Help - Infection - Trojan.DNSChanger


Post by srs » July 20th, 2006, 12:48 am

I hope that someone can help me with some infections on my computer. It started last night, and my Ewido anti spyware program first alerted me with a warning that I have been infected with the DNS Changer Trojan (Trojan.DNSChanger.ef). I have also got Norton Antivirus 2005 installed, which tells me every few minutes since last night that I am infected with a number of trojans (but does not specify with what). Neither of the 2 programs is able to remove the infection(s). I have tried running both for a full clean, including in safe mode. Each time I reboot the infections re-appear.

Since last night I have not been able to get my emails directly on MS Outlook (I have to access manually via webmail). I have checked my LAN connections and the viruses/trojans keep changing my DNS setting, hence my inability to get emails directly on Outlook.

I would be very grateful for help in removing the infections. Set out below is my hijackthis logfile.

Thanks
srs


Logfile of HijackThis v1.99.1
Scan saved at 2:33:49 PM, on 20/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\WINDOWS\System32\hppapml0.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\SONYER~1\Mobile\SYNCIN~1.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\System32\uWDF.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://i.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [hnuks.exe] C:\WINDOWS\System32\hnuks.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Shaba » July 20th, 2006, 3:23 am

Hi srs

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.

    Open HijackThis, click do a system scan only and checkmark these:

    O4 - HKLM\..\Run: [hnuks.exe] C:\WINDOWS\System32\hnuks.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
    O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
    O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144


    Close all windows including browser and press fix checked.

    Open Ewido
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below.
    • Click on Update on the toolbar.
    • Under Manual update, click on the Start Update button.
    • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Delete if found:

C:\WINDOWS\System32\hnuks.exe

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Please post:
  1. c:\fixwareout\report.txt
  2. Ewido log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by srs » July 20th, 2006, 6:14 am

Shaba

Thanks for helping me out with my problem. Your help is really appreciated.

I have done as you asked, and the various logs are attached below and in the following replies (one log per reply).

Unfortunately, the infection is still present; Norton is giving alerts every few minutes, e.g. Trojan.Favadd.

Thanks
srs

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32

Fixwareout report:
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by srs » July 20th, 2006, 6:17 am

Shaba

Ewido Log:

Thanks
srs

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:01:09 PM 20/07/2006

+ Scan result:



C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP104\A0005520.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP104\A0005521.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP104\A0005556.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP104\A0005566.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP105\A0005597.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP105\A0005598.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP105\A0005599.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP105\A0005600.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP105\A0005609.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{089CDEE7-905D-46C3-8AD2-77B1F6B6665B}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{13CCC310-99A0-421D-8A0E-2695DF769E40}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{18416067-1F0E-444D-8E59-FDD59C6E4CEA}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{2E544812-F941-4194-996D-BC3E0C349D77}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{37FDDD9D-A6C7-4CD8-8853-223741815856}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{42C89742-9A35-4F7B-B4DD-6BB555ACFEA8}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{4FA5F18A-D9FF-4F3F-AD3B-035AF7984EED}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{510EF04F-BF65-4FBC-AF3A-4106EE55C164}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{5EDA6CCC-2EDE-460D-84CF-5C946AC92FF0}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{683DA381-A82C-4C65-B7E3-B3B641C9423D}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{6DA8358F-5CF5-4D46-935C-DBFB28E54E1B}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{9879CEE3-E367-4D8E-8573-AA5880FEAEFF}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{9ACEC471-8A13-4468-A655-6EC50A32DF9B}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{A0779D00-50B4-488C-9CBF-0EF9D66973FC}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{AB875F98-F7A3-41D7-85E8-B0AF5CD08E4E}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{AC8D2FE0-DE3D-43AA-88C3-F79F168067EE}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{B7384198-99CB-45DF-B2B7-E4F73D82FA67}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{C64F7E5C-7E1E-473A-8E47-B7B1A8FFEAF5}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{DFEB0C35-DB81-4FD6-9ACF-7060D82B11BF}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{E015EF4E-BC63-4D2F-9366-5C8C39D1BFC6}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{E844D995-9E28-4B53-ACDD-2406238F0B84}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{E85B9C5A-D58F-4F1F-A292-4DD00B89149A}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{EF32DE19-EF61-40D8-BBC8-811B5891BEE6}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{F005F6E1-97EB-437F-8237-F96522A1899F}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\{FF955A42-83EE-4EDF-8906-DC3ED6167D0E}.exe -> Trojan.Hoster : Cleaned with backup (quarantined).


::Report end
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by srs » July 20th, 2006, 6:20 am

Shaba

HJT log:

Thanks
Suresh

Logfile of HijackThis v1.99.1
Scan saved at 8:18:49 PM, on 20/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{E07E1C51-EC3B-43B5-BDCE-FBDEB9A74A73}.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{E07E1C51-EC3B-43B5-BDCE-FBDEB9A74A73}.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [cipgw.exe] C:\WINDOWS\System32\cipgw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Unread postby Shaba » July 20th, 2006, 6:29 am

We are getting some progress :)

Uninstall via add/remove programs (located in Control Panel):

KillAndClean

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{E07E1C51-EC3B-43B5-BDCE-FBDEB9A74A73}.dll
O4 - HKLM\..\Run: [cipgw.exe] C:\WINDOWS\System32\cipgw.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144


Close all windows including browser and press fix checked.

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(that space between g and / is needed)

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\cipgw.exe
C:\WINDOWS\System32\{E07E1C51-EC3B-43B5-BDCE-FBDEB9A74A73}.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Download Hoster and unzip it to your desktop.

Open Hoster

  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close Hoster

Note: if you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually.

Re-run fixwareout

Send:

- a fresh HijackThis log
- fixwareout report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
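As an added example (not part of the thread, HijackThis, Fixwareout or any other tool used here), a small Python triage script that applies the two checks the fix list above relies on to HijackThis lines: O17 NameServer values outside an expected resolver range, and O2/O4 entries pointing at randomly named or GUID-named files in System32. The sample lines are copied from the logs in this thread; the 10.205.0.0/24 allowlist and the five-letter name heuristic are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: HijackThis-style lines of the kinds seen in this thread.
# The 85.255.x.x resolvers, cipgw.exe and the GUID-named DLL are copied from
# the log above; the 10.205.0.x entry is the value the later log shows after the fix.
SAMPLE_LOG = r"""
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{E07E1C51-EC3B-43B5-BDCE-FBDEB9A74A73}.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cipgw.exe] C:\WINDOWS\System32\cipgw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
"""

# Resolvers this machine is expected to use. Assumption for the example: the
# RFC 1918 range the post-fix log shows; substitute your ISP's or LAN resolvers.
EXPECTED_RESOLVERS = [ipaddress.ip_network("10.205.0.0/24")]

# File-name patterns the dropped files in this thread follow: five random
# letters (cipgw.exe, sjdxn.exe, CSMXL.EXE) or a GUID used as the file name.
# The five-letter rule is a heuristic, so legitimate files can match it too.
RANDOM_NAME = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)
GUID_NAME = re.compile(
    r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.(exe|dll)$", re.IGNORECASE
)
SYSTEM32 = re.compile(r'[A-Z]:\\WINDOWS\\SYSTEM32\\([^\\\s"]+)', re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer\s*=\s*(.+)$")


def parse_nameservers(line):
    """Resolver list from an O17 line; HijackThis prints both comma- and space-separated values."""
    m = NAMESERVER.search(line)
    if not m:
        return []
    return [tok for tok in re.split(r"[,\s]+", m.group(1).strip()) if tok]


def unexpected_resolvers(line, expected=EXPECTED_RESOLVERS):
    """Resolvers on an O17 line that fall outside every expected network."""
    bad = []
    for tok in parse_nameservers(line):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            bad.append(tok)  # not even an IP address: worth a look
            continue
        if not any(addr in net for net in expected):
            bad.append(tok)
    return bad


def suspicious_system32_file(line):
    """Name of a System32 file on the line matching the random- or GUID-name pattern, else None."""
    m = SYSTEM32.search(line)
    if not m:
        return None
    name = m.group(1)
    if RANDOM_NAME.match(name) or GUID_NAME.match(name):
        return name
    return None


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Walk a HijackThis log and return (line, reason) pairs to look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("O17"):
            bad = unexpected_resolvers(line, expected)
            if bad:
                findings.append((line, "unexpected DNS server(s): " + ", ".join(bad)))
        elif line.startswith(("O2", "O3", "O4")):
            name = suspicious_system32_file(line)
            if name:
                findings.append((line, "randomly named file in System32: " + name))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason)
        print("    " + line)
```

The flagged O17 lines are exactly the ones the fix list asks to remove, and the O4 hit is the cipgw.exe entry; entries with the machine's real resolvers pass.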

Unread postby srs » July 21st, 2006, 2:51 am

Hi Shaba

I have encountered a few problems in trying to do what you have asked.

First, my Network Connections, TCP/IP would not allow me to select the radio dial that says "Obtain DNS servers automatically".

Second, when I tried to run Killbox with the two files pasted I got the following popup:
"PendingFileRenameOperations Registry Data has been Removed by External Process"

I downloaded and ran missingfilesetup.exe, but that seemed to make no difference. I was still unable to run killbox.

Third, I ran Fixwareout again, but I am unsure where the Report was saved. The only one I could find was under the "Fixwareout" folder, subfolder "FindT", "report txt". I hope it's the correct one (as opposed to the previous one). This report is attached below.

The HJT Report is in the next reply.

Also, the Norton warnings are still continuing. There appear to be 3 of them. One is referred to as "Trojan.Desktophijack" and the other 2 as simply "Trojan Horse" with a series of numbers and letters (i.e. file reference).

Thanks for your ongoing help.

srs


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}658518147322-3588-8DC4-7C6A-D9DDDF73{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}76AF28D37F4E-7B2B-FD54-BC99-8914837B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DEE4897FA530-B3DA-F3F4-FF9D-A81F5AF4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EEB1985B118-8CBB-8D04-16FE-91ED23FE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5C78CB15BB16-D16A-93C4-CE7E-B4AF2F3E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FB62ED26DC2A-13DA-6B74-5346-26BF32B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A62DDD8EE3DC-D058-8834-BF80-15C365BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}797B605F0FCF-E81A-7274-2831-EBBD847F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D7E5AB5E3BE9-EC0A-E9E4-0D7B-78DDD33D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B60908D01EBC-B4CA-B804-C00B-DF8CE3BD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}44270318475C-6B89-67A4-8D17-C0507D4A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\uptmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A3B77E533AFB-FC38-7384-609F-E4ECE3DC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}206A18E64100-ACC9-2394-9EA4-30899A42{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A2DCA3D3E312-089B-AE24-02B2-0E6CE480{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7F0B3F18852A-83C9-C5E4-994C-CBCF1A10{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155E40FC8421-9BF9-0FC4-55A8-A4180A3F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C70A4926B03C-2A98-7DE4-88DF-C331F962{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4D5378714AAD-C2AA-1004-2D94-13869850{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}40011CFC0F20-D868-1284-AF47-3CBD350C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}637A20A6E659-6429-B5B4-87CC-892A1B0B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF9921A37E1F-5A09-4994-26FC-3004A95A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC0FEDD0DC1D-9618-C564-F6ED-6A896790{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}572DD76FD1A7-1898-6C64-E081-2976D77C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8685EBDA7441-3F28-54A4-1048-D73F3937{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}02DE1FC530A9-26DB-DD84-9B4B-FD29A48A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}475386E8FA46-41B9-B374-32BE-965768A1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}58F2B06DDE43-EC88-BDD4-AFDA-7A57AB6B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CCBC57DDD94E-B479-5444-9BF9-34C1AD7B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6068CA33DB04-EBFB-5B74-2C59-8B7451EF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BC2334DF315-3929-8EF4-316C-4DAF3D55{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FF0B3F70A911-1E3A-6A94-0770-1B02ED48{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CBF0BF4A755-FC9A-E4C4-1F81-2655CB88{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}644B80DC8685-1B18-DAF4-2B6C-8E2B5B8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A5D4B696907D-0C39-7544-56AB-B1013592{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}158982C2B598-6BA9-C024-7D34-CEC13A28{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF033E192932-5EEB-ACB4-31C6-6E96F00A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E62994CF07A-3978-F864-F034-1F0A9904{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmtpu.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSMXL.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSMXL.EXE 51,219 2006-07-20
Other suspects
Directory of C:\WINDOWS\system32
{8128308B-669A-4855-8FEC-410235619108}.exe
{1232D607-E49F-4F31-913E-BCE1D1249D94}.exe
{F07698B0-FB07-455C-A612-E1B69B1EBA0C}.exe
{536AA49E-C3C9-461C-B2DA-40289A639C16}.exe
{4099A0F1-430F-468F-8793-A70FC49926E9}.exe
{A00F69E6-6C13-4BCA-BEE5-239291E330FE}.exe
{82A31CEC-43D7-420C-9AB6-895B2C289851}.exe
{2953101B-BA65-4457-93C0-D709696B4D5A}.exe
{D8B5B2E8-C6B2-4FAD-81B1-5868CD08B446}.exe
{88BC5562-18F1-4C4E-A9CF-557A4FB0FBC4}.exe
{84DE20B1-0770-49A6-A3E1-119A07F3B0FF}.exe
{55D3FAD4-C613-4FE8-9293-513FD4332CB0}.exe
{FE1547B8-95C2-47B5-BFBE-40BD33AC8606}.exe
{B7DA1C43-9FB9-4445-974B-E49DDD75CBCC}.exe
{B6BA75A7-ADFA-4DDB-88CE-34EDD60B2F85}.exe
{1A867569-EB23-473B-9B14-64AF8E683574}.exe
{A84A92DF-B4B9-48DD-BD62-9A035CF1ED20}.exe
{7393F37D-8401-4A45-82F3-1447ADBE5868}.exe
{C77D6792-180E-46C6-8981-7A1DF67DD275}.exe
{097698A6-DE6F-465C-8169-D1CD0DDEF0CF}.exe
{A59A4003-CF62-4994-90A5-F1E73A1299FE}.exe
{B0B1A298-CC78-4B5B-9246-956E6A02A736}.exe
{C053DBC3-74FA-4821-868D-02F0CFC11004}.exe
{05896831-49D2-4001-AA2C-DAA4178735D4}.exe
{269F133C-FD88-4ED7-89A2-C30B6294A07C}.exe
{F3A0814A-8A55-4CF0-9FB9-1248CF04E551}.exe
{01A1FCBC-C499-4E5C-9C38-A25881F3B0F7}.exe
{084EC6E0-2B20-42EA-B980-213E3D3ACD2A}.exe
{CD3ECE4E-F906-4837-83CF-BFA335E77B3A}.exe
{A4D7050C-71D8-4A76-98B6-C57481307244}.exe
{D33DDD87-B7D0-4E9E-A0CE-9EB3E5BA5E7D}.exe
{F748DBBE-1382-4727-A18E-FCF0F506B797}.exe
{CB563C51-08FB-4388-850D-CD3EE8DDD26A}.exe
{E3F2FA4B-E7EC-4C39-A61D-61BB51BC87C5}.exe
{F1E227B5-9A76-44B1-8F0B-37FF99261D03}.exe
{AF45F3CB-E86E-419C-AC8B-1FEBF348AE16}.exe

Unread postby srs » July 21st, 2006, 2:53 am

Shaba

HJT log attached:

Thanks
srs


Logfile of HijackThis v1.99.1
Scan saved at 4:36:22 PM, on 21/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\hppapml0.exe
C:\WINDOWS\System32\uWDF.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\SONYER~1\Mobile\SYNCIN~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sjdxn.exe] C:\WINDOWS\System32\sjdxn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Unread postby Shaba » July 21st, 2006, 3:11 am

Hi srs

We need some stronger tools, unfortunately :(

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [sjdxn.exe] C:\WINDOWS\System32\sjdxn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144


Close all windows including browser and press fix checked.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\CSMXL.EXE
C:\WINDOWS\System32\sjdxn.exe
C:\WINDOWS\system32\{8128308B-669A-4855-8FEC-410235619108}.exe
C:\WINDOWS\system32\{1232D607-E49F-4F31-913E-BCE1D1249D94}.exe
C:\WINDOWS\system32\{F07698B0-FB07-455C-A612-E1B69B1EBA0C}.exe
C:\WINDOWS\system32\{536AA49E-C3C9-461C-B2DA-40289A639C16}.exe
C:\WINDOWS\system32\{4099A0F1-430F-468F-8793-A70FC49926E9}.exe
C:\WINDOWS\system32\{A00F69E6-6C13-4BCA-BEE5-239291E330FE}.exe
C:\WINDOWS\system32\{82A31CEC-43D7-420C-9AB6-895B2C289851}.exe
C:\WINDOWS\system32\{2953101B-BA65-4457-93C0-D709696B4D5A}.exe
C:\WINDOWS\system32\{D8B5B2E8-C6B2-4FAD-81B1-5868CD08B446}.exe
C:\WINDOWS\system32\{88BC5562-18F1-4C4E-A9CF-557A4FB0FBC4}.exe
C:\WINDOWS\system32\{84DE20B1-0770-49A6-A3E1-119A07F3B0FF}.exe
C:\WINDOWS\system32\{55D3FAD4-C613-4FE8-9293-513FD4332CB0}.exe
C:\WINDOWS\system32\{FE1547B8-95C2-47B5-BFBE-40BD33AC8606}.exe
C:\WINDOWS\system32\{B7DA1C43-9FB9-4445-974B-E49DDD75CBCC}.exe
C:\WINDOWS\system32\{B6BA75A7-ADFA-4DDB-88CE-34EDD60B2F85}.exe
C:\WINDOWS\system32\{1A867569-EB23-473B-9B14-64AF8E683574}.exe
C:\WINDOWS\system32\{A84A92DF-B4B9-48DD-BD62-9A035CF1ED20}.exe
C:\WINDOWS\system32\{7393F37D-8401-4A45-82F3-1447ADBE5868}.exe
C:\WINDOWS\system32\{C77D6792-180E-46C6-8981-7A1DF67DD275}.exe
C:\WINDOWS\system32\{097698A6-DE6F-465C-8169-D1CD0DDEF0CF}.exe
C:\WINDOWS\system32\{A59A4003-CF62-4994-90A5-F1E73A1299FE}.exe
C:\WINDOWS\system32\{B0B1A298-CC78-4B5B-9246-956E6A02A736}.exe
C:\WINDOWS\system32\{C053DBC3-74FA-4821-868D-02F0CFC11004}.exe
C:\WINDOWS\system32\{05896831-49D2-4001-AA2C-DAA4178735D4}.exe
C:\WINDOWS\system32\{269F133C-FD88-4ED7-89A2-C30B6294A07C}.exe
C:\WINDOWS\system32\{F3A0814A-8A55-4CF0-9FB9-1248CF04E551}.exe
C:\WINDOWS\system32\{01A1FCBC-C499-4E5C-9C38-A25881F3B0F7}.exe
C:\WINDOWS\system32\{084EC6E0-2B20-42EA-B980-213E3D3ACD2A}.exe
C:\WINDOWS\system32\{CD3ECE4E-F906-4837-83CF-BFA335E77B3A}.exe
C:\WINDOWS\system32\{A4D7050C-71D8-4A76-98B6-C57481307244}.exe
C:\WINDOWS\system32\{D33DDD87-B7D0-4E9E-A0CE-9EB3E5BA5E7D}.exe
C:\WINDOWS\system32\{F748DBBE-1382-4727-A18E-FCF0F506B797}.exe
C:\WINDOWS\system32\{CB563C51-08FB-4388-850D-CD3EE8DDD26A}.exe
C:\WINDOWS\system32\{E3F2FA4B-E7EC-4C39-A61D-61BB51BC87C5}.exe
C:\WINDOWS\system32\{F1E227B5-9A76-44B1-8F0B-37FF99261D03}.exe
C:\WINDOWS\system32\{AF45F3CB-E86E-419C-AC8B-1FEBF348AE16}.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


Re-run fixwareout.

Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log and fixwareout report by using Add/Reply
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby srs » July 22nd, 2006, 5:53 am

Shaba

Unfortunately I have run into some problems with "the Avenger" program. I followed your instructions up to the point about copying and pasting the text contained in the code box without any problems. However, when I hit the Green Light icon, I get the following error message: "Error: selected file does not appear to be a valid script". The program then reports "Error code: 0", and aborts.

I have tried it twice. I am not sure what I am doing wrong. I presume you wanted me to copy all of the text in the code box in one go rather than each line separately?

Thanks, and look forward to hearing from you.

srs
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Unread postby Shaba » July 22nd, 2006, 5:57 am

Hi srs

Yes, you should copy all the text in the code box and also include the "Files to delete:"
line. That's essential; otherwise you'll get an error message as you just did.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby srs » July 22nd, 2006, 5:59 am

Shaba

Thanks very much. That's fixed it.

I will report back soon on progress.

srs
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Unread postby srs » July 22nd, 2006, 6:40 am

Shaba

Reports below (and in following Replies/Posts).

Unfortunately, at least 2 of the infections still appear to be present (i.e. Norton is giving warning notices).

Thanks
srs

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\huj^hicc

*******************

Script file located at: \??\C:\Program Files\vwg^kqmu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\CSMXL.EXE deleted successfully.


File C:\WINDOWS\System32\sjdxn.exe not found!
Deletion of file C:\WINDOWS\System32\sjdxn.exe failed!

Could not process line:
C:\WINDOWS\System32\sjdxn.exe
Status: 0xc0000034

File C:\WINDOWS\system32\{8128308B-669A-4855-8FEC-410235619108}.exe deleted successfully.
File C:\WINDOWS\system32\{1232D607-E49F-4F31-913E-BCE1D1249D94}.exe deleted successfully.
File C:\WINDOWS\system32\{F07698B0-FB07-455C-A612-E1B69B1EBA0C}.exe deleted successfully.
File C:\WINDOWS\system32\{536AA49E-C3C9-461C-B2DA-40289A639C16}.exe deleted successfully.
File C:\WINDOWS\system32\{4099A0F1-430F-468F-8793-A70FC49926E9}.exe deleted successfully.
File C:\WINDOWS\system32\{A00F69E6-6C13-4BCA-BEE5-239291E330FE}.exe deleted successfully.
File C:\WINDOWS\system32\{82A31CEC-43D7-420C-9AB6-895B2C289851}.exe deleted successfully.
File C:\WINDOWS\system32\{2953101B-BA65-4457-93C0-D709696B4D5A}.exe deleted successfully.
File C:\WINDOWS\system32\{D8B5B2E8-C6B2-4FAD-81B1-5868CD08B446}.exe deleted successfully.
File C:\WINDOWS\system32\{88BC5562-18F1-4C4E-A9CF-557A4FB0FBC4}.exe deleted successfully.
File C:\WINDOWS\system32\{84DE20B1-0770-49A6-A3E1-119A07F3B0FF}.exe deleted successfully.
File C:\WINDOWS\system32\{55D3FAD4-C613-4FE8-9293-513FD4332CB0}.exe deleted successfully.
File C:\WINDOWS\system32\{FE1547B8-95C2-47B5-BFBE-40BD33AC8606}.exe deleted successfully.
File C:\WINDOWS\system32\{B7DA1C43-9FB9-4445-974B-E49DDD75CBCC}.exe deleted successfully.
File C:\WINDOWS\system32\{B6BA75A7-ADFA-4DDB-88CE-34EDD60B2F85}.exe deleted successfully.
File C:\WINDOWS\system32\{1A867569-EB23-473B-9B14-64AF8E683574}.exe deleted successfully.
File C:\WINDOWS\system32\{A84A92DF-B4B9-48DD-BD62-9A035CF1ED20}.exe deleted successfully.
File C:\WINDOWS\system32\{7393F37D-8401-4A45-82F3-1447ADBE5868}.exe deleted successfully.
File C:\WINDOWS\system32\{C77D6792-180E-46C6-8981-7A1DF67DD275}.exe deleted successfully.
File C:\WINDOWS\system32\{097698A6-DE6F-465C-8169-D1CD0DDEF0CF}.exe deleted successfully.
File C:\WINDOWS\system32\{A59A4003-CF62-4994-90A5-F1E73A1299FE}.exe deleted successfully.
File C:\WINDOWS\system32\{B0B1A298-CC78-4B5B-9246-956E6A02A736}.exe deleted successfully.
File C:\WINDOWS\system32\{C053DBC3-74FA-4821-868D-02F0CFC11004}.exe deleted successfully.
File C:\WINDOWS\system32\{05896831-49D2-4001-AA2C-DAA4178735D4}.exe deleted successfully.
File C:\WINDOWS\system32\{269F133C-FD88-4ED7-89A2-C30B6294A07C}.exe deleted successfully.
File C:\WINDOWS\system32\{F3A0814A-8A55-4CF0-9FB9-1248CF04E551}.exe deleted successfully.
File C:\WINDOWS\system32\{01A1FCBC-C499-4E5C-9C38-A25881F3B0F7}.exe deleted successfully.
File C:\WINDOWS\system32\{084EC6E0-2B20-42EA-B980-213E3D3ACD2A}.exe deleted successfully.
File C:\WINDOWS\system32\{CD3ECE4E-F906-4837-83CF-BFA335E77B3A}.exe deleted successfully.
File C:\WINDOWS\system32\{A4D7050C-71D8-4A76-98B6-C57481307244}.exe deleted successfully.
File C:\WINDOWS\system32\{D33DDD87-B7D0-4E9E-A0CE-9EB3E5BA5E7D}.exe deleted successfully.
File C:\WINDOWS\system32\{F748DBBE-1382-4727-A18E-FCF0F506B797}.exe deleted successfully.
File C:\WINDOWS\system32\{CB563C51-08FB-4388-850D-CD3EE8DDD26A}.exe deleted successfully.
File C:\WINDOWS\system32\{E3F2FA4B-E7EC-4C39-A61D-61BB51BC87C5}.exe deleted successfully.
File C:\WINDOWS\system32\{F1E227B5-9A76-44B1-8F0B-37FF99261D03}.exe deleted successfully.
File C:\WINDOWS\system32\{AF45F3CB-E86E-419C-AC8B-1FEBF348AE16}.exe deleted successfully.

Completed script processing.

*******************
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Unread postby srs » July 22nd, 2006, 6:43 am

Shaba

HJT log below

srs

Logfile of HijackThis v1.99.1
Scan saved at 8:42:40 PM, on 22/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\uWDF.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [trkfw.exe] C:\WINDOWS\System32\trkfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm
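The O17 lines in the log above are the part that matters for a DNSChanger case: every interface GUID and both the CurrentControlSet and ControlSet001 "Parameters" keys carry the same pair of resolvers, which is why the setting came back after each reboot and why Outlook could not reach its mail server. The script below is an added example, not code from HijackThis, Avenger, Fixwareout or anyone in this thread. It parses O17 lines, accepts both the comma-separated and the space-separated forms that appear in this same log, and flags any resolver outside an allowlist. The allowlist (a LAN router only) and the two extra sample lines are assumptions made for the example.

```python
# Added example for this thread (not HijackThis, Avenger or Fixwareout code):
# parse HijackThis O17 lines and flag NameServer values outside a DNS allowlist.
import ipaddress
import re
from dataclasses import dataclass, field

# Matches: O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\..\{GUID}: NameServer = ...
#      or: O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\Parameters: NameServer = ...
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]{36})\}|(?P<params>Parameters)):\s*"
    r"NameServer\s*=\s*(?P<servers>.+?)\s*$"
)

@dataclass
class DnsSetting:
    control_set: str          # "CCS" (CurrentControlSet) or "CS1", "CS2", ...
    scope: str                # interface GUID, or "Parameters" for the global value
    servers: list = field(default_factory=list)

def parse_o17(line):
    """Return a DnsSetting for an O17 line, or None for any other HJT line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # The same log shows both "a,b" and "a b"; split on either separator.
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return DnsSetting(m.group("cs"), m.group("guid") or m.group("params"), servers)

def flag_rogue_dns(lines, trusted_networks):
    """Return (control_set, scope, server, reason) for every NameServer
    that is not inside one of the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in lines:
        setting = parse_o17(line)
        if setting is None:
            continue
        for srv in setting.servers:
            try:
                addr = ipaddress.ip_address(srv)
            except ValueError:
                findings.append((setting.control_set, setting.scope, srv, "unparseable"))
                continue
            if not any(addr in net for net in trusted):
                findings.append((setting.control_set, setting.scope, srv, "not in allowlist"))
    return findings

# Sample input: three lines copied from the log above, one constructed benign
# O17 line (LAN router as resolver), and one unrelated HJT line that must be ignored.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]
# Assumption for the example: the owner expects only a resolver on the LAN.
TRUSTED_RESOLVERS = ["192.168.0.0/16"]

def rogue_servers(lines=SAMPLE_HJT_LINES, trusted=TRUSTED_RESOLVERS):
    """Distinct rogue resolver addresses, sorted, for a quick summary."""
    return sorted({f[2] for f in flag_rogue_dns(lines, trusted)})

if __name__ == "__main__":
    for finding in flag_rogue_dns(SAMPLE_HJT_LINES, TRUSTED_RESOLVERS):
        print(finding)
    print("rogue resolvers:", rogue_servers())
```

Run against a saved HJT log it prints one finding per (control set, scope, server) triple, which makes it obvious when the same pair has been written into every interface and every control set, as here; a fix that only clears the CurrentControlSet entries leaves the ControlSet001 copies to be restored on the next boot.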

Unread postby srs » July 22nd, 2006, 6:46 am

Shaba

Fixwareout report below.

Thanks
srs



Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSANL.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{8608C~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSANL.EXE 51,231 2006-07-22
C:\WINDOWS\SYSTEM32\DMLFN.EXE 62,025 2002-08-29
Other suspects
Directory of C:\WINDOWS\system32
{8608C8F0-DE83-44FC-ADAA-F0DED6F2460B}.dll
{0D114F70-FC0D-4B5E-A2FE-043CB22F7339}.exe
{0928CABA-40DC-4EE2-92C9-F743DBBA550D}.exe
{1000B2AD-C398-4E63-A342-EE8D9D0EF3F6}.exe
{2BE75C23-723D-447E-AC7A-24A37C938847}.exe
{FE52CAD0-296D-4F1F-B06E-7FB1B4154210}.exe
{4FE55A5C-BC08-469F-B3AA-999268853972}.exe
{04075705-A3A9-484E-84DB-52486A2C7317}.exe
{FE84D989-E9F8-47D5-9506-3D6E09257067}.exe
{EF9E2DED-76B2-452F-9203-91BC389AAB78}.exe
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm
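The Fixwareout report above relies on two file-name heuristics for System32: five-letter names beginning with cs, dm or jb, and executables or DLLs named after a bare GUID. The report itself warns that legitimate files will match. The script below is an added example, not Fixwareout's code, that applies the same two patterns to a constructed directory listing and shows why an allowlist is needed: csrss.exe, a core Windows process, fits the cs??? pattern exactly. The listing mixes four names taken from the report with ordinary system files.

```python
# Added example for this thread (not Fixwareout's own code): the two file-name
# heuristics the report above applies to System32, run over a constructed listing.
import re

# {GUID}.exe / {GUID}.dll, as in the "Other suspects" section of the report.
GUID_NAMED_RE = re.compile(
    r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.(?:exe|dll)$", re.I
)
# Five-letter names starting with cs, dm or jb ("Search five digit cs, dm and jb files").
FIVE_LETTER_RE = re.compile(r"^(?:cs|dm|jb)[a-z]{3}\.exe$", re.I)

# The report warns that legitimate files will match; csrss.exe is a Windows
# process that fits the cs??? pattern exactly, so it is allowlisted here.
KNOWN_GOOD = {"csrss.exe"}

def classify_listing(names, known_good=KNOWN_GOOD):
    """Group file names by the heuristic they trip; allowlisted names are skipped."""
    hits = {"guid_named": [], "five_letter": []}
    for name in names:
        if name.lower() in known_good:
            continue
        if GUID_NAMED_RE.match(name):
            hits["guid_named"].append(name)
        elif FIVE_LETTER_RE.match(name):
            hits["five_letter"].append(name)
    return hits

# Constructed System32 listing: four names from the report above plus ordinary files.
SAMPLE_SYSTEM32 = [
    "{8608C8F0-DE83-44FC-ADAA-F0DED6F2460B}.dll",
    "{0D114F70-FC0D-4B5E-A2FE-043CB22F7339}.exe",
    "CSANL.EXE",
    "DMLFN.EXE",
    "csrss.exe",
    "ctfmon.exe",
    "kernel32.dll",
    "{not-a-guid}.exe",
]

if __name__ == "__main__":
    for kind, names in classify_listing(SAMPLE_SYSTEM32).items():
        print(kind, names)
```

A match is a reason to look at the file (date, size, submit it to VirusTotal as the report says), not a reason to delete it; the allowlist is the place to record names you have already verified as legitimate so they stop showing up on every run.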