Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

clicker.FR in New Zealand!

Post by mrmac58 » July 4th, 2006, 4:31 am

The log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:30:11 PM, on 7/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Music\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\hh.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {B04A6240-A48C-1970-926A-F93B87B46B1D} - RtlFindVal.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{49E88D9B-06BC-4241-A585-7B5F4A4C3AC0}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{49E88D9B-06BC-4241-A585-7B5F4A4C3AC0}.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxtoolbar] KeywordFinder.exe
O4 - HKLM\..\Run: [WhatsNewBot] browsebar.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [duenm.exe] C:\WINDOWS\System32\duenm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [sysconf16] RtlFindVal.exe
O4 - HKCU\..\Run: [MONITER] RtlFindVal.exe
O4 - HKCU\..\Run: [iesetupdll] atl_helper.exe
O4 - HKCU\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{67BF026C-2256-49A8-8C25-01EA250D4F33}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0331287-19F9-442C-96E1-E16F835482B1}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am

Post by Gary R » July 4th, 2006, 7:45 am

Hi mrmac58,

I'm Gary R. I'll be glad to help you with your computer problems.
Please be patient, I know that you want your problems solved quickly, and I will work hard to help you.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.

You are running an anti-spyware programme SpywareBot that is on the Spyware Warrior Rogue Programs list.
http://www.spywarewarrior.com/rogue_ant ... rustworthy

I strongly recommend you uninstall it using Add/Remove Programs in Control Panel.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.


Download FixWareout and save it to your Desktop.
Alternate Download Site

  • Double click Fixwareout.exe to run it.
  • Click Next, then Install.
  • Make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now let's check some settings on your system.

(2000/XP) Only
  • Click Start > Connect to > Show all connections.
  • Right click on your default connection, usually local area connection for cable and dsl.
  • Left click on Properties.
  • Click the Networking tab.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks. (That option might not be available on some systems).
Next!
  • Click Start > Run type cmd and hit OK.
  • Type ipconfig /flushdns then hit enter, (Note: there is a space between ipconfig and /flushdns).
  • Type exit hit enter.
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
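The checks Gary's reply acts on (static O17 NameServer values, hooks marked "(file missing)", Run and BHO entries pointing at GUID-named or path-less files) can be run mechanically over HJT entry lines. The script below is an added example, not code from the thread or from HijackThis/Fixwareout; TRUSTED_RESOLVERS and the sample subset of log lines are constructed for it.

```python
"""Triage a HijackThis (HJT) log for the indicators this thread turns on:
static DNS servers in O17 entries, hooks marked '(file missing)', and
Run/BHO entries that launch GUID-named or path-less files."""
import re

# Resolvers this machine is expected to use; constructed for the example.
# "Obtain DNS servers automatically" means there should be no static O17 value.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample: a subset of the entry lines from the first HJT log above.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {B04A6240-A48C-1970-926A-F93B87B46B1D} - RtlFindVal.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{49E88D9B-06BC-4241-A585-7B5F4A4C3AC0}.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [duenm.exe] C:\WINDOWS\System32\duenm.exe
O4 - HKCU\..\Run: [sysconf16] RtlFindVal.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{67BF026C-2256-49A8-8C25-01EA250D4F33}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")
EXE_RE = re.compile(r"(?i)(.+?\.exe)(\s|$)")
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def parse_hjt(text):
    """Yield (section, body) for every HJT entry line (R0-R3, F*, N*, O1-O24);
    the header and the 'Running processes' block do not match and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def executable_of(cmd):
    """Return the program launched by an O4 command: the quoted path if quoted,
    otherwise everything up to the first '.exe' (so unquoted paths with spaces
    and 'RUNDLL32.EXE foo.dll,Entry' both come out right)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(text, trusted=TRUSTED_RESOLVERS):
    """Return (severity, section, message) findings, highest severity first."""
    findings = []
    for sec, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append(("medium", sec, "entry points at a missing file: " + body))
        if sec == "O17":
            m = NS_RE.search(body)
            if m:
                for ip in re.split(r"[,\s]+", m.group("servers").strip()):
                    if ip and ip not in trusted:
                        findings.append(("high", sec, f"static DNS server {ip} is not a trusted resolver"))
        if sec in ("O2", "O3"):
            # The CLSID after the name is normal; a GUID as the DLL *file name* is not.
            target = body.rsplit(" - ", 1)[-1]
            if GUID_RE.search(target.rsplit("\\", 1)[-1]):
                findings.append(("high", sec, "GUID-named module: " + target))
        if sec == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            name, exe = m.group("name"), executable_of(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            if GUID_RE.search(base):
                findings.append(("high", sec, f"Run value [{name}] launches GUID-named {exe}"))
            elif name.lower() == base.lower():
                findings.append(("medium", sec, f"Run value [{name}] is named after its own file {exe}"))
            elif "\\" not in exe:
                # Path-less names resolve through the search path; often legitimate, so low.
                findings.append(("low", sec, f"Run value [{name}] launches path-less {exe}"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for sev, sec, msg in triage(SAMPLE_HJT):
        print(f"{sev:6} {sec:4} {msg}")
```

The low-severity findings are review prompts, not verdicts: SOUNDMAN.EXE and nwiz.exe in the log above are path-less but legitimate, which is exactly why the helper asks for the full log rather than a filtered one.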

2nd output...

Post by mrmac58 » July 5th, 2006, 3:40 am

Hi Gary...thanks for swift response....

I'm using a 2nd machine to post replies as I go...

Here is the report.txt

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmtwh.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSJLP.EXE
* csr.exe C:\WINDOWS\System32\CSWVY.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSJLP.EXE 51,207 2006-07-04
C:\WINDOWS\SYSTEM32\CSWVY.EXE 51,207 2006-07-04
C:\WINDOWS\SYSTEM32\DMTWH.EXE 44,085 2002-08-29
C:\WINDOWS\SYSTEM32\DMWTX.EXE 44,085 2002-08-29
Other suspects
Directory of C:\WINDOWS\system32
mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am

Post by Gary R » July 5th, 2006, 8:33 am

Hi mrmac58,

Can you send me the new HJT log I asked for in my last post please.
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

NZ

Post by mrmac58 » July 7th, 2006, 1:58 am

Hi !

Enclosed is the content of the report.txt I have just run...

Thanks for your help...


mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am

Post by Gary R » July 7th, 2006, 2:31 am

I still can't see a HJT log.

The Fixwareout log is very long, and is not complete.

There is a file limit to the posts here which your Fixwareout log has exceeded.

Try posting again. It's going to take more than 1 post to get them all in. Please ensure I have ALL the Fixwareout log AND a HJT log.

Check after posting to make sure it's all visible in the forum.

Sorry for the inconvenience.

Gary
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

HJT Log

Post by mrmac58 » July 8th, 2006, 5:44 pm

Enclosed is the entire content of the latest run of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:33:47 a.m., on 9/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Music\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Real\RealPlayer\trueplay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {B04A6240-A48C-1970-926A-F93B87B46B1D} - RtlFindVal.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxtoolbar] KeywordFinder.exe
O4 - HKLM\..\Run: [WhatsNewBot] browsebar.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [knqqm.exe] C:\WINDOWS\System32\knqqm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [sysconf16] RtlFindVal.exe
O4 - HKCU\..\Run: [MONITER] RtlFindVal.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [iesetupdll] atl_helper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{67BF026C-2256-49A8-8C25-01EA250D4F33}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0331287-19F9-442C-96E1-E16F835482B1}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


------------
Hope this is what you need...
mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am

And the FIXIT report.txt...

Unread postby mrmac58 » July 8th, 2006, 5:52 pm

This was run AFTER the just-posted HJT - is that OK?


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmedo.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSJLP.EXE
* csr.exe C:\WINDOWS\System32\CSQIK.EXE
* csr.exe C:\WINDOWS\System32\CSWVY.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{7DCBF~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSJLP.EXE 51,207 2006-07-04
C:\WINDOWS\SYSTEM32\CSQIK.EXE 51,207 2006-07-05
C:\WINDOWS\SYSTEM32\CSWVY.EXE 51,207 2006-07-04
C:\WINDOWS\SYSTEM32\DMEDO.EXE 44,085 2002-08-29
C:\WINDOWS\SYSTEM32\DMSFT.EXE 44,085 2002-08-29
C:\WINDOWS\SYSTEM32\DMTWH.EXE 44,085 2002-08-29
C:\WINDOWS\SYSTEM32\DMWTX.EXE 44,085 2002-08-29
Other suspects
Directory of C:\WINDOWS\system32
{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am

Unread postby Gary R » July 8th, 2006, 6:23 pm

Hi mrmac58,

Going to take me a while to go through your logs, it's 11.30 pm here, so will get back to you in the morning.
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Unread postby Gary R » July 9th, 2006, 3:31 am

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.


First go to Add/Remove Programs in Control Panel, and uninstall the following program: SpywareBot.
This is a programme on the Spyware Warrior Rogue Programs List and we do not advise you to have it on your computer.

Make sure that you can see hidden files and folders.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Download ATF Cleaner by Atribune and save it to your Desktop.
Download Pocket Killbox and install it to your Desktop.
Download ewido anti-malware (it is a free version of the program).

  • Install ewido anti-malware.
  • Launch ewido by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update ewido to the latest definition files.

    • At the top of the main screen click Update.
      • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close Ewido. (Do not run a scan with Ewido yet).
Run Killbox.
  • First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.
C:\WINDOWS\SYSTEM32\CSJLP.EXE
C:\WINDOWS\SYSTEM32\CSQIK.EXE
C:\WINDOWS\SYSTEM32\CSWVY.EXE
C:\WINDOWS\SYSTEM32\DMEDO.EXE
C:\WINDOWS\SYSTEM32\DMSFT.EXE
C:\WINDOWS\SYSTEM32\DMTWH.EXE
C:\WINDOWS\SYSTEM32\DMWTX.EXE
C:\WINDOWS\System32\{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
C:\WINDOWS\SYSTEM32\KeywordFinder.exe
C:\WINDOWS\SYSTEM32\browsebar.exe
C:\WINDOWS\SYSTEM32\knqqm.exe
C:\WINDOWS\SYSTEM32\RtlFindVal.exe
C:\WINDOWS\SYSTEM32\atl_helper.exe

  • Open Killbox and put a check mark in the "RadioBox" which says Delete On Reboot.
  • Click File > Paste from Clipboard.
  • Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
  • Answer No when prompted to Reboot now.

Now run a scan with HJT, and check the following entries (if found).

R3 - URLSearchHook: (no name) - {B04A6240-A48C-1970-926A-F93B87B46B1D} - RtlFindVal.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{7DCBF8B3-3A23-46D9-97D9-AFFAEC1C5E44}.dll
O4 - HKLM\..\Run: [xxtoolbar] KeywordFinder.exe
O4 - HKLM\..\Run: [WhatsNewBot] browsebar.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [knqqm.exe] C:\WINDOWS\System32\knqqm.exe
O4 - HKCU\..\Run: [sysconf16] RtlFindVal.exe
O4 - HKCU\..\Run: [MONITER] RtlFindVal.exe
O4 - HKCU\..\Run: [iesetupdll] atl_helper.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{67BF026C-2256-49A8-8C25-01EA250D4F33}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0331287-19F9-442C-96E1-E16F835482B1}: NameServer = 85.255.116.164,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112


Click Fix Checked to remove them.

Shut down your computer, and boot up into Safe Mode, by hitting the F8 key repeatedly as you power up.

This will bring up a menu, select Safe Mode and press Enter. Log on as a user with administrator privileges, and find and delete the following if found.

These Folders
C:\Program Files\Wareout
C:\Program Files\SpywareBot


Clear your Temp Files.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the following boxes:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Recycle Bin
    • Java Cache
  • The rest are optional - if you want to remove the lot, check Select All.
  • Now click Empty Selected.
  • When you get the Done Cleaning message, click OK.
  • If you use Firefox browser.
    • Click Firefox at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.
  • If you use Opera browser.
    • Click Opera at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.
Run a scan with Ewido.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
        • Click on Recommended actions, and set to Quarantine.
      • How to scan
        • Check all options.
      • Possibly unwanted software.
        • Check all options.
      • Reports
        • Check Automatically generate report after every scan.
        • Uncheck Only if threats were found.
      • What to scan
        • Check Scan every file.
    • Click on the Scan tab.
      • Click on Complete System Scan and the scan will begin.
      • When the scan has finished
        • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
        • At the bottom of the window click on the Apply all Actions button.

Note: Don't save the report before you hit the Apply action button.

Close ewido anti-malware.

Ewido will save a report in the following location: C:\Program Files\ewido anti-spyware 4.0\Reports

Reboot into Normal Mode.

Finally, please post a fresh HijackThis log, along with the Ewido log.
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
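
As an added example (not code from the thread, from HijackThis or from Fixwareout), here is a small Python triage pass over a HijackThis log that generalises what the entries flagged above have in common: Run values that launch a bare filename resolved through the search path, five-letter random names in System32 (the cs/dm/jb pattern Fixwareout searches for), O17 NameServer values outside the resolvers you expect, and components marked (file missing). The sample log lines, the EXPECTED_RESOLVERS set and the KNOWN_BARE_NAMES allow-list are constructed assumptions.

```python
"""Heuristic triage of a HijackThis log for the patterns flagged in this thread."""
import re
from dataclasses import dataclass

# Assumption: the resolvers this machine should be using. Any other address in an
# O17 NameServer entry is reported; the thread's 85.255.x.x values are the case in point.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Assumption: Windows binaries that legitimately show up as a bare name in Run values.
KNOWN_BARE_NAMES = {"rundll32.exe"}

O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
# A quoted path, or an unquoted path up to the first .exe/.dll followed by space or end.
EXE_IN_CMD = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll))(?:\s|$)', re.IGNORECASE)
FIVE_LETTER_EXE = re.compile(r"[a-z]{5}\.exe", re.IGNORECASE)

# Constructed sample in HijackThis v1.99.1 format: entries the thread treats as
# legitimate mixed with ones Gary R lists for removal. SpywareBot is included even
# though no heuristic here catches it: it was identified from a rogue-program list,
# which is a different kind of check.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B04A6240-A48C-1970-926A-F93B87B46B1D} - RtlFindVal.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [xxtoolbar] KeywordFinder.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [knqqm.exe] C:\WINDOWS\System32\knqqm.exe
O4 - HKCU\..\Run: [sysconf16] RtlFindVal.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.164 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0331287-19F9-442C-96E1-E16F835482B1}: NameServer = 192.168.1.1
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4" or "O17"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Program a Run value launches, with quotes and trailing arguments stripped."""
    m = EXE_IN_CMD.match(cmd)
    if m is None:
        return cmd.split(maxsplit=1)[0] if cmd.strip() else cmd
    return m.group(1) or m.group(2)


def _check_run(line: str, m: "re.Match[str]") -> list[Finding]:
    exe = executable_of(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1]
    out: list[Finding] = []
    # A bare name is located via the search path, so the log does not tell you which file runs.
    if "\\" not in exe and base.lower() not in KNOWN_BARE_NAMES:
        out.append(Finding("O4", f"[{m.group('name')}] launches bare name {base}, "
                                 "found via the search path rather than an explicit path", line))
    if FIVE_LETTER_EXE.fullmatch(base) and "system32" in exe.lower():
        out.append(Finding("O4", f"{base} is a five-letter random-looking name in System32", line))
    return out


def _check_dns(line: str, m: "re.Match[str]") -> list[Finding]:
    # HijackThis prints the servers either comma- or space-separated.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    unexpected = [s for s in servers if s not in EXPECTED_RESOLVERS]
    if not unexpected:
        return []
    return [Finding("O17", "NameServer set to unexpected resolver(s): " + ", ".join(unexpected), line)]


def triage(log_text: str) -> list[Finding]:
    """Return suspicious entries from a HijackThis log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            findings.append(Finding(line.split(" ", 1)[0],
                                    "registered component whose file is absent from disk", line))
        if (m := O4_RUN.match(line)) is not None:
            findings.extend(_check_run(line, m))
        elif (m := O17_DNS.match(line)) is not None:
            findings.extend(_check_dns(line, m))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Every hit still needs a human decision, as the Fixwareout report itself warns: a bare name or a short filename is a reason to check the file on disk, not a verdict.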

Logs as requested - issue with ewido...

Unread postby mrmac58 » July 15th, 2006, 1:13 am

Hi Gary,

Sorry for the delay - I was out of town for a day. I had problems running ewido - it kept hanging on the system.ini file - I left it running for 4 hours but it seemed to have locked up. I did run it twice on "memory" and "registry" scans...logs enclosed.

Other things worked just fine...

----- system.ini -------
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON


ewido logs:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:36:38 p.m. 15/07/2006

+ Scan result:



[204] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[228] VM_00C10000 -> Downloader.Agent.uj : Error during cleaning.
[780] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning.


::Report end

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:42:31 p.m. 15/07/2006

+ Scan result:



HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).


::Report end


---------------- HJT Log -----------
Logfile of HijackThis v1.99.1
Scan saved at 5:00:23 p.m., on 15/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\Music\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------

Cheers !

Colin
mrmac58
Active Member
 
Posts: 6
Joined: July 4th, 2006, 4:26 am
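The two ewido reports above say different things: the registry-only scan cleaned four CoolWebSearch keys, while the memory scan found Downloader.Agent.uj in three processes and could not clean it. The parser below is an added example (not ewido's own code or an official description of its report format) that reads reports in the shape posted above and separates what was cleaned from what was not. The sample text is the two reports from this thread; reading "[204] VM_00D60000" as a memory region inside the process with PID 204 is an assumption drawn from how the lines read.

```python
"""Parse ewido anti-spyware 4.0 scan reports and sort findings by outcome.

Added example for this thread, not ewido's own code. The report layout
(a "+ Created at:" stamp followed by "<object> -> <threat> : <action>." lines)
is taken from the reports posted above; treating "[pid] VM_xxxxxxxx" objects
as process-memory hits is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two reports posted in the thread, concatenated.
SAMPLE_REPORTS = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:36:38 p.m. 15/07/2006

+ Scan result:

[204] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
[228] VM_00C10000 -> Downloader.Agent.uj : Error during cleaning.
[780] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning.

::Report end

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:42:31 p.m. 15/07/2006

+ Scan result:

HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).

::Report end
"""

# "[<pid>] VM_<hex>" objects: assumed to be a memory region in process <pid>.
MEMORY_OBJ = re.compile(r"^\[(?P<pid>\d+)\] (?P<region>VM_[0-9A-Fa-f]+)$")
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")


@dataclass
class Finding:
    report_time: str        # the report's "Created at" stamp
    obj: str                # memory region, registry key or file path
    threat: str             # ewido's detection name
    action: str             # what ewido says it did (trailing "." removed)
    pid: Optional[int]      # process id for memory hits, else None

    @property
    def kind(self) -> str:
        if MEMORY_OBJ.match(self.obj):
            return "memory"
        if self.obj.upper().startswith(REGISTRY_PREFIXES):
            return "registry"
        return "file"

    @property
    def resolved(self) -> bool:
        # Anything other than a "Cleaned ..." action (e.g. "Error during
        # cleaning") is treated as still present.
        return self.action.lower().startswith("cleaned")


def parse_ewido_reports(text: str) -> list:
    """Return one Finding per result line, tagged with its report's timestamp."""
    findings = []
    created = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Created at:"):
            created = line.split(":", 1)[1].strip()
            continue
        if " -> " not in line or " : " not in line:
            continue                       # headers, separators, "::Report end"
        obj, rest = line.split(" -> ", 1)
        threat, action = rest.split(" : ", 1)
        m = MEMORY_OBJ.match(obj)
        findings.append(Finding(created, obj, threat, action.rstrip("."),
                                int(m.group("pid")) if m else None))
    return findings


def unresolved_pids(findings: list) -> list:
    """PIDs whose memory still held a detection after cleaning failed."""
    return sorted({f.pid for f in findings if f.kind == "memory" and not f.resolved})


def summarize(findings: list) -> dict:
    """Counts keyed by (threat, object kind, 'cleaned' | 'not cleaned')."""
    return dict(Counter((f.threat, f.kind, "cleaned" if f.resolved else "not cleaned")
                        for f in findings))


if __name__ == "__main__":
    fs = parse_ewido_reports(SAMPLE_REPORTS)
    for key, n in summarize(fs).items():
        print(n, *key)
    print("processes with uncleaned memory hits:", unresolved_pids(fs))
```

The split the summary produces is the point: quarantining registry keys removes the way a component is registered, but a detection that sits in the memory of running processes and reports "Error during cleaning" has not been removed, which is the reason a helper treats a clean-looking HJT log with caution and asks for further scans.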

Unread postby Gary R » July 15th, 2006, 1:56 am

Hi Colin,

Your HJT log looks clean, however I'm concerned by the Ewido problem, so I'd like you to do a couple of things for me.

Download CWShredder to your Desktop.
  • Ensure all other programs and browsers are closed.
  • Double click CWShredder.exe to launch the program.
  • Click Fix and allow the programme to run.

Run a scan with HJT, and check the following entries.

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)


Click on Fix Checked to remove them.

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post please, along with a new HJT log.
Gary R
Administrator
 
Posts: 21779
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
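The two entries Gary R asks to have fixed are typical of what a helper picks out of a HijackThis log: an O3 toolbar with no name whose file no longer exists, and an O1 hosts entry that is not in the form a hosts line should take. The script below is an added example, not HijackThis's own code, that applies that reasoning mechanically to HJT 1.99-style log lines. The sample is a constructed excerpt of the log posted above; the "review"/"info" severity labels and the rule set are our own, not HijackThis's.

```python
"""Triage HijackThis 1.99 log lines for orphaned entries and odd hosts lines.

Added example, not part of HijackThis. Rules encode the thread's reasoning:
an entry whose file is gone is a leftover; one that also has no name is a
candidate for "Fix checked"; every O1 hosts entry deserves a look because
hosts-file redirection is a classic browser hijack.
"""
import ipaddress
import re

# "O3 - Toolbar: ..." -> section "O3", body "Toolbar: ..."
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Constructed excerpt of the posted log (same lines, fewer of them).
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text: str) -> list:
    """Return (section, body) for every 'Oxx - ...' style line in the log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def check_hosts(body: str):
    """Classify an O1 'Hosts: <entry>' body; returns (severity, reason)."""
    entry = body.split(":", 1)[1].strip()          # drop the "Hosts:" label
    fields = entry.split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except (ValueError, IndexError):
        # A hosts line is "<ip> <hostname>"; the posted entry has them reversed.
        return ("review", "malformed hosts entry (expected '<ip> <hostname>')")
    if not ip.is_loopback:
        return ("review", "hosts entry redirects %s to %s" % (" ".join(fields[1:]), ip))
    return ("info", "loopback hosts entry")


def triage(text: str) -> list:
    """Return [(severity, section, body, reason)] for entries worth attention."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O1":
            sev, reason = check_hosts(body)
            findings.append((sev, section, body, reason))
        elif "(no file)" in body or "(file missing)" in body:
            # Orphaned registration: harmless to remove, suspicious when unnamed.
            sev = "review" if "(no name)" in body else "info"
            findings.append((sev, section, body, "references a file that no longer exists"))
        elif "(no name)" in body:
            findings.append(("review", section, body, "entry has no name"))
    return findings


def fix_candidates(text: str) -> list:
    """Full log lines a helper would tick under 'Fix checked' (the 'review' set)."""
    return [f"{s} - {b}" for sev, s, b, _ in triage(text) if sev == "review"]


if __name__ == "__main__":
    for sev, section, body, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {section} - {body}\n         {reason}")
```

Run against the excerpt, `fix_candidates` returns exactly the two lines Gary R listed; the missing msnim protocol handler is reported at "info" level because an orphaned but named entry for a known product is a leftover rather than a sign of infection.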

Unread postby NonSuch » July 28th, 2006, 2:59 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27228
Joined: February 23rd, 2005, 7:08 am
Location: California