
Pipas.A removal help



AQUA5
2006-07-05, 23:25
Spybot keeps picking up Pipas.A; I ran HijackThis and ewido.


Logfile of HijackThis v1.99.1
Scan saved at 3:37:03 PM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\alg.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ybmqj.exe] C:\WINDOWS\system32\ybmqj.exe
O4 - HKLM\..\Run: [dmeph.exe] C:\WINDOWS\system32\dmeph.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD91198-E2E3-495E-882C-0CB3277631BD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:01:30 PM 7/5/2006

+ Scan result:



C:\Documents and Settings\AQUA\Cookies\aqua@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\AQUA\Cookies\aqua@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\AQUA\Cookies\aqua@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\AQUA\Cookies\aqua@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\AQUA\Cookies\aqua@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
[456] VM_013D0000 -> Trojan.DNSChanger.ef : Error during cleaning.
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005805.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005832.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005844.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005853.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005863.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005884.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005891.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
[3928] VM_00A00000 -> Trojan.Pakes : Error during cleaning.
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005893.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0F79AD52-2BBC-433B-B6B8-7ECE3250317F}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{41353561-F560-425A-B5B7-0A4E9D7A7BD7}\RP40\A0005892.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{20C4ABE7-92A9-447B-8951-49575896F0A1}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end

tashi
2006-07-06, 00:22
Spybot keeps picking up Pipas.A,
Hello

Please follow the instructions to run an online antivirus program.

Click:
Click: Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) BEFORE you post, and a helper will advise you.


Post the results of the antivirus scan into this topic in order for a helper to assist you.

Thank you.



Previous topic:
http://forums.spybot.info/showthread.php?t=3281

AQUA5
2006-07-06, 06:11
Panda online scan log.

Sorry for not responding to the last post I made. I followed the malware removal guide and the problem seemed to be fixed; I just thought you needed to see the logs for record purposes.


Activescan.txt

Incident Status Location

Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@advertising[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\AQUA\Desktop\SmitfraudFix\Process.exe
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\AQUA\Desktop\SmitfraudFix.zip
Virus:Trj/Ruins.MB Disinfected C:\Documents and Settings\AQUA\Local Settings\Temp\xxx.jpg
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A40C413C-3F46-4EC4-9A02-EAB2B210FAF5}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{A40C413C-3F46-4EC4-9A02-EAB2B210FAF5}.exe[KillAndCleanUpdate.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{C7B3E5F5-B83A-4064-B9E2-F54324B8DCAA}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean Not disinfected C:\WINDOWS\system32\{C7B3E5F5-B83A-4064-B9E2-F54324B8DCAA}.exe[KillAndCleanUpdate.exe]

illukka
2006-07-06, 08:24
Hi


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum, please.

AQUA5
2006-07-06, 16:11
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}96CD52B5265F-81FB-ADE4-2118-6F1EB342{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A0F69857594-1598-B744-9A29-7EBA4C02{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0598708074E4-8F18-72F4-86BE-49FD0373{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BCAC7EB67FF-7A49-D0A4-1ECF-A1AF4EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F7130523ECE7-8B6B-B334-CBB2-25DA97F0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AACD8B42345F-2E9B-4604-A38B-5F5E3B7C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}390F3405F0EE-0A89-EE94-79FC-349625CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5CB716602E4A-4AA8-E994-5FCA-EF20820A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FCB9D55FED35-9FEB-71B4-6AC8-D5BBAE7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E09761E1D466-E889-BDF4-95B2-0C9C3C5B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F44CC4CB51B-78A9-F964-FEEF-6F33B04D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A034930332CF-22AA-B944-C780-EA6ACD72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F88C7E67122-4CBA-4554-9460-6310C725{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}92417FA46ABA-5F68-E054-0845-70F012F3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3716DFB2719E-CF39-E7E4-36BC-824F2EC9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B582782E58D-C2B9-C104-8D4E-EDD297D9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}334B44E4D424-03D8-6474-B682-E8ED45FE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}03B8B46DA97B-B5E8-AE54-0C82-5F1FBDE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}149FC6A044BD-AFD9-CB14-A3F6-0A70B6A1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E76CA974162-1E18-32B4-5375-FB0C3DE1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}949EBCF51A25-4EA9-3194-DE05-DC09B71A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D3D389CA1868-D96A-ADA4-BB9E-AF20E8CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7012DDBD5DBC-224B-7064-FFC2-2CB75FFE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A084219A3E81-7A39-C204-B2A6-75A2A251{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}365120B64E5B-A7EA-F104-C5FD-C6604D5B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}48DDFA2146D6-B0C8-73B4-DD7B-890FF778{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6AAA591C9B85-1189-DDE4-B89B-8D0390D2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}43D69F64F90A-7A5A-1254-D67E-39624761{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ECE985BEA3AD-952A-2F84-AA49-1C82A5A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}418A7219C2D5-7DF8-5F44-4EFD-EBD12E64{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mdymd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}139B578F71FD-4EA8-3304-E493-D6A75263{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E5EADCD0CA17-7B5B-B4C4-7490-2E7C9A82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4231111DD942-7AC8-34F4-13CC-5467E2C4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}556D81EF18B0-CCDA-2FD4-663C-F390BF87{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDDBF63CD48D-A6C8-2014-58CB-790817EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9CEBEEB29433-106A-E3A4-ACEF-287069D4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmydm.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMYDM.EXE 44,053 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{C7B3E5F5-B83A-4064-B9E2-F54324B8DCAA}.exe
{A40C413C-3F46-4EC4-9A02-EAB2B210FAF5}.exe





Logfile of HijackThis v1.99.1
Scan saved at 9:10:45 AM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [aioro.exe] C:\WINDOWS\system32\aioro.exe
O4 - HKLM\..\Run: [dmqmq.exe] C:\WINDOWS\system32\dmqmq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD91198-E2E3-495E-882C-0CB3277631BD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
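An added example (not code from this thread, from HijackThis or from Fixwareout) that automates what the helper is doing by eye in the two reports above. It parses HijackThis O17 lines to show which control sets (CCS, CS1, CS2) and which interfaces carry non-local NameServer values, flags O4 Run entries whose value name is a five-letter random .exe living in system32 (the "cs", "dm" and "jb" shape the Fixwareout report says it searches for), and reverses the leaf names of the registry keys Fixwareout deleted: the Urls\ names (ogol, eno, llun, ruof, evif) are plainly words spelled backwards, and reversed the ruins\ entries come out GUID-shaped, with ruins\mdymd becoming dmydm, the same name as the DMYDM.EXE file and the "dmydm.exe" Run value in the same report. That reversal is an observation on the report's own data, not documented behaviour of the malware. The sample HijackThis lines are a constructed excerpt modelled on the logs in this thread; the Fixwareout lines are copied from the report above; the classification rule (any public DNS server not on a responder-supplied expected list counts as suspicious) and the random-name heuristic are this example's assumptions, not a published signature.

```python
# Added triage example; assumptions are labelled in the comments.
import ipaddress
import re

# Constructed excerpt in HijackThis 1.99 log format, modelled on the logs
# in this thread (not a verbatim copy of any one of them).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aioro.exe] C:\WINDOWS\system32\aioro.exe
O4 - HKLM\..\Run: [dmqmq.exe] C:\WINDOWS\system32\dmqmq.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Four lines taken from the Fixwareout report posted in this thread.
FIXWAREOUT_EXCERPT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}96CD52B5265F-81FB-ADE4-2118-6F1EB342{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mdymd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
"""

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): NameServer = (?P<servers>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Five letters plus .exe: the shape Fixwareout's "five digit cs, dm and jb" search targets (assumption).
RANDOM_EXE_RE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def classify_server(ip_text, expected):
    """Label one NameServer value: expected (responder-supplied resolver), local, suspicious or unparsable."""
    if ip_text in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsable"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "suspicious"


def _first_path(cmd):
    """Return the executable path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt_log(text, expected_dns=()):
    """Report rogue DNS servers per control set and interface, plus random-named system32 Run entries."""
    dns, runs = [], []
    for line in text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
            bad = [s for s in servers if classify_server(s, expected_dns) == "suspicious"]
            dns.append({"control_set": m.group("cs"), "interface": m.group("iface") or "global",
                        "servers": servers, "suspicious": bad})
            continue
        m = O4_RE.match(line)
        if m:
            path = _first_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if "\\system32\\" in path.lower() and RANDOM_EXE_RE.match(base) and m.group("name").lower() == base.lower():
                # prefix_hit: Fixwareout's own cs/dm/jb prefixes, a stronger signal than the shape alone.
                runs.append({"hive": m.group("hive"), "name": m.group("name"), "path": path,
                             "prefix_hit": base[:2].lower() in {"cs", "dm", "jb"}})
    return {
        "dns": dns,
        # If CS1/CS2 appear here as well as CCS, "Last Known Good" boots straight back into the hijack.
        "rogue_control_sets": sorted({d["control_set"] for d in dns if d["suspicious"]}),
        "suspicious_servers": sorted({s for d in dns for s in d["suspicious"]}),
        "suspicious_runs": runs,
    }


def decode_reversed_name(name):
    """The Urls\\ names in the report read backwards (ogol -> logo); apply the same reversal."""
    return name[::-1]


def decode_fixwareout_keys(report):
    """Reverse each deleted key's leaf name and note whether the result is GUID-shaped."""
    out = []
    for line in report.splitlines():
        if not line.startswith("HKEY_LOCAL_MACHINE\\"):
            continue
        leaf = line.rsplit("\\", 1)[-1]
        decoded = decode_reversed_name(leaf)
        out.append({"leaf": leaf, "decoded": decoded, "guid_shaped": bool(GUID_RE.match(decoded))})
    return out


if __name__ == "__main__":
    result = triage_hjt_log(SAMPLE_HJT_LOG)
    print("rogue DNS:", result["suspicious_servers"], "in control sets", result["rogue_control_sets"])
    for r in result["suspicious_runs"]:
        print("random Run entry:", r["hive"], r["name"], "(prefix hit)" if r["prefix_hit"] else "")
    for k in decode_fixwareout_keys(FIXWAREOUT_EXCERPT):
        print(k["leaf"], "->", k["decoded"], "(GUID-shaped)" if k["guid_shaped"] else "")
```

Run it as-is to triage the embedded sample; for a real log, read the file's text into triage_hjt_log and pass your ISP's resolvers in expected_dns so they are not flagged. The rogue_control_sets list is the point behind the helper's O17 instructions: the servers sit in ControlSet001 and ControlSet002 as well as CurrentControlSet, so every copy has to be cleared, and after the reboot the change should be confirmed at the interface with ipconfig /all rather than trusted from the log alone.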

illukka
2006-07-10, 12:31
Download and Save Blacklight (http://www.f-secure.com/blacklight/try.shtml) to your desktop:

Double-click blbeta.exe, accept the agreement, then click Scan and then Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

AQUA5
2006-07-10, 18:19
OK, here it is.

07/10/06 11:16:49 [Info]: BlackLight Engine 1.0.42 initialized
07/10/06 11:16:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/10/06 11:16:50 [Note]: 7019 4
07/10/06 11:16:50 [Note]: 7005 0
07/10/06 11:16:53 [Note]: 7006 0
07/10/06 11:16:53 [Note]: 7011 148
07/10/06 11:16:53 [Note]: 7026 0
07/10/06 11:16:53 [Note]: 7026 0
07/10/06 11:16:57 [Note]: FSRAW library version 1.7.1019
07/10/06 11:17:54 [Note]: 7007 0

illukka
2006-07-11, 22:19
Hi

Are you sure that this was everything? So no hidden items were found :)
That's a good thing.


Can you now post a fresh HijackThis log?

Are there any more problems?

AQUA5
2006-07-12, 06:07
Yeah, I scanned again just now and it was pretty much the same thing.

07/11/06 22:58:43 [Info]: BlackLight Engine 1.0.42 initialized
07/11/06 22:58:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/11/06 22:58:43 [Note]: 7019 4
07/11/06 22:58:43 [Note]: 7005 0
07/11/06 22:58:51 [Note]: 7006 0
07/11/06 22:58:51 [Note]: 7011 2040
07/11/06 22:58:51 [Note]: 7026 0
07/11/06 22:58:51 [Note]: 7026 0
07/11/06 22:58:54 [Note]: FSRAW library version 1.7.1019
07/11/06 22:59:42 [Note]: 7007 0

Spybot still picks up Pipas.A and I keep getting McAfee trojan warnings: Downloader.ASI, Spy-Agent.i and Adclicker-Bw.



Logfile of HijackThis v1.99.1
Scan saved at 11:06:02 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [dmsjh.exe] C:\WINDOWS\system32\dmsjh.exe
O4 - HKLM\..\Run: [cmsip.exe] C:\WINDOWS\system32\cmsip.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

illukka
2006-07-12, 08:22
Hi

Print this, or save the text as a Notepad file.


Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.exe).

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\DMYDM.EXE
C:\WINDOWS\system32\{C7B3E5F5-B83A-4064-B9E2-F54324B8DCAA}.exe
C:\WINDOWS\system32\{A40C413C-3F46-4EC4-9A02-EAB2B210FAF5}.exe
C:\WINDOWS\system32\dmsjh.exe
C:\WINDOWS\system32\cmsip.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.


Upon reboot, open HijackThis, click Do a system scan only,
checkmark these:


O4 - HKLM\..\Run: [dmsjh.exe] C:\WINDOWS\system32\dmsjh.exe
O4 - HKLM\..\Run: [cmsip.exe] C:\WINDOWS\system32\cmsip.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

AQUA5
2006-07-12, 17:21
OK, I ran Killbox and did not get any PendingFileRenameOperations prompts. The two O4 lines from HijackThis that you told me to delete were not there.


O4 - HKLM\..\Run: [dmsjh.exe] C:\WINDOWS\system32\dmsjh.exe
O4 - HKLM\..\Run: [cmsip.exe] C:\WINDOWS\system32\cmsip.exe


BTW, these are some of the files that McAfee keeps picking up.
downloader.ASI
{299c9982-5b5d-414b-993d-f9be56468567
spyagent.i
{CB3FEF41-5C53-4842-94EE-0E05CFOA338}.exe
spyagent.i
{7D4AAE3D-AE55-A5E5-B7D6-SFA28C4DFF13}.exe
adclicker.Bw
{B0A75FCB-8CDC-40DA-A33F-DFE180672BD4}.exe
QFav-4
{22DD10EE-510D-4414-A2B2-824FF29079C2}



Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8E706BC4C5D9-3F2A-E714-E919-EFB2AE38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E864B16F5EA-8A78-5B44-56EC-64CFDF6A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}691543123721-6FC8-B3D4-DFF2-2AAE40F6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9BA0F4EEF31E-8409-A2F4-D2FC-FB7EF5DC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B03B0442416-2B78-4B14-547E-B414348D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BEECEAA4E023-838B-88D4-A318-16657245{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}33D51FA038A3-1C99-30C4-6C20-21270678{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C53565D2829-187A-41A4-5D4F-C46AB3E3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7F256C26ADF-C2A9-6404-CBA1-722C1EDC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}031B48CC1F14-82F9-C1A4-4EED-72CFAE7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B08139BA6DA-1419-F5A4-D4CA-41EB4265{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}984AA452A601-F1BA-5F44-F60B-726C7AE5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\kjxmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}40CBC1854721-58AA-89E4-7E64-27F6D800{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D73829D0BF6-EDB9-F914-7491-518922D3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}249CCE625F7D-CB2B-1B84-8F5D-B2883C67{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E13B8B60CC53-E5F8-6364-343A-E30D3734{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7B32C27E32E9-3D49-3E64-9E07-96B9D6D1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DD6CD6830021-29FA-A1E4-A1F2-E3296F27{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmxjk.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMXJK.EXE 44,053 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{BB11475D-5FEB-4BAB-A1CA-3F123CC79B90}.exe
{42B968F5-75D2-4161-B3CE-83E4261A7F75}.exe



Logfile of HijackThis v1.99.1
Scan saved at 9:42:38 AM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [eslfn.exe] C:\WINDOWS\system32\eslfn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD91198-E2E3-495E-882C-0CB3277631BD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
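
The two logs in this thread show a pattern that can be checked mechanically: a Run entry in system32 with a random five-letter name that changes between scans (dmsjh.exe, then eslfn.exe), and NameServer values on every interface pointing at the same outside resolvers. The Python script below is an added example, not code from this thread, from HijackThis or from FixWareout. It parses O4 and O17 lines from two constructed scan excerpts (the O4 and O17 values are copied from the logs posted here; the 192.168.1.1 router address and the trusted-resolver list are assumptions), flags Run executables in system32 whose file names are five letters or a GUID, flags resolvers that are not on the trusted list, and reports which flagged entries vanished and which appeared between the two scans.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Constructed sample: two successive HijackThis scans, cut down to the line types
# this checker looks at. The O4 and O17 values mirror the logs posted in this
# thread; the 192.168.1.1 resolver in the second scan is made up to show an
# allowed value.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [dmsjh.exe] C:\WINDOWS\system32\dmsjh.exe
O4 - HKLM\..\Run: [cmsip.exe] C:\WINDOWS\system32\cmsip.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [eslfn.exe] C:\WINDOWS\system32\eslfn.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use (assumption for the example: the LAN router).
TRUSTED_RESOLVERS = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
# Naming heuristics taken from the thread: five-letter or GUID-named executables
# sitting in system32. They are triage hints, not proof; legitimate files can match.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^\{[0-9a-z-]{30,40}\}\.exe$", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text: str) -> Dict[str, list]:
    """Pull O4 Run entries and O17 NameServer entries out of a HijackThis log."""
    runs: List[Tuple[str, str]] = []
    dns: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            runs.append((m.group("name"), exe_from_command(m.group("cmd"))))
            continue
        m = O17_RE.match(line)
        if m:
            # NameServer values are separated by spaces or commas, as in the logs above.
            dns.append((m.group("key"), re.split(r"[,\s]+", m.group("servers").strip())))
    return {"run": runs, "dns": dns}


def suspicious_run_files(runs: Iterable[Tuple[str, str]]) -> List[str]:
    """Lower-cased file names of Run entries in system32 matching the naming heuristics."""
    hits = []
    for _name, exe in runs:
        p = PureWindowsPath(exe)
        if str(p.parent).lower() != SYSTEM32:
            continue
        if RANDOM_NAME_RE.match(p.name) or GUID_NAME_RE.match(p.name):
            hits.append(p.name.lower())
    return sorted(hits)


def rogue_resolvers(dns, trusted=TRUSTED_RESOLVERS) -> List[Tuple[str, str]]:
    """(registry key, server) pairs whose resolver is not on the trusted list."""
    return [(key, s) for key, servers in dns for s in servers if s and s not in trusted]


def recreated_entries(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two scans: suspicious Run files that vanished and ones that appeared."""
    old = set(suspicious_run_files(parse_hjt(before)["run"]))
    new = set(suspicious_run_files(parse_hjt(after)["run"]))
    return {"removed": sorted(old - new), "appeared": sorted(new - old)}


if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        parsed = parse_hjt(scan)
        print(label, "suspicious Run files:", suspicious_run_files(parsed["run"]))
        for key, server in rogue_resolvers(parsed["dns"]):
            print(label, "untrusted resolver", server, "in", key)
    print("between scans:", recreated_entries(SCAN_BEFORE, SCAN_AFTER))
```

A flagged Run file that disappears and is replaced by a differently named one in the next scan is the signature of a component that re-creates its autostart entry, which is why the helper keeps asking for a fresh log after every step rather than trusting the previous one. Swap the trusted-resolver set for the addresses your own DHCP or ISP hands out before using this on a real log.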

illukka
2006-07-12, 22:46
hi

Hmm, it still shows signs of infection.

Open HijackThis, click Do a system scan only, and checkmark these:
O4 - HKLM\..\Run: [eslfn.exe] C:\WINDOWS\system32\eslfn.exe

Then close all other programs (including your browser) except HijackThis, and click Fix checked.


Run Killbox again.

Select:

Delete on Reboot
then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\DMXJK.EXE
C:\WINDOWS\SYSTEM32\{BB11475D-5FEB-4BAB-A1CA-3F123CC79B90}.exe
C:\WINDOWS\SYSTEM32\{42B968F5-75D2-4161-B3CE-83E4261A7F75}.exe
C:\WINDOWS\SYSTEM32\{7D4AAE3D-AE55-A5E5-B7D6-SFA28C4DFF13}.exe
C:\WINDOWS\SYSTEM32\{CB3FEF41-5C53-4842-94EE-0E05CFOA338}.exe
C:\WINDOWS\SYSTEM32\{B0A75FCB-8CDC-40DA-A33F-DFE180672BD4}.exe
C:\WINDOWS\SYSTEM32\{299c9982-5b5d-414b-993d-f9be56468567}.exe
C:\WINDOWS\SYSTEM32\{22DD10EE-510D-4414-A2B2-824FF29079C2}.exe
C:\WINDOWS\system32\eslfn.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot, run FixWareout again (see the instructions above) and post the contents of its report file here.

Finally, rescan with HijackThis and post the resulting log here.

AQUA5
2006-07-13, 04:37
Hey, once again the entry you told me to delete from HijackThis,
O4 - HKLM\..\Run: [eslfn.exe] C:\WINDOWS\system32\eslfn.exe, is not there. Instead of it there is
O4 - HKLM\..\Run: [jefpp.exe] C:\WINDOWS\system32\jefpp.exe
Are these trojan files? Could I have some kind of worm which is creating these entries? :fear:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D148999A9276-B9DB-3264-2E52-ADEF4545{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E4DD4EAFCD47-4E99-7C24-AC7C-27018E08{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DFE9388E72EC-E919-DC14-AFE2-7956804A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}44391B2DFC55-6B9B-7AE4-9544-64023029{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A66EC2C0E44-85DA-56E4-449B-0064C21A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9FEF1F7C488C-136B-B7F4-A831-65205961{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}029CD85E7A76-D418-84D4-D85A-DFB246C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}76586465EB9F-D399-B414-D5B5-2899C992{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}833A0F3C50E0-EE49-2484-35C5-14FEF3BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}31FFD4C82AF5-6D7B-5E54-55EA-D3EAA4D7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4DB276081EFD-F33A-AD04-CDC8-BCF57A0B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2C97092FF428-2B2A-4144-D015-EE01DD22{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD1F8D3E7AF0-30BA-BB74-1D9A-4E431AB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BBAA1400AFB-2E9A-DB14-5EEF-01848380{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC5C0C3C68F7-924B-4434-3F0F-93795C5C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}495021248F4F-99A8-1874-1240-6523033C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B2E492941376-E4A9-38C4-32C6-0FB23957{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5EA5C4FCF4DA-D02A-B254-1C3C-1DE2C2EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DA464656C870-3818-5D04-4B13-DA6B7FA6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E2965421A0B-4799-18D4-5ED2-6BF4EDC7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}51AF2348BFCE-A258-94A4-CA0D-C14C3895{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}69BAEA0B7165-3CDA-E3D4-9BFC-BF4CA2E7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}81C791A74976-A1F9-B894-DC68-0E639A57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}713715963B1A-BC18-F794-0DB4-32570EA1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDC63FC0AD57-5C09-6884-828E-27852920{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}745F97E1E400-2019-E404-2771-3C259935{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD73D08964B8-5918-5E24-6D98-29E0204B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}527C249287BE-03CB-0674-7D01-35EE4536{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}906527D51704-56AA-FEE4-059A-B33E6BA5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC30F80C8068-3F39-CE54-0FE2-A49D0143{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}60CC8D65BF1B-FD9A-E724-E344-25B03994{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}39421C832ABF-BF5B-98C4-D392-11CAB5A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28329A3ECF86-9539-4004-D6C8-B9F62424{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6CF904052D1E-FFCB-7134-24B9-63649D29{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F202D0C21992-2AD8-44D4-1E07-EABD24B0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A7B45CE00577-70CA-E974-15C5-3DD0F6FB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CCA2E4C73D8A-D16A-7774-51AA-5E4FD901{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50A3BD734D2D-019B-98A4-7DF4-2CABAF57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D137094A481-828B-8314-90D3-F55D084A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}101140D9B40C-086B-B084-E864-EB31B68E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7E1B17D5C9B3-22AB-B414-BE83-B30862C4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}672C9C515E62-057B-1294-32DD-AFB01B60{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}46F1A0327739-6BEA-0E94-7399-08966EF7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35CC7646BB5D-27B9-03E4-3082-4B0BB7EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B3BFCB81C89B-1AA8-5E24-EA2A-BA6CB60F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D1B56B23762-47EA-5BB4-6668-D0A1532F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7A729C321CBF-B21B-A7C4-824F-9A1AC36D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7E1972030C6E-7AE9-B6E4-6FEA-45E4DFB0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77DCEA7FAC18-3D29-8534-8DE9-A62C63B8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9D517664F814-A56A-F014-BBD4-8D7433D8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}60A03A87CE71-1F3B-A0A4-9AD3-06DED5A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}621E9C573797-3AD9-3CB4-9D2B-F301DB95{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8937DE6AD327-B3F9-04D4-3A70-B078B602{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D232585B68CE-F079-5834-6698-1523FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4793478DF333-872A-D764-C61B-44B40B5F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}293965444A4E-34CA-5DF4-06B4-8AD9CC00{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}43A997491169-C22A-E514-E794-4B488189{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}92FB0C94518B-FECB-3B74-F149-19DFDEB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C57E44AC0A90-656A-5E94-5B1F-17F7BC71{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}863E4829C9D8-4499-FB24-7E8E-F3A89E06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}887D7FCB43F0-D489-BFE4-F4C5-D8C8C2F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1AEA81125732-172B-4D24-5470-690471FE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EEA35C726CC0-A3CA-56C4-9906-E6030589{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6A164E8CD4E7-336A-DD54-A061-4DDC00EA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}53D1A0A97D96-5069-2EA4-D6D9-2107ADB5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}21E1234E78A9-1B3A-71D4-795B-2984DA23{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0A849F206CD8-39AA-9674-1414-B1FACC9B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8F85EF490FF0-199A-5A14-9FF0-E031D34C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B91050BBD340-4189-BBE4-4101-43366A73{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B41AFAD74BF-E14B-C9E4-C7E5-ECCA96AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E2CA73A9DCCD-CEE9-1544-EFF8-3E5C49D3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4793D87B398D-0049-31B4-2BAA-B9E04167{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D207C93CB6ED-F8A8-7624-4A02-7D41E9BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62AF814BA72F-F78B-E9A4-90AB-AA59979D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}49A8EBF857B9-9679-BE04-0B79-4D8C3279{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF2519E2BC05-6C6A-8D84-233C-72AF0DF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0579239179C0-9099-D434-0314-740F8067{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}70D741C24AAC-E319-3944-E0C9-332263A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5DB95CEF6A66-6EA8-28D4-C16A-7434426A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2CFE3679E569-E809-5BE4-FE1B-6AEA97B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2EEE290D1BA9-AB19-0EE4-D0B7-592C28F3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4145964F59E9-E3CA-EE74-921A-386D883A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B36A569D9B8-888B-C774-0CFF-0676AD71{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DD345794C975-D689-08B4-4072-1462C9FC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C6A0F1FFC22-F1F8-0154-ADB7-D9D8E93B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E3D7768D3A9-454B-8A24-0379-D4195C3D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}430EAD9FEB0F-C6CA-14A4-778F-D790FFA8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}02720C757824-4A18-CB84-CE37-43798AD4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B74A2A91943E-99E8-9154-239D-EC5A5349{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}63E617EFC9F5-B7F8-5354-0093-D8984118{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B6953E7CC0E7-64A8-4D74-84E7-9D9C0066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}734FCA4DE38F-7E98-2864-7310-841E8791{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C50FBEC1DBF6-DBC8-0544-1CD0-E82259F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}23661C7D2CC6-9A58-6094-C6D2-B46D614B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E53AE0F3EE68-197A-3B54-5F88-2D3CFA52{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D40691A0902C-4BE9-EF54-5590-94C62910{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5857400E49A9-F718-E0F4-8EE7-57D7CA63{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2D786AA8F8B7-5708-15B4-0EFC-933BAC21{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}425701662959-8B59-0504-58CE-55C0E2CE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}63C2CC375A00-E9B8-47D4-9936-09198902{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AAD8A3C67CDD-C8CA-1BA4-5A51-BE80ABAA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4034B8D11A58-2F09-C784-4251-3573C528{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7931A6FEDB09-E49A-1414-CB15-263CF08F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B4FA7483AA3-12D9-B364-B1C9-693B3021{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6A0137FAE2AC-A2AA-4C34-6A88-D4C8BF1C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}70723828F687-9CE8-C734-C017-FA375A41{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA5F593358A9-6ED9-36E4-AB0B-0045BDE5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EDAEC43768F7-EEA9-43F4-172C-C52579B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A983EF44251D-8C9A-4AF4-CB31-2AAECB36{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98AC93C32CA8-6C6A-5194-5DB1-4AA75443{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2364386986C5-9C5A-D3F4-8FD4-39840FBA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8E8F7BD4579D-3C6B-ED94-A39B-6D9C344C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E43526C6F0F-56F9-5FD4-B7D4-E6409278{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FA586CF5B146-827A-9824-64D9-6A0C733D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}193055C772A5-C39A-4534-E0C3-6D3244F5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6BE0E4A3E173-AA49-5164-C8C6-BF17ACBE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}125E2DAED8D0-3B69-DF84-9FF5-B5AF7055{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}510CEF47BF6D-82BB-2C24-533F-FE76FCE4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0688AAA5968-845A-1194-C21B-37B5D5EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}97DBA7A2FEE7-AB9A-BF64-9146-CC7007C6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E418BD018A00-2889-6D14-4B42-E691A2B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77F869877BFA-BAFB-9634-B37F-297A8612{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7CA63B58BAB9-9BBA-C564-28A4-9C223003{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C6EFF95E529A-9FEB-3394-F75C-ABDB1A29{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FB1F892790E4-7189-7E24-C818-650899AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}83EE84BA20E5-76B8-93C4-A32F-AF8207A1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}45586E128BE2-BC98-5154-57A7-4BC75A5F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}58F73B4FE7DD-6BEA-F7F4-6248-A6296821{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2557B9D38588-EE1A-3214-2558-5226A743{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D1C0F6DC0791-B698-1624-7EC2-0AB17759{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D73BFB7724A-F53B-2C64-27A3-29102829{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2430522E22ED-2A1A-8F94-4090-05FDACEC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E9B2A4AB92D5-A099-BEC4-FD67-63D5DE00{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0AAC2FAD76C1-3268-8BE4-D974-8B65E836{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5DD6CBE66AD4-42A9-97D4-DB3B-51E6866A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B10EED695A8B-DA2A-13D4-CF1E-075C24B3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2F4C78CE978C-2518-1864-BBCA-2DDE20B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9798C723B4AA-543B-F7B4-7A62-25B8F175{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9823755689A1-402B-F054-BD6E-9FCC63E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C28B97B33F11-F799-3F04-27A8-55B60769{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A54D3E05C0F5-E7B8-E214-52FF-9F836C16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E8EC08CD542E-07BB-4BE4-2947-FD9DFA20{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}10F5522C3412-1F1B-24D4-6144-E3BA2C04{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A1C97603C126-B588-F244-5471-39BB060B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C766F9730DB0-F5FB-BCB4-69B9-442F4816{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AD110B45E6A0-3729-4E54-3203-5B46AA74{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}620253470754-172B-C864-D481-60306C03{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C8D3F48A5192-EDE9-34C4-DB3F-BA359A06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5ECB9960C67A-C8C8-ACD4-566D-F47FDF15{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C295AC6FEE3-0B6A-7724-EC9B-BC135DD9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E907515100A-AC0B-CF14-BE0F-2C931B4E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}884021E88851-AE58-5C14-B1A0-2AA44378{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8BF76C674B14-218A-8084-A342-FBB9733C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2DB5941FFAA9-8F19-4924-47DA-4735A94D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E5077D29AB8-30F9-6C14-9484-49105651{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}47C3D0124B71-D0FA-6BD4-ED65-52E3A6F2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2FD009069EC7-23EA-AA24-01F8-73E2E46A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE6F7CB8F44F-15DA-A064-66CA-48EE988E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D57C2AAF99BC-5FAA-6234-C5EB-922B8C05{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9EDB5B2E68B3-34A9-11F4-C300-47F10E79{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BC6C90B11440-BC29-5844-6F60-E9DE81B7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B611A459904-9B6B-2DE4-0AA2-FA533621{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A7FB1DFFE518-8B69-C7F4-B7C1-793AF5AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}80A826D3DDD9-27BB-5344-92DE-BCE53312{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4AEAE54734C2-A08B-BC24-6C5D-20178F9B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E5B1F397887-E828-69D4-4F33-A22A3E86{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F949186412D-A0C8-2544-1B94-CC79C6F9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D828303126BE-CBEB-5374-1873-E7AEBB8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B2BE75DC11E2-3BDB-4104-4ECA-A295F547{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBB4879BE793-227A-0014-F14A-CE2EB244{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}08124A6FB58F-E128-9534-0762-A413453B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A60663762BC9-D5EA-1EF4-2F3D-052F83A7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}492F89D3D4F2-024B-9D54-3A9A-1320EFC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6790F83BA9AB-7AC8-1F44-07BD-ABBAE01D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B281AC23206-7CAB-DD04-DE5F-CD5D6CAA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8613EED1F9CD-8989-AC14-28A0-53B5AEE5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EC6E4F18E48E-F4AB-5564-2879-B4A17828{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

AQUA5
2006-07-13, 04:39
Didn't fit, sorry.


Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{24CD45FF-EB25-4203-9639-66BD32D21090}.dll
{50C8B229-BE5C-4326-AAF5-CB99FAA2C75D}.exe
{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe





Logfile of HijackThis v1.99.1
Scan saved at 9:13:39 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [jefpp.exe] C:\WINDOWS\system32\jefpp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD91198-E2E3-495E-882C-0CB3277631BD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

illukka
2006-07-13, 10:44
hi

it's a rootkit trojan, not a worm.

open HijackThis, click "Do a system scan only".

checkmark these entries:

O4 - HKLM\..\Run: [jefpp.exe] C:\WINDOWS\system32\jefpp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{192F11E3-6165-4115-BADD-952FC68ECD1D}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{320FD394-C3DB-4091-91D4-7454B952F7CE}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD91198-E2E3-495E-882C-0CB3277631BD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB49E8E-FC77-4F74-A7A0-5090EB62B6FD}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{D34DD9A3-B804-4D9B-A3B7-DB74F608DF41}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175

if you have rebooted after posting that previous log, there may be a new random O4 Run entry, similar to the ones before. Fix it too if it's there.

then close all other programs and click "Fix checked"

open Killbox, copy-paste these:
C:\WINDOWS\system32\{24CD45FF-EB25-4203-9639-66BD32D21090}.dll
C:\WINDOWS\system32\{50C8B229-BE5C-4326-AAF5-CB99FAA2C75D}.exe
C:\WINDOWS\system32\{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe
C:\WINDOWS\system32\jefpp.exe

then click the delete button, I think you know the drill by now

allow the reboot. Once the machine is back up, run Fixwareout again

post its report and a fresh HJT log
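
The O17 fixes above amount to a DNS check: every Tcpip NameServer value HijackThis lists, both the global Parameters key and the per-interface keys, and not only in the current control set (CCS) but also in the numbered control sets CS1 and CS2, points at the same two resolvers. As an added example (not from the original thread, and not part of HijackThis, Fixwareout or Spybot), the Python below parses O17 lines out of a HijackThis log and reports every resolver that is not on an expected list, grouped by control set. The sample log lines are copied from the 7/12/2006 log in this thread; the expected-resolver list is an assumption made for illustration.

```python
"""Flag DNS hijacks in a HijackThis log by parsing its O17 NameServer lines.

Added example for this thread; not part of HijackThis or Fixwareout.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the 7/12/2006 HijackThis log in the
# thread, including two non-O17 lines the parser must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [jefpp.exe] C:\WINDOWS\system32\jefpp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{015491C1-FD0F-424F-AAF3-4CB016A58011}: NameServer = 85.255.114.20,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.20 85.255.112.175
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Assumption for illustration: the resolver(s) this machine should be using
# (typically the router or the ISP's servers). Anything else is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# CCS = CurrentControlSet; CS1/CS2 are the numbered control sets, one of which
# is the "Last Known Good" fallback, so a hijack there survives a CCS-only fix.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:Parameters|\.\.\\\{(?P<guid>[0-9A-Fa-f-]{36})\})"
    r": NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID (None for the
    global Parameters key) and the list of resolver strings."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HJT prints per-interface lists comma-separated and the global
        # Parameters value space-separated; split on either.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({
            "control_set": m.group("cs"),
            "interface": m.group("guid"),
            "resolvers": servers,
        })
    return entries


def suspicious_resolvers(entries, expected=EXPECTED_RESOLVERS):
    """Map each resolver IP not in `expected` to the sorted list of control
    sets in which it is configured."""
    hits = defaultdict(set)
    for entry in entries:
        for ip in entry["resolvers"]:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                continue  # not an address; skip rather than misreport
            if ip not in expected:
                hits[ip].add(entry["control_set"])
    return {ip: sorted(cs) for ip, cs in hits.items()}


if __name__ == "__main__":
    for ip, control_sets in suspicious_resolvers(parse_o17(SAMPLE_LOG)).items():
        print(f"unexpected resolver {ip} set in {', '.join(control_sets)}")
```

Run against the sample, both 85.255.x.x addresses come back tagged CCS, CS1 and CS2, which is the point of reporting per control set: fixing only the entries under CurrentControlSet leaves the fallback control set pointing at the attacker's resolvers, which is why the advisor has every O17 line checked, not just the CCS ones.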

AQUA5
2006-07-14, 06:09
I think the trojan warnings are gone. :bigthumb:


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E8761FC20E4-F258-B624-2EFD-F79EA166{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}83092073181A-0E9A-1664-E2F4-6CE9D4E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C4099C272F7-5138-5464-874E-AE734BD1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3ACAE540DFA4-8C79-18B4-99CE-1F53849C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBC0BC488A2A-1D49-24A4-D5F0-726AFE6B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7BC14E8A697E-06C8-0D34-EB84-98A26867{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6A300C66C7A-A358-9004-7504-27926583{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC5705E57CEA-5859-3AD4-B318-826A99A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CD218B30BDF-FD28-5384-8EC1-DA3BF61B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0FE52771CA4F-3619-0194-E53D-08D216BE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E246D8A1730B-640B-72B4-A2FA-24FFEA08{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4005CC651CC9-2289-7924-343E-C88D58A9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8492A038965E-B1FA-57B4-F1CF-AB14AED0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E40CD5176D87-E3CB-BAF4-66FE-4F1C0848{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9100AD4679FA-9CF8-F264-B3D4-2FB52105{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1634456B0E26-84BB-9BE4-A1B0-C0C9DB1B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C052D7673B23-1ADA-5954-3238-D6B0D3F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0D7EAF3199F-42EB-5274-E172-0CA2D472{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}55A89555FAEA-147B-2054-1B6E-48CE80A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F85FF01C851F-DA08-4E84-2028-3F5ED04B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D0DD6CE179D9-2F8B-2624-A162-8EAD631D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A763C981C55-A66A-5724-6E4C-5B7283B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E7BEE10F482-39FB-2754-9F40-A76A8B3A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A5DA8D61224D-7098-2984-07D4-FF757AFD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1507155D3F35-3BF9-56F4-9C6D-A1ECDD6F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B3670C4411F7-E42A-6A54-D5E5-365351C6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5B9835DE2CEB-BECB-5314-64A8-DEBFC31A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}70D8F8D854C8-7D2B-D734-266C-32110A88{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6ED0DA5C16BB-EA4A-6744-89F6-84C1761C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B3ABF66F856-F29B-5C44-0075-3C9F3CF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}03C81F33EC59-9208-A734-2904-F68A62AA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7521AA6CFB2C-0ADA-5794-D5F3-DC15C9EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E14DB1F8E04-48EA-7FE4-A5F4-62060D45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4BEFFE3AAB21-E518-3CD4-095C-F880B977{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E108323E9BC5-9F9A-E8F4-9FD4-F25F4610{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}56277BD9A3E1-466A-DD34-6F0C-0FEC19B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E640AE18DA4C-5698-B624-5D57-7125FF24{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F33147C0595-CFB8-D764-D23E-29518F65{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FE4B2448BE43-C2EA-49B4-F598-22649341{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8279729EA872-45AA-9154-2E8C-89249E85{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EC6D06BBB302-AC5B-3F84-FBF7-04FBACC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5F43B2284390-C338-8CE4-442D-AB49FC8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75375F64C18D-9FDB-A6C4-153F-FC333176{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B3C6C67AA49-8C9B-76D4-2617-3C9F3C81{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6B99D04F6BB5-EAA8-7CA4-AEE5-090F992A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC59F2407164-CE6B-7324-A2EB-6D50D74E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A6FD786565DE-916A-8F24-3249-CECDBF8D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CACA08B48481-2CCA-1D14-F632-05C87698{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BF81A3983DF9-1288-3E54-AF11-3CFB47DF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D2A9533906D0-D1E8-05A4-9710-3A2E5BE6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}276084DCE46E-6468-A124-1B20-1F655F46{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}869354E5C513-3CCA-A3F4-0634-BA1A5D5C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB128BD1D2F6-DC49-5A44-D477-9E2DAC22{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}38EBEEAE11ED-D428-FE74-5608-54864DE8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AED58517EE2F-34B8-C534-812E-6B55F158{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}108F551ACACA-648B-3004-6234-274606CE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C1B127C3FD14-1A79-EEF4-F8CE-DDC56CA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F512BC4E6A5-EAEB-D3F4-8D9D-19DC40A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1755F53242A6-046A-03E4-C9A3-2DA02EBE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}371B21BFFB0B-11C8-B544-5FDF-2DDD3A3D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8CF3DAC10634-CFB9-E624-08F2-3ED04A40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F764E086948A-AE09-08E4-77DD-42AE601C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0BB4ABD32CA8-97EA-A2E4-8CBF-36EC28C0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}315008025ED4-889A-A7E4-A133-2B0242C7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F1FAD482F75D-0EFA-E3B4-C65F-17AF3DD9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7BBB30A1C115-5FB8-0424-46CC-ECC7E03A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D0E6CE235E1-958B-5614-3324-BD77228E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9D8C7613A24D-4999-B644-BFAA-30697C57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1730349D3D86-F1F9-66E4-5609-41580D27{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}021DEBBE8202-8D18-7964-31FC-B3474394{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}356C1E60BC2C-3808-D6A4-C4C1-8D06C6B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}23FE63E3CEDC-E6C8-FCF4-C662-C8782738{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87472A0FE0D3-F0A8-1124-9794-5F302EBA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F4C2E29BA2AC-AD49-3044-F113-3C180A01{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}802891B4D7AB-5FC9-9CA4-99C6-F90CC52E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}195894502906-0EFA-3844-4E13-ADE5E241{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B8E33AF57D5-F888-0094-09F0-1C3D4639{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E41B3BE17177-4F78-5764-231A-2B96BC09{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99D50EAEF06B-E58A-2A74-4077-BFE22C48{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D3E44EB9059F-6D7B-C114-5300-15A69D1E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A08FFF626FCC-D648-9F44-CEF2-FF8D150B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75BE1E5818A8-1BEA-7C84-64B9-8D775FD1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ACD94E0356D1-BE1B-1664-5CD9-2A488CE9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}55930DE2CCA6-91DA-6D14-F68C-C906ACCA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}96671CBFDED4-7FE9-F944-F917-5C7D0C59{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B5ED9528151-7D3A-9F24-031D-B92850C9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6CE25146A662-C468-1834-5CB9-FA2FCAA9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BD9E48A0CFA1-FC48-B7D4-F558-FF5D1709{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A36B494E449-8398-4664-6D6D-7A7C5FFF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}79B2393F550D-198B-A494-A1B0-8461499D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}58D1340D7F0A-DD78-1E14-EFA8-B8BB6119{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}884AC6612724-73E9-7864-937D-808F99B7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}64180B623C7E-D4EA-3254-4958-9F7ABD1A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CC6E32FED5C7-357B-57D4-0D0E-2CAD6136{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72DD6E7011CA-775A-C164-9278-EF586014{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E5D4D688FC16-670A-6EE4-0961-B82F8587{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9F187DB1B01F-9EEB-2E84-F030-4B6E6D8E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}374C247F1EFF-9888-AF04-BB78-525442E9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0287AF3EC44A-4C5B-D5B4-D36E-23018882{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B1EC6D36EAF-B3DA-3BF4-57F0-692D2BFB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}34D4942320C6-16AB-F514-2306-11134DBA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8184862D9BA7-E91B-33A4-B1F5-B5910A17{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89AD8258EDBC-8FB8-C254-EB55-415BC566{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}30C4B762402B-844B-1594-6ADC-A046CF0B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF1271F87272-9FBB-E374-9507-80F37556{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0C1E200FB096-BD5A-8414-E9FD-BE878C54{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B88DB940F85B-90C8-C424-B904-716E6757{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}004A16ED3BAF-6628-B6C4-A14B-ECDE74CD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98F0D2FF2AD3-6E4A-0744-9494-1C95AD0D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25DDADB1E343-E859-2AA4-3719-2EEF812F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D961B217ABC7-5A09-29A4-40E9-4750750B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6DFD689AB111-FECB-AF14-A8B6-F9A7B6D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A764C50E056E-EE6B-D5A4-0B08-060A504A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6427B9D399B2-748A-FB54-2DA6-7234175A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}632B2858EFDD-ADEB-B934-1D15-BE93DDD8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50A437E0B2B9-AC99-C134-6712-A2D77C39{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C6F8D86FAC9C-AE09-2B24-486B-7B030E1B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C613544DF73-1ADB-C784-D64F-71FDE85A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59103922F18A-0B1A-4E34-0536-3E75363F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}288C6533D16E-8939-3474-E180-3B0F635C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F56D307E6AF1-EEB8-7BE4-4A29-A399DECE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}55B567EC1743-ACAA-CE64-0232-5B72459E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EB6E63E988B-DA78-5F74-368C-BEE67F1D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}43896F4EC987-12F8-4164-F15E-331E1215{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BC2928672B59-B539-69D4-C785-1DB9912B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5C1BB9FF4970-D3FA-6154-031C-604B8FF2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}181C30F18237-5BB8-95A4-9538-51863AB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98A76CB62721-4E2A-6234-B0BC-9536945E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72A7C57C1386-5568-1E84-54F5-BB6D3B0D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59164ECC38CA-5B2A-9A04-9F05-61F16E50{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}11B63C8A649E-57D8-9844-9A52-938F1428{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29ADE5702727-AAEA-8904-78F1-96EA22F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5EF5D957D342-2509-6CF4-4EBD-39C165A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B5B09CA1702-D1EB-9CF4-D293-68FF395B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F9B27428489A-C0F8-5174-2E3C-9CB294E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C86F6E3AB85C-7ADA-C824-3994-8493A7C2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FFE372D4A7BE-BA19-B204-61B1-A15B80C7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C9626785F123-5C6A-0D24-8768-2A42BFB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D9A86F9C9339-1F79-81D4-522B-1FC30F07{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}20E762458D05-B85B-CDC4-C6AB-B1E2455E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}88588F23FDFA-E2DB-47B4-3FBA-40E5091F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E318F59DFD26-DD7B-F904-5218-544A406E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}40B6CEECABDF-10F9-1304-8643-340065FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6622EC0715CE-FD19-CA84-58C1-9EA40783{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}53E22BAB1FEF-0CBA-3DC4-DD4D-BE784E54{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}144C5167934E-628A-61E4-936E-9AAC38B5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B0337EEA1372-B82A-2B74-49B5-6F2FA616{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BE86A013DBB8-3C9A-0324-4D80-E3AAAA7D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0799EA843868-87EA-AC94-9110-163E353A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C0AA9424565-953A-94D4-44D0-1E1F72C9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7B979C53DDF-3D08-D0D4-E288-65C1E578{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{45E487EB-D4DD-4CD3-ABC0-FEF1BAB22E35}.exe
{70F03CF1-B225-4D18-97F1-9339C9F68A9D}.exe
{0A561C93-DBE4-4FC6-9052-243D759D5FE5}.exe
{9BA36815-8359-4A59-8BB5-73281F03C181}.exe
{ECED993A-92A4-4EB7-8BEE-1FA6E703D65F}.exe
{8DDD39EB-51D1-439B-BEDA-DDFE8582B236}.exe
{D0DA59C1-4949-4470-A4E6-3DA2FF2D0F89}.exe
{665CB514-55BE-452C-8BF8-CBDE8528DA98}.exe
{E8D6E6B4-030F-48E2-BEE9-F10B1BD781F9}.exe
{9116BB8B-8AFE-41E1-87DD-A0F7D0431D85}.exe
{ABE203F5-4979-4211-8A0F-3D0EF0A27478}.exe
{E82277DB-4233-4165-B859-1E532EC6E0D8}.exe
{851F55B6-E218-435C-8B43-F2EE71585DEA}.exe
{FD74BFC3-11FA-45E3-8821-9FD3893A18FB}.exe
{671333CF-F351-4C6A-BDF9-D81C46F57357}.exe
{AA26A86F-4092-437A-8029-95CE33F18C30}.exe
{F6DDCE1A-D6C9-4F65-9FB3-53F3D5517051}.exe
{0A08EC84-E6B1-4502-B741-AEAF55598A55}.exe
{0DEA41BA-FC1F-4B75-AF1B-E569830A2948}.exe
{1DB437EA-E478-4645-8315-7F272C9904C1}.exe
{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe

AQUA5
2006-07-14, 06:10
Logfile of HijackThis v1.99.1
Scan saved at 11:08:04 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

illukka
2006-07-15, 00:51
hi

thats some fine work there my friend

there still are a couple of suspects, but the main infection seems gone

see this list:


{45E487EB-D4DD-4CD3-ABC0-FEF1BAB22E35}.exe
{70F03CF1-B225-4D18-97F1-9339C9F68A9D}.exe
{0A561C93-DBE4-4FC6-9052-243D759D5FE5}.exe
{9BA36815-8359-4A59-8BB5-73281F03C181}.exe
{ECED993A-92A4-4EB7-8BEE-1FA6E703D65F}.exe
{8DDD39EB-51D1-439B-BEDA-DDFE8582B236}.exe
{D0DA59C1-4949-4470-A4E6-3DA2FF2D0F89}.exe
{665CB514-55BE-452C-8BF8-CBDE8528DA98}.exe
{E8D6E6B4-030F-48E2-BEE9-F10B1BD781F9}.exe
{9116BB8B-8AFE-41E1-87DD-A0F7D0431D85}.exe
{ABE203F5-4979-4211-8A0F-3D0EF0A27478}.exe
{E82277DB-4233-4165-B859-1E532EC6E0D8}.exe
{851F55B6-E218-435C-8B43-F2EE71585DEA}.exe
{FD74BFC3-11FA-45E3-8821-9FD3893A18FB}.exe
{671333CF-F351-4C6A-BDF9-D81C46F57357}.exe
{AA26A86F-4092-437A-8029-95CE33F18C30}.exe
{F6DDCE1A-D6C9-4F65-9FB3-53F3D5517051}.exe
{0A08EC84-E6B1-4502-B741-AEAF55598A55}.exe
{0DEA41BA-FC1F-4B75-AF1B-E569830A2948}.exe
{1DB437EA-E478-4645-8315-7F272C9904C1}.exe
{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe

those files are located in system32 folder, they need to be deleted

i would like you to perform an online virus scan: Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

AQUA5
2006-07-15, 06:13
Sweet, thanks a lot for sticking with me and helping me out.


Incident Status Location

Adware:adware/adsmart Not disinfected c:\t.inx
Virus:Trj/Ruins.MB Disinfected C:\!KillBox\dmxjk.exe
Virus:Trj/Ruins.MB Disinfected C:\!KillBox\dmydm.exe
Adware:Adware/CWS Not disinfected C:\!KillBox\{42B968F5-75D2-4161-B3CE-83E4261A7F75}.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@doubleclick[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\AQUA\Desktop\New Folder\SmitfraudFix\Process.exe
Virus:Trj/Ruins.MB Disinfected C:\Documents and Settings\AQUA\Local Settings\Temp\xxx.jpg
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\yzdrg.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\{1DB437EA-E478-4645-8315-7F272C9904C1}.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe
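The two posts above are doing the same triage by hand: illukka lists GUID-named executables in system32 that the main cleanup left behind, and the Panda ActiveScan report then says which of them (and which other items) the scanner could not disinfect. The following is an added example, not code from the thread or from Panda, that reads a report in the "Incident Status Location" shape quoted above, separates what the scanner fixed from what still needs a hand, flags the braced-GUID `.exe` pattern inside system32, and scans a folder for files of that shape. The sample report text and the temporary folder used in the demo are constructed; the paths in the sample are the ones that appear on the page.

```python
import re
import os
import tempfile

# Constructed sample in the shape of the Panda ActiveScan report quoted in the
# thread ("Incident Status Location" header, one finding per line). The paths
# are the ones that appear on the page; nothing here touches real files.
SAMPLE_REPORT = r"""Incident Status Location

Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\yzdrg.exe
Adware:Adware/CWS Not disinfected C:\WINDOWS\system32\{1DB437EA-E478-4645-8315-7F272C9904C1}.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\AQUA\Cookies\aqua@2o7[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

# One report line: incident label, status, path. The label may contain spaces
# ("Potentially unwanted tool:..."), so it is matched lazily and the status
# alternation anchors the split.
REPORT_LINE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)

# Filename shaped like the leftovers listed in the thread: a braced GUID + .exe
GUID_EXE = re.compile(
    r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE
)


def parse_report(text):
    """Turn report text into a list of dicts; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def is_guid_named_exe(filename):
    return GUID_EXE.match(filename) is not None


def in_system32(location):
    """True when the path sits directly in \\WINDOWS\\system32 (case-insensitive)."""
    return re.search(r"\\windows\\system32\\[^\\]+$", location, re.IGNORECASE) is not None


def triage(records):
    """Split findings into what the scanner fixed and what still needs manual action."""
    manual = [r["location"] for r in records if r["status"] == "Not disinfected"]
    guid_exes = [
        loc for loc in manual
        if in_system32(loc) and is_guid_named_exe(loc.rsplit("\\", 1)[-1])
    ]
    cookies = [
        loc for loc in manual
        if loc.lower().endswith(".txt") and "\\cookies\\" in loc.lower()
    ]
    return {"manual": manual, "guid_exes": guid_exes, "cookies": cookies}


def find_guid_named_exes(directory):
    """List GUID-named .exe files directly inside `directory` (no recursion)."""
    return sorted(
        name for name in os.listdir(directory)
        if is_guid_named_exe(name) and os.path.isfile(os.path.join(directory, name))
    )


def demo_directory_scan():
    """Build a throwaway folder standing in for system32 and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("{1DB437EA-E478-4645-8315-7F272C9904C1}.exe", "notepad.exe", "Process.exe"):
            open(os.path.join(d, name), "wb").close()  # empty placeholder files
        return find_guid_named_exes(d)


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for key, items in result.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
    print("directory scan:", demo_directory_scan())
```

The GUID check is a shape check only: a braced-GUID filename in system32 is a strong hint on this particular infection, but legitimate installers occasionally drop similarly named files, so the list is something to review (and to hand to a scanner), not to delete blindly.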

illukka
2006-07-18, 21:39
hi

delete these files

C:\WINDOWS\system32\{1DB437EA-E478-4645-8315-7F272C9904C1}.exe
C:\WINDOWS\system32\{A4086597-2EFA-41CD-919E-CE27E8839EFD}.exe

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

reboot

post a final hijackthis log

are there still problems ?

AQUA5
2006-07-20, 04:21
No, everything seems to be fine now. Thanks again. :bigthumb:




Logfile of HijackThis v1.99.1
Scan saved at 9:18:25 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\3aLab\iRadio\iRadio.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151118464187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

illukka
2006-07-20, 06:07
hi


looks clean to me



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
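The six Custom Level changes illukka recommends for the Internet zone are stored by Internet Explorer as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with 0 = Enable, 1 = Prompt, 3 = Disable. The following is an added example, not code from the thread, that audits a snapshot of those values against the recommended settings and, on Windows, can read the live values and write the recommended ones. The value names are the documented URLACTION identifiers for those six settings (an assumption you should check against your IE version before writing anything); the `sample` snapshot in the `__main__` block is constructed and does not represent any real machine or IE default.

```python
import sys

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action values Internet Explorer stores for each zone setting.
ENABLE, PROMPT, DISABLE = 0, 1, 3

# The six Custom Level settings from the post, keyed by the registry value name
# IE uses for them in the Zones\3 (Internet zone) key, with the recommended value.
# Assumption: these are the documented URLACTION identifiers for these settings.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}


def audit(current):
    """Compare a {value_name: int} snapshot with RECOMMENDED.

    Returns one (value_name, label, current, recommended) tuple per deviation.
    A setting absent from the snapshot is reported with current=None: the
    registry alone does not say what IE falls back to, so it is worth a look.
    """
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have != want:
            findings.append((name, label, have, want))
    return findings


def describe(findings):
    """Human-readable lines for a findings list."""
    lines = []
    for name, label, have, want in findings:
        have_txt = NAMES.get(have, "not set" if have is None else str(have))
        lines.append(f"{name} {label}: {have_txt} -> should be {NAMES[want]}")
    return lines


def read_current():
    """Read the live values from HKCU (Windows only; uses the stdlib winreg module)."""
    if sys.platform != "win32":
        raise OSError("Internet Explorer zone settings only exist on Windows")
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                current[name] = int(value)
            except FileNotFoundError:
                pass  # value not present; audit() reports it as None
    return current


def apply_recommended(findings):
    """Write the recommended value for every deviation (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Internet Explorer zone settings only exist on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, _label, _have, want in findings:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, want)


if __name__ == "__main__":
    # Constructed snapshot: two settings left on Enable, one value missing.
    sample = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE, "1800": PROMPT, "1804": ENABLE}
    for line in describe(audit(sample)):
        print(line)
```

Auditing and applying are kept separate on purpose: run `describe(audit(read_current()))` first and only pass the reviewed findings to `apply_recommended`, the same order of operations as reviewing the Custom Level dialog before pressing OK.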

tashi
2006-07-24, 09:23
As the problem appears to be resolved this topic will be archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.