24CBDBAC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C426416D0DF-F8CA-C5E4-8BBB-4BF54831{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\bwtmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmtwb.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSASL.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSASL.EXE 51,273 2006-07-08
C:\WINDOWS\SYSTEM32\DMFCU.EXE 44,049 2003-06-19
C:\WINDOWS\SYSTEM32\DMKIT.EXE 44,109 2003-06-19
C:\WINDOWS\SYSTEM32\DMTWB.EXE 44,109 2003-06-19
Other suspects
Directory of C:\WINDOWS\system32
{13845FB4-BBB8-4E5C-AC8F-FD0D614624C7}.exe
{CABDBC42-9EFB-4F68-9046-424766FF97B6}.exe
{2595A8B5-15F8-42C7-9E0B-66A7A3A98CB0}.exe
{3DB198FB-B1D8-457A-873A-BD49F69B944C}.exe
{D1B06597-46BC-43F3-AA13-EFA09642B28B}.exe
{66BFCDB6-213B-41CC-B36C-3B1DB5682E03}.exe
{F72E6A89-2F7E-40F6-A64E-33765D37C96E}.exe
{2021666E-EAEE-4A75-82AF-14E0E27F21E3}.exe
{2F992233-D50D-42CB-8F11-67477DAE3FD8}.exe
{9C6714C3-3517-4BB9-842D-B608FE46B7E1}.exe
{873BB34B-2C6D-44F1-AADA-2A0FE0721A85}.exe
{8A8B9168-0916-4B2A-9A4C-F7228D2BBCFA}.exe
{564C7FB8-4EE0-4A42-BCA0-93AB323B52DB}.exe
{EE901FBA-389C-4FE8-A2E9-0815056007A8}.exe
{6BA3F96E-47B5-4C3A-8B50-E559B8FCCCEF}.exe
{ACA58F1D-04D9-4888-8313-1E9C12D5BCFC}.exe
{50B4080B-0CFF-4DD6-865B-4363A81377E0}.exe
{8F08CB6D-1DE2-437B-8F5B-8BAECCEFFA16}.exe
{448B57E4-F614-4DDD-A2B2-3CCD2285EF06}.exe
{43CF0BD7-8FBF-4DB6-9E01-6E0C11053FB0}.exe
{A0E012AB-4BA5-4D1E-A6F9-B16C5FC4B2EF}.exe
{EA843FD2-02CF-41FD-AE10-4C7CE5B778BB}.exe
{2E77F96F-ADFA-4008-9ADC-9443DE7ABBEB}.exe
{535672EA-2350-4E9D-AB81-7D88F17F3FFC}.exe
{FED8E87F-46DB-42C0-B62B-819F5CB42D9F}.exe
{9632C2F2-F953-4399-9B05-7B3137EF6D50}.exe
{A34C759F-EE63-4FD9-B0CC-7F2B0C9CE1B7}.exe
{058A4824-98DF-4ED9-8000-A8C0BC9B65BA}.exe
{ABD24D83-50A5-4FB5-B930-4CB95C4B188C}.exe
############################################
Logfile of HijackThis v1.99.1
Scan saved at 11:46:55, on 09/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
#############################################

I can see that there are still dodgy files in windows sys32 and that I still have the virus so I’m going to repeat your instructions to try and get a clean sys32 directory.
I deleted another 20 or so files. Here is report.txt followed by HJT log…
#############################################

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSASL.EXE

»»»»» Misc files
#############################################
Logfile of HijackThis v1.99.1
Scan saved at 12:03:11, on 09/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
#############################################

PC - IE seems to be working a bit better now.

Thanks for your help.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 July 2006 - 06:23 AM

Stubborn little bugger...

I can see that there are still dodgy files in windows sys32 and that I still have the virus so I’m going to repeat your instructions to try and get a clean sys32 directory.
I deleted another 20 or so files. Here is report.txt followed by HJT log…


Well, performing this again did the trick, as I can see from your log :thumbsup:

Delete next file:

C:\WINDOWS\System32\CSASL.EXE

and look once again whether any of these {058A4824-98DF-4ED9-8000-A8C0BC9B65BA}.* files are still present there, and delete them.

By the way, your hijackthislog looks clean again.
Can you also run AVG again to get rid of the leftovers, if still present?
Let me know afterwards how things are running now.... Hope it stays away now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2006 - 05:49 PM

Hi, Thanks ever so much for your help - everything seems much better now - IE is back to normal and I don't get the constant alerts from AVG about clicker.FR. Thanks for helping me and sorry it was so difficult.

I'm trying to reinstall ZoneAlarm and have a small problem with the following message...
vsmon.exe - unable to locate DLL "The dynamic link library zpy.dll could not be found in the specified path" followed by a long and complicated path/file name.

Any ideas? (HJT Log attached just in case)

Thanks
Logfile of HijackThis v1.99.1
Scan saved at 23:45:04, on 09/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\msdtc.exe
C:\My Documents\Safe Harbour\zlsSetup_65_722_000_en.exe
C:\DOCUME~1\IANWHI~1\LOCALS~1\Temp\GLBF.tmp
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 July 2006 - 05:57 PM

Hello,

Wait with ZoneAlarm; it looks like you are still infected :thumbsup:

Check and fix next entries in hijackthis:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe


Then end this process via Task Manager: GLBF.tmp

Perform next steps:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then run fixwareout again.

After reboot, perform next as well:

Download and Save blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply together with the log from Fixwareout and a new hijackthislog.
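A small triage script for the kind of HijackThis and Fixwareout findings acted on in this reply and in reply #8 above (the nameless BHO with no file, the dmiao.exe Run entry, the GLBF.tmp process in Temp, the empty O16 entry, and Fixwareout's "five digit cs, dm and jb files" naming check). This is an added example, not code from BleepingComputer, HijackThis or Fixwareout; the sample log lines are constructed from entries quoted in this thread, and the function names (`triage`, `is_five_letter_suspect`, `run_target`) and the rule set are my own.

```python
"""Triage a HijackThis 1.99 log for the patterns the helper acted on above.

Added example, not a BleepingComputer, HijackThis or Fixwareout tool. The
heuristics mirror what the thread looked for: a process running from a Temp
directory, a nameless BHO CLSID with no backing file, Run entries pointing at
five-letter cs/dm/jb executables in system32 (Fixwareout's naming check), and
O16 ActiveX (DPF) entries with neither a name nor a source URL.
"""
import re
from typing import List, Tuple

# Constructed sample: entries copied from the logs in this thread, legit and not.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\IANWHI~1\LOCALS~1\Temp\GLBF.tmp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmiao.exe] C:\WINDOWS\system32\dmiao.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

# "Running processes" lines are bare drive-letter paths with no section code.
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
# O2 entry with no name and no file behind the CLSID: an orphaned or hidden BHO.
ORPHAN_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - \(no file\)$")
# O4 Run entry: captures the hive and the full command value.
RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)$")
# O16 ActiveX entry that has neither a description nor a download URL.
EMPTY_DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} -$")
# Fixwareout's "five digit cs, dm and jb files": five letters, then .exe.
FIVE_LETTER = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)


def is_five_letter_suspect(filename: str) -> bool:
    """True for names like DMFCU.EXE, CSASL.EXE or dmiao.exe (heuristic only)."""
    return FIVE_LETTER.match(filename) is not None


def run_target(command: str) -> Tuple[str, str]:
    """Split a Run value into (directory, basename), dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    directory, _, base = path.rpartition("\\")
    return directory, base


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every log entry matching a heuristic."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if PROCESS_LINE.match(line):
            if "\\temp\\" in line.lower():
                findings.append(("PROC", "process running from a Temp directory", line))
            continue
        if ORPHAN_BHO.match(line):
            findings.append(("O2", "nameless BHO CLSID with no backing file", line))
            continue
        run = RUN_ENTRY.match(line)
        if run:
            directory, base = run_target(run.group(2))
            if is_five_letter_suspect(base) and directory.lower().endswith("system32"):
                findings.append(("O4", "five-letter cs/dm/jb executable in system32", line))
            continue
        if EMPTY_DPF.match(line):
            findings.append(("O16", "ActiveX (DPF) entry with no name and no source URL", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The output is a list of leads, not verdicts: the Fixwareout report itself warns that legitimate files will be listed, so anything the five-letter rule flags should be checked by hash (the report suggests VirusTotal) before it is removed. A nameless BHO that does point at an existing file, such as the Spybot SDHelper entry in the sample, is deliberately left alone, since that pattern is common for legitimate helpers.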

#11 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts

Posted 10 July 2006 - 01:06 PM

Oh dear, this is being difficult!
I deleted the O2 entry but the O4 was not present.
Couldn’t see the GLBF.tmp process either.
Cleared the IE cache and cookies
Haven’t got Firefox
Cleaned the other files and recycle bin
Ran Fixwareout – log below.
Followed your link but got 404 error page. Searched around the F-Secure page a bit but couldn’t find blacklight anywhere so just ran HJT (log below) and posted this.

PS - I'm trying to install new Palm Desktop but having trouble uninstalling the old - is this likely to be part of the same problem? If so then I'll wait but I've got a new Palm that I'm dying to try out!!!

Thanks
Ian

################################################
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMFCU.EXE 44,049 2003-06-19
C:\WINDOWS\SYSTEM32\DMKIT.EXE 44,109 2003-06-19
C:\WINDOWS\SYSTEM32\DMTWB.EXE 44,109 2003-06-19
Other suspects
Directory of C:\WINDOWS\system32

################################################
Logfile of HijackThis v1.99.1
Scan saved at 18:56:30, on 10/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
################################################

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 PM

Posted 10 July 2006 - 01:51 PM

Hello,

Your log looks clean again, but I want to see another HijackThis log afterwards.

First, delete the following files:

C:\WINDOWS\SYSTEM32\DMFCU.EXE
C:\WINDOWS\SYSTEM32\DMKIT.EXE
C:\WINDOWS\SYSTEM32\DMTWB.EXE

Then download blacklight from here (I see the link was changed):
https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 10 July 2006 - 03:48 PM

Hi - I think we're getting there now...
3 files deleted.
Blacklight reported no files found.
FSBL log followed by HJT...
#######################################################
07/10/06 21:34:12 [Info]: BlackLight Engine 1.0.42 initialized
07/10/06 21:34:12 [Info]: OS: 5.0 build 2195 (Service Pack 4)
07/10/06 21:34:12 [Note]: 7019 4
07/10/06 21:34:12 [Note]: 7005 0
07/10/06 21:34:17 [Note]: 7006 0
07/10/06 21:34:17 [Note]: 7011 344
07/10/06 21:34:18 [Note]: 7026 0
07/10/06 21:34:18 [Note]: 7026 0
07/10/06 21:34:38 [Note]: FSRAW library version 1.7.1019
07/10/06 21:39:01 [Error]: 6019 0
#######################################################
Logfile of HijackThis v1.99.1
Scan saved at 21:43:54, on 10/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Ian White\Desktop\blbeta.exe
c:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.millbrooksoftware.com/"); (C:\Program Files\Netscape\Users\millbrook2000\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125090413043
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
#######################################################
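As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage helper for logs like the ones posted above. It parses the O4, O16, O20 and O23 entries and flags the things a helper reads first: Run entries that name a bare executable with no path, dead "(file missing)" references, O16 DPF entries with neither a control name nor a download URL, Winlogon Notify DLLs (always worth a look, since they load into winlogon), and services with no recorded owner. The flags are review prompts, not verdicts: nwprovau.dll and WinVNC4 in this thread are legitimate, and the helper only says "look here". The sample log is constructed from entries posted in this thread; the regexes and the `executable_of` heuristic are this example's own assumptions about the v1.99 log format.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread).

Parses the O4/O16/O20/O23 entries and flags lines a reviewer would look at
first. Flags are review prompts, not malware verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on entries posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [adiras] adiras.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O20 - Winlogon Notify: nwprovau - C:\\WINDOWS\\SYSTEM32\\nwprovau.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe" -service (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O4"
    reason: str   # short machine-readable reason for the flag
    line: str     # the original log line


# Assumed layout of a v1.99 entry: "<section> - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Run-key entries only ("Startup:" shortcut lines have no [name] and are skipped).
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - ?(?P<url>\S*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def executable_of(cmd: str) -> str:
    """Heuristic: return the program part of a Run-key command line.

    A quoted path ends at the closing quote; otherwise the program is the text
    before the first " /" or " -" argument switch.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" /")[0].split(" -")[0]


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return review prompts in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # Dead references in any section: harmless, but they hide real entries.
        if "(file missing)" in body:
            findings.append(Finding(section, "file-missing", line))
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = executable_of(o4.group("cmd"))
                # No drive or directory: the file is resolved via the search
                # path at logon, so confirm where it actually lives on disk.
                if "\\" not in exe and ":" not in exe:
                    findings.append(Finding(section, "bare-exe-name", line))
        elif section == "O16":
            o16 = O16_RE.match(body)
            if o16 and not o16.group("name") and not o16.group("url"):
                findings.append(Finding(section, "dpf-no-name-no-url", line))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always review them.
            findings.append(Finding(section, "winlogon-notify-dll", line))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if o23 and o23.group("owner") == "Unknown owner":
                findings.append(Finding(section, "unknown-service-owner", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick overview before reading lines."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; on the constructed sample it returns six prompts (the bare `adiras.exe`, two "(file missing)" lines, the empty O16 entry, the O20 DLL and the unknown-owner service), which is exactly the subset a helper would ask about first.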

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 PM

Posted 10 July 2006 - 04:02 PM

Yes, I think we are done here since you were able to find those three files and delete them.

How are things running now?

#15 derbyian

derbyian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 10 July 2006 - 04:10 PM

Thanks very much - things seem to be running OK, as I'm no longer getting the frequent and annoying virus alerts, but... I still can't re-install ZoneAlarm - it says it needs to log in to the TrueVector service and it can't, and that I should use the Service Manager to shut down TrueVector and restart the install. Do you know what that means?
Cheers
Ian