Website Redirected


This topic is locked
9 replies to this topic

#1 smthomas
New Member, 5 posts

Posted 06 March 2006 - 03:25 PM

Every time I do a yahoo search I get a list and when I click on a link I get redirected twice. The third time I click on the link I get the right site. At the bottom of the Internet Explorer is shows the following IP address: 855.255.115.163

I read a forum on this and it didn't help me. Here is my log. Please help.

shawnmichaelthomas@yahoo.com

Logfile of HijackThis v1.99.1
Scan saved at 3:56:31 PM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\sthomas\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.norwood.c...?tab=PAPP_GUEST
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmcoo.exe] C:\WINDOWS\system32\dmcoo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139438590646
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O17 - HKLM\Software\..\Telephony: DomainName = norwoodaustin.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



#2 Siggyx
SuperHelper (Authentic Member), 6,776 posts

Posted 06 March 2006 - 06:22 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items (if they appear):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [dmcoo.exe] C:\WINDOWS\system32\dmcoo.exe

If you see a new item that wasn't in your last log in the O4 section of HijackThis, five-letters long, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.


Then click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

#3 smthomas
New Member, 5 posts

Posted 07 March 2006 - 07:47 AM

Here is the report:

Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\colmd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMLOC.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

I deleted 2 entries: R1....red.clientapps.yaho...etc

st

#4 Siggyx
SuperHelper (Authentic Member), 6,776 posts

Posted 07 March 2006 - 08:24 AM

I need to see a new hijackthis log also please.

#5 smthomas
New Member, 5 posts

Posted 07 March 2006 - 08:49 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:46:06 AM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sthomas\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmzri.exe] C:\WINDOWS\system32\dmzri.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139438590646
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O17 - HKLM\Software\..\Telephony: DomainName = norwoodaustin.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 Siggyx
SuperHelper (Authentic Member), 6,776 posts

Posted 07 March 2006 - 04:28 PM

Please follow the steps for the Wareout fix again and post a new Wareout log and HijackThis log please.

#7 smthomas
New Member, 5 posts

Posted 08 March 2006 - 09:18 AM

Here is the report:


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fpimd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMIPF.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Here is the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:56 AM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\fixwareout\SUB\BFU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sthomas\My Documents\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmipf.exe] C:\WINDOWS\system32\dmipf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139438590646
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O17 - HKLM\Software\..\Telephony: DomainName = norwoodaustin.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
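The two checks Siggyx asks for in post #2 (a five-letter dm***/hg***/cs*** .exe in an HKLM Run key, and "a new item that wasn't in your last log") are easy to miss by eye across three long logs, and the logs in posts #5 and #7 show why: the entry came back under a fresh name each time (dmcoo.exe, dmzri.exe, dmipf.exe). The script below is an added example written for this page; it is not part of the thread, of HijackThis or of FixWareout. It parses the O4 Run lines of a HijackThis 1.99 log, flags names matching the pattern Siggyx describes, diffs two logs, and includes one extra check that is only an observation from the two FixWareout reports posted here (not a documented property of the infection): the deleted `ruins\<subkey>` name is the dropped file's base name spelled backwards (DMLOC.EXE / colmd, DMIPF.EXE / fpimd). The sample log lines are constructed for the example, modelled on the logs above.

```python
"""Checks for the Wareout-style O4 autorun entries and FixWareout report
lines discussed in this thread.  Sample log lines below are constructed
for the example, modelled on the logs posted above."""
import re
from typing import Dict, List

# One HijackThis 1.99 "O4 - HK??\..\Run:" line, e.g.
#   O4 - HKLM\..\Run: [dmcoo.exe] C:\WINDOWS\system32\dmcoo.exe
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# The naming pattern the helper describes: a fixed two-letter prefix
# (dm, hg or cs) followed by three random letters, as a five-letter .exe.
WAREOUT_NAME_RE = re.compile(r"^(dm|hg|cs)[a-z]{3}\.exe$", re.IGNORECASE)


def parse_o4_run(log_text: str) -> List[Dict[str, str]]:
    """Return hive / value name / command for every O4 Run entry in a log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_wareout_style(entry: Dict[str, str]) -> bool:
    """True when the value name matches the pattern and the command is either
    the bare file name (resolved through the PATH, as in [cscyd.exe] cscyd.exe)
    or an absolute path into the Windows System32 directory."""
    name = entry["name"]
    if not WAREOUT_NAME_RE.match(name):
        return False
    cmd = entry["cmd"].strip().strip('"').lower()
    in_system32 = re.fullmatch(
        r"[a-z]:\\windows\\system32\\" + re.escape(name.lower()), cmd
    )
    return cmd == name.lower() or in_system32 is not None


def suspicious_o4(log_text: str) -> List[str]:
    """Value names of the O4 entries that should be checked in HijackThis."""
    return [e["name"] for e in parse_o4_run(log_text) if is_wareout_style(e)]


def new_o4_since(old_log: str, new_log: str) -> List[str]:
    """O4 value names present in new_log but not in old_log: the 'new item
    that wasn't in your last log' check from the helper's instructions.
    Legitimate additions show up here too, so combine with suspicious_o4()."""
    seen = {e["name"].lower() for e in parse_o4_run(old_log)}
    return [e["name"] for e in parse_o4_run(new_log) if e["name"].lower() not in seen]


def ruins_key_matches(exe_name: str, ruins_subkey: str) -> bool:
    """Observation from the two FixWareout reports in this thread only, not a
    documented property of the infection: the deleted
    HKLM\\...\\CurrentVersion\\ruins\\<subkey> name is the dropped file's base
    name spelled backwards (DMLOC.EXE / colmd, DMIPF.EXE / fpimd)."""
    stem = exe_name.lower().rsplit(".", 1)[0]
    return stem[::-1] == ruins_subkey.lower()


# Constructed sample O4 sections modelled on the first and second logs above.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmcoo.exe] C:\WINDOWS\system32\dmcoo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmzri.exe] C:\WINDOWS\system32\dmzri.exe
"""

if __name__ == "__main__":
    print("check in first log:", suspicious_o4(LOG_BEFORE))
    print("new since first log:", new_o4_since(LOG_BEFORE, LOG_AFTER))
    print("check in second log:", suspicious_o4(LOG_AFTER))
    print("ruins key pairs with file:", ruins_key_matches("DMIPF.EXE", "fpimd"))
```

Run against the two sample sections, `suspicious_o4` returns only the dm***.exe entry from each, and `new_o4_since` also reports the legitimate SunJavaUpdateSched addition, which is exactly why Siggyx says to leave anything you are unsure of and only fix the entries named. The System32 path test is deliberately strict: the same five-letter name under Program Files is not flagged, so the check stays on the pattern the thread actually shows.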

#8 Siggyx
SuperHelper (Authentic Member), 6,776 posts

Posted 08 March 2006 - 06:09 PM

Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\system32\dmipf.exe

Next

Please download WebRoot SpySweeper from HERE >>> http://www.webroot.c...ode=af1&rc=3597 (It's a 2 week trial):
Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log please.

#9 smthomas
New Member, 5 posts

Posted 10 March 2006 - 12:47 PM

Problem solved. You rock!

st


Here is the session log from the Webroot scan.



********
9:53 AM: | Start of Session, Friday, March 10, 2006 |
9:53 AM: Spy Sweeper started
9:53 AM: Sweep initiated using definitions version 630
9:53 AM: Starting Memory Sweep
9:58 AM: Found Trojan Horse: trojan-downloader-ruin
9:58 AM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
9:59 AM: Memory Sweep Complete, Elapsed Time: 00:05:31
9:59 AM: Starting Registry Sweep
9:59 AM: HKLM\software\microsoft\windows\currentversion\ruins\ (1 subtraces) (ID = 605128)
9:59 AM: Registry Sweep Complete, Elapsed Time:00:00:14
9:59 AM: Starting Cookie Sweep
9:59 AM: Found Spy Cookie: 2o7.net cookie
9:59 AM: sthomas@2o7[2].txt (ID = 1957)
9:59 AM: Found Spy Cookie: 7search cookie
9:59 AM: sthomas@7search[1].txt (ID = 2011)
9:59 AM: Found Spy Cookie: about cookie
9:59 AM: sthomas@about[2].txt (ID = 2037)
9:59 AM: Found Spy Cookie: specificclick.com cookie
9:59 AM: sthomas@adopt.specificclick[1].txt (ID = 3400)
9:59 AM: Found Spy Cookie: adrevolver cookie
9:59 AM: sthomas@adrevolver[2].txt (ID = 2088)
9:59 AM: sthomas@adrevolver[3].txt (ID = 2088)
9:59 AM: Found Spy Cookie: addynamix cookie
9:59 AM: sthomas@ads.addynamix[1].txt (ID = 2062)
9:59 AM: Found Spy Cookie: pointroll cookie
9:59 AM: sthomas@ads.pointroll[2].txt (ID = 3148)
9:59 AM: Found Spy Cookie: advertising cookie
9:59 AM: sthomas@advertising[1].txt (ID = 2175)
9:59 AM: Found Spy Cookie: apmebf cookie
9:59 AM: sthomas@apmebf[1].txt (ID = 2229)
9:59 AM: Found Spy Cookie: ask cookie
9:59 AM: sthomas@ask[1].txt (ID = 2245)
9:59 AM: Found Spy Cookie: atlas dmt cookie
9:59 AM: sthomas@atdmt[1].txt (ID = 2253)
9:59 AM: Found Spy Cookie: bluestreak cookie
9:59 AM: sthomas@bluestreak[2].txt (ID = 2314)
9:59 AM: Found Spy Cookie: burstnet cookie
9:59 AM: sthomas@burstnet[1].txt (ID = 2336)
9:59 AM: Found Spy Cookie: enhance cookie
9:59 AM: sthomas@c.enhance[1].txt (ID = 2614)
9:59 AM: Found Spy Cookie: goclick cookie
9:59 AM: sthomas@c.goclick[2].txt (ID = 2733)
9:59 AM: Found Spy Cookie: casalemedia cookie
9:59 AM: sthomas@casalemedia[2].txt (ID = 2354)
9:59 AM: Found Spy Cookie: commission junction cookie
9:59 AM: sthomas@commission-junction[2].txt (ID = 2455)
9:59 AM: Found Spy Cookie: findwhat cookie
9:59 AM: sthomas@findwhat[1].txt (ID = 2674)
9:59 AM: Found Spy Cookie: linksynergy cookie
9:59 AM: sthomas@linksynergy[2].txt (ID = 2926)
9:59 AM: Found Spy Cookie: mediaplex cookie
9:59 AM: sthomas@mediaplex[2].txt (ID = 6442)
9:59 AM: sthomas@microsofteup.112.2o7[1].txt (ID = 1958)
9:59 AM: sthomas@msnportal.112.2o7[1].txt (ID = 1958)
9:59 AM: Found Spy Cookie: qksrv cookie
9:59 AM: sthomas@qksrv[2].txt (ID = 3213)
9:59 AM: Found Spy Cookie: questionmarket cookie
9:59 AM: sthomas@questionmarket[2].txt (ID = 3217)
9:59 AM: Found Spy Cookie: realmedia cookie
9:59 AM: sthomas@realmedia[2].txt (ID = 3235)
9:59 AM: Found Spy Cookie: revenue.net cookie
9:59 AM: sthomas@revenue[1].txt (ID = 3257)
9:59 AM: Found Spy Cookie: serving-sys cookie
9:59 AM: sthomas@serving-sys[2].txt (ID = 3343)
9:59 AM: sthomas@spanish.about[1].txt (ID = 2038)
9:59 AM: Found Spy Cookie: spylog cookie
9:59 AM: sthomas@spylog[1].txt (ID = 3415)
9:59 AM: Found Spy Cookie: statcounter cookie
9:59 AM: sthomas@statcounter[2].txt (ID = 3447)
9:59 AM: Found Spy Cookie: webtrendslive cookie
9:59 AM: sthomas@statse.webtrendslive[2].txt (ID = 3667)
9:59 AM: Found Spy Cookie: tacoda cookie
9:59 AM: sthomas@tacoda[2].txt (ID = 6444)
9:59 AM: Found Spy Cookie: tribalfusion cookie
9:59 AM: sthomas@tribalfusion[2].txt (ID = 3589)
9:59 AM: Found Spy Cookie: coremetrics cookie
9:59 AM: sthomas@twci.coremetrics[1].txt (ID = 2472)
9:59 AM: Found Spy Cookie: upspiral cookie
9:59 AM: sthomas@upspiral[1].txt (ID = 3614)
9:59 AM: sthomas@www.upspiral[2].txt (ID = 3615)
9:59 AM: Found Spy Cookie: zedo cookie
9:59 AM: sthomas@zedo[1].txt (ID = 3762)
9:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:59 AM: Starting File Sweep
10:00 AM: a0089269.exe (ID = 147)
10:00 AM: a0071359.exe (ID = 246)
10:00 AM: a0081402.exe (ID = 147)
10:00 AM: a0071368.exe (ID = 147)
10:00 AM: a0071395.exe (ID = 147)
10:00 AM: a0086075.exe (ID = 147)
10:00 AM: a0071406.exe (ID = 147)
10:01 AM: a0087525.exe (ID = 147)
10:01 AM: a0074717.exe (ID = 147)
10:01 AM: a0088488.exe (ID = 147)
10:01 AM: a0088722.exe (ID = 147)
10:01 AM: a0071397.exe (ID = 246)
10:01 AM: a0071384.exe (ID = 246)
10:01 AM: a0071745.exe (ID = 147)
10:01 AM: a0071426.exe (ID = 147)
10:01 AM: a0073715.exe (ID = 147)
10:01 AM: a0071417.exe (ID = 246)
10:01 AM: a0072091.exe (ID = 246)
10:02 AM: a0084734.exe (ID = 147)
10:02 AM: a0084909.exe (ID = 147)
10:02 AM: a0076047.exe (ID = 246)
10:03 AM: a0073709.exe (ID = 246)
10:03 AM: a0084716.exe (ID = 147)
10:03 AM: a0089461.exe (ID = 147)
10:03 AM: a0075047.exe (ID = 246)
10:03 AM: a0087391.exe (ID = 147)
10:04 AM: a0084726.exe (ID = 246)
10:04 AM: a0072062.exe (ID = 147)
10:04 AM: a0072128.exe (ID = 246)
10:04 AM: a0084742.exe (ID = 246)
10:04 AM: a0081394.exe (ID = 246)
10:04 AM: a0083546.exe (ID = 246)
10:04 AM: a0086055.exe (ID = 147)
10:04 AM: a0080727.exe (ID = 246)
10:04 AM: a0088819.exe (ID = 147)
10:04 AM: a0088000.exe (ID = 147)
10:04 AM: a0089238.exe (ID = 147)
10:04 AM: a0081427.exe (ID = 246)
10:05 AM: a0083594.exe (ID = 246)
10:05 AM: a0079164.exe (ID = 147)
10:05 AM: a0071759.exe (ID = 147)
10:05 AM: a0071735.exe (ID = 246)
10:05 AM: a0071770.exe (ID = 147)
10:05 AM: a0087255.exe (ID = 147)
10:05 AM: a0071869.exe (ID = 147)
10:05 AM: a0072045.exe (ID = 147)
10:05 AM: a0072108.exe (ID = 147)
10:05 AM: a0082427.exe (ID = 246)
10:05 AM: a0072142.exe (ID = 147)
10:05 AM: a0073138.exe (ID = 147)
10:05 AM: a0073150.exe (ID = 147)
10:06 AM: a0076155.exe (ID = 246)
10:06 AM: a0080345.exe (ID = 147)
10:06 AM: a0074709.exe (ID = 246)
10:06 AM: a0084751.exe (ID = 147)
10:06 AM: a0071665.exe (ID = 147)
10:06 AM: a0074826.exe (ID = 147)
10:06 AM: a0074817.exe (ID = 246)
10:07 AM: a0072095.exe (ID = 246)
10:07 AM: a0080815.exe (ID = 147)
10:07 AM: a0080879.exe (ID = 147)
10:07 AM: a0081373.exe (ID = 147)
10:07 AM: a0083604.exe (ID = 147)
10:07 AM: a0073324.exe (ID = 147)
10:07 AM: a0073688.exe (ID = 246)
10:07 AM: a0080163.exe (ID = 147)
10:08 AM: a0074791.exe (ID = 246)
10:08 AM: a0073315.exe (ID = 246)
10:08 AM: a0084762.exe (ID = 147)
10:08 AM: a0085221.exe (ID = 147)
10:08 AM: a0083554.exe (ID = 147)
10:08 AM: a0084770.exe (ID = 147)
10:08 AM: a0085009.exe (ID = 147)
10:08 AM: a0085158.exe (ID = 147)
10:09 AM: a0073141.exe (ID = 246)
10:09 AM: a0078156.exe (ID = 246)
10:09 AM: a0085325.exe (ID = 246)
10:10 AM: a0074800.exe (ID = 147)
10:10 AM: a0085330.exe (ID = 147)
10:10 AM: a0089264.exe (ID = 147)
10:11 AM: a0087768.exe (ID = 147)
10:11 AM: a0079156.exe (ID = 246)
10:11 AM: a0074876.exe (ID = 147)
10:11 AM: a0080736.exe (ID = 147)
10:11 AM: a0085402.exe (ID = 147)
10:11 AM: a0073696.exe (ID = 147)
10:11 AM: a0075055.exe (ID = 147)
10:11 AM: a0089284.exe (ID = 147)
10:11 AM: a0089417.exe (ID = 147)
10:11 AM: dmoqn.exe (ID = 147)
10:11 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dmoqn.exe (ID = 0)
10:11 AM: a0073129.exe (ID = 246)
10:13 AM: a0085398.exe (ID = 246)
10:13 AM: a0088243.exe (ID = 147)
10:13 AM: a0088362.exe (ID = 147)
10:13 AM: csarc.exe (ID = 246)
10:13 AM: a0085663.exe (ID = 147)
10:13 AM: a0084758.exe (ID = 246)
10:13 AM: a0071178.exe (ID = 246)
10:13 AM: a0078215.exe (ID = 147)
10:14 AM: a0087109.exe (ID = 147)
10:14 AM: a0074868.exe (ID = 246)
10:14 AM: a0085563.exe (ID = 147)
10:14 AM: a0085410.exe (ID = 147)
10:14 AM: a0087780.exe (ID = 147)
10:15 AM: a0087163.exe (ID = 147)
10:15 AM: a0087175.exe (ID = 147)
10:15 AM: a0087169.exe (ID = 147)
10:15 AM: a0083436.exe (ID = 147)
10:15 AM: a0083428.exe (ID = 246)
10:15 AM: a0085217.exe (ID = 246)
10:15 AM: a0081435.exe (ID = 147)
10:15 AM: a0080411.exe (ID = 246)
10:15 AM: a0074953.exe (ID = 147)
10:16 AM: a0084603.exe (ID = 147)
10:16 AM: a0071235.exe (ID = 147)
10:16 AM: a0082484.exe (ID = 147)
10:17 AM: a0087128.exe (ID = 232868)
10:17 AM: a0071753.exe (ID = 246)
10:17 AM: a0071764.exe (ID = 246)
10:18 AM: a0071775.exe (ID = 246)
10:18 AM: a0085428.exe (ID = 147)
10:20 AM: a0080807.exe (ID = 246)
10:20 AM: a0073548.exe (ID = 147)
10:20 AM: a0080302.exe (ID = 147)
10:21 AM: a0080523.exe (ID = 246)
10:21 AM: a0080408.exe (ID = 147)
10:22 AM: a0080155.exe (ID = 246)
10:22 AM: a0076055.exe (ID = 147)
10:22 AM: a0085436.exe (ID = 147)
10:22 AM: a0077156.exe (ID = 246)
10:22 AM: a0080206.exe (ID = 246)
10:22 AM: a0076164.exe (ID = 147)
10:22 AM: a0080535.exe (ID = 246)
10:22 AM: a0077214.exe (ID = 147)
10:22 AM: a0080609.exe (ID = 246)
10:23 AM: a0080217.exe (ID = 147)
10:24 AM: a0080532.exe (ID = 147)
10:24 AM: a0073306.exe (ID = 147)
10:24 AM: a0071343.exe (ID = 147)
10:24 AM: a0085944.exe (ID = 147)
10:25 AM: a0080822.exe (ID = 246)
10:25 AM: a0085503.exe (ID = 147)
10:25 AM: a0084765.exe (ID = 246)
10:25 AM: a0087852.exe (ID = 147)
10:25 AM: a0087602.exe (ID = 147)
10:25 AM: a0087250.exe (ID = 147)
10:25 AM: a0080724.exe (ID = 246)
10:26 AM: a0080544.exe (ID = 147)
10:26 AM: a0087539.exe (ID = 147)
10:26 AM: a0080420.exe (ID = 147)
10:26 AM: a0080294.exe (ID = 246)
10:26 AM: a0080618.exe (ID = 147)
10:26 AM: a0074896.exe (ID = 246)
10:26 AM: a0073539.exe (ID = 246)
10:26 AM: a0087654.exe (ID = 147)
10:26 AM: a0080337.exe (ID = 246)
10:27 AM: a0073298.exe (ID = 246)
10:27 AM: a0071657.exe (ID = 246)
10:27 AM: a0072052.exe (ID = 246)
10:27 AM: a0071332.exe (ID = 246)
10:29 AM: a0080351.exe (ID = 246)
10:30 AM: a0085314.exe (ID = 147)
10:30 AM: a0084707.exe (ID = 246)
10:30 AM: a0085310.exe (ID = 246)
10:30 AM: a0084594.exe (ID = 246)
10:31 AM: a0081363.exe (ID = 246)
10:32 AM: a0084880.exe (ID = 246)
10:34 AM: a0084884.exe (ID = 147)
10:35 AM: a0084904.exe (ID = 246)
10:35 AM: a0085005.exe (ID = 246)
10:35 AM: a0085105.exe (ID = 246)
10:40 AM: a0087305.exe (ID = 147)
10:40 AM: a0087747.exe (ID = 147)
10:41 AM: a0088800.exe (ID = 147)
10:41 AM: a0088464.exe (ID = 147)
10:41 AM: a0088664.exe (ID = 147)
10:41 AM: a0087980.exe (ID = 147)
10:59 AM: Warning: Invalid Stream
11:00 AM: File Sweep Complete, Elapsed Time: 01:01:02
11:00 AM: Full Sweep has completed. Elapsed time 01:07:02
11:00 AM: Traces Found: 219
11:17 AM: Removal process initiated
11:17 AM: Quarantining All Traces: trojan-downloader-ruin
11:17 AM: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
11:18 AM: Failed to quarantine trojan-downloader-ruin
11:18 AM: Failed to quarantine C:\WINDOWS\explorer.exe
11:18 AM: Quarantining All Traces: 2o7.net cookie
11:18 AM: Quarantining All Traces: 7search cookie
11:18 AM: Quarantining All Traces: about cookie
11:18 AM: Quarantining All Traces: addynamix cookie
11:18 AM: Quarantining All Traces: adrevolver cookie
11:18 AM: Quarantining All Traces: advertising cookie
11:18 AM: Quarantining All Traces: apmebf cookie
11:18 AM: Quarantining All Traces: ask cookie
11:18 AM: Quarantining All Traces: atlas dmt cookie
11:18 AM: Quarantining All Traces: bluestreak cookie
11:18 AM: Quarantining All Traces: burstnet cookie
11:18 AM: Quarantining All Traces: casalemedia cookie
11:18 AM: Quarantining All Traces: commission junction cookie
11:18 AM: Quarantining All Traces: coremetrics cookie
11:18 AM: Quarantining All Traces: enhance cookie
11:18 AM: Quarantining All Traces: findwhat cookie
11:18 AM: Quarantining All Traces: goclick cookie
11:18 AM: Quarantining All Traces: linksynergy cookie
11:18 AM: Quarantining All Traces: mediaplex cookie
11:18 AM: Quarantining All Traces: pointroll cookie
11:18 AM: Quarantining All Traces: qksrv cookie
11:18 AM: Quarantining All Traces: questionmarket cookie
11:18 AM: Quarantining All Traces: realmedia cookie
11:18 AM: Quarantining All Traces: revenue.net cookie
11:18 AM: Quarantining All Traces: serving-sys cookie
11:18 AM: Quarantining All Traces: specificclick.com cookie
11:18 AM: Quarantining All Traces: spylog cookie
11:18 AM: Quarantining All Traces: statcounter cookie
11:18 AM: Quarantining All Traces: tacoda cookie
11:18 AM: Quarantining All Traces: tribalfusion cookie
11:18 AM: Quarantining All Traces: upspiral cookie
11:18 AM: Quarantining All Traces: webtrendslive cookie
11:18 AM: Quarantining All Traces: zedo cookie
11:18 AM: Warning: Launched explorer.exe
11:18 AM: Warning: Quarantine process could not restart Explorer.
11:18 AM: Preparing to restart your computer. Please wait...
11:18 AM: Removal process completed. Elapsed time 00:01:23
********
9:48 AM: | Start of Session, Friday, March 10, 2006 |
9:48 AM: Spy Sweeper started
9:49 AM: Your spyware definitions have been updated.
9:53 AM: | End of Session, Friday, March 10, 2006




Here is the logfile from Hijack

Logfile of HijackThis v1.99.1
Scan saved at 1:40:56 PM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\sthomas\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139438590646
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O17 - HKLM\Software\..\Telephony: DomainName = norwoodaustin.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = norwoodaustin.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
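
As an added example (it is not part of this thread and is not Webroot's or HijackThis's code), the Python script below parses a Spy Sweeper session log like the one posted above and pulls out what a responder wants at a glance: the named detections, the process flagged during the memory sweep, the file-sweep hits grouped by signature id, the Run-key autorun entry the sweep tied to dmoqn.exe, and the quarantine that failed on explorer.exe. The sample text is a trimmed excerpt of the log in this post; the function names and the report layout are my own assumptions, and the script treats the signature ids as opaque numbers rather than claiming what they mean.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the Spy Sweeper session log posted in
# this thread, reduced to the line shapes the parser recognises.
SAMPLE_LOG = r"""
********
9:53 AM: | Start of Session, Friday, March 10, 2006 |
9:53 AM: Spy Sweeper started
9:53 AM: Sweep initiated using definitions version 630
9:53 AM: Starting Memory Sweep
9:58 AM: Found Trojan Horse: trojan-downloader-ruin
9:58 AM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
9:59 AM: Memory Sweep Complete, Elapsed Time: 00:05:31
9:59 AM: HKLM\software\microsoft\windows\currentversion\ruins\ (1 subtraces) (ID = 605128)
9:59 AM: Found Spy Cookie: 2o7.net cookie
9:59 AM: sthomas@2o7[2].txt (ID = 1957)
9:59 AM: Found Spy Cookie: zedo cookie
9:59 AM: sthomas@zedo[1].txt (ID = 3762)
10:00 AM: a0089269.exe (ID = 147)
10:00 AM: a0071359.exe (ID = 246)
10:11 AM: dmoqn.exe (ID = 147)
10:11 AM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dmoqn.exe (ID = 0)
11:00 AM: Traces Found: 219
11:17 AM: Quarantining All Traces: trojan-downloader-ruin
11:17 AM: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
11:18 AM: Failed to quarantine trojan-downloader-ruin
11:18 AM: Failed to quarantine C:\WINDOWS\explorer.exe
11:18 AM: Removal process completed. Elapsed time 00:01:23
********
9:48 AM: | Start of Session, Friday, March 10, 2006 |
9:48 AM: Spy Sweeper started
9:49 AM: Your spyware definitions have been updated.
9:53 AM: | End of Session, Friday, March 10, 2006
"""

# Every log line is "<h:mm AM/PM>: <message>"; sessions are separated by a row of asterisks.
LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
# Trace lines end in "(ID = n)"; the item before it is a file, cookie, process or registry path.
ID_RE = re.compile(r"^(?P<item>.*?) \(ID = (?P<id>\d+)\)$")
# An autorun trace is written as "<Run key> || <value> (ID = n)".
RUN_KEY_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?\\Run) \|\| (?P<value>.+?) \(ID = \d+\)$", re.IGNORECASE)


def parse_sessions(text):
    """Split the log into sessions (in the order written) and parse each line into time/message."""
    sessions = []
    for chunk in text.split("********"):
        entries = [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in chunk.splitlines()) if m]
        if entries:
            sessions.append(entries)
    return sessions


def triage(text):
    """Summarise a sweep the way a responder reads it: what was found, what persisted, what removal could not do."""
    report = {
        "definitions_version": None,
        "threats": [],           # (kind, name) from "Found <kind>: <name>" lines
        "running_threats": [],   # processes flagged during the memory sweep
        "registry_hits": [],     # registry paths the registry sweep flagged
        "file_hits": Counter(),  # signature id -> number of files matching it
        "autoruns": [],          # (Run key, value) pairs tied to a detection
        "warnings": [],
        "failed_quarantine": [],
        "traces_found": None,
    }
    for session in parse_sessions(text):
        for entry in session:
            msg = entry["msg"]
            if msg.startswith("Sweep initiated using definitions version "):
                report["definitions_version"] = int(msg.rsplit(" ", 1)[1])
            elif msg.startswith("Found "):
                kind, _, name = msg[len("Found "):].partition(": ")
                report["threats"].append((kind, name))
            elif msg.startswith("Detected running threat: "):
                m = ID_RE.match(msg[len("Detected running threat: "):])
                report["running_threats"].append(m.group("item") if m else msg)
            elif msg.startswith("Warning: "):
                report["warnings"].append(msg[len("Warning: "):])
            elif msg.startswith("Failed to quarantine "):
                report["failed_quarantine"].append(msg[len("Failed to quarantine "):])
            elif msg.startswith("Traces Found: "):
                report["traces_found"] = int(msg.split(": ", 1)[1])
            elif (run := RUN_KEY_RE.match(msg)):
                report["autoruns"].append((run.group("key"), run.group("value")))
            else:
                m = ID_RE.match(msg)
                if not m:
                    continue
                item = m.group("item")
                if item.upper().startswith("HK"):
                    report["registry_hits"].append(item)
                elif item.lower().endswith(".exe"):
                    report["file_hits"][int(m.group("id"))] += 1
    return report


def needs_manual_followup(report):
    """True when the tool found something it could not remove itself: a flagged running
    process or a failed quarantine. That is the case where a fresh HijackThis log is worth asking for."""
    return bool(report["running_threats"] or report["failed_quarantine"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("definitions:", r["definitions_version"], "traces:", r["traces_found"])
    print("threats:", r["threats"])
    print("running:", r["running_threats"], "autoruns:", r["autoruns"])
    print("file hits by signature id:", dict(r["file_hits"]))
    print("failed quarantine:", r["failed_quarantine"], "follow-up:", needs_manual_followup(r))
```

The point of the `failed_quarantine` and `running_threats` fields is the same one the helper acted on in this thread: the sweep flagged a protected operating system file (explorer.exe) and could not quarantine it, so the tool's own "Removal process completed" line is not proof the machine is clean. That is exactly when a second opinion (here, the post-reboot HijackThis log showing no dmoqn.exe Run entry) is needed before calling the case closed.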

#10 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 10 March 2006 - 03:27 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
