View Full Version : Need assistance with Win.32.small-ek[trj] + Win.32.Adan-094 and 078 [Adw]
I've been getting Avast warnings constantly about these 3 infections.
Win.32.small-ek[trj]
Win.32.Adan-094[Adw]
Win.32.Adan-078[Adw]
Here's a paste from my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:06:28 PM, on 8/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Thanks in advance!
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Logfile of HijackThis v1.99.1
Scan saved at 7:04:02 AM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [nxoby.exe] C:\WINDOWS\system32\nxoby.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-------------------------
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe
Please launch HijackThis and place a tick by the following entries:
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Please download FixWareout again from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
I've done as asked, however when i saw the HijackThis report it still contained a couple of entries which i must have missed, so i repeated the proccess to make sure i had them all -- These are the reports from the second time.
After doing this it seems the only warning i'm getting from avast! is the Win32:Small-EL [Trj]. I havn't seen the other two warnings again thus far.
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe
---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:01:06 PM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Still having problems with the same viruses come back again :(
kwijy
11 Jul 2006, 12:41pm
Is there anyone there that can help me? Is it okay for me to be still using my computer? Not quite sure what i need to do.
Sorry for the delay.
The Wareout infection is refusing to be removed. Let's try again. Launch HijackThis and place a tick by the following entries:
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Rescan with HijackThis and post the new log in your nect reply. Thanks. :)
kwijy
12 Jul 2006, 12:55am
Logfile of HijackThis v1.99.1
Scan saved at 9:50:24 AM, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [fsoge.exe] C:\WINDOWS\system32\fsoge.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
:S
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.