Clever virus, malware or something

magnox
2006-07-30, 13:16
Hi all,

got a problem with my laptop, but I still have my desktop PC.

My AVG gave 3 virus alerts, but wouldn't let me do anything with them as access to the file was denied; all were Trojans. Full system scans get stuck 'not responding'.
Adaware runs, finds 5 items but then gets stuck 'not responding' at a System32 file...once called xircom, once called zonedon.
Spybot runs at an absolute crawl....it's taken around 48hrs! Previously all A/V and antispyware apps. were fine.

I can't access the Windows system32 folder either...........Windows ends up 'not responding'

Any help appreciated.........laptop left powered-on after HJT log taken.

Pete

Logfile of HijackThis v1.99.1
Scan saved at 12:01:31, on 30/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\EMS Free Surfer Companion\fs30.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\User\My Documents\Peter\HELPHELP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\EMS Free Surfer Companion\fs30.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09F56747-B8EE-484E-9F15-B317655A31B1}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B8044B5-6186-44D7-BF08-AC8285357E82}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\..\{09F56747-B8EE-484E-9F15-B317655A31B1}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\..\{09F56747-B8EE-484E-9F15-B317655A31B1}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
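A helper reading the log above would go straight to the O17 lines: every TCP/IP NameServer value, in the current control set and in CS1 and CS2 alike, points at 85.255.116.126 and 85.255.112.119. The Python below is an added example (not part of this thread, nor code from HijackThis or Fixwareout) that pulls those entries out of a saved log and compares each resolver with the networks the machine is expected to use. The trusted ranges and the extra 192.168.1.1 line in the sample are assumptions made for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the three O17 lines below are copied from the HijackThis
# log posted in this thread; the last line is a constructed benign entry
# (a home router at 192.168.1.1) so the audit has something to accept.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{09F56747-B8EE-484E-9F15-B317655A31B1}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# "O17 - <registry key>: NameServer = <one or more addresses>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Return [(registry_key, [address, ...]), ...] for every O17 line.

    HijackThis prints several servers comma-separated under the per-interface
    keys and space-separated under the Parameters key, so split on either.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def audit_nameservers(log_text, trusted_networks):
    """Classify each configured resolver.

    trusted_networks: CIDR strings for resolvers the machine is expected to use
    (assumption: the helper knows the ISP's resolvers or the LAN range).
    Returns [(registry_key, address, status)] with status one of
    'trusted', 'unexpected' or 'invalid' (value is not an IP address at all).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for key, servers in parse_o17(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "invalid"))
                continue
            status = "trusted" if any(ip in n for n in nets) else "unexpected"
            findings.append((key, s, status))
    return findings


def unexpected_resolvers(log_text, trusted_networks):
    """Distinct resolver addresses outside the trusted networks, sorted."""
    return sorted({ip for _, ip, st in audit_nameservers(log_text, trusted_networks)
                   if st == "unexpected"})


def control_sets_affected(log_text, address):
    """Which control sets (CCS, CS1, CS2, ...) carry the given resolver.

    The log in this thread shows the same value under CCS, CS1 and CS2, so
    booting Last Known Good Configuration would have loaded the same resolvers.
    """
    hit = set()
    for key, servers in parse_o17(log_text):
        if address in servers:
            m = re.search(r"HKLM\\System\\(\w+)\\", key)
            if m:
                hit.add(m.group(1))
    return sorted(hit)


if __name__ == "__main__":
    for finding in audit_nameservers(SAMPLE_LOG, ["192.168.0.0/16", "10.0.0.0/8"]):
        print(finding)
```

On the second log posted later in the thread, taken after Fixwareout ran, there are no O17 lines at all, so `unexpected_resolvers` returns an empty list, which is the result a helper wants to see before closing the case.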

LonnyRJones
2006-08-03, 08:54
Hi


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum please.

magnox
2006-08-03, 23:59
ok thanks.............here we go then


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A7802C79045-676A-8354-E296-088824D8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F44274282D3D-DF18-8C44-42DD-7E002AF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}02916C71A5AC-227A-98F4-BF82-A42E82AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D4577BAD20A-E2D8-D0D4-2992-0335B83A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CA3BEFF5BA1E-E8AA-6BC4-5747-5897C3C1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0A12828F69E2-930A-A074-02DE-879E3585{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}879520C2E207-5A2A-A094-7448-806B7247{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0102454B5B83-14DA-2094-88D7-D199DD14{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C48BE31C462D-8C79-0EB4-C4B6-7BD2379E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}259CF8792572-9A99-FDF4-C7D2-8FEDE327{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}918D782D786D-D8AA-3824-805C-71B7CF72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5B21F3C8EBAC-8D8A-E4C4-92C0-701C9359{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}575D04F262F8-BA4B-C734-5245-43F880A9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C430EC56F79-7C5A-C894-BBA8-0FF814E5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}05404DE1A37A-95FB-D0E4-5085-D6C058BA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA0FFD429C4E-3769-9644-4B41-1BEEAA44{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A878A457B083-E548-94A4-C155-2CE2D66E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9BD2C1D69C0-DB19-8354-61D0-6E435A58{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}886516975179-BC79-ABD4-87EC-D46DE3AB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CF4D0FD4FEEF-A2B9-09C4-CC5D-25DD4A06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}39C064C21C83-CFA9-0DF4-7A2B-1C94BD1B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}11B438CF58EE-140A-A334-EC4C-2D52A71A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}175532DD83F4-6AA9-95E4-87C7-2385202B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87836BEEF814-D238-15E4-6903-AE0A653C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}52FF76384E8B-7EE9-9844-98CB-EEBADE77{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8184368FF41A-8DFA-EEF4-334C-31750934{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AC3FCF9E07DA-87EA-AEC4-63B4-027CDC79{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C15B40C972DB-0EC9-A984-C8DC-221A2589{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B4D399BF7FF-4CF9-6034-6CF3-D9EF19A8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC2ABE4FD76B-6029-F8C4-7342-669E2D96{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C01A5A0A6DF2-99AB-6044-D262-21450D9A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F0F0FEB0C32D-82F8-5804-155C-5CF52120{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C711583C8DF4-0FDB-BD54-BF08-4D3633D2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FBA1E85B92A0-C92B-7924-DAD2-13938744{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A57D1B2CA7FF-4429-2854-2395-11AAC15C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9E67B2CFE095-EDBA-3844-1E14-4602EDE6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7719D1C3A9D-1868-E554-AD5A-BA9C5F57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9AE7DA315030-DD3B-6C54-70BC-3551B2F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E4B8E6103CAE-77BB-B5C4-2707-06103068{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}40C7C77A1738-9218-B394-4361-FD835BFC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mzsmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmszm.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\RDPCLIP.EXE
* csr.exe C:\WINDOWS\System32\CSBTC.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSBTC.EXE 51,217 2006-07-29
C:\WINDOWS\SYSTEM32\DMOGQ.EXE 62,000 2003-07-16
C:\WINDOWS\SYSTEM32\DMSZM.EXE 62,000 2003-07-16
Other suspects
Directory of C:\WINDOWS\system32
{CFB538DF-1634-493B-8129-8371A77C7C04}.exe
{86030160-7072-4C5B-BB77-EAC3016E8B4E}.exe
{8F2B1553-CB07-45C6-B3DD-030513AD7EA9}.exe
{75F5C9AB-A5DA-455E-8681-D9A3C1D9177B}.exe
{6EDE2064-41E1-4483-ABDE-590EFC2B76E9}.exe
{C51CAA11-5932-4582-9244-FF7AC2B1D75A}.exe
{44783931-2DAD-4297-B29C-0A29B58E1ABF}.exe
{2D3363D4-80FB-45DB-BDF0-4FD8C385117C}.exe
{02125FC5-C551-4085-8F28-D23C0BEF0F0F}.exe
{A9D05412-262D-4406-BA99-2FD6A0A5A10C}.exe
{69D2E966-2437-4C8F-9206-B67DF4EBA2CD}.exe
{8A91FE9D-3FC6-4306-9FC4-FF7FB993D4B2}.exe
{9852A122-CD8C-489A-9CE0-BD279C04B51C}.exe
{97CDC720-4B36-4CEA-AE78-AD70E9FCF3CA}.exe
{43905713-C433-4FEE-AFD8-A14FF8634818}.exe
{77EDABEE-BC89-4489-9EE7-B8E48367FF25}.exe
{C356A0EA-3096-4E51-832D-418FEEB63878}.exe
{B2025832-7C78-4E59-9AA6-4F38DD235571}.exe
{A17A25D2-C4CE-433A-A041-EE85FC834B11}.exe
{B1DB49C1-B2A7-4FD0-9AFC-38C12C460C93}.exe
{60A4DD52-D5CC-4C90-9B2A-FEEF4DF0D4FC}.exe
{BA3ED64D-CE78-4DBA-97CB-971579615688}.exe
{85A534E6-0D16-4538-91BD-0C96D1C2DB9B}.exe
{E66D2EC2-551C-4A49-845E-380B754A878A}.exe
{44AAEEB1-14B4-4469-9673-E4C924DFF0AB}.exe
{AB850C6D-5805-4E0D-BF59-A73A1ED40450}.exe
{5E418FF0-8ABB-498C-A5C7-97F65CE034C6}.exe
{9539C107-0C29-4C4E-A8D8-CABE8C3F12B5}.exe
{27FC7B17-C508-4283-AA8D-D687D287D819}.exe
{723EDEF8-2D7C-4FDF-99A9-2752978FC952}.exe
{E9732DB7-6B4C-4BE0-97C8-D264C13EB84C}.exe
{41DD991D-7D88-4902-AD41-38B5B4542010}.exe
{7427B608-8447-490A-A2A5-702E2C025978}.exe
{5853E978-ED20-470A-A039-2E96F82821A0}.exe
{1C3C7985-7475-4CB6-AA8E-E1AB5FFEB3AC}.exe
{A38B5330-2992-4D0D-8D2E-A02DAB7754D8}.exe
{DA28E24A-28FB-4F89-A722-CA5A17C61920}.exe
{6FA200E7-DD24-44C8-81FD-D3D28247244F}.exe

#######################

Logfile of HijackThis v1.99.1
Scan saved at 22:52:14, on 03/08/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\EMS Free Surfer Companion\fs30.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\EMS Free Surfer Companion\fs30.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Many thanks

Pete

BTW, an interesting thing just happened. After I ran Fixwareout etc. I got an AVG virus message for a system32 file. I haven't had one for days during all of my scans. I took the chance to move it to the virus vault.
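The Fixwareout report above shows what its file search keys on: five-letter names beginning cs, dm or jb, GUID-shaped .exe names in system32, matching by size as well as name, and the Run value that loads one of them, while warning that legitimate files such as ipsec6.exe will be listed too. As an added example, not Fixwareout's own code, here are those heuristics applied to a constructed directory listing; the file sizes, the contents of the allowlist and the Run values are assumptions made for the demonstration.

```python
import re

# Constructed directory listing for C:\WINDOWS\system32: the suspect names come
# from the Fixwareout report above; the remaining entries are well-known
# Windows files added here for contrast (sizes are illustrative, not real).
SAMPLE_LISTING = [
    ("CSBTC.EXE", 51217),
    ("DMOGQ.EXE", 62000),
    ("DMSZM.EXE", 62000),
    ("{CFB538DF-1634-493B-8129-8371A77C7C04}.exe", 40960),
    ("{86030160-7072-4C5B-BB77-EAC3016E8B4E}.exe", 45056),
    ("IPSEC6.EXE", 26624),    # legitimate; the report itself names it as a false positive
    ("csrss.exe", 6144),      # legitimate, yet "cs" + three letters: the rule alone would flag it
    ("dmadmin.exe", 224768),  # legitimate, seven letters, so the five-letter rule ignores it
    ("notepad.exe", 69120),
]

# Constructed HKLM ...\Run values (value name -> command), modelled on the
# "Random Runs removed from HKLM" section of the report and the first HJT log.
SAMPLE_RUN_VALUES = {
    "dmszm.exe": "dmszm.exe",
    "AVG7_CC": r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
}

# The two naming patterns the report searches for.
FIVE_LETTER_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)

# Assumption: an allowlist of Windows files the patterns are known to catch.
# A real triage would back this with vendor hashes, never with names alone,
# because malware borrows legitimate file names.
KNOWN_LEGIT = {"ipsec6.exe", "rdpclip.exe", "csrss.exe"}


def classify(name):
    """Return the pattern a name matches, 'known-legit' for allowlisted files, or None."""
    lname = name.lower()
    if lname in KNOWN_LEGIT:
        return "known-legit"
    if FIVE_LETTER_RE.match(lname):
        return "five-letter-cs-dm-jb"
    if GUID_NAME_RE.match(lname):
        return "guid-named-exe"
    return None


def triage(listing, run_values):
    """Map each suspect file name to the list of reasons it was flagged.

    A Run value whose command mentions the file adds 'autostart'; a file with
    the same size as another suspect adds 'size-twin', mirroring the report's
    search by size and name. Allowlisted and unmatched files are left out.
    """
    suspects = {}
    for name, size in listing:
        reason = classify(name)
        if reason in (None, "known-legit"):
            continue
        suspects[name] = ([reason], size)
    sizes = [size for _, size in suspects.values()]
    commands = [cmd.lower() for cmd in run_values.values()]
    result = {}
    for name, (reasons, size) in suspects.items():
        if any(name.lower() in cmd for cmd in commands):
            reasons.append("autostart")
        if sizes.count(size) > 1:
            reasons.append("size-twin")
        result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LISTING, SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The output is a list of suspects for review, not a verdict: as the report says, anything unfamiliar should be submitted to VirusTotal before it is deleted, and csrss.exe in the sample shows why a name pattern alone is not enough.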

LonnyRJones
2006-08-04, 00:46
Hi
If Spy Sweeper is not installed any longer, fix this item using HijackThis
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Uninstall ewido and go get the new version, update and do a full scan, afterwards update and run your antivirus program.

Delete these files if they still exist at these locations only
C:\WINDOWS\SYSTEM32\CSBTC.EXE
C:\WINDOWS\SYSTEM32\DMOGQ.EXE
C:\WINDOWS\SYSTEM32\DMSZM.EXE
C:\WINDOWS\system32\{CFB538DF-1634-493B-8129-8371A77C7C04}.exe
C:\WINDOWS\system32\{86030160-7072-4C5B-BB77-EAC3016E8B4E}.exe
C:\WINDOWS\system32\{8F2B1553-CB07-45C6-B3DD-030513AD7EA9}.exe
C:\WINDOWS\system32\{75F5C9AB-A5DA-455E-8681-D9A3C1D9177B}.exe
C:\WINDOWS\system32\{6EDE2064-41E1-4483-ABDE-590EFC2B76E9}.exe
C:\WINDOWS\system32\{C51CAA11-5932-4582-9244-FF7AC2B1D75A}.exe
C:\WINDOWS\system32\{44783931-2DAD-4297-B29C-0A29B58E1ABF}.exe
C:\WINDOWS\system32\{2D3363D4-80FB-45DB-BDF0-4FD8C385117C}.exe
C:\WINDOWS\system32\{02125FC5-C551-4085-8F28-D23C0BEF0F0F}.exe
C:\WINDOWS\system32\{A9D05412-262D-4406-BA99-2FD6A0A5A10C}.exe
C:\WINDOWS\system32\{69D2E966-2437-4C8F-9206-B67DF4EBA2CD}.exe
C:\WINDOWS\system32\{8A91FE9D-3FC6-4306-9FC4-FF7FB993D4B2}.exe
C:\WINDOWS\system32\{9852A122-CD8C-489A-9CE0-BD279C04B51C}.exe
C:\WINDOWS\system32\{97CDC720-4B36-4CEA-AE78-AD70E9FCF3CA}.exe
C:\WINDOWS\system32\{43905713-C433-4FEE-AFD8-A14FF8634818}.exe
C:\WINDOWS\system32\{77EDABEE-BC89-4489-9EE7-B8E48367FF25}.exe
C:\WINDOWS\system32\{C356A0EA-3096-4E51-832D-418FEEB63878}.exe
C:\WINDOWS\system32\{B2025832-7C78-4E59-9AA6-4F38DD235571}.exe
C:\WINDOWS\system32\{A17A25D2-C4CE-433A-A041-EE85FC834B11}.exe
C:\WINDOWS\system32\{B1DB49C1-B2A7-4FD0-9AFC-38C12C460C93}.exe
C:\WINDOWS\system32\{60A4DD52-D5CC-4C90-9B2A-FEEF4DF0D4FC}.exe
C:\WINDOWS\system32\{BA3ED64D-CE78-4DBA-97CB-971579615688}.exe
C:\WINDOWS\system32\{85A534E6-0D16-4538-91BD-0C96D1C2DB9B}.exe
C:\WINDOWS\system32\{E66D2EC2-551C-4A49-845E-380B754A878A}.exe
C:\WINDOWS\system32\{44AAEEB1-14B4-4469-9673-E4C924DFF0AB}.exe
C:\WINDOWS\system32\{AB850C6D-5805-4E0D-BF59-A73A1ED40450}.exe
C:\WINDOWS\system32\{5E418FF0-8ABB-498C-A5C7-97F65CE034C6}.exe
C:\WINDOWS\system32\{9539C107-0C29-4C4E-A8D8-CABE8C3F12B5}.exe
C:\WINDOWS\system32\{27FC7B17-C508-4283-AA8D-D687D287D819}.exe
C:\WINDOWS\system32\{723EDEF8-2D7C-4FDF-99A9-2752978FC952}.exe
C:\WINDOWS\system32\{E9732DB7-6B4C-4BE0-97C8-D264C13EB84C}.exe
C:\WINDOWS\system32\{41DD991D-7D88-4902-AD41-38B5B4542010}.exe
C:\WINDOWS\system32\{7427B608-8447-490A-A2A5-702E2C025978}.exe
C:\WINDOWS\system32\{5853E978-ED20-470A-A039-2E96F82821A0}.exe
C:\WINDOWS\system32\{1C3C7985-7475-4CB6-AA8E-E1AB5FFEB3AC}.exe
C:\WINDOWS\system32\{A38B5330-2992-4D0D-8D2E-A02DAB7754D8}.exe
C:\WINDOWS\system32\{DA28E24A-28FB-4F89-A722-CA5A17C61920}.exe
C:\WINDOWS\system32\{6FA200E7-DD24-44C8-81FD-D3D28247244F}.exe


Are there any problems now?
If not, now is the time to visit Windows Update

magnox
2006-08-04, 11:28
Oh thank you.

I've done as you said. AVG and all other scanners working ok now.
AVG found & killed 35 viruses, from the original 3. I think it had been replicating itself.

Access to the system32 folder is ok too.

I've just DL'd SP2 to install and more to follow.

I don't know what that Fixwareout is exactly, but it sure worked a treat.

Once again , many thanks :bigthumb:

LonnyRJones
2006-08-08, 04:25
How's that PC?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

magnox
2006-08-10, 10:24
Running fine now,

I've installed SP2 & already use Spybot S&D, Adaware, AVG, ZoneAlarm and SpywareBlaster. I mostly surf using Firefox with NoScript, but got infected when a site wouldn't open with the browser, so I opened it in IE and bingo bango......Web dialogs and start of problems. At one point, a scanner by BitDefender said I had a viral hook too, but not any more.

Like I said, that Fixwareout worked brilliantly. I was surprised at how tenacious this thing was also, preventing apps. running properly and finding it, and denying access to the system32 folder. I'd also love to be able to help out other people in similar situations.

Cheers,

Pete :bigthumb:

LonnyRJones
2006-08-10, 10:45
F-Secure's BlackLight will also deal with most of that infection's files
https://europe.f-secure.com/blacklight/try.shtml
Legitimate files can and do show at times.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Best regards
Lonn
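Both of LonnyRJones's prevention posts recommend installing the MVPS hosts file. Once it is in place, a quick sanity check is to parse the file and confirm that every line is well-formed and that names are only ever mapped to a sinkhole address (0.0.0.0 or 127.0.0.1) rather than redirected somewhere else; the reversed "localhost 127.0.0.1" line that HijackThis reported as O1 in the first log is the kind of malformed entry such a check catches. The Python below is an added example, not code from the thread or from MVPS; the sample hosts file is constructed, and the choice of 0.0.0.0 and 127.0.0.1 as the only acceptable targets for a blocking list is an assumption made for the demonstration.

```python
import ipaddress

# Constructed sample hosts file: the standard localhost line, two blocking
# entries in the style of a block list, a malformed line mirroring the O1
# entry in the first HijackThis log above, and one entry that redirects
# rather than blocks.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.invalid   # blocked advertising host (constructed)
0.0.0.0  tracker.example.invalid
localhost 127.0.0.1
203.0.113.9  update.example.invalid   # constructed: a redirect, not a block
"""

# Assumption: a blocking hosts file should only ever point names at these.
SINKHOLES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (entries, malformed).

    entries: [(ip_address, [name, ...]), ...] for every well-formed line.
    malformed: raw lines whose first field is not an IP address, which the
    resolver cannot use and which deserve a look.
    """
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(raw.strip())
            continue
        entries.append((ip, fields[1:]))
    return entries, malformed


def audit_hosts(text):
    """Report names mapped to a non-sinkhole address (redirects) and malformed lines."""
    entries, malformed = parse_hosts(text)
    redirects = [(str(ip), name)
                 for ip, names in entries if ip not in SINKHOLES
                 for name in names]
    return {"redirects": redirects, "malformed": malformed}


def is_pure_blocklist(text):
    """True when the file only blocks (sinkhole targets) and has no malformed lines."""
    report = audit_hosts(text)
    return not report["redirects"] and not report["malformed"]


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Run against a freshly installed block list the audit should come back empty; a redirect entry or a malformed line after that point means something other than the user has edited the file and is worth investigating before anything else.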

tashi
2006-08-14, 08:43
I'd also love to be able to help out other people in similar situations.

Classroom. (http://forums.tomcoyote.org/index.php?showtopic=1421)
Malware University. (http://forum.malwareremoval.com/viewtopic.php?t=233&sid=8e15568c06cefe00ffbeee9fc989314b)
Boot Camp Admission. (http://forums.spywareinfo.com/index.php?showtopic=34#)

:D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help. :)