Author Topic: Can't delete Trojan Viruses  (Read 2526 times)

Offline Keeno

  • Newbie
Can't delete Trojan Viruses
« on: January 14, 2006, 07:48:41 AM »
AVG keeps warning me about 3 different trojan horse viruses, for example Trojan horse Clicker.FR, but says access to the file is denied when I try to delete them.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:58, on 14/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{385B2D7D-6238-4B57-9934-F03B9D1A61F9}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACAFD24E-B751-4BDE-A749-167B481F2ED2}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{C80EAFD5-6D80-45A4-9D0E-43C71144A62A}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CS2\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Hopefully someone can help.

Thanks.

Offline guestolo

  • Administrator
Can't delete Trojan Viruses
« Reply #1 on: January 15, 2006, 10:50:24 PM »
Can you do the following please

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file on your Desktop for reference, or print them out!


Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.  Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin; follow the prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Do a System Scan Only, and check the following items:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{385B2D7D-6238-4B57-9934-F03B9D1A61F9}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACAFD24E-B751-4BDE-A749-167B481F2ED2}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{C80EAFD5-6D80-45A4-9D0E-43C71144A62A}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214
O17 - HKLM\System\CS2\Services\Tcpip\..\{030547D9-CCBA-4AC7-978C-872EF6AE744C}: NameServer = 85.255.116.39,85.255.112.214

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in Safe Mode
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

In safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Reboot back to Normal mode
Back in Windows

Can I see the following please

1. Post a fresh hijackthis log
2. Post the full report from Ewido
3. Post the report.txt from fixwareout in the following location
C:\fixwareout\report.txt

NOTE: Only if you are having troubles connecting to the internet after doing any of the above, please do the following
Go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Keeno

  • Newbie
Can't delete Trojan Viruses
« Reply #2 on: January 20, 2006, 08:43:08 AM »
Logfile of HijackThis v1.99.1
Scan saved at 13:40:26, on 20/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crifx.exe] C:\WINDOWS\System32\crifx.exe
O4 - HKLM\..\Run: [dmgft.exe] C:\WINDOWS\System32\dmgft.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


 
Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\uulmd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSESW.EXE
C:\WINDOWS\SYSTEM32\LOGO_S~1.EXE
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool


---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         13:19:11, 20/01/2006
 + Report-Checksum:      8242E31

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
   :mozilla.20:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.22:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.23:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
   :mozilla.35:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.65:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.66:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.67:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.73:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.74:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.76:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
   :mozilla.78:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.80:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.81:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.107:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
   :mozilla.116:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.117:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.135:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.136:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.151:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.153:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.154:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.155:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.156:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.157:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.160:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.161:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.162:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.169:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.170:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.172:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.178:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.179:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.181:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.188:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.200:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.203:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.204:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.211:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.212:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.213:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.219:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.220:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.222:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.223:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.243:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.244:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.246:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.249:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.250:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.257:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.258:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.263:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.264:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.271:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   :mozilla.272:C:\Documents and Settings\DK\Application Data\Mozilla\Firefox\Profiles\q2cq93d0.Default Users\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\80DEEC72-D96A-471F-8676-9BAC02\EBD965FC-D87D-48FD-B605-D3F943 -> Spyware.SBSoft : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\B5D6A76C-191E-4BD4-BAD6-E9717D\C7E21437-0273-474C-A0D5-1ADD6B -> Spyware.SBSoft : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\CD79150E-AFD3-4463-A735-3A2632\B1D2D0C2-CCEF-4633-A368-4F6919 -> Spyware.SBSoft : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\dk@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\dk@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\dk@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\dk@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\dk@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\WINDOWS\system32\csesw.exe -> Downloader.Agent.uj : Cleaned with backup
   C:\WINDOWS\system32\dflnl.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\WINDOWS\system32\dmyxd.exe -> Trojan.DNSChanger.aw : Cleaned with backup
   C:\WINDOWS\system32\ld9EC8.tmp -> Downloader.Zlob.dh : Cleaned with backup
   C:\WINDOWS\system32\logo_small.exe -> Downloader.Small.bwx : Cleaned with backup


::Report End

Thanks.

Offline guestolo

Can't delete Trojan Viruses
« Reply #3 on: January 20, 2006, 09:29:38 AM »
You waited too long to post back; you still have some bad entries in your log.

Save these instructions to notepad or Print them out

Can you do the following again:
Make sure that Microsoft's anti-spyware protections are disabled
Delete your copy of FixWareout.exe and also open "MyComputer"
Double click to open LocalDisc C:
Delete the fixwareout folder

Redownload FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.  Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin; follow the prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Do a System Scan Only, and check the following items:

O4 - HKLM\..\Run: [crifx.exe] C:\WINDOWS\System32\crifx.exe
O4 - HKLM\..\Run: [dmgft.exe] C:\WINDOWS\System32\dmgft.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer again
Back in Windows
Don't open a browser yet, instead

Go to START>>Run>>type in cmd
Hit OK
At the prompt type the following
ipconfig /flushdns
Hit ENTER

Can I see the following please:

1. Post a fresh hijackthis log
2. Post the report.txt from fixwareout in the following location
C:\fixwareout\report.txt

NOTE: Only if you are having troubles connecting to the internet after doing any of the above, please do the following
Go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.
« Last Edit: January 20, 2006, 09:35:54 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Keeno

Can't delete Trojan Viruses
« Reply #4 on: January 24, 2006, 08:12:47 AM »
This site keeps giving me error pages when I try to get on the forum. I have been able to after following your instructions each time. I had to get someone else to get your instructions both times though.

Logfile of HijackThis v1.99.1
Scan saved at 13:07:54, on 24/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [dmuzu.exe] C:\WINDOWS\System32\dmuzu.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 
Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\alamd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool

By the way, two of the items you instructed me to check were not in the HijackThis log. I could only check the one that was there.

Thanks.

Offline guestolo

Can't delete Trojan Viruses
« Reply #5 on: January 24, 2006, 08:09:25 PM »
Can you do the following please

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [dmuzu.exe] C:\WINDOWS\System32\dmuzu.exe


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Access your add/remove programs via control panel and remove if found
SaveNow <<--or similar
WhenU Search

Reboot your computer
Back in Windows

Find and delete this file if found
C:\WINDOWS\System32\dmuzu.exe <-this file
and this folder
C:\Program Files\VVSN <--this folder

Download and Install Spybot 1.4 from
HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check the boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process

Come back here and post a fresh hijackthis log, let me know how things are running



Offline Keeno

Can't delete Trojan Viruses
« Reply #6 on: January 30, 2006, 12:19:05 PM »
Logfile of HijackThis v1.99.1
Scan saved at 17:17:02, on 30/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmcui.exe] C:\WINDOWS\System32\dmcui.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

AVG has detected the same original viruses a couple of times but I've been able to delete them.

Offline guestolo

Can't delete Trojan Viruses
« Reply #7 on: January 31, 2006, 06:39:00 PM »
Still waiting too long to post back

Can you do the following again
Delete Fixwareout.exe and then navigate to
C:\fixwareout
Delete the fixwareout folder

download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop
But DON'T run it yet

Print the rest of these instructions or save them to a text file on the desktop
Close This browser window
Open your task manager and ensure to end process on iexplore.exe if running

Find and delete this file
C:\WINDOWS\System32\dmcui.exe <-this file
Make sure that after you delete that file you don't open any browser windows

Double click to run FixWareout.exe
 Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin
You must allow the fix to access the Internet if Sygate prompts you
Follow all other prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Scan, and check the following items (if they appear):


O4 - HKLM\..\Run: [dmcui.exe] C:\WINDOWS\System32\dmcui.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214


If you see a new item that wasn't in your last log in the O4 section of HijackThis, five-letters long, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.


Then click Fix Checked. Close HijackThis, and click OK to proceed.

Back at your desktop

Post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
« Last Edit: February 03, 2006, 01:59:37 PM by guestolo »



Offline ericgu

Can't delete Trojan Viruses
« Reply #8 on: February 03, 2006, 01:06:49 PM »
HELP ME TOO PLEASE!

<LOG REMOVED>
« Last Edit: February 03, 2006, 01:31:43 PM by guestolo »

Offline guestolo

Can't delete Trojan Viruses
« Reply #9 on: February 03, 2006, 01:14:20 PM »
ericgu, can you please start your own topic
We're not done with this log yet, this will confuse the issue if you post in this thread



Offline ericgu

Can't delete Trojan Viruses
« Reply #10 on: February 03, 2006, 06:46:04 PM »
Yeah, sorry about that. Don't know where to post it though.

I've started your own post
You can find it HERE
The topic title is called
ericgu's Hijackthis log
<guestolo>
« Last Edit: February 03, 2006, 07:55:34 PM by guestolo »

Offline monkeeman

Can't delete Trojan Viruses
« Reply #11 on: February 06, 2006, 04:24:23 PM »
Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\climd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool


Logfile of HijackThis v1.99.1
Scan saved at 21:20:40, on 06/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmour.exe] C:\WINDOWS\System32\dmour.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe




Keeno can't get on this forum and asked me to post this for him.

Many thanks.

Offline guestolo

Can't delete Trojan Viruses
« Reply #12 on: February 06, 2006, 05:01:38 PM »
It's important that he follows these instructions exactly as posted
Have him print it out or save the instructions
or the infection will remain

Close all instances of Internet Explorer or any other browsers that are open

I asked him to disable Microsoft AntiSpyware realtime protections
Here are the instructions again; remember, if this is not done
there may be interference and the fixes we try may be for naught
Quote
Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Search for and delete this file if found
C:\WINDOWS\System32\dmour.exe <-this file

You may have to set Windows to show hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Double click to run FixWareout.exe.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin.
You must allow the fix to access the Internet if Sygate prompts you.
Follow all other prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Scan, and check the following items (if they appear):


O4 - HKLM\..\Run: [dmour.exe] C:\WINDOWS\System32\dmour.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214


If you see a new item that wasn't in your last log in the O4 section of HijackThis, five-letters long, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.
Then click Fix Checked. Close HijackThis, and click OK to proceed.


As you can see right now, the entry we are after is
O4 - HKLM\..\Run: [dmour.exe] C:\WINDOWS\System32\dmour.exe
which is located between these entries in the HijackThis log:
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe

If a new entry is found in the log, it will probably still be between those 2 lines in the log
Fix the entry if it looks like the bad guy we're after

Back at your desktop

Post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

NOTE: The fix must be done as requested or it will be a stubborn one to fix
If he misses a step, it probably will not work

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
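As an added example (not code from the thread, from FixWareout or from HijackThis): a small Python checker that applies the two indicators guestolo describes above to HijackThis log lines, a five-letter Run entry starting with dm, hg or cs, and an O17 NameServer line that points at resolvers outside an allowlist. The allowlist addresses are constructed placeholders; the sample lines are copied from the log posted in this thread.

```python
import re
import ipaddress

# Indicators described in the thread: a five-letter Run entry whose name
# starts with dm, hg or cs, and an O17 line that hard-codes DNS resolvers.
SUSPECT_RUN_NAME = re.compile(r"^(dm|hg|cs)[a-z]{3}\.exe$", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_NS = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")

# Constructed allowlist (hypothetical addresses): the resolvers an admin
# expects to see, e.g. the ISP's or the corporate DNS servers.
EXPECTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmour.exe] C:\WINDOWS\System32\dmour.exe
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
"""

def check_hijackthis_log(text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return (line, reason) pairs for log lines that match either indicator."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m and SUSPECT_RUN_NAME.match(m.group("name")):
            findings.append((line, "five-letter dm/hg/cs Run entry: " + m.group("name")))
            continue
        m = O17_NS.match(line)
        if not m:
            continue
        # Flag the first resolver that is not one we expect, or a bad value.
        for token in re.split(r"[ ,]+", m.group("servers").strip()):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((line, "unparsable NameServer value " + repr(token)))
                break
            if addr not in expected_resolvers:
                findings.append((line, "hard-coded resolver not in allowlist: " + str(addr)))
                break
    return findings

if __name__ == "__main__":
    for line, reason in check_hijackthis_log(SAMPLE_LOG):
        print(reason, "->", line)
```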


Offline Keeno

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Can't delete Trojan Viruses
« Reply #13 on: February 12, 2006, 03:56:29 PM »
This is the first time I've been able to access this forum for a while, I keep getting an error message.

 Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\oaimd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Logfile of HijackThis v1.99.1
Scan saved at 18:01:14, on 09/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


I deleted the file dmiao, which was between the two you mentioned. Thanks

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Can't delete Trojan Viruses
« Reply #14 on: February 12, 2006, 04:04:35 PM »
Before you disappear again
Do this Right NOW!
Do a "System scan only" with Hijackthis and put a check next to these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{540B86B5-01C5-486A-9CDB-93269286A50D}: NameServer = 85.255.116.39 85.255.112.214


After you have ticked the above entry, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot your computer

Back in windows
Post a fresh hijackthis log

NOTE: Only if you are having trouble connecting to the internet after doing any of the above, please do the following:
Go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Can't delete Trojan Viruses
« Reply #15 on: March 05, 2006, 04:48:40 PM »
Since the user has not returned, this topic is locked.
