
Help - Infection - Trojan.DNSChanger


Unread postby Shaba » July 22nd, 2006, 8:50 am

Are you logged in as an administrator? That radio dial may fail because of it if you aren't.

Ok, let's try this:

Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for trkfw.exe.
  • Open your C:\Windows\system32 folder and search for C:\WINDOWS\System32\trkfw.exe. Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, select trkfw.exe and click Kill3.
  • Then immediately delete C:\WINDOWS\System32\trkfw.exe from your system32 folder.
  • Close APT.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O4 - HKLM\..\Run: [trkfw.exe] C:\WINDOWS\System32\trkfw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144


Close all windows including browser and press fix checked.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\CSANL.EXE
C:\WINDOWS\SYSTEM32\DMLFN.EXE
C:\WINDOWS\system32\{8608C8F0-DE83-44FC-ADAA-F0DED6F2460B}.dll
C:\WINDOWS\system32\{0D114F70-FC0D-4B5E-A2FE-043CB22F7339}.exe
C:\WINDOWS\system32\{0928CABA-40DC-4EE2-92C9-F743DBBA550D}.exe
C:\WINDOWS\system32\{1000B2AD-C398-4E63-A342-EE8D9D0EF3F6}.exe
C:\WINDOWS\system32\{2BE75C23-723D-447E-AC7A-24A37C938847}.exe
C:\WINDOWS\system32\{FE52CAD0-296D-4F1F-B06E-7FB1B4154210}.exe
C:\WINDOWS\system32\{4FE55A5C-BC08-469F-B3AA-999268853972}.exe
C:\WINDOWS\system32\{04075705-A3A9-484E-84DB-52486A2C7317}.exe
C:\WINDOWS\system32\{FE84D989-E9F8-47D5-9506-3D6E09257067}.exe
C:\WINDOWS\system32\{EF9E2DED-76B2-452F-9203-91BC389AAB78}.exe
C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


Re-run fixwareout

Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log and fixwareout report by using Add/Reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby srs » July 22nd, 2006, 9:20 am

Shaba

I have run into a problem with APT. When I double-click on "apt.exe" in the apt folder I get the error message: "Application error The procedure GetStockObject could not be located in the DLL GDI32.DLL."

What should I do?

Thanks
srs
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Unread postby Shaba » July 22nd, 2006, 9:25 am

Hi

First check if you have this file -> C:\windows\system32\gdi32.dll

If you don't have it, follow instructions below:

Please download gdi32.dll from here and place it in the C:\windows\system32 folder.

After that, please try again.

Unread postby srs » July 22nd, 2006, 9:32 am

Shaba

I appear to have a file by that name in my windows\system32 folder.

Do you want me to delete it and replace it with your suggested replacement?

Thanks
srs

Unread postby Shaba » July 22nd, 2006, 9:36 am

Hi srs

Don't delete the original C:\windows\system32\gdi32.dll, just rename it to gdi32bak.dll.

After that, place the file from the address I gave you in the C:\windows\system32 folder.

Also do this:

start -> run
type regsrv32 C:\windows\system32\gdi32.dll and click ok.

And try again to run APT.

Unread postby srs » July 22nd, 2006, 9:50 am

Shaba

Sorry to report that I am getting the same error message still when I try and run apt.exe.

srs

Unread postby srs » July 22nd, 2006, 9:56 am

Shaba

Sorry, I should have added that after I entered "regsrv32 C:\windows\system32\gdi32.dll" and pressed ok, I got the error message: "Windows cannot find 'regsrv32'. Make sure you typed the name correctly, and then try again."

srs

Unread postby Shaba » July 22nd, 2006, 10:02 am

srs

Sorry, my mistake, it's regsvr32 not regsrv32 :oops:

Unread postby srs » July 22nd, 2006, 10:09 am

Shaba

Still no go I am afraid. This time I got the error message that the file was loaded: "but the DllRegisterServer entry point was not found. This file cannot be registered."

srs

Unread postby Shaba » July 22nd, 2006, 10:14 am

Hi srs

This time I think I must ask some expert for help.

But I will reply back as soon as I get info on how to continue.

Unread postby srs » July 22nd, 2006, 10:17 am

Thanks Shaba.

I am grateful for all you have done so far to help me out.

Cheers
srs

Unread postby srs » July 23rd, 2006, 3:25 am

Shaba

This is strange, but when I booted up my computer for the first time today I was able to make "apt.exe" run. However, what is even stranger is that today I cannot find the "trkfw.exe" file in the system32 subfolder. I am certain that I saw that file in there yesterday. Also, I cannot see that file in the window opened up by apt.exe.

In any event, I have run HJT again and attach the logfile below.

Let me know what you want me to do.

Thanks
srs

Logfile of HijackThis v1.99.1
Scan saved at 5:12:17 PM, on 23/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Documents and Settings\Suresh Senathirajah\Desktop\apt\apt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\uWDF.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vkpfx.exe] C:\WINDOWS\System32\vkpfx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Unread postby Shaba » July 23rd, 2006, 4:59 am

Hi srs

Yes, that file changes its name on every boot. That's why it's extremely irritating and you weren't able to find it.

Let's try this:

Print out the instructions below or save them to a text file. Essential!

How to configure TCP/IP

To configure TCP/IP, follow these steps:
  1. Disconnect from Internet.
  2. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
  3. Right-click the network connection that you want to configure, and then click Properties.
  4. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
  5. Under Use the following DNS server addresses, remove the 85.255.116.30 and 85.255.112.144 entries (empty the boxes between the dots).
  6. You should now be able to tick the Obtain DNS server address automatically.
  7. If you still can't tick the option, follow the steps below.
  8. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server 10.205.0.111 and alternate DNS server IP 10.205.0.112 addresses in the Preferred DNS server and Alternate DNS server boxes.
  9. Click ok and close all windows.


After that:

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\CSANL.EXE
C:\WINDOWS\SYSTEM32\DMLFN.EXE
C:\WINDOWS\system32\{8608C8F0-DE83-44FC-ADAA-F0DED6F2460B}.dll
C:\WINDOWS\system32\{0D114F70-FC0D-4B5E-A2FE-043CB22F7339}.exe
C:\WINDOWS\system32\{0928CABA-40DC-4EE2-92C9-F743DBBA550D}.exe
C:\WINDOWS\system32\{1000B2AD-C398-4E63-A342-EE8D9D0EF3F6}.exe
C:\WINDOWS\system32\{2BE75C23-723D-447E-AC7A-24A37C938847}.exe
C:\WINDOWS\system32\{FE52CAD0-296D-4F1F-B06E-7FB1B4154210}.exe
C:\WINDOWS\system32\{4FE55A5C-BC08-469F-B3AA-999268853972}.exe
C:\WINDOWS\system32\{04075705-A3A9-484E-84DB-52486A2C7317}.exe
C:\WINDOWS\system32\{FE84D989-E9F8-47D5-9506-3D6E09257067}.exe
C:\WINDOWS\system32\{EF9E2DED-76B2-452F-9203-91BC389AAB78}.exe
C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "No" at the Delete on Reboot prompt (essential!). Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run fixwareout.

Open HijackThis, click do a system scan only and checkmark these (not all of them may still be present):

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
O4 - HKLM\..\Run: [vkpfx.exe] C:\WINDOWS\System32\vkpfx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C3F6454-817B-4435-93DD-962D13D0AE06}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{883F5378-3717-478F-8ADC-48FFAA10B5AA}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{C15126FA-D632-40B0-AFBA-E3721B9534A3}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144


Delete this file -> C:\WINDOWS\System32\vkpfx.exe

The file name may be different but you'll recognize it. It looks like this in the HijackThis log:

O4 - HKLM\..\Run: [random.exe] C:\WINDOWS\System32\random.exe

Don't confuse that with ctfmon.exe, which is legit. Fix the corresponding line with HJT and delete the file.

Send:

- a fresh HijackThis log
- fixwareout report.
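
The post above asks the user to pick two kinds of lines out of a HijackThis log by eye: O17 NameServer entries pointing at the 85.255.x.x resolvers, and an O4 Run entry of the "[random.exe] C:\WINDOWS\System32\random.exe" shape that is not ctfmon.exe. The script below does that triage automatically. It is an added example written for this page, not a tool from the thread or from MalwareRemoval.com; the log lines are constructed in the HijackThis v1.99.1 format seen in the thread, and the expected-resolver list and the known-good System32 autorun list are assumptions a practitioner would replace with the machine's real ISP/DHCP resolvers and their own allowlist.

```python
"""Triage a HijackThis log for the DNSChanger indicators discussed in the thread."""
import ipaddress
import re

# Resolvers this machine is expected to use (assumption for the example; take them
# from the DHCP lease or ISP documentation on a real machine).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# System32 autoruns that legitimately use the "[name.exe] C:\WINDOWS\System32\name.exe"
# shape. The post singles out ctfmon.exe as the one not to confuse with the trojan.
KNOWN_GOOD_SYSTEM32_RUN = {"ctfmon.exe"}

# Constructed sample log: entries mirroring the ones the post tells the user to fix,
# plus legitimate lines as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vkpfx.exe] C:\WINDOWS\System32\vkpfx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B17158-42FD-418B-B9C8-01EC305C7F55}: NameServer = 85.255.116.30,85.255.112.144
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.30 85.255.112.144
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A bare executable living directly in System32 (no arguments, no loader in front).
SYS32_EXE_RE = re.compile(r"^C:\\WINDOWS\\System32\\(?P<file>[^\\\s]+\.exe)$", re.IGNORECASE)


def parse_nameservers(field):
    """Split an O17 server list. HijackThis prints it comma- or space-separated;
    both forms occur in the log quoted in the thread, so accept either."""
    servers = []
    for token in re.split(r"[,\s]+", field.strip()):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            servers.append(token)  # keep odd tokens so they are still reported
    return servers


def triage(log_text, expected=EXPECTED_RESOLVERS, known_good=KNOWN_GOOD_SYSTEM32_RUN):
    """Return (kind, location, detail) tuples for lines that need attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            # Any resolver the machine is not supposed to use is reported,
            # whichever adapter GUID or ControlSet the key lives under.
            rogue = [s for s in parse_nameservers(m["servers"]) if s not in expected]
            if rogue:
                findings.append(("O17", m["key"], ",".join(rogue)))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip().strip('"')
            p = SYS32_EXE_RE.match(cmd)
            # Flag only the "[name.exe] ...\System32\name.exe" shape the post describes,
            # minus entries on the known-good list.
            if p and p["file"].lower() == m["name"].lower() and p["file"].lower() not in known_good:
                findings.append(("O4", m["hive"], cmd))
    return findings


def distinct_rogue_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """The addresses to strip from the TCP/IP properties dialog, deduplicated."""
    rogue = set()
    for kind, _key, detail in triage(log_text, expected=expected):
        if kind == "O17":
            rogue.update(detail.split(","))
    return sorted(rogue)


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {where}  ->  {detail}")
    print("remove from DNS settings:", distinct_rogue_resolvers(SAMPLE_LOG))
```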

Unread postby srs » July 23rd, 2006, 9:19 am

Shaba

I did most of the things you asked. I was not able to delete the file "C:\WINDOWS\System32\bignk.exe" using explorer. I did remove its corresponding entry in HJT.

Logs attached below and following.

Thanks
srs

Logfile of HijackThis v1.99.1
Scan saved at 11:05:48 PM, on 23/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\program files\u-storage tools2.65\ustorage.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\uWDF.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Unread postby srs » July 23rd, 2006, 9:23 am

Shaba

Fixwareout log:


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C24519AB6B9-F579-C024-224D-CF59199A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}47B263C38B93-D159-3FA4-4D87-08FBDCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}765212DE3C18-59B9-CFC4-06CF-FFDCC4CD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C48443AFC19-8259-9A34-DC75-9C6D7EE7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}54F3E2F1A51A-1F5B-6E34-A17B-7D48D8EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E628B4FF1422-282A-5BF4-52A9-F637E6FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E0D9BE5422F2-5248-D7E4-749B-F9C7F4FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4BB32DA42FD1-38AA-AA54-86C2-011825FB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BAAA7B4900C-45DA-57E4-3BC8-E9375DC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77A1EE4F5EA1-940A-3664-9834-D1B8E6B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D5B387D071D8-5169-1854-C91B-7A16F8FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}129AA12DC5A1-AF8A-80A4-0742-4279B80F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9688276C4D3E-DBEA-5154-D9AA-C4FB69F6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7E421D6A941B-8E6B-BC74-D251-5333C770{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}152AA8BB2107-8F5A-97F4-7B4E-3A2175F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5CC8FCA4E2F4-8AC9-2B94-74EB-1DEFEBE6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8118A7CA6AD2-680A-9DA4-C141-52BD0464{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BE6785BB946D-CB99-CCF4-7FD5-EC0467BB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F27B1E4CFBE9-06B9-6F84-3213-2C47F784{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C7E71D99EE3-4498-56E4-3661-ADECCD61{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17803C874A37-BA78-0484-6725-8F80286B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E013DEC860F3-A5EB-3644-8289-44BBF740{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9117C11D5CF4-267A-5E94-862C-BCA9718C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4AEA9D1BE24F-FA1B-D534-A133-BFD0C647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E85EED18503C-33C8-FB44-39E2-A05C7A6A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C2F1E0B3B7A-9199-52D4-6DE1-87F180EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D1FC5A37C8A8-E44B-C064-397E-64FD20D0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}235C1E92842A-4788-B454-94D3-356185A4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AFCB44AF9E65-D568-CC44-EC84-F0459F7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9D18B3BC5CB1-F689-16D4-7F70-AF261114{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5134B7207C1F-93AA-0C64-EF25-562FB0EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8A820FEBEBB3-868A-A504-0AB3-38844C4E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AA476C713F55-CE1B-CBC4-001A-830F5CF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CE675A53A139-D18B-6B14-3E29-DD9794C8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93BC121384EA-0FE9-A3B4-826C-C69D3DD2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FAC2A84A11D4-35EB-08D4-626C-56E5825E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D33469E8FD0E-C679-5F64-822D-0016D84E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ajqmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmqja.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSCJT.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{8608C~1.DLL
* thequicklink C:\WINDOWS\System32\{938F7~1.DLL

»»»»» Checking for older variants covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCJT.EXE 51,211 2006-07-22
C:\WINDOWS\SYSTEM32\DMQJA.EXE 61,964 2002-08-29
Other suspects
Directory of C:\WINDOWS\system32
{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll
{8608C8F0-DE83-44FC-ADAA-F0DED6F2460B}.dll
{E5285E65-C626-4D80-BE53-4D11A48A2CAF}.exe
{8C4979DD-92E3-41B6-B81D-931A35A576EC}.exe
{E4C44883-3BA0-405A-A868-3BBEBEF028A8}.exe
{411162FA-07F7-4D61-986F-1BC5CB3B81D9}.exe
{4A581653-3D49-454B-8874-A24829E1C532}.exe
{BE081F78-1ED6-4D25-9919-A7B3B0E1F2C2}.exe
{746C0DFB-331A-435D-B1AF-F42EB1D9AEA4}.exe
{047FBB44-9828-4463-BE5A-3F068CED310E}.exe
{16DCCEDA-1663-4E65-8944-3EE99D17E7C1}.exe
{BB7640CE-5DF7-4FCC-99BC-D649BB5876EB}.exe
{6EBEFED1-BE47-49B2-9CA8-4F2E4ACF8CC5}.exe
{077C3335-152D-47CB-B6E8-B149A6D124E7}.exe
{F08B9724-2470-4A08-A8FA-1A5CD21AA921}.exe
{6B6E8B1D-4389-4663-A049-1AE5F4EE1A77}.exe
{DF4F7C9F-B947-4E7D-8425-2F2245EB9D0E}.exe
{FF6E736F-9A25-4FB5-A282-2241FF4B826E}.exe
{7EE7D6C9-57CD-43A9-9528-91CFA34484C1}.exe
{DC4CCDFF-FC60-4CFC-9B95-81C3ED212567}.exe
{0CCDBF80-78D4-4AF3-951D-39B83C362B74}.exe
{0D114F70-FC0D-4B5E-A2FE-043CB22F7339}.exe
{0928CABA-40DC-4EE2-92C9-F743DBBA550D}.exe
{1000B2AD-C398-4E63-A342-EE8D9D0EF3F6}.exe
{2BE75C23-723D-447E-AC7A-24A37C938847}.exe
{FE52CAD0-296D-4F1F-B06E-7FB1B4154210}.exe
{4FE55A5C-BC08-469F-B3AA-999268853972}.exe
{04075705-A3A9-484E-84DB-52486A2C7317}.exe
{FE84D989-E9F8-47D5-9506-3D6E09257067}.exe
{EF9E2DED-76B2-452F-9203-91BC389AAB78}.exe
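The Fixwareout report above records the three kinds of artefact this variant left behind: GUID-named .exe/.dll files dropped into system32, five-letter executables beginning with cs, dm or jb (CSCJT.EXE, DMQJA.EXE), and registry keys under CurrentVersion\ruins and CurrentVersion\Urls whose names are simply written backwards (ajqmd is dmqja reversed, swen is news, and each }…{ entry becomes a well-formed {GUID} once reversed). The script below is an added example, not Fixwareout's own code and not something posted in this thread: it applies those same heuristics to a constructed listing made of names copied from the report plus a few legitimate files, so it runs offline. The function and constant names (classify_filename, scan_listing, decode_reversed_leaf, triage_reg_keys, SAMPLE_SYSTEM32, SAMPLE_REG_KEYS) are mine.

```python
import re

# Added triage example (not Fixwareout's code). It applies the three heuristics
# visible in the report above to constructed input:
#   1. executables/DLLs in system32 whose whole name is a {GUID},
#   2. five-letter .exe names starting with cs, dm or jb (CSCJT.EXE, DMQJA.EXE),
#   3. key names under ...\CurrentVersion\ruins and ...\CurrentVersion\Urls,
#      which in the report are plain reversed strings ("ajqmd" -> "dmqja").
# Every hit is a lead to submit to VirusTotal, not a verdict: the report itself
# warns that legitimate files can match these patterns.

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
GUID_RE = re.compile(rf"^{GUID}$", re.I)
GUID_FILE_RE = re.compile(rf"^{GUID}\.(?:exe|dll)$", re.I)
FIVE_LETTER_RE = re.compile(r"^(?:cs|dm|jb)[a-z]{3}\.exe$", re.I)

# Constructed sample: names taken from the report, mixed with legitimate ones.
SAMPLE_SYSTEM32 = [
    "kernel32.dll", "nvsvc32.exe", "ipsec6.exe",
    "CSCJT.EXE", "DMQJA.EXE",
    "{938F702D-CC21-43FC-BEF0-9382BA4945C3}.dll",
    "{E5285E65-C626-4D80-BE53-4D11A48A2CAF}.exe",
    "msvcrt.dll",
]
SAMPLE_REG_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C24519AB6B9-F579-C024-224D-CF59199A{",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ajqmd",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # legitimate, must not be flagged
]


def classify_filename(name):
    """Return a reason string if `name` matches one of the report's patterns, else None."""
    if GUID_FILE_RE.match(name):
        return "GUID-named executable in system32"
    if FIVE_LETTER_RE.match(name):
        return "five-letter cs/dm/jb executable"
    return None


def scan_listing(names):
    """Reduce a directory listing to (name, reason) leads."""
    leads = []
    for name in names:
        reason = classify_filename(name)
        if reason:
            leads.append((name, reason))
    return leads


def decode_reversed_leaf(leaf):
    """Reverse a ruins/Urls key leaf; report whether the result is a well-formed GUID."""
    decoded = leaf[::-1]
    return decoded, bool(GUID_RE.match(decoded))


def triage_reg_keys(keys):
    """Return (key, decoded_leaf, is_guid) for keys under the two suspicious parents."""
    suspicious_parents = (r"\currentversion\ruins", r"\currentversion\urls")
    hits = []
    for key in keys:
        parent, _, leaf = key.rpartition("\\")
        if parent.lower().endswith(suspicious_parents):
            decoded, is_guid = decode_reversed_leaf(leaf)
            hits.append((key, decoded, is_guid))
    return hits


def run_triage(names=SAMPLE_SYSTEM32, keys=SAMPLE_REG_KEYS):
    """Bundle both checks; the caller decides what to submit for scanning."""
    return {"files": scan_listing(names), "registry": triage_reg_keys(keys)}


if __name__ == "__main__":
    result = run_triage()
    for name, reason in result["files"]:
        print(f"FILE {name:48} {reason}")
    for key, decoded, is_guid in result["registry"]:
        leaf = key.rpartition("\\")[2]
        print(f"REG  {leaf:48} -> {decoded}{' (GUID)' if is_guid else ''}")
```

On a live machine the two sample lists would be replaced with the output of `dir /b C:\WINDOWS\system32` and `reg query` on the two parent keys; anything the script flags still needs to be checked (VirusTotal, as the report says) before it is deleted, since ipsec6.exe and similar legitimate files can land in the same lists.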
