
Thread: Trojan got me...

  1. #1 Junior Member (Join Date: Jul 2006, Posts: 9)

    I'm not sure how rid of it I really am: Explorer has some issues with searching, Spybot S&D is running deathly slow, and I know I have a BHO that doesn't want to go away and that I don't want. Please help.


    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:45:26 PM, on 7/12/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\Lotus\Notes\ntmulti.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\WINNT\system32\MSTask.exe
    C:\sdprimer.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\ebless\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer (IE6SP1)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qomlj.dll
    O2 - BHO: (no name) - {E0D9B302-8063-48E1-AEDA-45C07398F054} - C:\Program Files\microsoft frontpage\tejovigax.dll (file missing)
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [3826jgtq] C:\WINNT\system32\3826jgtq.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sys02317364074] C:\WINNT\sys02317364074.exe
    O4 - HKLM\..\Run: [ms05364074317] C:\WINNT\ms05364074317.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [igico.exe] C:\WINNT\system32\igico.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Sametime Meeting Room Client ST31 -
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail1.wrberkley.com/AICBDM01/iNotes6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.in...lInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1128014352248
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128014341242
    O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://meetings.wrbc/sametime/stmeet...TJNILoader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06DCABB5-9C5C-4B7E-97A1-45BBCF15CB43}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7456EEF1-79CE-4CDA-AEB6-F8E0ED283E54}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9330DF28-EB57-4ED7-99B1-26881C7F6B18}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08509D1-ACA3-437C-89FD-7DF091C94D05}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2BD0EB5-1456-4228-977E-0368837CD993}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152
    O20 - AppInit_DLLs: c:\winnt\system32\regedit.dll rundll32.dll C:\WINNT\system32\rundll32.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O20 - Winlogon Notify: qomlj - C:\WINNT\SYSTEM32\qomlj.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Lotus\Notes\ntmulti.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: SD Primer Agent (SDPrimer) - Computer Associates International, Inc. - C:\sdprimer.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

  2. #2 Junior Member (Join Date: Jul 2006, Posts: 9)

    I should also note that I have run Ad-Aware through, and have Sophos Anti-Virus, which did detect two trojans and deleted them; they kept coming back, but since rebooting after running Ad-Aware I haven't seen them. Other than that, I have been unable to run my Spybot all the way through as it is running deathly slow; I thought maybe some of my problems could have something to do with that. Thanks for any help.

  3. #3 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,263)

    Hello, and sorry for the wait.
    If you are still in need of assistance, please go here and post a link back to this topic to flag a helper.

    If you have waited four days for advice, post here.
    Microsoft MVP Reconnect 2018
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi

    Please disable SpybotSD TeaTimer for now.
    To disable SpybotSD TeaTimer:
    Open Spybot and click on Mode and check Advanced Mode.
    Check Yes in the next window.
    Click on Tools in the bottom left-hand corner.
    Click on the Resident icon and uncheck the box next to TeaTimer:
    "Resident 'TeaTimer' (protection of all-over system settings) active"
    Close Spybot.
    We will remind you to turn it on later.

    Start HijackThis and place a check next to these items if they are there.
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: (no name) - {E0D9B302-8063-48E1-AEDA-45C07398F054} - C:\Program Files\microsoft frontpage\tejovigax.dll (file missing)
    O4 - HKLM\..\Run: [3826jgtq] C:\WINNT\system32\3826jgtq.exe
    O4 - HKLM\..\Run: [sys02317364074] C:\WINNT\sys02317364074.exe
    O4 - HKLM\..\Run: [ms05364074317] C:\WINNT\ms05364074317.exe
    O4 - HKLM\..\Run: [igico.exe] C:\WINNT\system32\igico.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{06DCABB5-9C5C-4B7E-97A1-45BBCF15CB43}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7456EEF1-79CE-4CDA-AEB6-F8E0ED283E54}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9330DF28-EB57-4ED7-99B1-26881C7F6B18}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08509D1-ACA3-437C-89FD-7DF091C94D05}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F2BD0EB5-1456-4228-977E-0368837CD993}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.115 85.255.112.152

    O20 - AppInit_DLLs: c:\winnt\system32\regedit.dll rundll32.dll C:\WINNT\system32\rundll32.dll
    ====================================
    Hit Fix checked and close HijackThis (don't worry about a HijackThis error).

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log in the forum.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
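A small triage script, added here as an illustration and not part of the thread or of HijackThis: it parses constructed log lines modelled on the ones posted above and flags the same three classes of entry the helper picked out (O17 resolvers outside trusted ranges, O4 Run entries launching straight from the Windows directory or system32, and a populated AppInit_DLLs value). The trusted-resolver ranges (RFC 1918, as expected on a domain-joined host) and the 10.1.2.x addresses are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (HJT section code, reason)

# Constructed sample lines modelled on the HijackThis log posted in this thread.
# The 10.1.2.x resolvers are made up to show a line that passes the check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [sys02317364074] C:\WINNT\sys02317364074.exe
O4 - HKLM\..\Run: [igico.exe] C:\WINNT\system32\igico.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{06DCABB5-9C5C-4B7E-97A1-45BBCF15CB43}: NameServer = 85.255.115.115,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.2.3 10.1.2.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
O20 - AppInit_DLLs: c:\winnt\system32\regedit.dll rundll32.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
"""

# Assumption: a domain-joined corporate host should only point at internal (RFC 1918) resolvers.
TRUSTED_DNS_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Legitimate products install under Program Files; an autostart that launches a loose
# executable straight from the Windows directory or system32 deserves a look.
SYSTEM_DIRS = {"c:\\winnt", "c:\\winnt\\system32", "c:\\windows", "c:\\windows\\system32"}

NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))')
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")


def check_nameservers(line: str) -> Optional[Finding]:
    """Flag O17 lines whose resolvers fall outside the trusted ranges."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return None
    rogue = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rogue.append(token)  # an unparsable value is itself worth a look
            continue
        if not any(addr in net for net in TRUSTED_DNS_NETS):
            rogue.append(token)
    if rogue:
        return ("O17", "resolver(s) outside trusted ranges: " + ", ".join(rogue))
    return None


def check_run_entry(line: str) -> Optional[Finding]:
    """Flag O4 Run entries whose executable sits directly in a system directory."""
    m = RUN_RE.match(line)
    if not m:
        return None
    path = (m.group("qpath") or m.group("upath")).lower()
    directory, _, filename = path.rpartition("\\")
    if directory in SYSTEM_DIRS:
        return ("O4", f"'{m.group('name')}' launches {filename} straight from {directory}")
    return None


def check_appinit(line: str) -> Optional[Finding]:
    """Flag a populated AppInit_DLLs value: each listed DLL is loaded into every user32 process."""
    m = APPINIT_RE.match(line)
    if not m:
        return None
    return ("O20", "AppInit_DLLs is populated: " + m.group("dlls").strip())


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Run every check over each log line; returns one (code, reason, line) per hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_nameservers, check_run_entry, check_appinit):
            hit = check(line)
            if hit:
                findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

The O4 heuristic is deliberately coarse: it points a human at entries to review, the way the helper did, rather than deciding for them.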

  5. #5 Junior Member (Join Date: Jul 2006, Posts: 9)

    First, TeaTimer was already unchecked; however, I did disengage the resident. Also, I know ewido says this BHO is a virus and blocks it, although ewido did not run when I restarted...

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qomlj.dll



    Logfile of HijackThis v1.99.1
    Scan saved at 5:39:05 PM, on 7/17/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\Lotus\Notes\ntmulti.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\WINNT\system32\MSTask.exe
    C:\sdprimer.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\ebless\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qomlj.dll
    O2 - BHO: RegiFastObj Class - {C67A62C7-A68D-484C-9617-880C1F70D3F7} - C:\PROGRA~1\RegiFast\RegiFast.dll (file missing)
    O2 - BHO: (no name) - {E0D9B302-8063-48E1-AEDA-45C07398F054} - (no file)
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ms05364074317] C:\WINNT\ms05364074317.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Sametime Meeting Room Client ST31 -
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.in...lInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1128014352248
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128014341242
    O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://meetings.wrbc/sametime/stmeet...TJNILoader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{008B724E-BE9E-4C31-9384-483C759D4B01}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{008B724E-BE9E-4C31-9384-483C759D4B01}: NameServer = 85.255.115.115,85.255.112.152
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wrbts.ads.wrberkley.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{008B724E-BE9E-4C31-9384-483C759D4B01}: NameServer = 85.255.115.115,85.255.112.152
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O20 - Winlogon Notify: qomlj - C:\WINNT\SYSTEM32\qomlj.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Lotus\Notes\ntmulti.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: SD Primer Agent (SDPrimer) - Computer Associates International, Inc. - C:\sdprimer.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe



    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmeum.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    Search by size and names...
    * csr.exe C:\WINNT\System32\CSTXW.EXE

    Misc files

    Checking for older varients covered by the Rem3 tool


    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINNT\SYSTEM32\CSTXW.EXE 51,298 2006-06-21
    Other suspects
    Directory of C:\WINNT\system32
    {45EF996F-7EBD-48FA-A063-9AC044F11D09}.exe
    {C728ED36-F243-4F02-96A8-59690FFBFBC4}.exe
    {C9B94FC2-7ED5-4ABD-9030-AFD055917939}.exe

  6. #6 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Manually delete these files:
    C:\WINNT\SYSTEM32\CSTXW.EXE
    C:\WINNT\system32\{45EF996F-7EBD-48FA-A063-9AC044F11D09}.exe
    C:\WINNT\system32\{C728ED36-F243-4F02-96A8-59690FFBFBC4}.exe
    C:\WINNT\system32\{C9B94FC2-7ED5-4ABD-9030-AFD055917939}.exe
    ================
    Do a file search for dmeum.exe in the windows\system32 folder; if it exists,
    let us know. I would appreciate a copy.


    You apparently did not turn TeaTimer off as suggested; please do so now.
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    It is running.

    Please download VundoFix.exe
    to your desktop.
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying VundoFix will close and re-open in a minute or less.
    Click OK.
    When VundoFix re-opens, click Scan for Vundo; when it is finished scanning,
    if no files were found,
    right-click the list box, then select Add files and add
    C:\WINNT\system32\qomlj.dll

    Do the same for this file:
    C:\WINNT\system32\jlmoq.*
    Click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click Yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Wait two minutes, then turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7 Junior Member (Join Date: Jul 2006, Posts: 9)

    VundoFix is not rebooting itself after checking "run as a task". Should I possibly run it anyway? Thanks.

  8. #8 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Most times people don't wait long enough, or the services that it requires are not running.

    Go Start > Run, type in services.msc and hit OK.
    Ensure the services "Task Scheduler" and "Secondary Logon" are set to Automatic and running (on Win 2k: Task Scheduler and RunAs service).
    Then restart the PC and run VundoFix as a task.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9 Junior Member (Join Date: Jul 2006, Posts: 9)

    Both are started and automatic. I've waited several minutes and the program does not restart. When I click on it, the box is still checkable to run as task, so that's telling me it's not running as a task as far as I can tell. Glitch or upgrade to Vundo? I've also tried redownloading VundoFix to no avail. Thanks for the help.

  10. #10 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Restart your PC if you haven't yet run VundoFix as a task; if after a few minutes it does not start,
    go Start > Programs > Accessories > System Tools > Scheduled Tasks,
    right-click on At1 (or similar) and choose Run.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
