Spybot and other scans crash - Cannot access System32 folder



Vexta
2006-08-15, 20:43
Hi

While I was away on holiday last week I got a call from a friend who was house/cat sitting for us saying,

"Don't panic but I think I have managed to pick up a virus on your PC."

He says it came from some browser hijack where he clicked on the wrong button or something. Great...

Much worse, he says he also clicked on the wrong button when Tea Timer popped up asking permission for a registry change!! This may be due to the annoying 'button text not displaying properly bug.'

He says that in a desperate attempt to save the situation he ran AVG, Ad-Aware, Spybot and Ewido, all of which crashed. Some scans showed that it wasn't until they reached the System32 Folder that they crashed. He says that before they crashed a couple of scans referred to various corrupted or malicious files in System32.

This is where it gets really worrying...
He decided to manually delete them but couldn't gain access through Explorer to System32. Eventually he was able to locate the offending(?) files via Windows search and then deleted them.

I thought that maybe he couldn't gain access to System32 because he was only using an account with limited permissions. If only that was the case!!

When I got back I tried to access the folder from the Administrator's account to discover the same problem. You just get a blank window and have to end the process with task manager.


I have since run an online Bit Defender scan which also crashed at C:\WINDOWS\System32\ZoneLabs\
At this point it was saying it was reading file 27052 out of 27050 (huh?)

Before that it had found 2 viruses and 5 infected files which it couldn't disinfect but it said it had deleted them. They were as follows:

C:\WINDOWS\System32\dmhip.exe
C:\WINDOWS\System32\dmjup.exe
C:\WINDOWS\System32\dmkif.exe
C:\WINDOWS\System32\dmtold.exe
- All of which were infected with MemScan:Trojan.Agent.QB

and

C:\WINDOWS\System32\tiryt.exe
- Which was infected with MemScan:Trojan.Downloader.Agent.ACH



After this I ran Spybot in Safe Mode:
It crashed while running bot check on file 5125 of 406804: Win32.Sober



Next came an Ewido scan:
It crashed at C:\WINDOWS\temp - but not before it found these infections:

Process: [444]VM_00D60000 Infection: Downloader.Agent.uj
Process: [468]VM_00C70000 Infection: Downloader.Agent.uj
Process: [1552]VM_009D0000 Infection: Downloader.Agent.uj
Process: [2004]VM_00AD0000 Infection: Downloader.Agent.uj
Process: [2028]VM_00390000 Infection: Downloader.Agent.uj
Process: [164]VM_00A20000 Infection: Downloader.Agent.uj
Process: [180]VM_003B0000 Infection: Downloader.Agent.uj
Process: [188]VM_00960000 Infection: Downloader.Agent.uj
Process: [284]VM_009E0000 Infection: Downloader.Agent.uj
Process: [324]VM_00880000 Infection: Downloader.Agent.uj
Process: [856]VM_009F0000 Infection: Downloader.Agent.uj
Process: [1180]VM_00A20000 Infection: Trojan.small.fb
Process: [928]VM_008B0000 Infection: Downloader.Agent.uj

I was asked if I wanted to delete these, I clicked yes so hopefully they are all gone now.
(who can tell??)

Last of all here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:42:13, on 15/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\1_Non Windows Software\Administrative\Ewido antimalware\prog files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Administrative\Spybot\Prog Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sra3.guardian.co.uk/home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\1_Non Windows Software\Administrative\Spybot\Prog Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: http://sra3.guardian.co.uk
O15 - Trusted Zone: *.markusjannson.net
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.spammotel.com
O15 - Trusted Zone: www.sunbelt-software.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62BC2843-ACBE-4C73-84B8-E147FD4844B2}: NameServer = 85.255.113.147,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\1_Non Windows Software\Administrative\Ewido antimalware\prog files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Please Help, I'm at the end of the line here... I know it must be bad if I can't even get into the System32 folder.

Any help would be most gratefully received.

Glen

Vexta
2006-08-15, 20:50
Sorry, forgot to mention:
every time I try to go to any legitimate spyware removal software website from a search engine my browser gets redirected to dodgy spyware removal sites!! I can only get to this website by going to it through my favourites.
Cheers
Glen
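Added example, not from the thread or from any of the tools named in it: a small Python triage script that reads HijackThis-style lines like the ones posted above and flags the items a helper would look at first, namely O17 NameServer entries pointing at resolvers outside the networks the PC should be using (the setting behind search-engine redirects of the kind Glen describes), O4 Run entries whose target sits directly in system32 without being a known autostart, and O20 Winlogon Notify hooks whose DLL is missing. The sample log, the trusted DNS networks and the allowlist of known system32 autostarts are constructed assumptions for the demonstration, not values taken from the thread.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not a HijackThis feature)."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the O4/O17/O20 line formats in the thread (not a real capture).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmwbf.exe] C:\WINDOWS\system32\dmwbf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{62BC2843-ACBE-4C73-84B8-E147FD4844B2}: NameServer = 85.255.113.147,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.254
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Hypothetical allowlist: networks in which this PC's DNS resolvers are supposed to live
# (the LAN router and, in a real deployment, the ISP's published resolver range).
TRUSTED_DNS_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Hypothetical, deliberately minimal allowlist of Microsoft autostarts that live in system32.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def rogue_nameservers(entries):
    """O17 NameServer addresses (comma- or space-separated) outside TRUSTED_DNS_NETWORKS."""
    rogue = set()
    for section, body in entries:
        if section != "O17" or "NameServer" not in body:
            continue
        _, _, value = body.partition("NameServer =")
        for token in re.split(r"[,\s]+", value.strip()):
            if not token:
                continue
            try:
                addr = ip_address(token)
            except ValueError:
                continue  # not an address; leave it for manual review
            if not any(addr in net for net in TRUSTED_DNS_NETWORKS):
                rogue.add(str(addr))
    return sorted(rogue)


def suspicious_run_entries(entries):
    """O4 Run targets that sit directly in system32 and are not a known autostart."""
    hits = []
    for section, body in entries:
        if section != "O4":
            continue
        m = re.search(r'\\system32\\([^\\\s"]+\.exe)', body, re.IGNORECASE)
        if m and m.group(1).lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
            hits.append(m.group(1))
    return hits


def missing_winlogon_notify(entries):
    """O20 Winlogon Notify entries whose DLL no longer exists (orphaned hooks)."""
    return [body for section, body in entries if section == "O20" and "(file missing)" in body]


def triage(text):
    """Run all three checks over a log and return the findings keyed by check name."""
    entries = parse_hjt(text)
    return {
        "rogue_nameservers": rogue_nameservers(entries),
        "suspicious_run": suspicious_run_entries(entries),
        "missing_notify": missing_winlogon_notify(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved HijackThis log by reading the file and passing its contents to `triage()`. The NameServer check is intentionally an allowlist rather than a blocklist: a resolver address that is not one the machine should be using is the finding, regardless of who owns it, which is why the trusted networks have to be filled in for the actual ISP and LAN.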

LonnyRJones
2006-08-19, 13:34
Hi Vexta
Please post a fresh HijackThis log, try to post it without the formatting getting messed up, might have to turn word wrap off or on in order to do so.

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run Blacklight, click > Scan, then > Next, Next again, then Exit.
There will be a new txt file next to Blacklight. Post it please.
Important: If any files show, do not rename them YET..... legitimate files can be listed.

Vexta
2006-08-20, 14:13
Here's the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:51, on 20/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\1_Non Windows Software\Administrative\Ewido antimalware\prog files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Administrative\Spybot\Prog Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sra3.guardian.co.uk/home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\1_Non Windows Software\Administrative\Spybot\Prog Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: http://sra3.guardian.co.uk
O15 - Trusted Zone: *.markusjannson.net
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.passport.com
O15 - Trusted Zone: *.spammotel.com
O15 - Trusted Zone: www.sunbelt-software.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62BC2843-ACBE-4C73-84B8-E147FD4844B2}: NameServer = 85.255.113.147,85.255.112.188
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\1_Non Windows Software\Administrative\Ewido antimalware\prog files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Unfortunately Blacklight crashed when it got to System32 (there's a pattern emerging here!) so I couldn't save a logfile, although before it crashed it said it had found 26 items in System32.

Also now, AVG resident keeps popping up saying it had found a virus while opening c:\WINDOWS\System32\{289854FD-0833-420f-BD83-D1BABD30A0BF}.exe
Trojan horse Generic.XKS
it seems to be unable to heal this virus or move it to the vault...

Also since my last post I did another Ewido scan, this time of just the memory, and it came up with the same reading as before, so before, when it said it had removed it, it hadn't.
Here's the report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:21:31, 20/08/2006
+ Report-Checksum: 831D1C0

+ Scan result:

[436] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[460] VM_00C70000 -> Downloader.Agent.uj : Error during cleaning
[1572] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[1916] VM_00AD0000 -> Downloader.Agent.uj : Error during cleaning
[1936] VM_00390000 -> Downloader.Agent.uj : Error during cleaning
[1948] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning
[1956] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning
[1964] VM_00960000 -> Downloader.Agent.uj : Error during cleaning
[2000] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[308] VM_00880000 -> Downloader.Agent.uj : Error during cleaning
[708] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning


::Report End

Please help... it seems that whatever is in there (System32) has locked the folder down and isn't allowing access to it!

Any help is desperately appreciated.

Cheers

Glen

LonnyRJones
2006-08-20, 15:21
Please disable SpybotSD TeaTimer for now.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode.
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and uncheck the box next to TeaTimer:
"Resident "TeaTimer" (protection of all-over system settings) active"
Close Spybot.
We will remind you to turn it on later.


Where is the Blacklight log?

Vexta
2006-08-21, 12:06
Ok done that... awaiting further instruction.

As said in my last post, Blacklight crashed as it reached System32, so I was unable to provide a logfile.

Vexta
2006-08-21, 12:08
PS: one other thing I've noticed is that I now seem to be unable to download any AVG updates, virus defs etc.

LonnyRJones
2006-08-21, 14:06
Hi

Restart your PC, then before doing any other tasks try Blacklight again.
Let me know if you get the same problem.
It will show some legit files so do not choose to rename any yet.

Vexta
2006-08-21, 18:56
Here's an update.
Since my last post I took some advice from the techsupportguy forum and downloaded and ran fixwareout, which yielded some success and has enabled me to get back into System32... hoorah!
So after updating AVG I've run a scan which found six infections which I was able to manually delete from the System32 folder.

Here is the report from AVG:

Partition table (MBR) - OK - Quick checked
Boot sector of disk C: - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load - Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit - Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - Scanned
System registry exefile\shell\open\command - Scanned
System registry scrfile\shell\open\command - Scanned
System registry scrfile\shell\config\command - Scanned
System registry batfile\shell\open\command - Scanned
System registry cmdfile\shell\open\command - Scanned
System registry comfile\shell\open\command - Scanned
System registry piffile\shell\open\command - Scanned
System registry giffile\shell\open\command - Scanned
System registry htmlfile\shell\open\command - Scanned
System registry htafile\shell\open\command - Scanned
System registry jpegfile\shell\open\command - Scanned
System registry txtfile\shell\open\command - Scanned
System registry regfile\shell\open\command - Scanned
System registry cplfile\shell\cplopen\command - Scanned
System registry Word.Document.8\shell\open\command - Scanned
System registry WordPad.Document.1\shell\open\command - Scanned
System registry inffile\shell\open\command - Scanned
System registry vbsfile\shell\open\command - Scanned
System registry vbefile\shell\open\command - Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe - OK - Quick checked
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe - OK - Quick checked
C:\Program Files\1_Non Windows Software\Office\Office10\WINWORD.EXE - OK - Quick checked
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe - OK - Quick checked
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe - OK - Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE - OK - Quick checked
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe - OK - Quick checked
C:\WINDOWS\regedit.exe - OK - Quick checked
C:\WINDOWS\system32\dmgtt.exe - Reading error - Error
C:\WINDOWS\system32\mshta.exe - OK - Quick checked
C:\WINDOWS\system32\rundll32.exe - OK - Quick checked
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\WINDOWS\system32\shimgvw.dll - OK - Quick checked
C:\WINDOWS\system32\kernel32.dll - OK - Quick checked
C:\WINDOWS\system32\wsock32.dll - OK - Quick checked
C:\WINDOWS\system32\user32.dll - Change - Changed
C:\WINDOWS\system32\shell32.dll - Change - Changed
C:\WINDOWS\system32\ntoskrnl.exe - Change - Changed
C:\WINDOWS\system32\drivers\etc\hosts - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load - Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce - Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit - Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - Scanned
System registry exefile\shell\open\command - Scanned
System registry scrfile\shell\open\command - Scanned
System registry scrfile\shell\config\command - Scanned
System registry batfile\shell\open\command - Scanned
System registry cmdfile\shell\open\command - Scanned
System registry comfile\shell\open\command - Scanned
System registry piffile\shell\open\command - Scanned
System registry giffile\shell\open\command - Scanned
System registry htmlfile\shell\open\command - Scanned
System registry htafile\shell\open\command - Scanned
System registry jpegfile\shell\open\command - Scanned
System registry txtfile\shell\open\command - Scanned
System registry regfile\shell\open\command - Scanned
System registry cplfile\shell\cplopen\command - Scanned
System registry Word.Document.8\shell\open\command - Scanned
System registry WordPad.Document.1\shell\open\command - Scanned
System registry inffile\shell\open\command - Scanned
System registry vbsfile\shell\open\command - Scanned
System registry vbefile\shell\open\command - Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe - OK - Quick checked
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\ProgFiles\ZoneAlarm\zlclient.exe - OK - Quick checked
C:\Program Files\1_Non Windows Software\Office\Office10\WINWORD.EXE - OK - Quick checked
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe - OK - Quick checked
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe - OK - Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE - OK - Quick checked
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe - OK - Quick checked
C:\WINDOWS\regedit.exe - OK - Quick checked
C:\WINDOWS\system32\dmgtt.exe - Reading error - Error
C:\WINDOWS\system32\mshta.exe - OK - Quick checked
C:\WINDOWS\system32\rundll32.exe - OK - Quick checked
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\WINDOWS\system32\shimgvw.dll - OK - Quick checked
C:\WINDOWS\system32\{0DB666BF-5E3F-4629-BDB8-4AA027BADA52}.exe - Deleted
C:\WINDOWS\system32\{6894E334-9296-474A-83A5-EF48C254BD46}.exe - Deleted
C:\WINDOWS\system32\{7A40CA18-EED2-4AC8-9143-948DF8067B82}.exe - Deleted
C:\WINDOWS\system32\{9F8F2882-CA65-4488-BE9E-92B029F0CB57}.exe - Deleted
C:\WINDOWS\system32\{E1824839-CD7D-4CF1-A829-D05B12028A7A}.exe - Deleted
C:\WINDOWS\system32\{FD952359-D169-4FD3-BEDC-351D87F6D8B0}.exe - Deleted


I was also able to run a Spybot scan which found and fixed three problems. Unfortunately I couldn't find any facility to save a logfile from Spybot.

I've just run Ewido and it found a couple of dodgy things which I told to remove.
Here's the log file:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:19:32, 21/08/2006
+ Report-Checksum: 55DA452F

+ Scan result:

[1916] VM_016D0000 -> Trojan.Small.fb : Error during cleaning
C:\Documents and Settings\Shimbers\Cookies\shimbers@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup


::Report End




Then I ran Blacklight again, here's the log:

08/21/06 17:21:14 [Info]: BlackLight Engine 1.0.46 initialized
08/21/06 17:21:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/21/06 17:21:15 [Note]: 7019 4
08/21/06 17:21:15 [Note]: 7005 0
08/21/06 17:21:19 [Note]: 7006 0
08/21/06 17:21:19 [Note]: 7011 1916
08/21/06 17:21:20 [Note]: 7026 0
08/21/06 17:21:20 [Note]: 7026 0
08/21/06 17:21:38 [Note]: FSRAW library version 1.7.1019
08/21/06 17:33:08 [Note]: 7007 0



Lastly here's the most recent HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 17:35:14, on 21/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\1_Non Windows Software\Administrative\Ewido antimalware\prog files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe


I've still got a nagging doubt that there's something nasty still lurking in there. :confused:

LonnyRJones
2006-08-22, 04:17
Post a link to your thread at techsupportguy.
We understand why people sometimes ask for help in several forums, to get quicker help, but doing so has the opposite effect: you take more time from available helpers.

Either continue here or there and in the future don't multi forum post.

PS: By the way I'm the creator of fixwareout

Vexta
2006-08-22, 13:49
Hi
Sorry about that, :( as you say I'm just desperate to get this problem sorted ASAP.
Here's the link to Tech Support Guy: http://forums.techguy.org/security/493488-nasty-virus-problem-cant-access.html

You seem to be very busy here at Spybot forums so as I'm getting faster replies from Tech Support Guy, I'll continue my posts there. Didn't realise it'd be a problem but am now rightly castigated. :blush: Thanks for all your help so far.
Glen

LonnyRJones
2006-08-22, 17:11
You should post there and ask for your topic to be closed.
Last I looked you had made another post within an hour.
Once that's done we can continue.

Vexta
2006-08-22, 17:30
OK Lonny I've asked for the Tech Support Guy thread to be closed. So we can continue. I'm assuming you've read the last HijackThis logfile I posted on that thread, if not here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:45, on 22/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmwbf.exe] C:\WINDOWS\system32\dmwbf.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And here's the Fixwareout Log:



Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vlqmd
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMQLV.EXE 62,009 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


Now what???? ;)

LonnyRJones
2006-08-22, 17:49
Re-download and run Fixwareout; it's been changed a bit.

same instructions:

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

Vexta
2006-08-22, 19:23
Fixwareout:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fbwmd
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmwbf.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMWBF.EXE 62,009 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 18:04:35, on 22/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

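The two HijackThis logs above (the one taken before Fixwareout ran, with the `[dmwbf.exe]` Run entry, and the one taken after it) and the Fixwareout report's "five digit cs, dm and jb files" search are the kind of thing a helper compares by eye. The following is an added example, written for this thread and not code from Fixwareout, HijackThis or the forum: it parses the O4 Run lines of two logs, reports which autostart entries were removed or added between them, and flags any entry whose executable matches the naming pattern Fixwareout hunts for. The sample log lines are constructed from the logs posted in this thread, and the exact rule assumed for the Fixwareout check (a five-character basename starting with cs, dm or jb, in the system32 directory) is this example's own reading of the report text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the O4/O20 lines from the two HijackThis logs in this
# thread, the first taken before Fixwareout ran and the second after it.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmwbf.exe] C:\WINDOWS\system32\dmwbf.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# "O4 - HKLM\..\Run: [value name] command line"
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Fixwareout's "five digit cs, dm and jb files" check, as this example reads it
# (assumption): a five-character basename starting with cs, dm or jb, with an .exe
# extension, located in the Windows system32 directory.
SUSPECT_NAME = re.compile(r"^(cs|dm|jb)[a-z0-9]{3}\.exe$", re.IGNORECASE)
# First executable path in a Run value, whether quoted, unquoted or followed by arguments.
EXE_PATH = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def run_entries(log: str) -> Dict[str, str]:
    """Map each O4 Run entry name (the registry value name) to its command line."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("cmd")
    return entries


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def is_fixwareout_suspect(path: str) -> bool:
    """True if a path matches the naming pattern Fixwareout searches for in system32."""
    directory, _, basename = path.replace("/", "\\").rpartition("\\")
    return directory.lower().endswith("\\system32") and bool(SUSPECT_NAME.match(basename))


def diff_runs(before: str, after: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (added, removed) O4 Run entries between two HijackThis logs."""
    b, a = run_entries(before), run_entries(after)
    added = {k: v for k, v in a.items() if k not in b or b[k] != v}
    removed = {k: v for k, v in b.items() if k not in a}
    return added, removed


def suspect_runs(log: str) -> List[str]:
    """Names of the Run entries whose executable matches the suspect naming pattern."""
    return [name for name, cmd in run_entries(log).items()
            if is_fixwareout_suspect(command_path(cmd))]


def missing_notify_dlls(log: str) -> List[str]:
    """O20 Winlogon Notify entries whose DLL no longer exists (leftovers a helper may fix)."""
    return [line.strip() for line in log.splitlines()
            if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line]


if __name__ == "__main__":
    added, removed = diff_runs(HJT_BEFORE, HJT_AFTER)
    print("Run entries removed by the fix:", removed)
    print("Run entries added since the fix:", added)
    print("Suspect Run entries before the fix:", suspect_runs(HJT_BEFORE))
    print("Winlogon Notify leftovers:", missing_notify_dlls(HJT_AFTER))
```

The name check is only a triage heuristic, exactly as the Fixwareout report warns: it matches legitimate files too, and it misses anything that does not follow the pattern, so a hit is a candidate to submit for a second opinion rather than a verdict. The diff is the more useful part of the comparison, because a Run entry that reappears after a cleanup is the clearest sign that something is still re-installing itself.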
LonnyRJones
2006-08-23, 04:38
C:\WINDOWS\SYSTEM32\DMQLV.EXE < delete that file

If Spysweeper is uninstalled, this (harmless) leftover can be fixed using Hijackthis:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
=================
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

Are there any current problems ?

Vexta
2006-08-23, 11:35
Hi
Can't find either "C:\WINDOWS\SYSTEM32\DMQLV.EXE"
or
"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)"

I've done another HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:44, on 23/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I haven't noticed any problems, shall I start doing other virus/spyware scans yet?

LonnyRJones
2006-08-23, 12:51
You have killbox right ?
Run it, paste in the bolded line below, then click the red button; use standard file delete.
C:\WINDOWS\SYSTEM32\DMQLV.EXE
============================

Run Hijackthis, scan and place a check next to this item then click fix checked.
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

"shall I start doing other virus/spyware scans yet?"
I suggest checking for problems again with SpyBot then your updated antivirus program.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Vexta
2006-08-23, 18:51
I tried to delete the file using Killbox (Standard File Delete) - It said the file doesn't exist, so I tried again using 'Delete on reboot' and I got a dialog box saying 'PendingFileRenameOperations Registry Data has been removed by External Process!'

I Scanned with HijackThis and fixed checked
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Then did another HijackThis Scan, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:48:59, on 23/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\1_Non Windows Software\Administrative\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sra3.guardian.co.uk/home/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\1_non windows software\graphics\acrobat 5\prog files\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\1_NONW~1\ADMINI~1\Spybot\PROGFI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\1_Non Windows Software\Administrative\Zonealarm\Prog Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\1_Non Windows Software\Graphics\Acrobat 5\Prog Files\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\1_Non Windows Software\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\1_NONW~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

LonnyRJones
2006-08-23, 21:26
Now see if Blacklight will run; if so, post its log.

Vexta
2006-08-24, 11:51
I ran Blacklight and it said that no hidden processes were found and didn't give me an option to save a log...

LonnyRJones
2006-08-24, 14:41
Good
Post back in a few days, in the meantime keep an eye out for problems and let us know of them.

tashi
2006-08-28, 20:05
How is it going, Vexta?

tashi
2006-09-02, 21:26
This topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Thank you Lonny.