Secondly, I keep getting a firewall alert, that my windows exploer has violated outbound email rules. I am send in more than 5 messages in 2 seconds, when i am not sending anything at all. I tell it not to send them and I get a second alert a second later and they just keep coming. Not sure if it is part of the same virus or not. So, it seems my antivirus software is corrupted and I can't go to any other sites to download due to the virus. Any suggestions?
virus win32.hostblock / Outbound emails from Windows Explorer
#1
Posted 07 October 2006 - 06:15 PM
Secondly, I keep getting a firewall alert, that my windows exploer has violated outbound email rules. I am send in more than 5 messages in 2 seconds, when i am not sending anything at all. I tell it not to send them and I get a second alert a second later and they just keep coming. Not sure if it is part of the same virus or not. So, it seems my antivirus software is corrupted and I can't go to any other sites to download due to the virus. Any suggestions?
#2
Posted 07 October 2006 - 06:21 PM
* Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
#3
Posted 08 October 2006 - 03:24 PM
Logfile of HijackThis v1.99.1
Scan saved at 5:34:18 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\inet20004\winlogon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\inet20004\socks.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {EF0AE751-CC67-6647-339C-E14393A5D6A0} - bingo9.dll (file missing)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\winlogon.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20004\107183925.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TorontoMail] teqq32.exe
O4 - HKLM\..\Run: [NukeSpan] forces_elite.exe
O4 - HKLM\..\Run: [yojxq.exe] C:\WINDOWS\system32\yojxq.exe
O4 - HKLM\..\Run: [7f8e] C:\WINDOWS\system32\z1685.exe 9idf
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20004\socks.exe
O4 - HKLM\..\Run: [zwebj.exe] C:\WINDOWS\system32\zwebj.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [dmwzy.exe] C:\WINDOWS\system32\dmwzy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [corrida] DTOURS.exe
O4 - HKCU\..\Run: [atl_helper] SetupExeDll.exe
O4 - HKCU\..\Run: [cnftips] powerdll.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124151115890
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3206F4AD-43FA-488A-A3D0-8DF8BCCF54E9}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45F86AC-3EDD-4650-9331-82B0107DFA71}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_f.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_32.dll
O21 - SSODL: ycfnZSV - {D86F2954-72C5-83FE-94BA-8EE8B5CD977C} - C:\WINDOWS\system32\bdw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi215789.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Edited by silvianc, 08 October 2006 - 03:37 PM.
#4
Posted 08 October 2006 - 05:09 PM
There is alot going on. Lets start with the below
Download the Hoster Here
Please do not use program yet
Unzip Hoster to your desktop
Open up the Hoster program.
- Make sure that the "make hosts writable?" button in the upper right corner is enabled.
- Click back up Host files
- then click Restore orginal host files
- close program
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\2236_32.dll
C:\WINDOWS\system32\tmp_f.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\dmwzy.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\inet20004
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):
O17 - HKLM\System\CCS\Services\Tcpip\..\{3206F4AD-43FA-488A-A3D0-8DF8BCCF54E9}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45F86AC-3EDD-4650-9331-82B0107DFA71}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
Click FIX CHECKED. Close HijackThis.
Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
#5
Posted 08 October 2006 - 06:06 PM
Hi
There is alot going on. Lets start with the below
Download the Hoster Here
Please do not use program yet
Unzip Hoster to your desktop
Open up the Hoster program.Please download the Killbox by Option^Explicit.
- Make sure that the "make hosts writable?" button in the upper right corner is enabled.
- Click back up Host files
- then click Restore orginal host files
- close program
Note: In the event you already have Killbox, this is a new version that I need you to download.If your computer does not restart automatically, please restart it manually.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\2236_32.dll
C:\WINDOWS\system32\tmp_f.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\dmwzy.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\inet20004
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.
Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):
O17 - HKLM\System\CCS\Services\Tcpip\..\{3206F4AD-43FA-488A-A3D0-8DF8BCCF54E9}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45F86AC-3EDD-4650-9331-82B0107DFA71}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
Click FIX CHECKED. Close HijackThis.
Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
#6
Posted 08 October 2006 - 06:08 PM
#7
Posted 08 October 2006 - 06:45 PM
#8
Posted 09 October 2006 - 11:59 AM
#9
Posted 09 October 2006 - 07:10 PM
Please print these directions out
Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.
@echo off attrib -s -r -h "C:\WINDOWS\system32\tmp_f.dll" del /q "C:\WINDOWS\system32\tmp_f.dll" attrib -s -r -h "C:\WINDOWS\system32\rpcc.dll" del /q "C:\WINDOWS\system32\rpcc.dll" attrib -s -r -h "C:\WINDOWS\system32\dmwzy.exe" del /q "C:\WINDOWS\system32\dmwzy.exe" attrib -s -r -h "C:\WINDOWS\system32\zwebj.exe" del /q "C:\WINDOWS\system32\zwebj.exe" attrib -s -r -h "C:\WINDOWS\system32\z1685.exe" del /q "C:\WINDOWS\system32\z1685.exe" attrib -s -r -h "C:\WINDOWS\system32\taskdir.exe" del /q "C:\WINDOWS\system32\taskdir.exe" attrib -s -r -h "C:\WINDOWS\system32\forces_elite.exe" del /q "C:\WINDOWS\system32\forces_elite.exe" attrib -s -r -h "C:\WINDOWS\system32\teqq32.exe" del /q "C:\WINDOWS\system32\teqq32.exe" sc stop aspi113210 attrib -s -r -h "C:\WINDOWS\system32\aspi215789.exe" del /q "C:\WINDOWS\system32\aspi215789.exe" sc delete aspi113210 attrib -s -r -h "C:\WINDOWS\inet20004\*.*" rd /q /s "C:\WINDOWS\inet20004"
after saving as instructed above, please close notepad. You will now have a file on your desktop called delete.bat. Dont do anything with it yet
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Please run a scan with HijackThis and check the following lines for removal:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {EF0AE751-CC67-6647-339C-E14393A5D6A0} - bingo9.dll (file missing)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\winlogon.exe
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20004\107183925.dll
O4 - HKLM\..\Run: [TorontoMail] teqq32.exe
O4 - HKLM\..\Run: [NukeSpan] forces_elite.exe
O4 - HKLM\..\Run: [yojxq.exe] C:\WINDOWS\system32\yojxq.exe
O4 - HKLM\..\Run: [7f8e] C:\WINDOWS\system32\z1685.exe 9idf
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20004\socks.exe
O4 - HKLM\..\Run: [zwebj.exe] C:\WINDOWS\system32\zwebj.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [dmwzy.exe] C:\WINDOWS\system32\dmwzy.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [corrida] DTOURS.exe
O4 - HKCU\..\Run: [atl_helper] SetupExeDll.exe
O4 - HKCU\..\Run: [cnftips] powerdll.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_32.dll
O21 - SSODL: ycfnZSV - {D86F2954-72C5-83FE-94BA-8EE8B5CD977C} - C:\WINDOWS\system32\bdw.dll (file missing)
Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.
Clean out your Temporary Internet files. Proceed as follows:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply as well as a hijack log
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Edited by loophole, 09 October 2006 - 07:11 PM.
#10
Posted 09 October 2006 - 07:18 PM
#11
Posted 09 October 2006 - 08:15 PM
#12
Posted 15 October 2006 - 05:41 PM
#13
Posted 15 October 2006 - 07:28 PM
Can you post a new Hijack log. I've attached combofix to this post in a zip folder. You will need to save it to the desktop, extract it from the zip folder to your desktop to run it
Edited by loophole, 16 October 2006 - 08:32 PM.
#14
Posted 16 October 2006 - 05:59 PM
Logfile of HijackThis v1.99.1
Scan saved at 7:54:35 PM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Uninstall.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124151115890
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3206F4AD-43FA-488A-A3D0-8DF8BCCF54E9}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45F86AC-3EDD-4650-9331-82B0107DFA71}: NameServer = 85.255.116.28,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.28 85.255.112.124
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_f.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#15
Posted 16 October 2006 - 08:26 PM
Killbox by Option^Explicit.
The Avenger
Edited by loophole, 16 October 2006 - 08:28 PM.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users