
Thread: Win32:Small-EK [Trj], Win32:Adan-094 [Adw]

    #1 Junior Member (Join Date: Jun 2006; Posts: 6)

    Win32:Small-EK [Trj], Win32:Adan-094 [Adw]

    Anyone can help getting rid of this nasty thing? every 5 min or so my computer tries to download some files containing those 2 mentioned in the message title. Avast stops them but it still annoys the hell out of me.
    Here is my hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:10:33 PM, on 30/06/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\PC-TV\WinManager\WinManager.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {B32B69F1-02B7-A715-8EDA-55D6471B121A} - XTermInit.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dflnl.exe] C:\WINNT\system32\dflnl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [EXE32EXE] SysEntry.exe
    O4 - HKLM\..\Run: [barint] SetupExeDll.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [mdydm.exe] C:\WINNT\system32\mdydm.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
    O4 - HKCU\..\Run: [bhoserv] nmdllw.exe
    O4 - HKCU\..\Run: [JAguAr] xsetup.exe
    O4 - HKCU\..\Run: [zantu] Trayz.exe
    O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{594444A1-0193-46C0-A4E7-DA85D8ED075F}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B750E90-5DFC-4837-B3FF-878278547A0E}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D0372996-9328-4B7B-9F85-AC58CE7DD1A9}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E904CB-77E4-443D-815E-7B176A3E5BCB}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    #2 pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, you are a victim of hijackers in the Ukraine.
    See this: http://whois.domaintools.com/85.255.115.51 My first suggestion is to stay offline as much as possible; they do have access to your computer.

    Turn off Microsoft AntiSpyware, it will stop changes we must make:
    Open Microsoft AntiSpyware.
    Click on Tools, Settings.
    In the left pane, click on Real-time Protection.
    Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
    Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
    After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
    Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
    You may want to review this information, but wait until we are done to do any downloading I do not request:
    http://russelltexas.com/malware/defender.htm


    Thanks to LonnyRJones, Swandog46, AutoDad and any others who helped with this fix.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

    (hold those logs until the end of the instructions)

    Now let's check some settings on your system.
    (2000/XP) Only
    In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.
    Next Go start run type cmd and hit OK
    type
    ipconfig /flushdns
    then hit enter, type exit hit enter
    (that space between g and / is needed)

    _____________________________________________

    (some items may be gone, don't be concerned, just don't miss any)

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - URLSearchHook: (no name) - {B32B69F1-02B7-A715-8EDA-55D6471B121A} - XTermInit.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [dflnl.exe] C:\WINNT\system32\dflnl.exe
    O4 - HKLM\..\Run: [EXE32EXE] SysEntry.exe
    O4 - HKLM\..\Run: [barint] SetupExeDll.exe
    O4 - HKLM\..\Run: [mdydm.exe] C:\WINNT\system32\mdydm.exe
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
    O4 - HKCU\..\Run: [bhoserv] nmdllw.exe
    O4 - HKCU\..\Run: [JAguAr] xsetup.exe
    O4 - HKCU\..\Run: [zantu] Trayz.exe
    (Next two are resource wasters associated with Alexa; if you don't use Alexa, get rid of them)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{594444A1-0193-46C0-A4E7-DA85D8ED075F}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B750E90-5DFC-4837-B3FF-878278547A0E}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D0372996-9328-4B7B-9F85-AC58CE7DD1A9}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E904CB-77E4-443D-815E-7B176A3E5BCB}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Enable hidden files & folders; reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    (you will need to search for the ones with no location)

    nmdllw.exe <<< file

    SysEntry.exe <<< file

    SetupExeDll.exe <<< file

    Trayz.exe <<< file

    xsetup.exe <<< file

    C:\WINNT\system32\dflnl.exe <<< file

    C:\WINNT\system32\mdydm.exe <<< file

    C:\Program Files\KillAndClean\ <<< folder

    C:\Windows\Prefetch\ >>> delete the contents (s)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html

    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues), you will be prompted to back up before you can remove anything; make sure you do.

    restart the computer and post C:\fixwareout\report.txt, a new HJT log and any comments you think will help. How is the computer running now?

    Thanks...pskelley
    Safer Networking Forums
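
    The pattern pskelley is reading out of the log above (the same two static NameServer addresses pushed into every Tcpip interface key and into the global Parameters key, plus Run entries that are bare filenames with no directory) can be triaged mechanically. The script below is an added example, not part of this thread or of HijackThis: it parses HJT-format lines and flags those three things. The sample log is a constructed subset of the log in post #1 with one made-up clean O17 line for contrast, and the trusted-network list, function names and the "no directory means suspicious" heuristic are my own assumptions.

```python
"""Triage a HijackThis (HJT) log for the DNS-hijack pattern seen in this thread.

Added example, not part of the original thread or of HijackThis. It parses
HJT-format lines and flags:
  * O17 NameServer entries that point at resolvers outside trusted networks
    (a DHCP-configured home box normally has no static NameServer at all),
  * O4 Run entries whose command is a bare filename with no directory
    (the "SysEntry.exe" / "nmdllw.exe" style entries in the log above),
  * entries HJT reports as "(file missing)".
"""
import ipaddress
import re

# Assumed default trust: RFC 1918 and loopback. Pass your ISP's resolvers too
# when you know them; anything else configured statically deserves a look.
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.+)$")
_O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_MISSING = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)\(file missing\)\s*$")

# Constructed sample: a handful of lines taken from the log in post #1 above,
# plus one made-up clean O17 line (LAN router as resolver) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B32B69F1-02B7-A715-8EDA-55D6471B121A} - XTermInit.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dflnl.exe] C:\WINNT\system32\dflnl.exe
O4 - HKLM\..\Run: [EXE32EXE] SysEntry.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bhoserv] nmdllw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""


def _first_token(cmd: str) -> str:
    """Return the executable part of an HJT O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def find_rogue_nameservers(log_text: str, trusted=DEFAULT_TRUSTED):
    """Return [(registry_key, [untrusted resolver IPs])] for O17 entries."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for line in log_text.splitlines():
        m = _O17.match(line.strip())
        if not m:
            continue
        # HJT prints per-interface values comma-separated and the global
        # Parameters value space-separated; accept both.
        servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
        rogue = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                rogue.append(s)  # not an IP at all: still worth a look
                continue
            if not any(ip in n for n in nets):
                rogue.append(s)
        if rogue:
            hits.append((m.group("key"), rogue))
    return hits


def find_pathless_run_entries(log_text: str):
    """Return [(hive, name, exe)] for O4 Run entries with no directory.

    This is a triage list, not a verdict: a few legitimate Windows entries
    (mobsync.exe, internat.exe in the log above) are also registered by bare
    name, so the analyst still has to locate each file and check its origin.
    """
    hits = []
    for line in log_text.splitlines():
        m = _O4_RUN.match(line.strip())
        if not m:
            continue
        exe = _first_token(m.group("cmd"))
        if exe and "\\" not in exe and ":" not in exe:
            hits.append((m.group("hive"), m.group("name"), exe))
    return hits


def find_file_missing_entries(log_text: str):
    """Return [(section, text)] for lines HJT marked '(file missing)'."""
    out = []
    for line in log_text.splitlines():
        m = _MISSING.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("rest").strip(" -")))
    return out


def triage(log_text: str, trusted=DEFAULT_TRUSTED) -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "rogue_nameservers": find_rogue_nameservers(log_text, trusted),
        "pathless_run": find_pathless_run_entries(log_text),
        "file_missing": find_file_missing_entries(log_text),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

    Run it against a pasted log and the O17 hits come out first; the same two addresses repeating across every interface GUID and the global Parameters key is what distinguishes a hijack from a user who once typed in a public resolver by hand. Note that the O23 avast! lines in the log above also carry "(file missing)" because HJT 1.99.1 mis-parses a quoted service path, so that third list needs the same manual look as the pathless Run entries.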

    #3 Junior Member (Join Date: Jun 2006; Posts: 6)

    hi pskelley

    Thanks for looking into it. I've just finished running Fixwareout and am posting the logs as requested (Fixwareout log in the attached file).

    Logfile of HijackThis v1.99.1
    Scan saved at 12:07:16 PM, on 1/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\PC-TV\WinManager\WinManager.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {B32B69F1-02B7-A715-8EDA-55D6471B121A} - XTermInit.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\{094662EF-5F26-48F4-A1AA-0F29A43AC6D0}.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\{094662EF-5F26-48F4-A1AA-0F29A43AC6D0}.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [EXE32EXE] SysEntry.exe
    O4 - HKLM\..\Run: [barint] SetupExeDll.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [fduxb.exe] C:\WINNT\system32\fduxb.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
    O4 - HKCU\..\Run: [bhoserv] nmdllw.exe
    O4 - HKCU\..\Run: [JAguAr] xsetup.exe
    O4 - HKCU\..\Run: [zantu] Trayz.exe
    O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{594444A1-0193-46C0-A4E7-DA85D8ED075F}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B750E90-5DFC-4837-B3FF-878278547A0E}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D0372996-9328-4B7B-9F85-AC58CE7DD1A9}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E904CB-77E4-443D-815E-7B176A3E5BCB}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O17 - HKLM\System\CS2\Services\Tcpip\..\{43565C60-53C2-4B2D-BD85-9125E5E8F00B}: NameServer = 85.255.115.51,85.255.112.187
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.51 85.255.112.187
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    #4 pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Thanks for returning the information. Please do not attach logs, rather copy and paste them, thanks.

    The creator of Fixwareout is interested in a file that may be on your computer. Before you start the removal process, would you search for: C:\WINNT\system32\fduxb.exe
    If it is present, then go here: http://www.thespykiller.co.uk/forum/...p?action=forum
    You do not need to register, just look for "Uploads" and follow those simple directions...thanks

    Your Java program is out of date: C:\Program Files\Java\j2re1.4.2_11\ Please use the instructions in the following link to update to the newest version before you pick up another bad infection through that security breach.
    http://forums.spybot.info/showpost.p...80&postcount=2

    Changes have just been made in the fix. Please remove all of Fixwareout from your computer, then redownload it from the same links and do the complete fix again, thanks.

    This fix, which works all of the time, has totally failed. When this happens it is almost always because procedures were not followed exactly. The complete infection is still in your log. I would like you to read over the instructions a couple of times, then, making sure you have no distractions, do the complete fix again. This time communicate any issues you have as you run the fix.

    Make sure you turn Microsoft AntiSpyware off until you are done; it may very well be blocking your progress. Instructions were posted earlier.

    Thanks...
    Last edited by pskelley; 2006-07-01 at 15:39.

    #5 Junior Member (Join Date: Jun 2006; Posts: 6)

    hi there

    Yeah it didn't work. The only thing I forgot to do is run the ipconfig /flushdns. I'm going to go through the whole procedure again now. Will let you know. Thanks

    #6 Junior Member (Join Date: Jun 2006; Posts: 6)

    I think it worked now, thank god. HijackThis log below.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:56:23 PM, on 1/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\PC-TV\WinManager\WinManager.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    6

    Default

...and the Fixwareout log. By the way, what do you think the "other suspects" files in my C:\WINNT\system32 directory are? Should I delete them?
I'm pretty sure they were not there before.


    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5371775ED646-47F9-F3E4-C816-D6338C69{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4ED406397E7F-671A-7824-87F5-5454E89B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D3A1E181FFF9-4A3B-1A34-C410-7B469E27{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}97023996F372-5C7A-B034-FD46-769D2C8F{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D162A1C50348-3CB9-EA54-D0F0-9315AC73{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}02F4D81A40C7-7C88-17E4-4790-4BB8C65C{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7C850C1F08D-36B8-6D54-E7C1-4C1B43CA{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B0EF6F1AA46A-AC9A-C5E4-8E03-D6976459{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C5802B05A39D-F68A-2754-1FB7-FD4EDB5B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}641B5656779D-D80A-B0A4-CC3F-9F338CC5{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9BE64F410924-D44B-7184-070F-805DF165{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}95A88B64D02A-756A-0D34-99A9-EDB84A58{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F2E1B68ADD27-F298-9EB4-7039-FD491547{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71C7D2C8C939-F70B-42C4-1286-8D17FE87{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6833F7981EEC-1DBB-5F74-C39D-A579160B{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B225E00CE23B-E298-8E24-F25F-16EE8795{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D7CC45757303-9ACB-C384-FD9F-1740BE84{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C91073BFFAD6-C288-5514-EFA5-A28BA5D2{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}039DAEFE05F4-BF5B-10E4-411F-FD551606{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C6C95F53C54-2658-81B4-080C-0FBEE58C{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28E6C90B8684-47BB-5604-5112-9A87E708{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}68223A7460BD-40B8-9294-8343-88334601{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1094985FCDE1-00D8-AE24-B544-1A6135F3{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CBC227D42E7-358A-FFC4-4B64-FA6BED6A{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C55A2E6A0D78-422A-BBE4-C84C-51FA55E3{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8C45091BD4EE-B43B-C5B4-FA0C-0AA7C665{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF03877DDDC5-672A-96D4-9855-0B5DDAAC{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF33DFDE3FE8-7689-3664-F88A-2C24EFA2{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}543E88691BB6-F42A-AC74-6238-74A2930F{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E541394AA1F-4039-D0E4-C37F-7B3995E0{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D3962D7B7B9-1AE9-A594-F939-99614F41{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C696C9B3D914-3CF8-4F64-BA99-94667F13{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DDF7E4788D3A-2A79-7EB4-1679-9F210C4D{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AC0487CD0EF4-51F8-6A64-FA66-ED5DB790{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C75FDAC7B4C-06D9-3CA4-9386-8F7295C3{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1BAC4CE7676C-FF89-0DA4-D1FD-DE5FE195{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}37307CC8B8A9-5588-47C4-101E-A2ACAE24{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E17D08EF6DE-C9DA-A624-9360-2397A64D{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}19CE24DC8B58-097A-42B4-3CBC-EF80BD47{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}83B373CB6B5F-5D6B-CE94-5D0A-B9B11A1A{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C85C1E664012-64E9-06C4-E14F-BB1A0289{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B68A2F874D46-355B-BE24-B15E-0F9FF05C{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C3708C5F622-5919-11D4-1BA4-9EAB8DE6{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "mtpte.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINNT\System32\CSCZN.EXE
    * csr.exe C:\WINNT\System32\CSTJB.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINNT\SYSTEM32\CSCZN.EXE 51,211 2006-06-28
    C:\WINNT\SYSTEM32\CSTJB.EXE 51,211 2006-07-01
    Other suspects
    Directory of C:\WINNT\system32
    {6ED8BAE9-4AB1-4D11-9195-226F5C8073C6}.exe
    {C50FF9F0-E51B-42EB-B553-64D478F2A86B}.exe
    {9820A1BB-F41E-4C60-9E46-210466E1C58C}.exe
    {A1A11B9B-A0D5-49EC-B6D5-F5B6BC373B38}.exe
    {74DB08FE-CBC3-4B24-A790-85B8CD42EC91}.exe
    {D46A7932-0639-426A-AD9C-ED6FE80D71E1}.exe
    {42EACA2A-E101-4C74-8855-9A8B8CC70373}.exe
    {591EF5ED-DF1D-4AD0-98FF-C6767EC4CAB1}.exe
    {3C5927F8-6839-4AC3-9D60-C4B7CADF57C7}.exe
    {097BD5DE-66AF-46A6-8F15-4FE0DC7840CA}.exe
    {D4C012F9-9761-4BE7-97A2-A3D8874E7FDD}.exe
    {31F76649-99AB-46F4-8FC3-419D3B9C696C}.exe
    {14F41699-939F-495A-9EA1-9B7B7D2693D8}.exe
    {0E5993B7-F73C-4E0D-9304-F1AA493145E6}.exe
    {F0392A47-8326-47CA-A24F-6BB19688E345}.exe
    {566C7AA0-C0AF-4B5C-B34B-EE4DB19054C8}.exe
    {3E55AF15-C48C-4EBB-A224-87D0A6E2A55C}.exe
    {A6DEB6AF-46B4-4CFF-A853-7E24D722CBC0}.exe
    {3F5316A1-445B-42EA-8D00-1EDCF5894901}.exe
    {10643388-3438-4929-8B04-DB0647A32286}.exe
    {807E78A9-2115-4065-BB74-4868B09C6E82}.exe
    {C85EEBF0-C080-4B18-8562-45C35F59C6C2}.exe
    {606155DF-F114-4E01-B5FB-4F50EFEAD930}.exe
    {2D5AB82A-5AFE-4155-882C-6DAFFB37019C}.exe
    {48EB0471-F9DF-483C-BCA9-30375754CC7D}.exe
    {5978EE61-F52F-42E8-892E-B32EC00E522B}.exe
    {B061975A-D93C-47F5-BBD1-CEE1897F3386}.exe
    {78EF71D8-6821-4C24-B07F-939C8C2D7C17}.exe
    {745194DF-9307-4BE9-892F-72DDA86B1E2F}.exe
    {85A48BDE-9A99-43D0-A657-A20D46B88A59}.exe
    {561FD508-F070-4817-B44D-429014F46EB9}.exe
    {5CC833F9-F3CC-4A0B-A08D-D9776565B146}.exe
    {B5BDE4DF-7BF1-4572-A86F-D93A50B2085C}.exe
    {9546796D-30E8-4E5C-A9CA-A64AA1F6FE0B}.exe
    {AC34B1C4-1C7E-45D6-8B63-D80F1C058C7C}.exe
    {C56C8BB4-0974-4E71-88C7-7C04A18D4F20}.exe
    {37CA5139-0F0D-45AE-9BC3-84305C1A261D}.exe
    {F8C2D967-64DF-430B-A7C5-273F69932079}.exe
    {72E964B7-014C-43A1-B3A4-9FFF181E1A3D}.exe
    {B98E4545-5F78-4287-A176-F7E793604DE4}.exe
    {4917CCD6-CD50-4F75-9D40-684A327A4616}.exe
    {3877191D-4EFC-4923-ACE6-ECC6A56FF53F}.exe
    {9B71578D-E435-4763-92AB-1A15A00B982B}.exe
    {E45A0F91-6726-41B1-A758-893353D9EBF7}.exe
    {A9D7D5E6-245F-4222-B6EA-29D632EA9D9C}.exe
    {E40349B7-4EAF-4AAA-9225-57DC84C33D7A}.exe
    {2F3B41C6-38AB-4BF5-8503-1FCB063CB30E}.exe
    {80C2EA62-2039-42E5-B7D0-48D09988F8B6}.exe
    {E338ED1E-682A-45A8-9F8F-5A14066B38F7}.exe
    {591B8D19-AF00-4149-9267-90013810E373}.exe
    {65A6D22E-E27A-43D9-BBCF-F56643F19624}.exe
    {DFA7D327-13AE-462A-A96B-594C5988C59D}.exe
    {B179DCAA-A611-4727-AF95-833323368236}.exe
    {E5EF7EF2-2852-448C-A627-74E7AF8C45BA}.exe
    {AB69C0F2-D87D-442E-9719-1DE603EC8B78}.exe
    {ADDD1745-CB95-45ED-BC67-0826F7233ABF}.exe
    {03DDC2EE-38E8-433B-95B2-D2D9D01F10B4}.exe
    {38FED392-908A-4161-A4A9-98FE8D90B796}.exe
    {3A77DE4D-14F3-48EF-BDBF-FDDA262E4537}.exe
    {FE589216-0893-44DB-A5FB-176AAD3D9C0C}.exe
    {AE7D241B-3C74-447E-B2E2-C3E2709CD33B}.exe
    {5EC51C5C-9844-4B65-BBED-873472149C5B}.exe
    {63AF5934-4C93-4D2A-A892-D7C6A15B1C88}.exe
    {7E3265DF-A939-48B3-9260-5A5FDA32D4AA}.exe
    {7C6C263B-74C0-4492-A419-3C7BFC5D132C}.exe
    {39986D85-2C70-4F43-94E9-6C951BA54440}.exe
    {C2CA3957-A1FF-4A42-B4AA-FC350B9C7370}.exe
    {D7B7532A-33F8-44BD-ABEC-664CA7DF9119}.exe
    {CA2E3885-7CC6-4C59-BDB3-AB153C42D756}.exe
    {46ED5A67-E094-4BCC-9EFB-2B27F2079DB3}.exe
    {34A7D8C0-6E6B-4475-8096-A04CE2D25B99}.exe
    {DEA5EA34-7309-4931-8706-AD56A079EA42}.exe
    {80798094-3FEC-4601-BB11-13D1CF74991F}.exe
    {F1763FBF-1C99-4E00-91B5-5E1A699AAE0C}.exe
    {9B6F7921-DC3D-4323-A574-D69BCC6AF1C5}.exe
    {7AF768A7-01B7-4C87-A0D1-17DC7C285E2D}.exe
    {48E8C102-1DF6-427D-A74A-962F7C3B6A26}.exe
    {D29C2E83-ADB0-4D00-8149-B657E33FCCEE}.exe
    {36B7DC1A-F13F-4F1C-8592-DEB4590332E2}.exe
    {6AEA7043-A168-48D8-8429-826DA9189363}.exe
    {68AB273F-CB6D-49F5-AD8B-E60ED8B4F447}.exe
    {4C2EC82D-9EC5-4019-93A8-529E5AE0C088}.exe
    {76287959-68E9-44A7-AB4C-E9DE19E03BBB}.exe
    {1FC74BD6-746C-451B-8211-C147EC639478}.exe
    {56AD2FBC-579A-47B4-9C8B-78CA8F73CCD9}.exe
    {03AA8FFF-67C3-440D-84FF-B59E6CAE1C93}.exe
    {9895DC64-7D32-41E3-BF61-B2FB3CCB3FE5}.exe
    {67B72864-384F-4BBD-BA63-2D6EE9C459B3}.exe
    {34E1C37F-C079-403C-AF12-6EB412FC9CBB}.exe
    {5C2689D0-7041-4614-93DF-B27910C8A344}.exe
    {9F170F45-CF3C-4C4D-AB25-8502DD0FC92A}.exe
    {05FA6B21-143A-4B3E-ABF8-0BFAF0729ACB}.exe
    {E3B9BC5A-A601-41D1-BE63-29E47D8F139B}.exe
    {0AFCB813-4722-4F16-90D9-141DB0B08C8F}.exe
    {C9B648A5-4B59-4D1F-A65E-6904DC80DFA9}.exe
    {0909DD6F-7D47-467F-BC07-18250BCBACA7}.exe
    {F79CAD71-3F78-46C0-A48A-DAEC8EB75E93}.exe
    {5E88A5F2-4CCB-4062-9FF9-3EEF3C7D2FC0}.exe
    {5123D23F-0DE7-415B-9F54-75116B986F2D}.exe
    {C4085278-D372-4D89-9B14-3703DA7D7FD8}.exe
    {AF9B42AA-AD61-4474-92CB-9C131AF57911}.exe
    {B9038D5A-ED3A-4D2D-855A-66E59DD60B8D}.exe
    {FC269B0C-AADE-4295-83AB-715779073E10}.exe
    {B0FCF24D-F4E0-4E4B-A632-79BB03F14116}.exe
    {412349A3-3E38-47AA-8BCF-02592670C7F3}.exe
    {70A59B3D-1979-4D55-934C-272587A13FEF}.exe
    {D20195DF-9233-41C6-8A1F-D52830040773}.exe
    {F8DD102E-19EE-447F-89ED-2B7228E9D03B}.exe
    {1DC72627-CE31-483F-8F36-0C90300F06A6}.exe
    {4B16AC65-EB91-4EF9-8709-A1ACA4EFC75F}.exe
    {0240D6A9-C7D9-45E5-AF01-5806C1F1BB12}.exe
    {7D383264-A742-4A24-A75D-1A76690852FF}.exe
    {104B80DF-1D17-434D-897A-6AEA6A0C7907}.exe
    {9AAD320A-6996-4062-AD01-9397B79727A6}.exe
    {548713F2-85D2-4440-BFD5-5A858C5DD23B}.exe
    {A7B64F05-3558-40F4-945B-90A8EA0304E2}.exe
    {457A82C1-0F1E-4D8F-A5DB-1DF6E30CE101}.exe
    {ABBCFDE8-BED2-4E3C-B552-1817D5A8B307}.exe
    {6751BDF3-C3F1-4E82-8B89-F17694292990}.exe
    {94A7F79A-7DDC-47E5-896D-664B020AA76B}.exe
    {2E349077-C036-421A-B669-6A2F06D3115C}.exe
    {88BF3E0B-714A-4AA1-9CEC-B5B5342B37EC}.exe
    {7F91BF9E-F1A1-48FA-A8F1-FA1AD8FDB363}.exe
    {1B76F539-528D-46EC-8762-E566FEC804B9}.exe
    {ADE343D5-D9B9-4658-9BDD-A8D716D81737}.exe
    {EB4DFFC5-7B11-4D86-B70B-1E7C593AC29E}.exe
    {60FFA022-C794-4531-A2F8-084F6E2ABF6A}.exe
    {6C20E973-9159-47DB-AF5B-67073ACD4ED8}.exe
    {B421A9A0-CA94-4405-9EC3-3689075CEF8B}.exe
    {1CD6E3D1-4FD8-4F76-BF6C-ACB54D145612}.exe
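
The Fixwareout report above is easier to read once you notice two things it does not say out loud: the leaf names under `...\CurrentVersion\ruins\` and `...\CurrentVersion\Urls\` are stored backwards (reverse `}5371775ED646-47F9-F3E4-C816-D6338C69{` and you get a well-formed GUID; reverse `swen`, `eno`, `llun`, `ruof`, `evif` and you get `news`, `one`, `null`, `four`, `five`), and the two `cs???.exe` files it lists have the identical size 51,211 bytes, which is what you would expect from one binary dropped repeatedly under random names. The following triage script is an added example for this thread, not code from the original post, from Fixwareout or from its author; it parses a handful of lines constructed from the report posted above, decodes the reversed key names, collects the `"name"=-` Run-value deletions (the `=-` form is .reg syntax for deleting a value), applies Fixwareout's own five-letter cs/dm/jb and `{GUID}.exe` naming heuristics, and groups flagged files by size. The function and variable names are the example's own. It flags files for hashing and scanning; it deletes nothing, which is the right default for the "other suspects" list, as the reply below says.

```python
"""Triage helper for a Fixwareout-style report (added example; names and
heuristics are this example's own, not the tool's)."""
import re
from collections import defaultdict

# Sample lines constructed from the report posted in this thread.
SAMPLE_REPORT = r"""Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5371775ED646-47F9-F3E4-C816-D6338C69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
Random Runs removed from HKLM
"mtpte.exe"=-
Search five digit cs, dm and jb files
C:\WINNT\SYSTEM32\CSCZN.EXE 51,211 2006-06-28
C:\WINNT\SYSTEM32\CSTJB.EXE 51,211 2006-07-01
Other suspects
Directory of C:\WINNT\system32
{6ED8BAE9-4AB1-4D11-9195-226F5C8073C6}.exe
ipsec6.exe
"""

GUID_BODY = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
GUID_RE = re.compile(r"^\{" + GUID_BODY + r"\}$", re.I)
GUID_EXE_RE = re.compile(r"^\{" + GUID_BODY + r"\}\.exe$", re.I)
# Five-character names starting cs, dm or jb, as Fixwareout's own section
# header describes; legitimate files can match, so this only flags.
FIVE_LETTER_RE = re.compile(r"^(?:cs|dm|jb)[a-z]{3}\.exe$", re.I)
SIZED_FILE_RE = re.compile(r"^(\S+\.exe)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2})$", re.I)
# "name"=- is the .reg-file form for deleting a value.
RUN_REMOVED_RE = re.compile(r'^"([^"]+)"=-$')


def decode_reversed(leaf):
    """Reverse a registry leaf name; the ruins/Urls entries read backwards."""
    return leaf[::-1]


def triage(report):
    """Classify each report line; returns lists of findings, deletes nothing."""
    out = {"reversed_keys": [], "run_entries_removed": [],
           "five_letter_files": [], "guid_exes": [], "other_files": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            leaf = line.rsplit("\\", 1)[-1]
            decoded = decode_reversed(leaf)
            # (as written, decoded form, whether the decoded form is a GUID)
            out["reversed_keys"].append((leaf, decoded, bool(GUID_RE.match(decoded))))
            continue
        m = RUN_REMOVED_RE.match(line)
        if m:
            out["run_entries_removed"].append(m.group(1))
            continue
        m = SIZED_FILE_RE.match(line)
        if m:
            path, size, date = m.groups()
            name = path.rsplit("\\", 1)[-1]
            if FIVE_LETTER_RE.match(name):
                out["five_letter_files"].append((path, int(size.replace(",", "")), date))
            else:
                out["other_files"].append(path)
            continue
        if GUID_EXE_RE.match(line):
            out["guid_exes"].append(line)
        elif line.lower().endswith(".exe"):
            out["other_files"].append(line)
    return out


def same_size_groups(files):
    """Group flagged files by byte size. Identical sizes under random names
    usually mean one binary copied repeatedly; confirm with a hash before
    treating them as the same sample."""
    groups = defaultdict(list)
    for path, size, _date in files:
        groups[size].append(path)
    return {size: paths for size, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for leaf, decoded, is_guid in result["reversed_keys"]:
        print(f"{leaf!r:45} -> {decoded!r} guid={is_guid}")
    print("Run values removed:", result["run_entries_removed"])
    print("cs/dm/jb files:", result["five_letter_files"])
    print("same-size groups:", same_size_groups(result["five_letter_files"]))
    print("{GUID}.exe names:", len(result["guid_exes"]))
    print("other .exe (scan before deciding):", result["other_files"])
```

Run it as-is to see the decoded `ruins` key come out as `{96C8336D-618C-4E3F-9F74-646DE5771735}`; to use it on your own report, replace `SAMPLE_REPORT` with the file contents. The `other_files` bucket is deliberately left for a scanner such as the ones linked below, since Fixwareout's own note warns that legitimate files (its example is `ipsec6.exe`) land in the same listing.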

  8. #8
In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

Sorry, I had to get some breakfast. Yeah, you got it that time, good job my friend. Were you able to upload that file for Lonny?

    I would like to look at the Fixwareout report from that last run and if you would, update your ewido, run a complete system scan and post the results for me, we will make sure nothing is lurking.

    Update that Java program, many folks are getting some bad infections in through that open door.

    C:\Program Files\Gadu-Gadu\gg.exe <<< is that really Polish instant messaging?

    Make sure you update to Windows Defender, it's free and I think they stopped updating MAS.

    Give me the Fixwareout report and the ewido scan report and I will have some important closing information and get you on your way.

    Oops, now I only need the ewido scan results. The files you are asking about, I could not comment without looking at each one. You can use these free online scans to find out, don't want to remove something you need:

    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

Scan these too, I believe they can go.

    C:\WINNT\System32\CSCZN.EXE
    C:\WINNT\System32\CSTJB.EXE

    Thanks...Phil
    Last edited by pskelley; 2006-07-01 at 16:30.

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    6

    Default

    Hi Phil,

    Sorry I haven't been in touch.
    Thank you and the others for your help. You guys are very good, I'm glad I've subscribed. Keep up the good work in helping other people.

    I did run ewido right after applying the fix and it picked up a few nasty things, which I put in quarantine. Unfortunately there is no report, but there are 3 strange files in Quarantine. If you want to have a look I can attach them.

Yes, Gadu-Gadu is Polish. I am of Polish origin living in Australia.

    Cheers

    Marek.

  10. #10
In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

G'day Marek, thanks for the feedback. I can't be sure you are clean of the Wareout infection without the reports I requested.
If you have files in quarantine (ewido), once you allow a little time to make sure removing them did not affect your computer, you can open the quarantine folder and delete the contents.

I'll have to say, without seeing the reports, if your computer is running OK: here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://boards.cexx.org/viewtopic.php?t=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Safe surfing...tashi will close your topic in a few days.

    Cheers...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
