Hello, y'all...First, I want to give a big thanks to everyone at computing.net. The assistance and information I have found in the forums has been excellent. I have consistently solved problems with my system without having to post, just by reading the help y'all have given others. Thank you.
Unfortunately, I think I need to post now :(
N.A.V. pops up with "Trojan" (howiper.exe) and "Trojan.Favadd" (favset.exe) and won't delete them. My browser (both IE and Firefox) redirects to search sites or malicious sites whenever I use a link. My instant messenger freezes during chat.
After some research, I tried to delete favset.exe with Killbox, but got the error message:
pendingfilerenamingoperation Registry Data has been removed by External Process
I figure that the trojan got into my registry, but I'm concerned about changing the wrong thing.
I hope someone here can help me with this. Programs on my computer are running slower and slower, none of the spyware programs find anything, and I want to avoid re-formatting.
Any help would be appreciated
Again, thank you!

Please post a Hijack this log so I can see what's going on. You can download Hijack this here.
We'll see about a Panda scan after I know what I'm up against.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

ok, here goes...a log from just a few hours ago:
Logfile of HijackThis v1.99.1
Scan saved at 3:33:29 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Art Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [exe.qhcmd] C:\WINDOWS\system32\dmchq.exe
O4 - HKLM\..\Run: [exe.zfnmd] C:\WINDOWS\system32\dmnfz.exe
O4 - HKLM\..\Run: [exe.clqmd] C:\WINDOWS\system32\dmqlc.exe
O4 - HKLM\..\Run: [exe.zspmd] C:\WINDOWS\system32\dmpsz.exe
O4 - HKLM\..\Run: [exe.ggbmd] C:\WINDOWS\system32\dmbgg.exe
O4 - HKLM\..\Run: [exe.oammd] C:\WINDOWS\system32\dmmao.exe
O4 - HKLM\..\Run: [exe.pxpmd] C:\WINDOWS\system32\dmpxp.exe
O4 - HKLM\..\Run: [exe.nsymd] C:\WINDOWS\system32\dmysn.exe
O4 - HKLM\..\Run: [exe.dzmmd] C:\WINDOWS\system32\dmmzd.exe
O4 - HKLM\..\Run: [exe.yqdmd] C:\WINDOWS\system32\dmdqy.exe
O4 - HKLM\..\Run: [exe.ndgmd] C:\WINDOWS\system32\dmgdn.exe
O4 - HKLM\..\Run: [exe.lcqmd] C:\WINDOWS\system32\dmqcl.exe
O4 - HKLM\..\Run: [exe.wkxmd] C:\WINDOWS\system32\dmxkw.exe
O4 - HKLM\..\Run: [exe.vlvmd] C:\WINDOWS\system32\dmvlv.exe
O4 - HKLM\..\Run: [exe.upwmd] C:\WINDOWS\system32\dmwpu.exe
O4 - HKLM\..\Run: [exe.xtcmd] C:\WINDOWS\system32\dmctx.exe
O4 - HKLM\..\Run: [exe.uhzmd] C:\WINDOWS\system32\dmzhu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [exe.ihfmd] C:\WINDOWS\system32\dmfhi.exe
O4 - HKLM\..\Run: [exe.sdkmd] C:\WINDOWS\system32\dmkds.exe
O4 - HKLM\..\Run: [exe.qpamd] C:\WINDOWS\system32\dmapq.exe
O4 - HKLM\..\Run: [exe.ydlmd] C:\WINDOWS\system32\dmldy.exe
O4 - HKLM\..\Run: [exe.irbmd] C:\WINDOWS\system32\dmbri.exe
O4 - HKLM\..\Run: [exe.hkemd] C:\WINDOWS\system32\dmekh.exe
O4 - HKLM\..\Run: [exe.jtdmd] C:\WINDOWS\system32\dmdtj.exe
O4 - HKLM\..\Run: [exe.idzmd] C:\WINDOWS\system32\dmzdi.exe
O4 - HKLM\..\Run: [exe.fofmd] C:\WINDOWS\system32\dmfof.exe
O4 - HKLM\..\Run: [exe.cjsmd] C:\WINDOWS\system32\dmsjc.exe
O4 - HKLM\..\Run: [exe.bwqmd] C:\WINDOWS\system32\dmqwb.exe
O4 - HKLM\..\Run: [exe.yyxmd] C:\WINDOWS\system32\dmxyy.exe
O4 - HKLM\..\Run: [exe.pvymd] C:\WINDOWS\system32\dmyvp.exe
O4 - HKLM\..\Run: [exe.oljmd] C:\WINDOWS\system32\dmjlo.exe
O4 - HKLM\..\Run: [exe.hhcmd] C:\WINDOWS\system32\dmchh.exe
O4 - HKLM\..\Run: [exe.ieamd] C:\WINDOWS\system32\dmaei.exe
O4 - HKLM\..\Run: [exe.izamd] C:\WINDOWS\system32\dmazi.exe
O4 - HKLM\..\Run: [exe.aqomd] C:\WINDOWS\system32\dmoqa.exe
O4 - HKLM\..\Run: [exe.wyjmd] C:\WINDOWS\system32\dmjyw.exe
O4 - HKLM\..\Run: [exe.objmd] C:\WINDOWS\system32\dmjbo.exe
O4 - HKLM\..\Run: [exe.emimd] C:\WINDOWS\system32\dmime.exe
O4 - HKLM\..\Run: [exe.dpxmd] C:\WINDOWS\system32\dmxpd.exe
O4 - HKLM\..\Run: [exe.ywxmd] C:\WINDOWS\system32\dmxwy.exe
O4 - HKLM\..\Run: [exe.itrmd] C:\WINDOWS\system32\dmrti.exe
O4 - HKLM\..\Run: [exe.esfmd] C:\WINDOWS\system32\dmfse.exe
O4 - HKLM\..\Run: [exe.ljgmd] C:\WINDOWS\system32\dmgjl.exe
O4 - HKLM\..\Run: [exe.jwumd] C:\WINDOWS\system32\dmuwj.exe
O4 - HKLM\..\Run: [exe.bhbmd] C:\WINDOWS\system32\dmbhb.exe
O4 - HKLM\..\Run: [exe.zndmd] C:\WINDOWS\system32\dmdnz.exe
O4 - HKLM\..\Run: [exe.ksdmd] C:\WINDOWS\system32\dmdsk.exe
O4 - HKLM\..\Run: [exe.cdbmd] C:\WINDOWS\system32\dmbdc.exe
O4 - HKLM\..\Run: [exe.slpmd] C:\WINDOWS\system32\dmpls.exe
O4 - HKLM\..\Run: [exe.fqdmd] C:\WINDOWS\system32\dmdqf.exe
O4 - HKLM\..\Run: [exe.xovmd] C:\WINDOWS\system32\dmvox.exe
O4 - HKLM\..\Run: [exe.fzxmd] C:\WINDOWS\system32\dmxzf.exe
O4 - HKLM\..\Run: [exe.dvxmd] C:\WINDOWS\system32\dmxvd.exe
O4 - HKLM\..\Run: [exe.xbxmd] C:\WINDOWS\system32\dmxbx.exe
O4 - HKLM\..\Run: [exe.qtnmd] C:\WINDOWS\system32\dmntq.exe
O4 - HKLM\..\Run: [exe.rugmd] C:\WINDOWS\system32\dmgur.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [exe.wzdmd] C:\WINDOWS\system32\dmdzw.exe
O4 - HKLM\..\Run: [exe.kdxmd] C:\WINDOWS\system32\dmxdk.exe
O4 - HKLM\..\Run: [exe.gvfmd] C:\WINDOWS\system32\dmfvg.exe
O4 - HKLM\..\Run: [exe.jcrmd] C:\WINDOWS\system32\dmrcj.exe
O4 - HKLM\..\Run: [exe.fkymd] C:\WINDOWS\system32\dmykf.exe
O4 - HKLM\..\Run: [exe.acumd] C:\WINDOWS\system32\dmuca.exe
O4 - HKLM\..\Run: [exe.mgtmd] C:\WINDOWS\system32\dmtgm.exe
O4 - HKLM\..\Run: [exe.ezjmd] C:\WINDOWS\system32\dmjze.exe
O4 - HKLM\..\Run: [exe.ylwmd] C:\WINDOWS\system32\dmwly.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [exe.dywmd] C:\WINDOWS\system32\dmwyd.exe
O4 - HKLM\..\Run: [exe.lhbmd] C:\WINDOWS\system32\dmbhl.exe
O4 - HKLM\..\Run: [exe.ycumd] C:\WINDOWS\system32\dmucy.exe
O4 - HKLM\..\Run: [exe.rzgmd] C:\WINDOWS\system32\dmgzr.exe
O4 - HKLM\..\Run: [exe.ppfmd] C:\WINDOWS\system32\dmfpp.exe
O4 - HKLM\..\Run: [exe.hrbmd] C:\WINDOWS\system32\dmbrh.exe
O4 - HKLM\..\Run: [exe.jpqmd] C:\WINDOWS\system32\dmqpj.exe
O4 - HKLM\..\Run: [exe.sgbmd] C:\WINDOWS\system32\dmbgs.exe
O4 - HKLM\..\Run: [exe.dyqmd] C:\WINDOWS\system32\dmqyd.exe
O4 - HKLM\..\Run: [exe.ukqmd] C:\WINDOWS\system32\dmqku.exe
O4 - HKLM\..\Run: [exe.zrgmd] C:\WINDOWS\system32\dmgrz.exe
O4 - HKLM\..\Run: [exe.regmd] C:\WINDOWS\system32\dmger.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1FFAD89-C2CD-4A6E-AB39-7E05D5082814}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
By the way...what are all of these 5-letter exe's? Would they be part of the problem?

Let's go for that Panda scan. All those exe's are unfamiliar to me, but I can see some other definite problems. Save the log of the Panda scan as a txt file and post it back here for me please. Let's see if it can better identify those exe's.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Sorry to interrupt, but I got a nasty virus from the online Panda scan and because I wasn't a paid subscription holder they blew me off. I would rather do a Kaspersky or BitDefender scan if I were you. Just a bit of advice that will hopefully help
Hopefully my advice will help you...Please post back with your results....thanks

I hope it helps too. Thanks XPuser.
To anyone else or even you XP of course. Does anyone know what all those O4 entries are? All the ones beginning with "dm....exe". I've seen something like this before but the entries were all "ym...exe". I can't remember what the person did to fix this and I can't find a thread anywhere with this problem. I just wanted to know that if I start removing these viruses and some spyware programs, if these trojans will disappear or stop being written by a rogue program? I do believe that they are trojans. I can have him remove them with Hijack this and then manually delete them in safe mode afterward, but will that get rid of them? If not, what file are they associated with?
I will gladly let someone else take over here. I don't want to get into something I don't recognize and cause other problems for him.
I've tried inputting a few of the entries into:
answers that work
Greatis startup application database
pacmans startup programs list
Kephyr file database
Wintasks file database
Wintasks process library
and Windows startup online database, to come up empty handed.
Any help at all would be great here.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Thank you, Blood. I also was unable to find any info on them. That's when I decided to come to y'all. I'm sure my computer has been infected for a month or more.
On a bit of a side note...I un-installed Yahoo today because of all the probs, but I see from the Hijack log that it's still in the registry. Is it safe to remove those entries?
Sorry the Panda scan took so long. Here it is:
Incident Status Location
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Potentially unwanted tool:application/unspypc Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-4734-477F-8257-27CD04F88779}
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Charles\Cookies\charles@ads.pointroll[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Charles\Cookies\charles@as-us.falkag[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Charles\Cookies\charles@com[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Charles\Cookies\charles@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Charles\Cookies\charles@tribalfusion[1].txt
Again, Thank You for your time!

Not much in the scan really. A little odd seeing as what's in your computer. I'll stick with you and see what happens here until someone can come up with something. I'll do some more researching tonight and we can start with those viruses for now. I'll be back tomorrow with some instructions for those.
Once again, any help from anyone on this would be great.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

info:
O4's -
dm***.exe [* = random char] - Wareout - malware masquerading as a spyware and dialer remover,....
6B 69 6C 72 6F 79 20 77 61 73 20 68 65 72 65

THANK YOU BOFRA.
That hit me like a slap in the face.
I'll get a speech ready for you tomorrow Chuck. Right now, I have to go to bed. 3 am comes early.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Found some good info for now. Try this to see what happens. I have another option if it doesn't work but it involves downloading a program and I avoid that if possible unless it's something you'll use more than once.
Reboot the computer to Safe Mode (press F8 when Windows starts).
Go to Start > Settings > Control Panel> Add/Remove Programs, scroll down the list to find WareOut or WareOut Spyware Remover to uninstall WareOut.
Open a DOS command prompt window (from Start > Programs > Accessories) and enter the following commands:
cd %WinDir%\System32
regsvr32 /u hybsys32.dll
regsvr32 /u wosys32.dll
del hybsys32.dll
del wosys32.dll
Click Start > Run, type 'regedit', and click OK to open the Registry Editor.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, find and delete the entries with the following values:
ParisM, PasswdMon, ExchangeMaster, XTermInit, RtlFindVal, cnftips, Kargo, trycrt, TForm1, utsgmon, NsCplTray, ERTYDF, JAguAr, PrcIdle, utsgmon, zxc, EXE32EXE
Delete the folder %ProgramFiles%\WareOut.
Reboot the computer.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Next time anyone is not sure if a file is malicious or not, go to one of these links and upload the files in question. They will be scanned by all the market AVs.

"Once again, any help from anyone on this would be great."
I can't help but wonder: have you (ever) had much success analyzing logs?
I'm just sayin' - but it doesn't look that way (ASAP membership notwithstanding)
We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true

I see bloodhound114 has retired for the evening. Should you want to work toward removing your Wareout infection, do the following. If you would prefer, wait on him/her.
For "fixwareout" to work, as described in the paragraph below, you will need to disable Norton's script blocking after you have downloaded "fixwareout", as follows:
Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.
Please download Fixwareout from this link
http://swandog46.geekstogo.com/Fixwareout.exe
or
http://downloads.subratam.org/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Post a copy of the log located at C:\fixwareout\report.txt .
Once you have posted the log above, please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/
We will need it later in safe mode.
Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. We will need this later in safe mode.

I appreciate that, Jabuck, but I think I'm done for the night, also.
I don't think Wareout is the problem, though, and I also don't care to download MORE programs. I do have, and use, Ewido, Spybot, and Ad-ware in addition to Norton.
Following Bloodhound's instructions:
I found no Wareout in "Add or Remove".
In the command screen, "specified module could not be found" for both hybsys32.dll and wosys32.dll.
In regedit, I could not find ANY of the referenced entries...though I DID find and delete "dmoka.exe" and "dmger.exe".
Everything else in that particular reg key was legit (except "nwiz" and "Cmaudio"...I don't know what those are yet.)
Then, I ran CCleaner and deleted every issue it found in the registry except those for known products. I ran HJT again and it showed none of those dm***.exe's. In HJT, I deleted every entry for Yahoo...which I had uninstalled because it was having probs, too.
I use Yahoo to chat with my clients, so now I'm going to try to re-install it, see if it works and keep an eye out for the dreaded Norton Alert for Favadd and Howiper ("repair failed" and "access denied").
thanks again, y'all. I'll look into this thread tomorrow morning, before I head to my day job, and see what else we can get rid of!

Wareout is the problem. Should you lose your internet service in the process of trying to remove this beast, do the following:
Go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

I've submitted your Hijack log to some friends of mine with very impressive backgrounds. I/they should have something figured out by tonight.
For now, could you restart your computer and then come up with a new Hijack log for me? Not that you have to post it right away, just keep it somewhere for now.
For now I've got to go back to work for the afternoon. I'll be home in a few hours.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Can do...here ya go:
Logfile of HijackThis v1.99.1
Scan saved at 12:01:37 PM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Art Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {86C510E9-97EF-4749-914F-0280247BE3A6} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Copy and paste your file into this free HJT analyzer:
http://hijackthis.de/
and you can see most of your problems. If in doubt about what files to delete, wait till bloodhound114 or Jabuck gets back on. Hopefully my advice will help you... Please post back with your results.... Thanks

The 017's are bad, if you are not from the Ukraine.
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered
organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: abuse@inhoster.com *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: support@inhoster.com
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
mnt-ref: DAV-MNT
mnt-by: DAV-MNT
source: RIPE # Filtered
person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
source: RIPE # Filtered
person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
address: UA
phone: +357 99 117759
e-mail: support@fwebhost.com
nic-hdl: FWHS1-RIPE
source: RIPE # Filtered

Next reboot into safe mode, follow these instructions if you need them: Safe Mode
Run Hijack This from safe mode, close all windows except HT, place a check to the left of the following items and press "fix checked"
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
Exit Hijack This
Run Ewido from safe mode. When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop.
Run ATF-Cleaner in safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Reboot and post the Ewido report on your desktop.
Run fixwareout once more and post the log located at C:\fixwareout\report.txt and be sure script blocking is turned off and do not run fixwareout from safe mode.

Still waiting on that response. Until then, stick with Jabuck. He knows what he's doing. It may also be a good idea (if you haven't in the past while) to create a restore point in case something happens when we start digging in the registry. It's better to come back to a poor restore point than a non-existent one.
To Jabuck:
What are your thoughts on Blacklight, Avenger and doing some registry searches with RegSrch.vbs for Wareout? If RegSrch won't show Wareout then we may be dealing with a Bube variant. Curious on your thoughts. I haven't done much more looking since last night. I'm just going from what I've talked to a couple people about.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

I got that reply I was waiting for. They'd prefer that you run a program before they go any further. We had it pinned. It was Wareout.
The program they'd like you to run is Fix Wareout
It can also be downloaded at this alternate link
They want to make sure that Wareout is good and gone and they'd like a fresh Hijack this log afterward. Also with that, they'd like you to do a scan from Kaspersky WebScanner and return that log too.
The instructions were as follows:
Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.
If there is anything you don't understand, please ask BEFORE proceeding with the fixes.
Please ensure that you follow the instructions in the order I have them listed.
Please download FixWareout or use this alternate location.
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [exe.qhcmd] C:\WINDOWS\system32\dmchq.exe
O4 - HKLM\..\Run: [exe.zfnmd] C:\WINDOWS\system32\dmnfz.exe
O4 - HKLM\..\Run: [exe.clqmd] C:\WINDOWS\system32\dmqlc.exe
O4 - HKLM\..\Run: [exe.zspmd] C:\WINDOWS\system32\dmpsz.exe
O4 - HKLM\..\Run: [exe.ggbmd] C:\WINDOWS\system32\dmbgg.exe
O4 - HKLM\..\Run: [exe.oammd] C:\WINDOWS\system32\dmmao.exe
O4 - HKLM\..\Run: [exe.pxpmd] C:\WINDOWS\system32\dmpxp.exe
O4 - HKLM\..\Run: [exe.nsymd] C:\WINDOWS\system32\dmysn.exe
O4 - HKLM\..\Run: [exe.dzmmd] C:\WINDOWS\system32\dmmzd.exe
O4 - HKLM\..\Run: [exe.yqdmd] C:\WINDOWS\system32\dmdqy.exe
O4 - HKLM\..\Run: [exe.ndgmd] C:\WINDOWS\system32\dmgdn.exe
O4 - HKLM\..\Run: [exe.lcqmd] C:\WINDOWS\system32\dmqcl.exe
O4 - HKLM\..\Run: [exe.wkxmd] C:\WINDOWS\system32\dmxkw.exe
O4 - HKLM\..\Run: [exe.vlvmd] C:\WINDOWS\system32\dmvlv.exe
O4 - HKLM\..\Run: [exe.upwmd] C:\WINDOWS\system32\dmwpu.exe
O4 - HKLM\..\Run: [exe.xtcmd] C:\WINDOWS\system32\dmctx.exe
O4 - HKLM\..\Run: [exe.uhzmd] C:\WINDOWS\system32\dmzhu.exe
O4 - HKLM\..\Run: [exe.ihfmd] C:\WINDOWS\system32\dmfhi.exe
O4 - HKLM\..\Run: [exe.sdkmd] C:\WINDOWS\system32\dmkds.exe
O4 - HKLM\..\Run: [exe.qpamd] C:\WINDOWS\system32\dmapq.exe
O4 - HKLM\..\Run: [exe.ydlmd] C:\WINDOWS\system32\dmldy.exe
O4 - HKLM\..\Run: [exe.irbmd] C:\WINDOWS\system32\dmbri.exe
O4 - HKLM\..\Run: [exe.hkemd] C:\WINDOWS\system32\dmekh.exe
O4 - HKLM\..\Run: [exe.jtdmd] C:\WINDOWS\system32\dmdtj.exe
O4 - HKLM\..\Run: [exe.idzmd] C:\WINDOWS\system32\dmzdi.exe
O4 - HKLM\..\Run: [exe.fofmd] C:\WINDOWS\system32\dmfof.exe
O4 - HKLM\..\Run: [exe.cjsmd] C:\WINDOWS\system32\dmsjc.exe
O4 - HKLM\..\Run: [exe.bwqmd] C:\WINDOWS\system32\dmqwb.exe
O4 - HKLM\..\Run: [exe.yyxmd] C:\WINDOWS\system32\dmxyy.exe
O4 - HKLM\..\Run: [exe.pvymd] C:\WINDOWS\system32\dmyvp.exe
O4 - HKLM\..\Run: [exe.oljmd] C:\WINDOWS\system32\dmjlo.exe
O4 - HKLM\..\Run: [exe.hhcmd] C:\WINDOWS\system32\dmchh.exe
O4 - HKLM\..\Run: [exe.ieamd] C:\WINDOWS\system32\dmaei.exe
O4 - HKLM\..\Run: [exe.izamd] C:\WINDOWS\system32\dmazi.exe
O4 - HKLM\..\Run: [exe.aqomd] C:\WINDOWS\system32\dmoqa.exe
O4 - HKLM\..\Run: [exe.wyjmd] C:\WINDOWS\system32\dmjyw.exe
O4 - HKLM\..\Run: [exe.objmd] C:\WINDOWS\system32\dmjbo.exe
O4 - HKLM\..\Run: [exe.emimd] C:\WINDOWS\system32\dmime.exe
O4 - HKLM\..\Run: [exe.dpxmd] C:\WINDOWS\system32\dmxpd.exe
O4 - HKLM\..\Run: [exe.ywxmd] C:\WINDOWS\system32\dmxwy.exe
O4 - HKLM\..\Run: [exe.itrmd] C:\WINDOWS\system32\dmrti.exe
O4 - HKLM\..\Run: [exe.esfmd] C:\WINDOWS\system32\dmfse.exe
O4 - HKLM\..\Run: [exe.ljgmd] C:\WINDOWS\system32\dmgjl.exe
O4 - HKLM\..\Run: [exe.jwumd] C:\WINDOWS\system32\dmuwj.exe
O4 - HKLM\..\Run: [exe.bhbmd] C:\WINDOWS\system32\dmbhb.exe
O4 - HKLM\..\Run: [exe.zndmd] C:\WINDOWS\system32\dmdnz.exe
O4 - HKLM\..\Run: [exe.ksdmd] C:\WINDOWS\system32\dmdsk.exe
O4 - HKLM\..\Run: [exe.cdbmd] C:\WINDOWS\system32\dmbdc.exe
O4 - HKLM\..\Run: [exe.slpmd] C:\WINDOWS\system32\dmpls.exe
O4 - HKLM\..\Run: [exe.fqdmd] C:\WINDOWS\system32\dmdqf.exe
O4 - HKLM\..\Run: [exe.xovmd] C:\WINDOWS\system32\dmvox.exe
O4 - HKLM\..\Run: [exe.fzxmd] C:\WINDOWS\system32\dmxzf.exe
O4 - HKLM\..\Run: [exe.dvxmd] C:\WINDOWS\system32\dmxvd.exe
O4 - HKLM\..\Run: [exe.xbxmd] C:\WINDOWS\system32\dmxbx.exe
O4 - HKLM\..\Run: [exe.qtnmd] C:\WINDOWS\system32\dmntq.exe
O4 - HKLM\..\Run: [exe.rugmd] C:\WINDOWS\system32\dmgur.exe
O4 - HKLM\..\Run: [exe.wzdmd] C:\WINDOWS\system32\dmdzw.exe
O4 - HKLM\..\Run: [exe.kdxmd] C:\WINDOWS\system32\dmxdk.exe
O4 - HKLM\..\Run: [exe.gvfmd] C:\WINDOWS\system32\dmfvg.exe
O4 - HKLM\..\Run: [exe.jcrmd] C:\WINDOWS\system32\dmrcj.exe
O4 - HKLM\..\Run: [exe.fkymd] C:\WINDOWS\system32\dmykf.exe
O4 - HKLM\..\Run: [exe.acumd] C:\WINDOWS\system32\dmuca.exe
O4 - HKLM\..\Run: [exe.mgtmd] C:\WINDOWS\system32\dmtgm.exe
O4 - HKLM\..\Run: [exe.ezjmd] C:\WINDOWS\system32\dmjze.exe
O4 - HKLM\..\Run: [exe.ylwmd] C:\WINDOWS\system32\dmwly.exe
O4 - HKLM\..\Run: [exe.dywmd] C:\WINDOWS\system32\dmwyd.exe
O4 - HKLM\..\Run: [exe.lhbmd] C:\WINDOWS\system32\dmbhl.exe
O4 - HKLM\..\Run: [exe.ycumd] C:\WINDOWS\system32\dmucy.exe
O4 - HKLM\..\Run: [exe.rzgmd] C:\WINDOWS\system32\dmgzr.exe
O4 - HKLM\..\Run: [exe.ppfmd] C:\WINDOWS\system32\dmfpp.exe
O4 - HKLM\..\Run: [exe.hrbmd] C:\WINDOWS\system32\dmbrh.exe
O4 - HKLM\..\Run: [exe.jpqmd] C:\WINDOWS\system32\dmqpj.exe
O4 - HKLM\..\Run: [exe.sgbmd] C:\WINDOWS\system32\dmbgs.exe
O4 - HKLM\..\Run: [exe.dyqmd] C:\WINDOWS\system32\dmqyd.exe
O4 - HKLM\..\Run: [exe.ukqmd] C:\WINDOWS\system32\dmqku.exe
O4 - HKLM\..\Run: [exe.zrgmd] C:\WINDOWS\system32\dmgrz.exe
O4 - HKLM\..\Run: [exe.regmd] C:\WINDOWS\system32\dmger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1FFAD89-C2CD-4A6E-AB39-7E05D5082814}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
Click Fix Checked. Close HijackThis, and click OK to proceed. At the end of the fix, you may need to restart your computer again.
Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner
Next click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Please post back with the report.txt, Kaspersky Log and a fresh HijackThis Log. Of course you can ignore any entries that are no longer remaining in your computer seeing as you have gotten rid of them.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP
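A small triage script for HijackThis-style log lines, added here as an illustration and not a tool from this thread or from any of the helpers posting in it. It checks the three things the replies above act on: O17 NameServer entries inside the 85.255.112.0/20 range quoted from the RIPE record, O4 Run entries whose value name is the launched file name spelled backwards (as in [exe.qhcmd] dmchq.exe) or a five-letter cs/dm/jb executable of the kind fixwareout searches for, and O2 BHO entries with (no file). The sample lines are copied from the logs above plus two constructed ones for contrast (a [csarn] Run entry and a 192.168.1.1 NameServer).

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool from the thread)."""
import ipaddress
import re

# inetnum 85.255.112.0 - 85.255.127.255 from the RIPE record pasted above (a /20).
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)")
# The "five digit cs, dm and jb files" fixwareout reports on: two-letter prefix + three letters.
RANDOM_EXE_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)

# Constructed sample: lines from the thread's logs plus a made-up [csarn] Run entry
# and a made-up 192.168.1.1 NameServer so the clean path is exercised too.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [exe.qhcmd] C:\WINDOWS\system32\dmchq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [csarn] C:\WINDOWS\System32\CSARN.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1FFAD89-C2CD-4A6E-AB39-7E05D5082814}: NameServer = 192.168.1.1
"""


def launched_file(cmd: str) -> str:
    """Return the base name of the executable a Run value launches (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


def check_o17(line: str):
    """Flag an O17 entry whose NameServer list contains an address in a rogue range."""
    m = O17_RE.match(line)
    if not m:
        return None
    for raw in m.group("servers").split(","):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if any(ip in net for net in ROGUE_NETS):
            return f"DNS server {ip} is inside rogue range 85.255.112.0/20"
    return None


def check_o4(line: str):
    """Flag a Run value whose name is its file name reversed, or a cs/dm/jb five-letter exe."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, exe = m.group("name"), launched_file(m.group("cmd"))
    if name[::-1].lower() == exe.lower():
        return f"Run value name '{name}' is '{exe}' spelled backwards"
    if RANDOM_EXE_RE.match(exe):
        return f"five-letter {exe[:2].lower()}*.exe file: {exe}"
    return None


def check_o2(line: str):
    """Flag a BHO CLSID that is still registered but whose DLL is gone."""
    m = O2_RE.match(line)
    if m and m.group("path").strip().lower() == "(no file)":
        return f"orphaned BHO {{{m.group('clsid')}}} with no file on disk"
    return None


def analyze(log_text: str):
    """Return (line, reason) pairs for every suspicious entry in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        for check in (check_o17, check_o4, check_o2):
            reason = check(line)
            if reason:
                findings.append((line, reason))
                break
    return findings


if __name__ == "__main__":
    for entry, why in analyze(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```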

OK, ran fixwareout.
Then I ran HJT and fixed a lot of stuff.
I have both reports posted here.
But I had a prob with Kaspersky.
Every time I "accepted" to download the online scan and definitions, IE popped up with "error on page" and the download would not start.
Maybe it's just traffic with Kaspersky?
I'll try again in the morning and post again...if I have anything to post.
Sorry, y'all. I had a long work day and will be away for work for most of the weekend.
I WILL keep this process going. I appreciate y'all sticking with me.
Here's the fixwareout report and HJT log:
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hokmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"exe.nhomd"=-
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.exe
* csr.exe C:\WINDOWS\System32\CSARN.exe
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSARN.exe 51,207 2006-04-05
Logfile of HijackThis v1.99.1
Scan saved at 12:36:08 AM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
C:\Program Files\Messenger\msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Art Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {86C510E9-97EF-4749-914F-0280247BE3A6} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Now we're getting somewhere. We're down to a couple 02 entries and those two 017 entries. I guess I could finish from this point on but I'll let them guys take a real good look at it. I should be getting my reply some time around noon (currently 7:30). The Kaspersky scan should run but I guess if you can't get it to, we'll deal with it later. Did you turn off your real-time anti-virus scanners? You have a couple in there from Norton. Just turn off real-time scanning while Kaspersky does its thing but don't forget to re-enable it after the scan.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Download killbox to your desktop from this link: Killbox. We will need it later in safe mode.
The reason for posting the fixwareout log, as suggested in response #13 and #21, is to find all the bad files.
Run Hijack This again from safe mode and remove these items:
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
Exit Hijack This
Run Killbox from safe mode. Start Killbox, place a tick next to [x] Delete on reboot, and "Press the All Files button".
Copy this whole list into the windows clipboard, all the bolded file paths below. Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\SYSTEM32\CSARN.exe
Next in Killbox go to File > Paste from clipboard
"Click on the All Files button."
Next click on the button that has the red circle with the white X in the middle.
It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
Click Yes and let the computer reboot. If the computer does not automatically reboot just restart it manually.
Run fixwareout once more and post its log, being sure that Norton's script blocking and any real time protection for antispyware tools is also turned off.
In case your hosts file has been damaged download "Hoster" from this link to your desktop: Hoster. Open it and click "Restore Microsoft's Original Host File". Then exit Hoster.
If you have System Restore turned on you will need to purge it.
For instructions on how to purge system restore click Here
To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.
Try the Kaspersky scan again.
Do a Google search for "spywareblaster" and install it, then be sure to update it; best antispyware tool out there.

I just got my reply back and it looks like Jabuck is on the right track (which I didn't doubt of course). I'll leave this with you as a reference.
One question for Jabuck: How did you come up with this line:
C:\WINDOWS\SYSTEM32\CSARN.exe
Reply is as follows.
Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.
Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Downloads
Please download Cleanup! (http://cleanup.stevengould.org) or use this Alternate
Link (http://www.greyknight17.com/spy/CleanUp.exe) if the main link does not
work and install it. You will use this later.
I see you already have Ewido. Please update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually
update Ewido (http://www.ewido.net/en/download/updates/).
When you have finished updating, EXIT Ewido.
Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" tab and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK, press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does
not make backups. If you have any documents or programs that are saved in any
Temporary Folders, please make a backup of these BEFORE running CleanUp! If you
have a 64 bit Operating System do NOT run Cleanup and let me know as we will use
another utility.
Reboot
Reboot your system in Safe Mode.
Restart the computer. The computer begins processing a set of instructions
known as BIOS.
After hearing your computer beep once during startup, but before the Windows
icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.
HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you
do not miss any)
O2 - BHO: (no name) - {86C510E9-97EF-4749-914F-0280247BE3A6} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE7782B-0322-4D1B-B6CB-4F7994981210}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA4E274E-9792-4B33-84D7-7EABA57186EF}: NameServer = 85.255.114.196,85.255.112.149
Please remember to close all other windows, including browsers then click Fix checked.
File Deletions
Please delete these files - (if you haven't already) only the files - if they still exist.
C:\WINDOWS\system32\dmchq.exe
C:\WINDOWS\system32\dmnfz.exe
C:\WINDOWS\system32\dmqlc.exe
C:\WINDOWS\system32\dmpsz.exe
C:\WINDOWS\system32\dmbgg.exe
C:\WINDOWS\system32\dmmao.exe
C:\WINDOWS\system32\dmpxp.exe
C:\WINDOWS\system32\dmysn.exe
C:\WINDOWS\system32\dmmzd.exe
C:\WINDOWS\system32\dmdqy.exe
C:\WINDOWS\system32\dmgdn.exe
C:\WINDOWS\system32\dmqcl.exe
C:\WINDOWS\system32\dmxkw.exe
C:\WINDOWS\system32\dmvlv.exe
C:\WINDOWS\system32\dmwpu.exe
C:\WINDOWS\system32\dmctx.exe
C:\WINDOWS\system32\dmzhu.exe
C:\WINDOWS\system32\dmfhi.exe
C:\WINDOWS\system32\dmkds.exe
C:\WINDOWS\system32\dmapq.exe
C:\WINDOWS\system32\dmldy.exe
C:\WINDOWS\system32\dmbri.exe
C:\WINDOWS\system32\dmekh.exe
C:\WINDOWS\system32\dmdtj.exe
C:\WINDOWS\system32\dmzdi.exe
C:\WINDOWS\system32\dmfof.exe
C:\WINDOWS\system32\dmsjc.exe
C:\WINDOWS\system32\dmqwb.exe
C:\WINDOWS\system32\dmxyy.exe
C:\WINDOWS\system32\dmyvp.exe
C:\WINDOWS\system32\dmjlo.exe
C:\WINDOWS\system32\dmchh.exe
C:\WINDOWS\system32\dmaei.exe
C:\WINDOWS\system32\dmazi.exe
C:\WINDOWS\system32\dmoqa.exe
C:\WINDOWS\system32\dmjyw.exe
C:\WINDOWS\system32\dmjbo.exe
C:\WINDOWS\system32\dmime.exe
C:\WINDOWS\system32\dmxpd.exe
C:\WINDOWS\system32\dmxwy.exe
C:\WINDOWS\system32\dmrti.exe
C:\WINDOWS\system32\dmfse.exe
C:\WINDOWS\system32\dmgjl.exe
C:\WINDOWS\system32\dmuwj.exe
C:\WINDOWS\system32\dmbhb.exe
C:\WINDOWS\system32\dmdnz.exe
C:\WINDOWS\system32\dmdsk.exe
C:\WINDOWS\system32\dmbdc.exe
C:\WINDOWS\system32\dmpls.exe
C:\WINDOWS\system32\dmdqf.exe
C:\WINDOWS\system32\dmvox.exe
C:\WINDOWS\system32\dmxzf.exe
C:\WINDOWS\system32\dmxvd.exe
C:\WINDOWS\system32\dmxbx.exe
C:\WINDOWS\system32\dmntq.exe
C:\WINDOWS\system32\dmgur.exe
C:\WINDOWS\system32\dmdzw.exe
C:\WINDOWS\system32\dmxdk.exe
C:\WINDOWS\system32\dmfvg.exe
C:\WINDOWS\system32\dmrcj.exe
C:\WINDOWS\system32\dmykf.exe
C:\WINDOWS\system32\dmuca.exe
C:\WINDOWS\system32\dmtgm.exe
C:\WINDOWS\system32\dmjze.exe
C:\WINDOWS\system32\dmwly.exe
C:\WINDOWS\system32\dmwyd.exe
C:\WINDOWS\system32\dmbhl.exe
C:\WINDOWS\system32\dmucy.exe
C:\WINDOWS\system32\dmgzr.exe
C:\WINDOWS\system32\dmfpp.exe
C:\WINDOWS\system32\dmbrh.exe
C:\WINDOWS\system32\dmqpj.exe
C:\WINDOWS\system32\dmbgs.exe
C:\WINDOWS\system32\dmqyd.exe
C:\WINDOWS\system32\dmqku.exe
C:\WINDOWS\system32\dmgrz.exe
C:\WINDOWS\system32\dmger.exe
Run Ewido
Run Ewido with its updated definitions (...it's important that all windows must be closed)
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with Ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save Report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.
NOTE: The Ewido scan will require at least an hour.

Reboot
Reboot your system in Normal Mode.

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan
(http://www.pandasoftware.com/products/activescan.htm)
Click on the "Free To Use ActiveScan" located on the top right hand corner.
1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it*
2. Enter your e-mail address, country, and state & click Scan Now. *The download of the 8 MB Panda ActiveX control will take place*
Begin the scan by selecting My Computer.
If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on See report, then click Save report.
*You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan.

Logs required
Ewido Log
Panda Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems.

Stick with Jabuck, he'll have you fixed right up.
Proud member of Alliance of Security Analysis Professionals since 2005. ASAP

Thanks, Blood. Sorry for the late post.
Y'all were right, must have been Wareout. No more internet problems. I haven't re-installed the instant messenger, so I don't know the performance for that, yet. Serves me right for second-guessing y'all.
I'm going to try the cleaning in those last posts and get back with y'all with results.
Thanks again!

WOW! It's nice to see an empty Ewido log!
ewido anti-malware - Scan report
+ Created on: 9:18:04 PM, 5/7/2006
+ Report-Checksum: 24C88F79

+ Scan result:
No infected objects found.
::Report End
Here, though, is a BIG "but wait..." from Panda:
Incident | Status | Location
Adware:adware/cws | Not disinfected | c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Potentially unwanted tool:application/unspypc | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-4734-477F-8257-27CD04F88779}
I tried to do a Kaspersky scan, but still couldn't.

Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:48:10 PM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Art Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCI\SSPCICfg.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
Nothing illegit is running...that I can tell.
Of course, I've been wrong before.

Take a look if y'all can, please. What do y'all think? Am I clean?
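
Reading a HijackThis log by eye, as done throughout this thread, comes down to two habits: spotting families of look-alike names (the earlier log's run of dmdtj.exe, dmzdi.exe, dmfof.exe and so on in system32) and pausing on entries a helper always asks about (a BHO with no name, a service with no publisher string, a Run entry that is a bare filename). The script below is an added example, not code from this thread or from HijackThis, that applies those two habits mechanically. The sample log is constructed from a few lines of the two logs posted above, the "dm" clustering rule (same directory, same two-letter prefix, same length, three or more members) is an assumed heuristic, and everything it reports is a "look at this" item, not a verdict: the (no name) BHO it flags below is Spybot's SDHelper.dll, which is legitimate.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the two HijackThis 1.99.1 logs
# posted in this thread, not either log in full.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dmdtj.exe
C:\WINDOWS\system32\dmzdi.exe
C:\WINDOWS\system32\dmfof.exe
C:\Program Files\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - ")


def parse_hjt(text):
    """Split a HijackThis log into the process list and the numbered O-entries."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return {"processes": processes, "entries": entries}


def random_name_clusters(processes, min_count=3):
    """Group all-letter .exe basenames by (directory, two-letter prefix, length).

    A generated family like dmdtj.exe / dmzdi.exe / dmfof.exe shares a directory,
    a prefix and a length but nothing else; hand-named binaries (smss.exe,
    svchost.exe) do not pile up that way. Assumed heuristic, not a verdict.
    """
    groups = defaultdict(list)
    for path in processes:
        directory, _, name = path.rpartition("\\")
        stem, _, ext = name.lower().rpartition(".")
        if ext != "exe" or not stem.isalpha() or len(stem) < 4:
            continue
        groups[(directory.lower(), stem[:2], len(stem))].append(name)
    return [(key, names) for key, names in groups.items() if len(names) >= min_count]


def review_items(entries):
    """Flag O-entries a helper would ask about before calling the log clean."""
    flagged = []
    for section, line in entries:
        if section == "O2" and "(no name)" in line:
            flagged.append(("BHO with no name; check the DLL path", line))
        elif section == "O23" and "Unknown owner" in line:
            flagged.append(("service with no publisher string; verify the binary", line))
        elif section == "O4":
            m = re.search(r"\] (.*)$", line)
            cmd = m.group(1).strip() if m else ""
            # A bare filename is resolved via the search path rather than a fixed location.
            if not re.match(r'^"?[A-Za-z]:\\', cmd):
                flagged.append(("Run entry with a bare filename, resolved via the search path", line))
    return flagged


def triage(text):
    """Run both checks over one log and return the findings."""
    parsed = parse_hjt(text)
    return {
        "clusters": random_name_clusters(parsed["processes"]),
        "review": review_items(parsed["entries"]),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for (directory, prefix, length), names in findings["clusters"]:
        print("%d look-alike names in %s: %s" % (len(names), directory, ", ".join(names)))
    for reason, line in findings["review"]:
        print("review: %s\n    %s" % (reason, line))
```

Run against the second log in this thread, the cluster check returns nothing, which is the mechanical version of "nothing illegit is running"; the review list still names SDHelper.dll, the two Adobe services and the bare-name Run entries, all of which you resolve by checking the path and publisher rather than by deleting them.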

Use Killbox just as you did in response #26 and delete this CoolWebSearch file:
c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Then do this registry edit to remove the unspypc registry key:
Copy everything between the x's below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Regedit4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-4734-477F-8257-27CD04F88779}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then double-click on the fix.reg file, and when it prompts to merge say Yes, and this will clear the registry entry.
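
The whole fix above rests on one character: the "-" inside the square brackets is what makes regedit delete the CmdMapping key instead of creating it, and a .reg file can also set or delete individual values ("name"=... and "name"=-) under whatever key was last opened. Since these files are copied out of forum posts and merged with a double-click, it is worth checking what a fix.reg actually does before saying Yes. The script below is an added example, not from this thread or from any Microsoft tool: it classifies each line of a .reg file and reports anything beyond the key deletions you intended. The posted fix.reg is reconstructed from its two lines; the "missing minus" and "overreaching" variants are constructed here, and the parser's acceptance of both header forms regardless of case is its own choice, not a statement about regedit.

```python
import re

CMDMAPPING_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-4734-477F-8257-27CD04F88779}"

# The fix.reg from the post above, reconstructed from its two lines.
POSTED_FIX = "Regedit4\n[-" + CMDMAPPING_KEY + "]\n"

# Constructed variant: the same file with the '-' dropped, so the key is created, not deleted.
MISSING_MINUS = "Regedit4\n[" + CMDMAPPING_KEY + "]\n"

# Constructed variant: a "fix" that also opens another key and sets a value there.
OVERREACHING = POSTED_FIX + "\n[HKEY_CURRENT_USER\\Software\\Example]\n\"Foo\"=\"bar\"\n"

HEADERS = ("regedit4", "windows registry editor version 5.00")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Classify each line of a .reg file as delete_key, create_key, delete_value
    or set_value. Raises ValueError for a missing header or an unknown line."""
    lines = text.splitlines()
    first = next((l for l in lines if l.strip()), "")
    if first.strip().lower() not in HEADERS:
        raise ValueError("missing or unrecognised header: %r" % first)
    actions, current_key = [], None
    for raw in lines:
        line = raw.strip()
        if not line or line.lower() in HEADERS or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            # The leading '-' inside the brackets is the only thing that makes this a deletion.
            actions.append(("delete_key" if m.group(1) else "create_key", current_key))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2).strip()
            target = current_key + "\\" + (name if name == "@" else name.strip('"'))
            actions.append(("delete_value" if data == "-" else "set_value", target))
            continue
        raise ValueError("cannot classify line: %r" % raw)
    return actions


def audit_fix(text, intended_deletions):
    """Return a list of problems with a fix.reg that is supposed to do nothing
    except delete the given keys; an empty list means it matches."""
    try:
        actions = parse_reg(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    intended = {k.lower() for k in intended_deletions}
    deleted = {t.lower() for a, t in actions if a == "delete_key"}
    for action, target in actions:
        if action == "delete_key" and target.lower() not in intended:
            problems.append("deletes a key you did not intend: " + target)
        elif action != "delete_key":
            problems.append("%s is not a deletion: %s" % (action, target))
    for key in intended - deleted:
        problems.append("intended deletion is missing: " + key)
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


if __name__ == "__main__":
    for label, content in (("posted", POSTED_FIX), ("missing minus", MISSING_MINUS), ("overreaching", OVERREACHING)):
        print(label, "->", audit_fix(content, [CMDMAPPING_KEY]) or "OK")
```

Before merging a fix like this one, export the key first (reg export "HKCU\Software\Microsoft\Internet Explorer\extensions\CmdMapping" backup.reg) so the change can be reversed if the wrong entry goes; the audit tells you what the file will do, the export gives you a way back.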
