PDA

View Full Version : I need help removing a pop up window and hijacked browser


KuriousOranj
2007-01-03, 04:38
I keep getting a pop up window saying that win32res.exe is sending private information and asking me to download malware. I have tried AVG anti-virus, Vundo fix, CWShredder, Spybot search and destroy and I still keep getting it. I no longer use Internet Explorer because it was hijacked (the home page keeps reverting to theonlybookmark.com). I am using Mozilla now, and I have Spybot, Lavasoft search ad , AVG anti-virus, and Outpost firewall. this is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 12:28:35 PM, on 1/3/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\Program Files\Win32waex\mstss32wa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theonlybookmark.com/in.cgi?15
R3 - URLSearchHook: (no name) - {9DB1D003-875A-8114-66A5-7E95C2C615F7} - keybdll.dll (file missing)
R3 - URLSearchHook: (no name) - {634B2723-BAF4-108E-E8C6-E77619B77D53} - FLKPT.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\oem\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SysMon Class - {D5EFDB0E-4F51-414F-B740-54A5C87A8957} - C:\DOCUME~1\oem\LOCALS~1\Temp\accute.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mstss] C:\Program Files\Win32waex\mstss32wa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [Recoveru systems] C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A64B1D-B313-4166-AF3D-6EEE541B2E7C}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E2002F-7584-4012-9D42-4447FA843EF4}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O20 - AppInit_DLLs: C:\WINNT\System32\win_314.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\System32\frlxh.dll (file missing)
O21 - SSODL: PlKjZEDly - {056F19F7-AFC5-B35D-F911-3A9E4C4D8FCD} - C:\WINNT\System32\blvdjx.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINNT\System32\jlkma32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINNT\System32\msasvc.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Mr_JAk3
2007-01-03, 08:02
Hi KuriousOranj and welcome to the Forums :)

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but I can't promise that we can get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:
KuriousOranj
2007-01-03, 08:25
Thanks for your reply mr. jak 3. I already changed all my passwords about three weeks ago and I don't log into any email accounts from this computer. Luckidly, I never do banking through the internet. If possible, I would like to clean it as much as possible. I understand that you can't guarantee that it would be 100% clean but I want to try at least. Reformatting my OS would be my last option as it would mean losing a lot of programs and files.
Mr_JAk3
2007-01-03, 17:12
Hi again, I'll be happy to help you with the cleaning :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

:bigthumb:
KuriousOranj
2007-01-04, 03:35
This is the SDFix report. I will post the new HJT and Fix wareout reports soon.


SDFix: Version 1.53
****************

Thu 01/04/2007 - 11:21:53.44

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

MsaSvc

File Path:

C:\WINNT\System32\msasvc.exe

MsaSvc Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\UIHUY.EXE
C:\DOCUME~1\OEM\LOCALS~1\TEMP\MAXDD1~1.GAM
C:\DOCUME~1\oem\LOCALS~1\Temp\hdw9E.tmp
C:\DOCUME~1\oem\LOCALS~1\Temp\temp_4214039.bat
C:\WINNT\system32\drivers\etc\hosts.tim

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINNT\system32
No streams found.
Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!. Rootkit scan Needed...

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\arcldr.exe
C:\arcsetup.exe
C:\PAGEFILE.SYS
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS
C:\WINNT\Temp\$_2341235.TMP
C:\Documents and Settings\oem\Local Settings\Temp\$b17a2e8.tmp

FINISHED!
KuriousOranj
2007-01-04, 03:54
Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csmeo.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23lserspg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ifpnxesm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ibpnxesm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23rtcdool
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23naelch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lserspg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tnmgfcc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\21ipart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\dnerkbrgfc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1dedoc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llams_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\domdnb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\orcimlh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\emvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tset
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
C:\WINNT\System32\{6B5913F6-3B32-4190-BCFA-1F40EE7F1D23}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...


Logfile of HijackThis v1.99.1
Scan saved at 11:52:03 AM, on 1/4/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Win32waex\mstss32wa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {9DB1D003-875A-8114-66A5-7E95C2C615F7} - keybdll.dll (file missing)
R3 - URLSearchHook: (no name) - {634B2723-BAF4-108E-E8C6-E77619B77D53} - FLKPT.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\oem\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SysMon Class - {D5EFDB0E-4F51-414F-B740-54A5C87A8957} - C:\DOCUME~1\oem\LOCALS~1\Temp\accute.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mstss] C:\Program Files\Win32waex\mstss32wa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Recoveru systems] C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A64B1D-B313-4166-AF3D-6EEE541B2E7C}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E2002F-7584-4012-9D42-4447FA843EF4}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O20 - AppInit_DLLs: C:\WINNT\System32\win_314.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\System32\frlxh.dll (file missing)
O21 - SSODL: PlKjZEDly - {056F19F7-AFC5-B35D-F911-3A9E4C4D8FCD} - C:\WINNT\System32\blvdjx.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINNT\System32\jlkma32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
KuriousOranj
2007-01-04, 04:17
Mr. Jak 3,
Also perhaps I should mention that my firewall keeps picking attempts to establish contact with 85.225.112.226, which seems to be operating in the Ukraine. When I log in to the internet, there are lots of Outbound messages towards that ISP.
Mr_JAk3
2007-01-04, 18:05
Hi :)


Also perhaps I should mention that my firewall keeps picking attempts to establish contact with 85.225.112.226, which seems to be operating in the Ukraine. When I log in to the internet, there are lots of Outbound messages towards that ISP.One of the infections you have is causing this. We'll get rid of it..

Okay you have another rootkit there too...

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
KuriousOranj
2007-01-05, 01:23
Thank you you so much for your help. These are the 3 reports:
************************* Rustock.b-fix -- By ejvindh *************************
Fri 01/05/2007 9:12:19.44

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\oqoqrqnc

*******************

Script file located at: \??\C:\Documents and Settings\pabcwsnh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:26 AM, on 1/5/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\NOTEPAD.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Win32waex\mstss32wa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {9DB1D003-875A-8114-66A5-7E95C2C615F7} - keybdll.dll (file missing)
R3 - URLSearchHook: (no name) - {634B2723-BAF4-108E-E8C6-E77619B77D53} - FLKPT.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\oem\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SysMon Class - {D5EFDB0E-4F51-414F-B740-54A5C87A8957} - C:\DOCUME~1\oem\LOCALS~1\Temp\accute.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mstss] C:\Program Files\Win32waex\mstss32wa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Recoveru systems] C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A64B1D-B313-4166-AF3D-6EEE541B2E7C}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E2002F-7584-4012-9D42-4447FA843EF4}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O20 - AppInit_DLLs: C:\WINNT\System32\win_314.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\System32\frlxh.dll (file missing)
O21 - SSODL: PlKjZEDly - {056F19F7-AFC5-B35D-F911-3A9E4C4D8FCD} - C:\WINNT\System32\blvdjx.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINNT\System32\jlkma32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Mr_JAk3
2007-01-05, 07:54
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

mstss32wa.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings with eg Spybot S&D.
R3 - URLSearchHook: (no name) - {9DB1D003-875A-8114-66A5-7E95C2C615F7} - keybdll.dll (file missing)
R3 - URLSearchHook: (no name) - {634B2723-BAF4-108E-E8C6-E77619B77D53} - FLKPT.dll (file missing)
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\oem\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SysMon Class - {D5EFDB0E-4F51-414F-B740-54A5C87A8957} - C:\DOCUME~1\oem\LOCALS~1\Temp\accute.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [mstss] C:\Program Files\Win32waex\mstss32wa.exe
O4 - HKCU\..\Run: [Recoveru systems] C:\DOCUME~1\oem\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A64B1D-B313-4166-AF3D-6EEE541B2E7C}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E2002F-7584-4012-9D42-4447FA843EF4}: NameServer = 85.255.115.30,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.30 85.255.112.226
O20 - AppInit_DLLs: C:\WINNT\System32\win_314.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINNT\System32\frlxh.dll (file missing)
O21 - SSODL: PlKjZEDly - {056F19F7-AFC5-B35D-F911-3A9E4C4D8FCD} - C:\WINNT\System32\blvdjx.dll (file missing)
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINNT\System32\jlkma32.dll (file missing)

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINNT\System32\{6B5913F6-3B32-4190-BCFA-1F40EE7F1D23}.exe
C:\WINNT\System32\win_314.dll
C:\WINNT\System32\frlxh.dll
C:\WINNT\System32\blvdjx.dll
C:\WINNT\System32\jlkma32.dll

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Win32waex

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this: csmeo.exe and let me know if you can find it.



When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
KuriousOranj
2007-01-05, 17:29
Jak 3, I couldn't find csmeo.exe. These are the results from the AVG report and the HJT report. Thank you so much for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 1:25:33 AM, on 1/6/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theonlybookmark.com/in.cgi?15
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe










---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:16:33 AM 1/6/2007

+ Scan result:



C:\WINNT\zim880ud.exe -> Adware.BestSearch : Cleaned with backup (quarantined).
C:\Recycled\Dc391.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Recycled\Dc340.exe -> Backdoor.Small.nk : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/maxdd1.game -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\unzipped\hijackthis\backups\backup-20070106-001756-895.dll -> Downloader.Small.aul : Cleaned with backup (quarantined).
C:\FOUND.030\FILE0038.CHK -> Not-A-Virus.Constructor.Perl.Msdds.b : Cleaned with backup (quarantined).
C:\Recycled\Dc264.txt -> TrackingCookie.2o7 : Cleaned.
C:\Recycled\Dc329.txt -> TrackingCookie.Addynamix : Cleaned.
C:\Recycled\Dc288.txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Recycled\Dc286.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.29:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.48:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.49:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.52:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.53:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.54:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.55:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.56:C:\Documents and Settings\oem\Application Data\Mozilla\Firefox\Profiles\yz3qsv0h.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Recycled\Dc284.txt -> TrackingCookie.Sextracker : Cleaned.
C:\Recycled\Dc332.txt -> TrackingCookie.Sextracker : Cleaned.
C:\Recycled\Dc345.txt -> TrackingCookie.Sextracker : Cleaned.


::Report end
KuriousOranj
2007-01-05, 18:10
I did another search for "csmeo.exe" and found files that contained the text but not the file named "csmeo.exe". The files were: RegGNTCVWL-Global which is in the Sypbot-search and destroy/ snapshots folder. And also 9E082EE0d01 ,
6C249297d01, 9A0F3805d01, 2887940Cd01 in the Mozilla cache files. And in the Fixwareout report.
Mr_JAk3
2007-01-05, 20:08
Hi, gooood job :)

Looks like the csmeo doesn't exist anymore...
How is the computer running at the moment ?

One more scan:

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)
KuriousOranj
2007-01-06, 14:02
Jak 3, my computer seems to be working fine. The firewall does pick up what it terms as attack detections, attempts to connect trough ports 6346 and 3967. I don't know if this is normal, I thought maybe it's coming from port scanners. Anyway, aside from that, everything seems to be normal this is the Blacklight log.

fsbl-20070107055645

01/06/07 21:56:45 [Info]: BlackLight Engine 1.0.55 initialized
01/06/07 21:56:45 [Info]: OS: 5.0 build 2195 ()
01/06/07 21:56:45 [Note]: 7019 4
01/06/07 21:56:45 [Note]: 7005 0
01/06/07 21:56:56 [Note]: 7006 0
01/06/07 21:56:56 [Note]: 7011 900
01/06/07 21:56:56 [Note]: 7026 0
01/06/07 21:56:57 [Note]: 7026 0
01/06/07 21:57:09 [Note]: FSRAW library version 1.7.1021


I have a question, do you think it would be a good idea to completely uninstall explorer? Thank you for all your help! I really appreciate it!
KuriousOranj
2007-01-06, 14:48
There's one more thing maybe I should mention. In the DNS cache of the firewall, I still find a few suspicious entries, for example greeng.biz and biznes-expert.biz. Before something in my computer kept trying to connect with those websites but I would instruct the firewall not to allow it.
KuriousOranj
2007-01-06, 15:12
There's one more thing maybe I should mention. In the DNS cache of the firewall, I still find a few suspicious entries, for example greeng.biz and biznes-expert.biz. Before something in my computer kept trying to connect with those websites but I would instruct the firewall not to allow it.

By this I meant before I had those programs removed yesterday. Now it seems fine and the Pop up window is gone. It was just that I still saw those web addresses appearing in the DNS cache of the firewall. The computer is working much much better than before.
Mr_JAk3
2007-01-06, 15:31
Ok good, looks clean now :)

You have a few leftovers from Symantec running, we'll get rid of those.
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to Symantec Password Validation (ccPwdSvc)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Scroll down to Symantec SPBBCSvc (SPBBCSvc)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; ccPwdSvc
Answer Yes
Press Delete an NT service again.
Copy the following line to the box and press OK; SPBBCSvc
Answer Yes
Close HIjackThis
Then the first priority is to visit Windows Update (http://windowsupdate.microsoft.com) and get your system updated
-> Install important updates, the latest service pack for win 2000 is 4
(NOTE: You'll propably have to reboot and get back to the update several times before all of them are installed)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
KuriousOranj
2007-01-07, 14:30
Thank you for all your help! I really appreciate the time you devoted to help me. I tried to follow your instructions and I was able to disable the Symantec Password Validation and Symantec SPBBCSvc but when I tried to delete them through HijackTHis, I wasn't allowed to. I hope it's ok and that it doesn't make much of a difference.
Mr_JAk3
2007-01-07, 18:30
Ok, they're not bad but may slow your computer...

Let's try this:

Open Notepad and copy the following lines into a new document:


@echo off
sc stop "Symantec Password Validation"
sc delete "Symantec Password Validation"
sc stop "Symantec SPBBCSvc"
sc delete "Symantec SPBBCSvc"

Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close which is normal.

Restart the computer.

Run a scan with HijackThis and see if the following two lines are present (if it worked, they're not there):
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Let me know :bigthumb:
KuriousOranj
2007-01-09, 04:08
Mr. Jak 3, Thank you, this time it worked. I can't find those lines in the HJT report:
Logfile of HijackThis v1.99.1
Scan saved at 12:09:42 PM, on 1/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe

Thank you for all your help!
Mr_JAk3
2007-01-09, 13:17
Ok looks good :)

Just fix these entries with HijackThis that came with windows updates:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Then you're good to go :bigthumb:
KuriousOranj
2007-01-09, 19:07
Those entries disappeared by themselves. They are no longer there; unless they were deleted by AVG anti-spyware when I ran it. this is the latest log, I hope all is fine:
Logfile of HijackThis v1.99.1
Scan saved at 3:06:50 AM, on 1/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136156095657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149670800067
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\oem\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
Mr_JAk3
2007-01-09, 20:11
Yes AVG Anti-Spyware removes those too.

Looks good :bigthumb:
tashi
2007-01-11, 06:52
Glad we could help, as the problem appears to be resolved this topic has been archived. :bigthumb:

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.