Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

imbedded virus / trojans

Started by angrychef , Sep 24 2006 10:39 AM

  • Please log in to reply

#1
angrychef
Posted 24 September 2006 - 10:39 AM

angrychef

    New Member

  • Member
  • Pip
  • 5 posts
i run avg free, spybot and adaware. spybot found 45 items, but couldnt heal or move them. most were called 'imbedded'. cant run ewido because i run xp pro 64 bit and it claims its not supported. biggest issues, no virtual memory, mozilla crashes everyother time on startup and will always crash evntuall. two files appeared on my c drive and my external hd, the e drive. they are greyed-out and are, 'RECYCLER' and 'System Volume Information'. thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 12:08:23 PM, on 09/24/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\JOSHFA~1.BIG\LOCALS~1\Temp\2006923143049_mcinfo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\components\talkback.exe
E:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - {2A5437EF-331A-8A2B-B14F-0EFE36541B02} - vxdman.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CLSID Support Dll - {32978850-02C0-4F0F-A5E6-C22FB04423FC} - C:\WINDOWS\System32\clsidcore.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 100% Free Hearts Toolbar Helper - {9C613A63-B5AD-4c06-B9E0-6530D88296C5} - C:\Program Files\100% Free Hearts Toolbar\v2.0.0.2\100%_Free_Hearts_Toolbar.dll (file missing)
O3 - Toolbar: SuperBar - {05D59355-D03C-4762-B310-9228ACA0E462} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: SuperBar - {A726D3E1-D397-487A-81F7-7B81D02453A6} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: 100% Free Hearts Toolbar - {6380715A-2F84-4155-9D7F-5E7BF97DDD07} - C:\Program Files\100% Free Hearts Toolbar\v2.0.0.2\100%_Free_Hearts_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [locgoff.exe] C:\WINDOWS\system32\locgoff.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [barint] sysconf16.exe
O4 - HKLM\..\Run: [_ctcp] AppMasterCenter.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JOSHFA~1.BIG\LOCALS~1\Temp\2006923143049_mcinfo.exe /insfin
O4 - HKLM\..\Run: [dmebk.exe] C:\WINDOWS\system32\dmebk.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [iehelper] typeconf.exe
O4 - HKCU\..\Run: [Shaitan1678] ERTYDF.exe
O4 - HKCU\..\Run: [InpriseMon] sysmon12.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CF7B8C-86D2-495F-957B-FCC53334346E}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{79CB1E49-07E5-4D2C-B43F-2DC78012188A}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE787021-AD99-4B33-87FE-2B968BFC8E8B}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CF7B8C-86D2-495F-957B-FCC53334346E}: NameServer = 85.255.113.149,85.255.112.96
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


and ComboFix log:


Josh Fasano - 06-09-24 13:03:11.21 Service Pack 2
ComboFix 06.09.23.2 - Running from: "E:\downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\Install.dat


((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 11:58 -------- d-------- C:\Program Files\SP2 Connection Patcher
2006-09-24 11:58 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\AdobeUM
2006-09-24 07:07 -------- d-ah----- C:\Program Files\WindowsUpdate
2006-09-23 17:50 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\LimeWire
2006-09-23 13:47 -------- d-------- C:\Program Files\Zone Labs
2006-09-17 15:26 -------- d-------- C:\Program Files\McAfee
2006-09-17 08:08 -------- d-a------ C:\Program Files\Common Files
2006-09-11 18:39 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\WarezGhost
2006-09-09 10:24 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\AVG7
2006-08-25 17:04 -------- d-------- C:\Program Files\Common Files\WhenU
2006-08-25 16:36 -------- d-------- C:\Program Files\Lavasoft
2006-08-21 18:04 -------- d-a------ C:\Program Files\Internet Explorer
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-19 16:28 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\Apple Computer
2006-08-10 09:15 -------- d-------- C:\Documents and Settings\Josh Fasano.BIGGIRL\Application Data\warez
2006-08-07 08:16 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-07 08:16 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-31 19:34 -------- d-------- C:\Program Files\Mozilla Firefox
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-26 22:05 20640 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="\"C:\\Program Files\\mozilla.org\\Mozilla\\Mozilla.exe\" -turbo"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"SP2ConnPatcher"="\"C:\\Program Files\\SP2 Connection Patcher\\sp2connpatcher.exe\" -n=200"
"SP2 Connection Patcher"="\"C:\\Program Files\\SP2 Connection Patcher\\SP2ConnPatcher.exe\" -n=200"
"iehelper"="typeconf.exe"
"Shaitan1678"="ERTYDF.exe"
"InpriseMon"="sysmon12.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"locgoff.exe"="C:\\WINDOWS\\system32\\locgoff.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"barint"="sysconf16.exe"
"_ctcp"="AppMasterCenter.exe"
"iTunesHelper"="\"E:\\Program Files\\iTunesHelper.exe\""
"QuickTime Task"="\"E:\\program files\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"msci"="C:\\DOCUME~1\\JOSHFA~1.BIG\\LOCALS~1\\Temp\\2006923143049_mcinfo.exe /insfin"
"dmebk.exe"="C:\\WINDOWS\\system32\\dmebk.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:ff,00,00,00
"NoBandCustomize"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 09/24/06 13:17:37.93
ComboFix.txt
ComboFix2.txt

Edited by angrychef, 24 September 2006 - 11:21 AM.

  • 0

Advertisements

#2
Metallica
Posted 27 September 2006 - 05:45 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yuck. :whistling:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R3 - URLSearchHook: (no name) - {2A5437EF-331A-8A2B-B14F-0EFE36541B02} - vxdman.dll (file missing)

O2 - BHO: CLSID Support Dll - {32978850-02C0-4F0F-A5E6-C22FB04423FC} - C:\WINDOWS\System32\clsidcore.dll

O2 - BHO: 100% Free Hearts Toolbar Helper - {9C613A63-B5AD-4c06-B9E0-6530D88296C5} - C:\Program Files\100% Free Hearts Toolbar\v2.0.0.2\100%_Free_Hearts_Toolbar.dll (file missing)
O3 - Toolbar: SuperBar - {05D59355-D03C-4762-B310-9228ACA0E462} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: SuperBar - {A726D3E1-D397-487A-81F7-7B81D02453A6} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: 100% Free Hearts Toolbar - {6380715A-2F84-4155-9D7F-5E7BF97DDD07} - C:\Program Files\100% Free Hearts Toolbar\v2.0.0.2\100%_Free_Hearts_Toolbar.dll (file missing)

O4 - HKLM\..\Run: [locgoff.exe] C:\WINDOWS\system32\locgoff.exe

O4 - HKLM\..\Run: [barint] sysconf16.exe
O4 - HKLM\..\Run: [_ctcp] AppMasterCenter.exe

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JOSHFA~1.BIG\LOCALS~1\Temp\2006923143049_mcinfo.exe /insfin
O4 - HKLM\..\Run: [dmebk.exe] C:\WINDOWS\system32\dmebk.exe

O4 - HKCU\..\Run: [iehelper] typeconf.exe
O4 - HKCU\..\Run: [Shaitan1678] ERTYDF.exe
O4 - HKCU\..\Run: [InpriseMon] sysmon12.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CF7B8C-86D2-495F-957B-FCC53334346E}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{79CB1E49-07E5-4D2C-B43F-2DC78012188A}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE787021-AD99-4B33-87FE-2B968BFC8E8B}: NameServer = 85.255.113.149,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CF7B8C-86D2-495F-957B-FCC53334346E}: NameServer = 85.255.113.149,85.255.112.96

Click FIX CHECKED. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

Regards,
  • 0

#3
angrychef
Posted 27 September 2006 - 05:04 PM

angrychef

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
thank you for responding, i know youre very busy. here are the logs you asked me for:




Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ymzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzmy.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
C:\WINDOWS\SYSTEM32\DMROV.EXE
C:\WINDOWS\SYSTEM32\DMZMY.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMROV.EXE 44,032 2004-08-04
C:\WINDOWS\SYSTEM32\DMZMY.EXE 44,032 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.






Logfile of HijackThis v1.99.1
Scan saved at 7:00:24 PM, on 09/27/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


thank you again for the assistance!!
  • 0

#4
Metallica
Posted 28 September 2006 - 01:20 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That looks much better. :whistling:

Can you run Spybot S&D scan again and post the log please.
Let's see what's left to be dealt with.

Regards,
  • 0

#5
angrychef
Posted 28 September 2006 - 10:05 AM

angrychef

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
thanks for your help metallica! running much more smoothly now - mozilla hasnt crashed yet. however, those greyed out folders are still there on both the c and e drives...any ideas? i am at work but will run spybot tonight and post. thanks again!

Edited by angrychef, 28 September 2006 - 10:05 AM.

  • 0

#6
Metallica
Posted 28 September 2006 - 12:01 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
To hide those files again, the way they were before.

Open an explorer window (f.e. My computer)
Click Tools > Folder options > on the View tab uncheck the option to Display the contents of system folders.

Regards,
  • 0

#7
angrychef
Posted 01 October 2006 - 09:56 AM

angrychef

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sorry for the delay. I was out of town. I tried to run Spybot, but couldnt get through a session. It crashed multiple times telling me that it was "out of memory" or "resources". It did list a Windows Firewall over ride and also, WinAntiPro2006 [28] [Out of Memory] before it crashed. As for the system folders...duh!! Sorry about that!
I will keep trying to run Spybot and see if I can get a log posted. Thanks.
  • 0

#8
Metallica
Posted 02 October 2006 - 12:21 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let me know. There are others we can try if Spybot can't finish.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP