Help - Clicker.fr / Dns Hijack?


  • This topic is locked
13 replies to this topic

#1 Tidders

  • Members
  • 7 posts

Posted 12 July 2006 - 09:24 AM

Help please... I do not know how to proceed. AVG has detected CLICKER.FR on my system and Spyware Doctor has blocked several attempted DNS hijack attempts.

I have run Ewido and attached a copy of the log file; I have also run HijackThis and attached that log file below.

Please can you advise me on how to remove this nasty trojan.

many thanks

Tidders

EWIDO Logfile:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:15:10 12/07/2006

+ Scan result:



C:\WINDOWS\system32\{324C9F6C-B2F4-4C0F-8FF4-C846399D69B5}.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP140\A0021058.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0031948.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0032948.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0033948.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0033988.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0034028.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035019.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035049.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035093.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[164] VM_00CE0000 -> Downloader.Agent.uj : Error during cleaning.
[1652] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning.
[168] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning.
[1900] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning.
[1928] VM_00880000 -> Downloader.Agent.uj : Error during cleaning.
[1940] VM_00910000 -> Downloader.Agent.uj : Error during cleaning.
[1948] VM_00900000 -> Downloader.Agent.uj : Error during cleaning.
[1968] VM_00380000 -> Downloader.Agent.uj : Error during cleaning.
[1976] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning.
[2044] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning.
[208] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning.
[2440] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
[376] VM_008B0000 -> Downloader.Agent.uj : Error during cleaning.
[564] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[588] VM_00CD0000 -> Downloader.Agent.uj : Error during cleaning.
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0031954.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0032955.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0033955.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0033994.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0034034.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035026.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035056.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0035099.exe -> Downloader.Small : Cleaned with backup (quarantined).
[424] VM_003A0000 -> Trojan.DNSChanger.ef : Error during cleaning.
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0031962.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP178\A0031963.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end

HIJACKTHIS Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:06, on 12/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Program Files\Norton Internet Security\ccEmFlSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D161292D-E84D-F9A1-C473-DCDF5EB36DDA} - PasswdMon.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [trycrt] zxc.exe
O4 - HKLM\..\Run: [driver32] startman.exe
O4 - HKLM\..\Run: [dmnzm.exe] C:\WINDOWS\System32\dmnzm.exe
O4 - HKLM\..\Run: [iyvoa.exe] C:\WINDOWS\System32\iyvoa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FLKPT] TemplateDongle.exe
O4 - HKCU\..\Run: [sysmon12] WTFCTF.exe
O4 - HKCU\..\Run: [ABCXYZ] sound64.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Homepage - {26D8E843-2DEB-4B36-97B1-8E94B36B52D4} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {71874503-072D-4601-A500-E77CCA39641F} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.163.212.89:8080/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{80BE7812-0436-4F4A-90F6-E86749958D6D}: NameServer = 85.255.114.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


#2 agrarianmonk

  • Members
  • 522 posts

Posted 14 July 2006 - 06:15 PM

Hi,

Welcome to BleepingComputer. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a BleepingComputer Staff Expert reviews my fix, I will post it for you.
In the mean time, if any problems occur. Please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk

Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Tidders

  • Topic Starter

  • Members
  • 7 posts

Posted 15 July 2006 - 02:49 AM

Hi Agrarianmonk!

So pleased that you have shown up, and I really do appreciate your offer of assistance.

One point to note is that the PC has slowed down since this infection, and also, when I run Norton AV, it appears to 'stall' when scanning the following file: c:\windows\system32\wzcsapi.dll (may not be connected?). Also, when I do a search in Google and connect to a link, sometimes the system tries to change the web address of the 'go to' page?

Again thanks and look forward to hearing from you.

Tidders

#4 agrarianmonk

  • Members
  • 522 posts

Posted 16 July 2006 - 08:37 PM

Your log shows that you have both AVG and Norton antivirus programs installed. Running more than one antivirus program simultaneously greatly diminishes their stability and effectiveness. Please remove either AVG or Norton antivirus using Add or Remove programs.

If you have a current subscription to Norton Antivirus, I suggest removing AVG. However, if you do not have a current subscription to Norton and do not wish to pay for one, then I would suggest removing Norton, since AVG has free subscriptions.

If you decide to uninstall Norton, please see the instructions here: How To Remove Your Norton Products


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

R3 - URLSearchHook: (no name) - {D161292D-E84D-F9A1-C473-DCDF5EB36DDA} - PasswdMon.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [trycrt] zxc.exe
O4 - HKLM\..\Run: [driver32] startman.exe
O4 - HKLM\..\Run: [dmnzm.exe] C:\WINDOWS\System32\dmnzm.exe
O4 - HKLM\..\Run: [iyvoa.exe] C:\WINDOWS\System32\iyvoa.exe
O4 - HKCU\..\Run: [FLKPT] TemplateDongle.exe
O4 - HKCU\..\Run: [sysmon12] WTFCTF.exe
O4 - HKCU\..\Run: [ABCXYZ] sound64.exe

Now close all windows other than HijackThis, then click Fix Checked, then close HijackThis.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.


Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml
* Hit I accept. It will take you to download page.
* Download blbeta.exe and save it to the Desktop.
* Once saved... double click blbeta.exe to install the program.
* Click accept agreement and Click scan
This app too may fire off a warning from antivirus. Let the driver load.
Wait for it to finish.
* If it displays any items, don't do anything with them yet. Just hit exit (close), because legitimate items can also be present there, such as "wbemtest.exe".
* It will drop a log on the Desktop whose name starts with fsbl followed by a long number.
Please post contents of log.

In your next post, please include
  • new hijackthis log
  • blacklight log
  • fixwareout log (report.txt)

agrarianmonk

Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
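Added example, not part of the original thread and not one of the tools it recommends. The "DNS hijack" Spyware Doctor reported is visible in the HijackThis log as the O17 lines: every Tcpip NameServer value, per-interface and global, has been set to 85.255.114.35 and 85.255.112.13, and the same two addresses are still present in the O17 lines of the 17 July scan. The O4 Run entries are the other thing worth watching: the random five-letter System32 executables (dmnzm.exe and iyvoa.exe in the first scan) come back under new names (liowu.exe and dmjjj.exe in the second), and several Run values are bare file names with no directory (zxc.exe, startman.exe, WTFCTF.exe, sound64.exe). The script below parses those two line types out of two HijackThis scans, flags resolvers that are neither on an allow-list nor on a private network, lists Run entries given as a bare file name, and diffs the Run entries between the scans so renamed droppers stand out. The two sample logs are constructed subsets of the lines quoted in this thread; the allow-list address 192.168.1.1 is a hypothetical home-router resolver, not a value from the thread.

```python
"""HijackThis log triage: resolver allow-list, bare Run entries, scan diff.

Added example for this thread; it is not a tool from the original posts.
The sample logs are constructed subsets of the O4/O17 lines quoted above.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: O4/O17 lines taken from the 12 July scan (post #1).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [trycrt] zxc.exe
O4 - HKLM\..\Run: [dmnzm.exe] C:\WINDOWS\System32\dmnzm.exe
O4 - HKLM\..\Run: [iyvoa.exe] C:\WINDOWS\System32\iyvoa.exe
O4 - HKCU\..\Run: [sysmon12] WTFCTF.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
"""

# Constructed sample: O4/O17 lines taken from the 17 July scan (post #5).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [liowu.exe] C:\WINDOWS\System32\liowu.exe
O4 - HKLM\..\Run: [dmjjj.exe] C:\WINDOWS\System32\dmjjj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
"""

# Hypothetical allow-list: the resolver a home router would hand out.
# Any RFC 1918 address is also accepted; every other address is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.*)$")


def parse_log(text: str) -> Dict[str, list]:
    """Return the O4 Run entries and O17 NameServer entries of one log."""
    run: List[Tuple[str, str, str]] = []
    nameservers: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            run.append((m["hive"], m["name"], m["cmd"]))
        elif m := O17_RE.match(line):
            # HijackThis separates multiple servers with a space or a comma.
            nameservers.append((m["key"], re.split(r"[,\s]+", m["servers"].strip())))
    return {"run": run, "nameservers": nameservers}


def suspicious_resolvers(parsed: Dict[str, list]) -> List[str]:
    """Resolvers that are neither expected nor on a private network."""
    bad = set()
    for _key, servers in parsed["nameservers"]:
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                bad.add(server)  # not even an IP address: worth a look
                continue
            if server not in EXPECTED_RESOLVERS and not addr.is_private:
                bad.add(server)
    return sorted(bad)


def executable_of(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def bare_run_entries(parsed: Dict[str, list]) -> List[str]:
    """Run values that name a file with no directory at all.

    Legitimate vendors occasionally do this too (nwiz.exe in the log above),
    so treat the result as a review list, not a verdict.
    """
    return [name for _hive, name, cmd in parsed["run"] if "\\" not in executable_of(cmd)]


def diff_run_entries(before: Dict[str, list], after: Dict[str, list]) -> Tuple[List[str], List[str]]:
    """(added, removed) Run entries between two scans, as '[name] command'."""
    def fmt(entry: Tuple[str, str, str]) -> str:
        return f"[{entry[1]}] {entry[2]}"
    old = {fmt(e) for e in before["run"]}
    new = {fmt(e) for e in after["run"]}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    print("resolvers to question:", suspicious_resolvers(after))
    print("bare Run entries (first scan):", bare_run_entries(before))
    added, removed = diff_run_entries(before, after)
    print("Run entries added:", added)
    print("Run entries removed:", removed)
```

The O17 lines mirror the NameServer values under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters and the per-interface keys beneath it, which is what `ipconfig /all` shows as the active DNS servers; as long as those values point at the two 85.255.x.x addresses, every name the machine looks up is answered by whoever runs those resolvers, which is why a search result can land on a different page than the one clicked.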

#5 Tidders

  • Topic Starter

  • Members
  • 7 posts

Posted 17 July 2006 - 04:40 AM

Hi agrarianmonk!

I have carried out tasks as requested - couldn't find dmnzm.exe and iyvoa.exe in the logfile.

Things appear to have moved on as I now have a hi-jacked search bar in google and explorer!

As always, I appreciate your time and support.

Here are the log-files:

1. HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 10:31:51, on 17/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [liowu.exe] C:\WINDOWS\System32\liowu.exe
O4 - HKLM\..\Run: [dmjjj.exe] C:\WINDOWS\System32\dmjjj.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Homepage - {26D8E843-2DEB-4B36-97B1-8E94B36B52D4} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {71874503-072D-4601-A500-E77CCA39641F} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.163.212.89:8080/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{80BE7812-0436-4F4A-90F6-E86749958D6D}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


2. BLACKLIGHT

07/17/06 10:09:04 [Info]: BlackLight Engine 1.0.42 initialized
07/17/06 10:09:04 [Info]: OS: 5.1 build 2600 ()
07/17/06 10:09:05 [Note]: 7019 4
07/17/06 10:09:05 [Note]: 7005 0
07/17/06 10:09:17 [Note]: 7006 0
07/17/06 10:09:17 [Note]: 7011 1948
07/17/06 10:09:18 [Note]: 7026 0
07/17/06 10:09:18 [Note]: 7026 0
07/17/06 10:09:18 [Note]: 7024 3
07/17/06 10:09:18 [Info]: Hidden process: C:\WINDOWS\System32\{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe
07/17/06 10:09:18 [Note]: 7024 3
07/17/06 10:09:18 [Info]: Hidden process: C:\WINDOWS\System32\{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe
07/17/06 10:09:18 [Note]: FSRAW library version 1.7.1019
07/17/06 10:28:08 [Info]: Hidden file: c:\WINDOWS\system32\dmjjj.exe
07/17/06 10:28:08 [Note]: 7002 32
07/17/06 10:28:08 [Note]: 7003 1
07/17/06 10:28:08 [Note]: 10002 1
07/17/06 10:28:18 [Info]: Hidden file: c:\WINDOWS\system32\cszsk.exe
07/17/06 10:28:18 [Note]: 7002 32
07/17/06 10:28:18 [Note]: 7003 1
07/17/06 10:28:18 [Note]: 10002 1
07/17/06 10:28:20 [Info]: Hidden file: C:\WINDOWS\System32\{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe
07/17/06 10:28:20 [Note]: 10002 1
07/17/06 10:28:21 [Info]: Hidden file: c:\WINDOWS\system32\{02CD2D41-195A-4E28-A174-848EB2B5661E}.exe
07/17/06 10:28:21 [Note]: 10002 1
07/17/06 10:28:21 [Info]: Hidden file: c:\WINDOWS\system32\{2000D34C-C3F0-4840-9781-AF486AD164BA}.exe
07/17/06 10:28:22 [Note]: 7002 5
07/17/06 10:28:22 [Note]: 7003 1
07/17/06 10:28:22 [Note]: 10002 1
07/17/06 10:28:22 [Info]: Hidden file: c:\WINDOWS\system32\{8F375483-764B-4467-A067-66F0A82A9FB7}.exe
07/17/06 10:28:23 [Note]: 10002 1
07/17/06 10:28:23 [Info]: Hidden file: C:\WINDOWS\System32\{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe
07/17/06 10:28:24 [Note]: 10002 1
07/17/06 10:30:42 [Note]: 7007 0


3. FIXWAREOUT


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}387B4862FAFA-5C9A-FF84-CC67-13E91D3D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8B833602BE1A-067B-1064-4661-1D1F1D0E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}570780E0BC7E-D608-9CA4-12DF-C17C1D85{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D800E63FF403-1B6B-17C4-3332-80705322{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C12958E290E5-CFB8-3A04-5E06-E1CD0E3C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}010E71359561-4F29-AE34-30D3-80A47416{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B0F492367FB-183B-06C4-3CAE-7EB3CF40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05BF874C0966-565A-D8D4-DE70-D9EEDBCA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4745735DF809-A7CB-A9E4-8D61-A9310105{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}995BED3D91F5-D339-33F4-1EF4-BE6D8097{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B548FE49E4F-A379-FD44-C1C1-FB28C58F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A42835819A39-96B8-0834-E012-F64394C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B5E796C3439B-1F18-6914-520B-3810ABA9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zffmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1EC03C66B83F-4278-6A04-3A8A-F6921189{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F32584E8B130-9F6B-7D04-6A45-FD1FD4BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A6FF143024A-C4E9-4F24-0F5F-4E85D0C8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmffz.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSDDJ.EXE
* csr.exe C:\WINDOWS\System32\CSYHF.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSDDJ.EXE 51,263 2006-07-16
C:\WINDOWS\SYSTEM32\CSYHF.EXE 51,227 2006-07-10
C:\WINDOWS\SYSTEM32\DMFFZ.EXE 62,045 2001-08-23
Other suspects
Directory of C:\WINDOWS\system32
{8C0D58E4-F5F0-42F4-9E4C-A420341FF6A2}.exe
{CB4DF1DF-54A6-40D7-B6F9-031B8E48523F}.exe
{9811296F-A8A3-40A6-8724-F38B66C30CE1}.exe
{F85C82BF-1C1C-44DF-973A-F4E94EF845B1}.exe
{ACBDEE9D-07ED-4D8D-A565-6690C478FB50}.exe
{61474A08-3D03-43EA-92F4-16595317E010}.exe
{22350708-2333-4C71-B6B1-304FF36E008D}.exe
{E0D1F1D1-1664-4601-B760-A1EB206338B8}.exe


Thanks again.

#6 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • Local time:03:32 AM

Posted 17 July 2006 - 01:11 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable any of the following programs you may have,

Spyware Doctor
1. Open Spyware Doctor
2. Click on the 'Settings' button on the left hand panel
3. Then click on the 'Startup Settings' under 'Pick a Category'
4. Uncheck the box on the right that says 'Run at Windows Startup'

*********************************

I notice you already have Ewido installed; Open Ewido
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below.
  • Click on Update on the toolbar.
  • Under Manual update, click on the Start Update button.
  • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\liowu.exe
    C:\WINDOWS\System32\dmjjj.exe
    C:\WINDOWS\System32\{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe
    C:\WINDOWS\System32\{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe
    c:\WINDOWS\system32\cszsk.exe
    C:\WINDOWS\System32\{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe
    c:\WINDOWS\system32\{02CD2D41-195A-4E28-A174-848EB2B5661E}.exe
    c:\WINDOWS\system32\{2000D34C-C3F0-4840-9781-AF486AD164BA}.exe
    c:\WINDOWS\system32\{8F375483-764B-4467-A067-66F0A82A9FB7}.exe
    C:\WINDOWS\System32\{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe
    C:\WINDOWS\System32\CSDDJ.EXE
    C:\WINDOWS\System32\CSYHF.EXE
    C:\WINDOWS\SYSTEM32\DMFFZ.EXE
    C:\WINDOWS\SYSTEM32\{8C0D58E4-F5F0-42F4-9E4C-A420341FF6A2}.exe
    C:\WINDOWS\SYSTEM32\{CB4DF1DF-54A6-40D7-B6F9-031B8E48523F}.exe
    C:\WINDOWS\SYSTEM32\{9811296F-A8A3-40A6-8724-F38B66C30CE1}.exe
    C:\WINDOWS\SYSTEM32\{F85C82BF-1C1C-44DF-973A-F4E94EF845B1}.exe
    C:\WINDOWS\SYSTEM32\{ACBDEE9D-07ED-4D8D-A565-6690C478FB50}.exe
    C:\WINDOWS\SYSTEM32\{61474A08-3D03-43EA-92F4-16595317E010}.exe
    C:\WINDOWS\SYSTEM32\{22350708-2333-4C71-B6B1-304FF36E008D}.exe
    C:\WINDOWS\SYSTEM32\{E0D1F1D1-1664-4601-B760-A1EB206338B8}.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.

  • Click the red-and-white Delete File button.

IMPORTANT: When you are prompted to reboot, DON'T ALLOW Pocket KillBox to Reboot your computer yet. Follow the instructions below. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message let me know about it.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

***************************

Using My Computer/Windows Explorer Navigate to C:\fixwareout and double click on the FixIt batch file.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

***************************
Please physically disconnect from the internet before running Hijackthis.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
O4 - HKLM\..\Run: [liowu.exe] C:\WINDOWS\System32\liowu.exe
O4 - HKLM\..\Run: [dmjjj.exe] C:\WINDOWS\System32\dmjjj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{80BE7812-0436-4F4A-90F6-E86749958D6D}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Note:
If you have connection problems after fixing with Hijackthis,
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

In your next post, please include
  • new hijackthis log
  • ewido log
  • fixwareout log (report.txt)

agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
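As an added example, not part of this thread and not one of the tools used in it, the following Python script applies the same triage reasoning the instructions above rely on to a HijackThis log: O17 NameServer entries that point at resolvers other than the ones you expect (the DNS hijack indicator in this thread), O4 Run entries that launch five-letter or GUID-named executables from System32 (the pattern Fixwareout searches for), and O2/O3 entries whose DLL is missing or GUID-named. The sample lines are constructed from entries quoted in this thread; the trusted resolver addresses are placeholders you would replace with your ISP's or router's addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on lines quoted in this thread; not a real capture.
SAMPLE_LOG = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [liowu.exe] C:\WINDOWS\System32\liowu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1 192.168.1.2
"""

# Assumption (placeholder values): the resolvers an analyst expects this machine to use.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.2")}

# HijackThis line shapes handled here (only the HKLM/HKCU Run form of O4, not Global Startup).
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2O3_RE = re.compile(r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")

# Naming patterns seen in this thread's logs: five random letters, or a bare GUID, as the file name.
RANDOM5_RE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)
GUID_FILE_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.(exe|dll)$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)


def parse_nameservers(value):
    """Split a NameServer value; HijackThis shows comma- or space-separated lists."""
    return [ipaddress.ip_address(s) for s in re.split(r"[ ,]+", value.strip()) if s]


def suspicious_basename(command):
    """True when the launched file sits in System32 and has a random-looking or GUID name.

    Legitimate five-letter System32 executables exist, so a hit is a lead for a
    VirusTotal submission (as the Fixwareout report itself notes), not a verdict.
    """
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]      # quoted path, arguments follow the quote
    else:
        exe = command.split(" ", 1)[0]          # unquoted path, arguments after first space
    if not SYSTEM32_RE.match(exe):
        return False
    base = exe.rsplit("\\", 1)[-1]
    return bool(RANDOM5_RE.match(base) or GUID_FILE_RE.match(base))


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (section, reason, detail) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            bad = [str(ip) for ip in parse_nameservers(m["servers"]) if ip not in trusted]
            if bad:
                findings.append(("O17", "NameServer not in trusted set (possible DNS hijack)", ", ".join(bad)))
            continue
        m = O4_RE.match(line)
        if m:
            if suspicious_basename(m["cmd"]):
                findings.append(("O4", "Run entry launches random/GUID-named file from System32", m["cmd"]))
            continue
        m = O2O3_RE.match(line)
        if m:
            path = m["path"]
            if path == "(no file)":
                findings.append(("O" + m["kind"], "registration points at a missing file (orphaned entry)", m["name"]))
            elif suspicious_basename(path):
                findings.append(("O" + m["kind"], "BHO/toolbar DLL has GUID name in System32", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Run against the constructed sample it reports the GUID-named SearchToolbar DLL, the orphaned O3 toolbar, the liowu.exe Run entry and the two 85.255.x.x resolvers, and stays quiet on the Adobe BHO, the Symantec Run entry and the O17 line that uses the trusted resolvers. The O17 check is the one that matters most here: a machine whose DNS has been pointed at someone else's resolver will resolve every name through them, which is why the instructions above end with resetting the adapter to obtain DNS servers automatically.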

#7 Tidders

Tidders
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:32 AM

Posted 18 July 2006 - 05:14 AM

Hello Again!

I have completed the actions as outlined and attached the log files. I am travelling on business but will be back at my desktop on Thursday pm.

Thanks again for your excellent assistance.

1. HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 11:07:34, on 18/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dmmnk.exe] C:\WINDOWS\System32\dmmnk.exe
O4 - HKLM\..\Run: [rswan.exe] C:\WINDOWS\System32\rswan.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /M "Stylus C64" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Homepage - {26D8E843-2DEB-4B36-97B1-8E94B36B52D4} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {71874503-072D-4601-A500-E77CCA39641F} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.163.212.89:8080/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{19C688D2-4A03-40F4-8EA0-B4A0FE52C8D4}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{80BE7812-0436-4F4A-90F6-E86749958D6D}: NameServer = 85.255.114.35,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.35 85.255.112.13
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


2. EWIDO

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:59:06 18/07/2006

+ Scan result:



HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\!KillBox\( 4) -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\!KillBox\{CB4DF1DF-54A6-40D7-B6F9-031B8E48523F}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045226.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045227.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046383.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\!KillBox\( 5) -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\!KillBox\{22350708-2333-4C71-B6B1-304FF36E008D}.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044159.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044160.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046388.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20060718-085338-935.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044184.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045208.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{7D34B7B5-F4A3-4A7A-8370-2C9C25CD42F8}.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\!KillBox\csyhf.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0036092.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0037092.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0038092.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP179\A0038108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0039108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0040108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0041108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0042108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0043108.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0043123.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0043142.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0043157.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046380.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[200] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[224] VM_00C20000 -> Downloader.Agent.uj : Error during cleaning.
[744] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning.
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044188.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\!KillBox\( 1) -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\!KillBox\{8C0D58E4-F5F0-42F4-9E4C-A420341FF6A2}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045228.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045229.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046382.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8F375483-764B-4467-A067-66F0A82A9FB7}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\!KillBox\dmffz.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044192.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045200.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045315.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0046336.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046381.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmrsh.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045224.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045225.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0045332.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046370.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046371.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046372.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046373.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046374.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046384.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046385.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046386.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046389.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP181\A0046395.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{2000D34C-C3F0-4840-9781-AF486AD164BA}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{237AF892-011A-4C0D-9783-23FF4E42ECBB}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E9597FB0-7019-48B6-900C-763465B61E3B}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end


3. FIXWAREOUT


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7E8CBE5982A-1768-0054-ECCE-6EDEE3E9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB461DA684FA-1879-0484-0F3C-C43D0002{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5954DFADF723-3BFA-2924-5D60-25BAB939{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}55CC001AB45B-1799-A7C4-92EA-FB0BC619{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7BF9A28A0F66-760A-7644-B467-384573F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E1665B2BE848-471A-82E4-A591-14D2DC20{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC7A91FECDA3-C14B-6244-9968-4FBABADA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hsrmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBCE24E4FF32-3879-D0C4-A110-298FA732{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B3E16B564367-C009-6B84-9107-0BF7959E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmrsh.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSRQB.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{24A87~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSRQB.EXE 51,263 2006-07-17
C:\WINDOWS\SYSTEM32\DMRSH.EXE 62,045 2001-08-23
Other suspects
Directory of C:\WINDOWS\system32
{24A8709D-6A20-4537-BA1C-85C3FAD8CF03}.dll
{E9597FB0-7019-48B6-900C-763465B61E3B}.exe
{237AF892-011A-4C0D-9783-23FF4E42ECBB}.exe
{02CD2D41-195A-4E28-A174-848EB2B5661E}.exe
{8F375483-764B-4467-A067-66F0A82A9FB7}.exe
{916CB0BF-AE29-4C7A-9971-B54BA100CC55}.exe
{939BAB52-06D5-4292-AFB3-327FDAFD4595}.exe
{2000D34C-C3F0-4840-9781-AF486AD164BA}.exe
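The two reports above are raw tool output, and nothing in the thread explains how to read them. The following Python script is an added example, not part of the thread and not code from ewido or Fixwareout: it parses ewido result lines into object, detection family and outcome, buckets each object by where it lives (live system32, restore point, tool backup, registry, or running-process memory, which is where the "Error during cleaning" entries sit), and reverses the Fixwareout "ruins" and "Urls" names, which read as plain reversed strings (eerht, swen) and reversed GUIDs. The sample input is a handful of lines copied from the reports; the function and category names are my own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the ewido report posted in the thread.
EWIDO_SAMPLE = r"""
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\!KillBox\csyhf.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3FB59108-D118-46F2-9A17-4447228395C4}\RP180\A0044188.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmrsh.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20060718-085338-935.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
[200] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
"""

# Constructed sample: names copied from the Fixwareout report in the thread.
FIXWAREOUT_NAMES = [
    "}C7E8CBE5982A-1768-0054-ECCE-6EDEE3E9{",
    "swen",
    "eerht",
]

# One ewido result line: "<object> -> <family> : <outcome>."
EWIDO_LINE = re.compile(r"^(?P<object>.+?) -> (?P<family>\S+) : (?P<outcome>.+?)\.?$")
GUID = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def parse_ewido(text):
    """Return one dict per result line; lines that do not match are ignored."""
    results = []
    for line in text.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            results.append(m.groupdict())
    return results


def classify_location(obj):
    """Bucket a detected object by where it lives; the category names are mine."""
    upper = obj.upper()
    if obj.startswith("[") and "VM_" in obj:
        return "process memory"          # in-memory hit; a disk cleanup cannot reach it
    if upper.startswith(("HKLM\\", "HKCU\\", "HKEY_")):
        return "registry"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "restore point"           # dormant copy; live again only if that point is restored
    if "\\!KILLBOX\\" in upper or "\\HIJACKTHIS\\BACKUPS\\" in upper:
        return "tool backup"             # already moved aside by a removal tool
    if "\\WINDOWS\\SYSTEM32\\" in upper:
        return "live system32"
    return "other file"


def triage(text):
    """Summarise a report: counts per location and per family, plus failed cleanups."""
    results = parse_ewido(text)
    by_location = Counter(classify_location(r["object"]) for r in results)
    by_family = Counter(r["family"] for r in results)
    failed = [r["object"] for r in results if not r["outcome"].startswith("Cleaned")]
    return {"by_location": by_location, "by_family": by_family, "failed": failed}


def unreverse(name):
    """Fixwareout prints these names as stored; reading them backwards gives the plaintext."""
    return name[::-1]


def decode_names(names):
    """Map each reversed name to (raw, plaintext, is_well_formed_guid)."""
    return [(n, unreverse(n), bool(GUID.match(unreverse(n)))) for n in names]


if __name__ == "__main__":
    summary = triage(EWIDO_SAMPLE)
    for loc, n in summary["by_location"].most_common():
        print(f"{n:3d}  {loc}")
    print("failed cleanups:", summary["failed"])
    for raw, plain, is_guid in decode_names(FIXWAREOUT_NAMES):
        print(f"{raw} -> {plain}{'  (GUID)' if is_guid else ''}")
```

The point of the bucketing is to separate what still matters from what does not: restore-point copies and KillBox or HijackThis backups are inert unless restored, the registry and live system32 hits are the active footprint, and the VM_ entries with "Error during cleaning" are in-memory instances that a file scan cannot remove, which is why a reboot-free plan is needed. The un-reversed GUID from the "ruins" key can then be compared against the braced file names listed under system32.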

#8 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 19 July 2006 - 12:33 AM

Now you need to help us. The next step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection.
Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

After updating windows and posting a new hijackthis log, please do not reboot your computer until you get further instructions from me. The reason is because your infection will mutate every time you reboot, and we need to kill it all at once in order to get rid of it once and for all.

If you're going to be away from your machine for an extended period of time at any point during our fix, please let me know.
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#9 Tidders

Tidders
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 19 July 2006 - 03:23 AM

Hi agrarianmonk

Thank you for the last post. I will be back at my desktop this coming Thursday pm and will be able to carry out the requested actions then. I hope that this will be ok with you.

#10 Tidders

Tidders
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 20 July 2006 - 09:42 AM

Hello

I am now back at my desktop.

I downloaded Service Pack 1a from the Microsoft site and tried to install it. However I have got the message 'Product Key is Invalid'? :thumbsup:

Is this to do with the virus, or does it mean that I have not got a valid version of XP installed on my PC? The PC was purchased some years ago as a total system; the company is no longer trading, so I do not know what I can do.

I would welcome your advice on this as I do need to remove the viruses as this PC is used for my business.

Apologies for keeping on throwing problems at you, but as you may guess my level of PC expertise is not good!

thanks

#11 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 20 July 2006 - 04:07 PM

Hi Tidders,


By the presence of these threads at SWI here and here, it appears that you have had an unpatched OS for quite some time, even though you have previously been asked to install critical updates for Windows.

Your inability to update has two possible origins:

1) your copy of Windows is illegal
2) The validation process of Windows itself by Microsoft could have errored, which has been shown to be the case in about 20% of validation attempts; this is discussed here at SWI by Mike Healan.

If (1) is true, then I can no longer help you until you have obtained a legitimate copy of Windows.
If (1) is false and (2) is true, then your best hope is to go to Microsoft.com, find the support and contact link, and contact Microsoft directly about your inability to validate Windows. Only after you are able to sort the validation issue out with Microsoft and update to SP1 can we proceed and help you here, because with an unpatched version of Windows XP, reinfection is extremely likely, and thus your computer would be constantly infected even if we clean it.

A couple things to consider:

Your current infection appears to be rootkit based, and there may be more on your system than we can detect, so a complete reformat may be the only way to completely rid your system of the infection.

If you do use your computer for regular business purposes, it would be responsible to invest in a legitimate copy of Windows XP, because the infections due to an unpatched version of Windows are costing you, and if any sensitive customer information is leaked through these infections, you may be liable in court.



Please let me know what you plan to do in your next post.

Regards,
agrarianmonk


#12 Tidders

Tidders
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 21 July 2006 - 07:54 AM

Hi agrarianmonk

They say it never rains but it pours....! :thumbsup:

I want to ensure that I have a valid copy of Windows XP Pro installed on my PC. Can you suggest how I should go about this - do I purchase a 'clean' version of XP Pro and would I have to reformat my disk drive in order to reinstall it?

Not sure if this is outside your brief but I would welcome your comments.

If I manage to get a valid version of XP installed, would I be able to come back to you to revalidate how clean the system is (as I guess this will take me some time to sort out), or would I have to post a new thread?

Thanks again for the support.

Tidders

#13 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 21 July 2006 - 11:10 AM

If your copy of Windows XP is legitimate, then purchasing a new copy of Windows XP is unnecessary. I would talk to Microsoft about it (you'll probably need to give them your product key) and ask them why the product key is failing to validate. I don't know how they usually proceed (perhaps they activate your old one or issue you an entirely new product key), but after getting your product key validated by Microsoft, you should be able to install SP1 normally.

After doing that, you can just come back to this thread, post a new log, and we'll take it from there.
agrarianmonk


#14 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 04 September 2006 - 12:26 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
agrarianmonk

