To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

Forgot?

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

 
Reply to Discussion Options
kwijy
Getting settled in
kwijy
6 Posts
8 Jul 2006, 6:33am

Need assistance with Win.32.small-ek[trj] + Win.32.Adan-094 and 078 [Adw]

I've been getting Avast warnings constantly about these 3 infections.

Win.32.small-ek[trj]
Win.32.Adan-094[Adw]
Win.32.Adan-078[Adw]


Here's a paste from my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:28 PM, on 8/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Thanks in advance!
chiaz
Spyware Mod
chiaz
1,219 Posts
8 Jul 2006, 10:12am
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.


Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
kwijy
Getting settled in
kwijy
6 Posts
8 Jul 2006, 10:06pm
Logfile of HijackThis v1.99.1
Scan saved at 7:04:02 AM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [nxoby.exe] C:\WINDOWS\system32\nxoby.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


-------------------------

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe
chiaz
Spyware Mod
chiaz
1,219 Posts
9 Jul 2006, 9:54am
Please launch HijackThis and place a tick by the following entries:
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


Please download FixWareout again from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
kwijy
Getting settled in
kwijy
6 Posts
9 Jul 2006, 12:07pm
I've done as asked, however when i saw the HijackThis report it still contained a couple of entries which i must have missed, so i repeated the proccess to make sure i had them all -- These are the reports from the second time.

After doing this it seems the only warning i'm getting from avast! is the Win32:Small-EL [Trj]. I havn't seen the other two warnings again thus far.


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe


---------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 9:01:06 PM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
kwijy
Getting settled in
kwijy
6 Posts
10 Jul 2006, 4:35pm
Still having problems with the same viruses come back again
kwijy
Getting settled in
kwijy
6 Posts
11 Jul 2006, 12:41pm
Is there anyone there that can help me? Is it okay for me to be still using my computer? Not quite sure what i need to do.
chiaz
Spyware Mod
chiaz
1,219 Posts
11 Jul 2006, 4:14pm
Sorry for the delay.

The Wareout infection is refusing to be removed. Let's try again. Launch HijackThis and place a tick by the following entries:
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


Rescan with HijackThis and post the new log in your nect reply. Thanks.
kwijy
Getting settled in
kwijy
6 Posts
12 Jul 2006, 12:55am
Logfile of HijackThis v1.99.1
Scan saved at 9:50:24 AM, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [fsoge.exe] C:\WINDOWS\system32\fsoge.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

:S
Go Back   Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Reload this Page Need assistance with Win.32.small-ek[trj] + Win.32.Adan-094 and 078 [Adw]
Jump to
This Thread Search this Thread
Search this Thread:

Advanced Search

Today's Posts - Mark All Read - Contact Us - Icrontic.com - Archive - Top

Current time: 1:02am (GMT)
Powered by vBulletin®
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Get Vanilla instead. Trust me.