I am infected and i need help please



#1
jaco7799

    New Member

  • Member
  • 8 posts
My computer is running really slow and takes 20 min to start up before I can even open up the internet or any other operation. When the computer is starting up I keep getting notifications that my computer isn't being protected and I need an antivirus and a firewall activated. When the computer is booted up I keep getting little pop-ups that look like DOS windows and I can see SYSTEM32 in the blue bar at the top. I also get a bunch of little IE windows that open and close when I am at the desktop that say default:BLANK in the blue bar. Also my Norton pops up to tell me about viruses it has deleted, but I don't think they have been deleted; a majority of them have been Trojan.dldr, and my Spybot S&D cannot delete a smitfraud thing.

Here is my hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:19 AM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\aspi2126511.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\djmrnrvg.exe
C:\WINDOWS\system32\mdmex5.exe
C:\WINDOWS\system32\cmd32.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\Home\LOCALS~1\Temp\IlsILalfh
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\z13.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\se.exe.exe
C:\WINDOWS\system32\w.exe.exe
C:\DOCUME~1\Home\LOCALS~1\Temp\1710192912.exe
C:\WINDOWS\system32\taskdir.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www1.giantexp.../sidesearch.htm
R3 - URLSearchHook: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\toolbar.dll
O2 - BHO: C:\WINDOWS\system32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\xpRecovery.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\toolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\system32\iesniff.exe
O4 - HKLM\..\Run: [djmrnrvg] C:\WINDOWS\system32\djmrnrvg.exe
O4 - HKLM\..\Run: [dmhrg.exe] C:\WINDOWS\system32\dmhrg.exe
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKLM\..\Run: [SvcManager] mdmex5.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [djmrnrvg] C:\WINDOWS\system32\djmrnrvg.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\z2750801984.exe
O4 - HKCU\..\Run: [Avp monitor] C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\WINDOWS\system32\z2750894921.exe "
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {042A55A0-D70D-338B-6E3E-52A25DA0BDB7} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://cheyenne.fnis...rintControl.cab
O16 - DPF: {4923CF82-E016-24A1-B0B1-65D9008F39A2} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {5ED4E915-084E-4E80-D361-2BD818575BD7} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147904900812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147920273687
O16 - DPF: {92F05779-6D88-4958-8AD3-83C12D855D67} - http://www.giantexpl...bar/toolbar.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://cheyenne.fnis...stemChecker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v6.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us26/n.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\..\{587E04DC-F97F-4087-A320-EDBC43C7D821}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC47964-E709-4F11-8D1A-76863BB9F241}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O17 - HKLM\System\CS3\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hXYBIUclS - {80282687-2A82-8C2D-8356-A8BE89AA1615} - C:\WINDOWS\system32\mht.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi2126511.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Any help is greatly appreciated, thank you.


#2
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Do this first. Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HJT log.


#3
jaco7799

    New Member

  • Topic Starter
  • Member
  • 8 posts
I am having a problem with this program because my computer has so much crap on it that it is closing this program about 2 min into the scan (it's almost like my computer doesn't want it to run; it has done this to me a few times while trying to run HijackThis and open IE). Is there any way around this?

#4
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, we can clean up manually, then follow my first post. You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin, follow the prompts. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load, this is normal.

At the end of the fix, you may need to restart your computer again.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\DOCUME~1\Home\LOCALS~1\Temp\IlsILalfh
    C:\WINDOWS\system32\z13.exe
    C:\WINDOWS\system32\se.exe.exe
    C:\WINDOWS\system32\w.exe.exe
    C:\DOCUME~1\Home\LOCALS~1\Temp\1710192912.exe
    C:\WINDOWS\system32\iesniff.exe
    C:\WINDOWS\system32\djmrnrvg.exe
    C:\WINDOWS\system32\dmhrg.exe
    c:\windows\system32\winclean.exe
    C:\WINDOWS\system32\wservice.exe
    C:\WINDOWS\system32\z2750801984.exe
    C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
    C:\WINDOWS\system32\z2750894921.exe
    C:\winstall.exe
    C:\WINDOWS\system32\taskdir.exe
    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\system32\mht.dll
    C:\WINDOWS\system32\aspi2126511.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.
If after a while, your computer does not restart automatically, please restart it manually.

Then, make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www1.giantexp.../sidesearch.htm
R3 - URLSearchHook: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\toolbar.dll
O2 - BHO: C:\WINDOWS\system32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\xpRecovery.dll
O3 - Toolbar: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.4\toolbar.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\system32\iesniff.exe
O4 - HKLM\..\Run: [djmrnrvg] C:\WINDOWS\system32\djmrnrvg.exe
O4 - HKLM\..\Run: [dmhrg.exe] C:\WINDOWS\system32\dmhrg.exe
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKLM\..\Run: [SvcManager] mdmex5.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [djmrnrvg] C:\WINDOWS\system32\djmrnrvg.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\z2750801984.exe
O4 - HKCU\..\Run: [Avp monitor] C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\WINDOWS\system32\z2750894921.exe "
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O16 - DPF: {042A55A0-D70D-338B-6E3E-52A25DA0BDB7} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {4923CF82-E016-24A1-B0B1-65D9008F39A2} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {5ED4E915-084E-4E80-D361-2BD818575BD7} - http://85.255.114.166/1/rdgUS2650.exe
O16 - DPF: {92F05779-6D88-4958-8AD3-83C12D855D67} - http://www.giantexpl...bar/toolbar.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us26/n.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\..\{587E04DC-F97F-4087-A320-EDBC43C7D821}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC47964-E709-4F11-8D1A-76863BB9F241}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O17 - HKLM\System\CS3\Services\Tcpip\..\{3BD8DE46-E5AB-4F12-8594-BB3A20275519}: NameServer = 85.255.114.8,85.255.112.189
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O21 - SSODL: hXYBIUclS - {80282687-2A82-8C2D-8356-A8BE89AA1615} - C:\WINDOWS\system32\mht.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi2126511.exe

Exit HijackThis. Reboot and post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt and the SUPERAntiSpyware Scan Log.

Edited by Daemon, 25 November 2006 - 04:19 AM.

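The fix list in the post above was built by reading the log by eye. As an added example (not HijackThis code and not part of the thread), here is a small Python script that applies the same kinds of checks to a HijackThis log: an unexpected NameServer in O17, a DPF download from a bare IP address, autostart entries that run from Temp or have a double extension or a random numeric name, a Winlogon Notify entry whose file is missing, and an unowned service with the same path problems. `EXPECTED_DNS` is an assumption; the sample lines are copied from the first log in this thread.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not HijackThis code).
Mechanises what a helper checks by eye: unexpected DNS servers (O17), ActiveX
downloads from a bare IP or an .exe (O16), files in Temp, double extensions,
system names outside their directory, random numeric names (process list, O4,
O23), and Winlogon Notify/SSODL entries with a missing file (O20/O21).
A flag means "review this line", not "this is malware"; quiet lines can still be bad."""
import re

EXPECTED_DNS = {"192.168.1.1"}   # assumption: the DNS servers this PC should be using
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "csrss.exe", "explorer.exe"}
NORMAL_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\"}
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S")   # a line of the "Running processes" block
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def path_findings(path):
    """Checks that apply to any file path found anywhere in the log."""
    p = path.strip().lower()
    out = []
    if "\\temp\\" in p:
        out.append("runs from a Temp directory")
    if re.search(r"\.(exe|dll|com|scr)\.(exe|dll|com|scr)$", p):
        out.append("double extension")
    d, _, base = p.rpartition("\\")
    if base in SYSTEM_NAMES and d + "\\" not in NORMAL_DIRS:
        out.append("system process name outside its normal directory")
    if re.match(r"[a-z]{0,4}\d{5,}\.(exe|dll)$", base):
        out.append("random-looking numeric file name")
    return out


def triage(log_text):
    """Return [(section, line, [reasons])] for every line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            sec, body = m.groups()
        elif PROC_RE.match(line):
            sec, body = "PROC", line
        else:
            continue
        reasons = []
        if sec == "PROC":
            reasons = path_findings(body)
        elif sec == "O17":
            servers = re.split(r"[,\s]+", body.split("NameServer =", 1)[-1].strip())
            bad = [s for s in servers if s and s not in EXPECTED_DNS]
            if bad:
                reasons.append("unexpected DNS servers: " + ", ".join(bad))
        elif sec == "O16":
            um = re.search(r"https?://([^/\s]+)(\S*)", body)
            if um:
                host, rest = um.groups()
                if IPV4_RE.fullmatch(host):
                    reasons.append("ActiveX download from a bare IP address")
                if rest.lower().endswith(".exe"):
                    reasons.append("DPF points at an .exe, not a .cab/.ocx")
        elif sec == "O4" and "] " in body:
            # value is 'path args' or '"path with spaces" args'; keep only the path
            t = body.split("] ", 1)[1].strip()
            t = t[1:].split('"', 1)[0].strip() if t[:1] == '"' else t.split(" ", 1)[0]
            reasons = path_findings(t)
            if "\\" not in t:
                reasons.append("no directory given (resolved via PATH); verify which file runs")
        elif sec in ("O20", "O21"):
            if "(file missing)" in body.lower():
                reasons.append("referenced file is missing")
            reasons += path_findings(body.rsplit(" - ", 1)[-1])
        elif sec == "O23":
            parts = [x.strip() for x in body.split(" - ")]
            if len(parts) >= 3:
                reasons = path_findings(parts[-1])
                if reasons and parts[-2].lower() == "unknown owner":
                    reasons.insert(0, "service has no registered owner")
        if reasons:
            findings.append((sec, line, reasons))
    return findings


# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\se.exe.exe
C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SvcManager] mdmex5.exe
O4 - HKCU\..\Run: [Avp monitor] C:\DOCUME~1\Home\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\WINDOWS\system32\z2750894921.exe "
O16 - DPF: {042A55A0-D70D-338B-6E3E-52A25DA0BDB7} - http://85.255.114.166/1/rdgUS2650.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.8 85.255.112.189
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi2126511.exe
"""

if __name__ == "__main__":
    for sec, line, reasons in triage(SAMPLE_LOG):
        print(f"[{sec}] {line}\n      -> {'; '.join(reasons)}")
```

Entries that only a name lookup exposes, such as the xpRecovery.dll BHO or cmd32.exe in the log above, pass these checks silently, which is why a helper still reads the whole log rather than relying on a script.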

#5
jaco7799

    New Member

  • Topic Starter
  • Member
  • 8 posts
HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:48:42 AM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home\Desktop\HJ\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://cheyenne.fnis...rintControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147904900812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147920273687
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://cheyenne.fnis...stemChecker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


fixwareout log:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmhrg.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSJF.EXE 51,753 2006-10-15
C:\WINDOWS\SYSTEM32\DMMCD.EXE 60,992 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


SUPERAntispyware log:

SUPERAntiSpyware Scan Log
Generated 11/25/2006 at 05:56 PM

Application Version : 3.3.1020

Core Rules Database Version : 3135
Trace Rules Database Version: 1152

Scan type : Complete Scan
Total Scan Time : 00:32:45

Memory items scanned : 400
Memory threats detected : 0
Registry items scanned : 4753
Registry threats detected : 65
File items scanned : 27154
File threats detected : 64

411Ferret Toolbar
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\Implemented Categories
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\InprocServer32
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\InprocServer32#ThreadingModel
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\ProgID
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\Programmable
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\TypeLib
HKCR\CLSID\{12F02779-6D88-4958-8AD3-83C12D86ADC7}\VersionIndependentProgID

Unclassified.Unknown Origin
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32#ThreadingModel
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32#Enable Browser Extensions
HKCR\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}
HKCR\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}#ThreadingModel
HKCR\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}\InProcServer32
HKCR\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}\InProcServer32#ThreadingModel

Trojan.SE500
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SE500MDMD\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd#Type
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd#Start
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Security
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Enum
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\se500mdmd\Enum#INITSTARTFAILED
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP137\A0023020.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP139\A0023069.SYS

Trojan.ASPI113210
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPI113210\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#Type
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#Start
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Security
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Enum
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\aspi113210\Enum#NextInstance

Trojan.Downloader-ASPI
C:\!KILLBOX\ASPI2126511.EXE

Trojan.Downloader-WService
C:\!KILLBOX\WSERVICE.EXE

Trojan.HiPoint-Installer
C:\DOCUMENTS AND SETTINGS\HOME\DESKTOP\HJ\BACKUPS\BACKUP-20061125-172017-510.INF
C:\RECYCLER\NPROTECT\00003335.INF

Adware.Tracking Cookie
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Home\Local Settings\Temp\Cookies\[email protected][2].txt

Dialer.Dial/Gen Variant
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\HER.PT
C:\RECYCLER\NPROTECT\00002831.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP165\A0033275.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP166\A0033309.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP166\A0033310.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP167\A0033346.EXE

Trojan.SpySheriff
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\JPPMILOGG
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\KFUEMCMHF
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\KSOOKCGHF
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\MNPRKMEHH
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\NGMLJINGG
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\RHNNKNOHG
C:\DOCUMENTS AND SETTINGS\HOME\LOCAL SETTINGS\TEMP\TFDLHOFHH
C:\RECYCLER\NPROTECT\00000761.EXE
C:\RECYCLER\NPROTECT\00001527.EXE
C:\RECYCLER\NPROTECT\00001911.EXE
C:\RECYCLER\NPROTECT\00002843.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP125\A0022871.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP165\A0033256.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP167\A0033349.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP168\A0033380.EXE

Trojan.Smitfraud Variant
C:\DOCUMENTS AND SETTINGS\HOME\SDFFF
C:\RECYCLER\NPROTECT\00000755.EXE
C:\RECYCLER\NPROTECT\00001397.EXE
C:\RECYCLER\NPROTECT\00001899.EXE
C:\RECYCLER\NPROTECT\00002825.EXE
C:\RECYCLER\S-1-5-21-1454471165-963894560-725345543-1003\DC6
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP165\A0033254.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP167\A0033344.EXE
C:\WINDOWS\SYSTEM32\DIAL23.EXE
C:\WINDOWS\SYSTEM32\Z12.EXE
C:\WINDOWS\Prefetch\DIAL23.EXE-04E1C40D.pf
C:\WINDOWS\Prefetch\Z12.EXE-127F50C9.pf

Trojan.Unknown Origin
C:\RECYCLER\NPROTECT\00000777.EXE
C:\RECYCLER\NPROTECT\00000780.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP165\A0033257.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP165\A0033258.EXE

Dialer.DialerPlatformLimited
C:\RECYCLER\NPROTECT\00002764.EXE
C:\RECYCLER\NPROTECT\00002949.EXE
C:\RECYCLER\NPROTECT\00002966.EXE
C:\RECYCLER\NPROTECT\00003084.EXE
C:\RECYCLER\NPROTECT\00003087.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDGUS2650.EXE
C:\WINDOWS\Prefetch\RDGUS2650.EXE-2A0A67B8.pf

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP168\A0033378.EXE
C:\WINDOWS\SYSTEM32\Z15.EXE
C:\WINDOWS\Prefetch\Z15.EXE-1218EE05.pf

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA814AFF-4FE1-406E-9BCF-451DA843A850}\RP168\A0033382.DLL

Trojan.ErrorSafe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_0001_N82M1105NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_0001_N85M0906NETINSTALLER.EXE

Trojan.GKJ
C:\WINDOWS\SYSTEM32\ERT.DLL

Trojan.Downloader-Proba
C:\WINDOWS\SYSTEM32\Z2750832812.EXE
C:\WINDOWS\SYSTEM32\Z2750864250.EXE

Trojan.TaskDir
C:\WINDOWS\SYSTEM32\ZLBW.DLL

#6
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
That's looking better. Go to Jotti's malware scan.

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\SYSTEM32\CSSJF.EXE

Click on the submit button. Repeat for:

C:\WINDOWS\SYSTEM32\DMMCD.EXE

Please post the results for both in your next reply.

#7
jaco7799

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
File: CSSJF.EXE
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 b0b857e08471d94ee778838f2b09b4b9
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.DNSChanger.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Mohbpork.A
ClamAV Found nothing
Dr.Web Found Trojan.DnsChange
F-Prot Antivirus Found Possibly a new variant of W32/new-malware!Maximus
F-Secure Anti-Virus Found nothing
Fortinet Found PossibleThreat!013311
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Agent.32 (probable variant)



File: DMMCD.EXE
Status: INFECTED/MALWARE
MD5 5873768c11dd4785634e18a050078c31
Packers detected: -
Scanner results
AntiVir Found Trojan/Small.FB.215
ArcaVir Found Trojan.Small.Fb
Avast Found nothing
AVG Antivirus Found Generic2.HFU
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DnsChange
F-Prot Antivirus Found Possibly a new variant of W32/new-malware!Maximus
F-Secure Anti-Virus Found Trojan.Win32.Small.fb
Fortinet Found W32/Small.FB!tr
Kaspersky Anti-Virus Found Trojan.Win32.Small.fb
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found W32/Smalltroj.MIE
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Small.fb


I am also having some IE problems: no thumbnails or buttons are showing up on any sites.

#8
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, delete both of those files. I'm not sure what you are referring to about IE - can you take a screenshot?

#9
jaco7799

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Posted Image

Hopefully this screenshot will work.

#10
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm... not sure what could be causing that. Click here to download System Security Suite. Extract it from the zip file into a folder and double-click on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so.

Let me know.

If no success, installing IE7 may resolve it.

#11
jaco7799

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I am still having the same problem after installing IE7, and I'm not sure how to search for help for this problem.

#12
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Are they still clickable without the image or do they not work at all?

#13
jaco7799

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Some are usable, some are broken; I can't figure it out.

#14
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Is it just IE or are any other applications affected? Can you remember at what stage you first started noticing this?

#15
jaco7799

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
So far I have just noticed it in IE. I think it started about the time I was having problems with the SUPERAntiSpyware program closing itself and I was having a lot of popups in IE windows.