Baseline - 2nd post, more info


  • This topic is locked
30 replies to this topic

#1 JIMMY99
New Member (Authentic Member, 16 posts)

Posted 27 February 2007 - 03:58 PM

OK, first of all, apologies for initial post (titled "help!"), which I made BEFORE I located the posting instructions and the article titled "Before Posting A HijackThis Log". I read somewhere not to reply to my own post, and I couldn't find a way to edit that previous post, so I'm starting over. Again, I'm sorry for any confusion this may cause.

As I said in that initial post, the main problem I've experienced was unsuccessful startup, with multiple re-boots, etc., and the computer freezing while still in startup. The computer is a used ThinkPad, which seemed OK at first but problems seemed to accumulate. I installed Norton Systemworks to try to clean it up, but that terribly slowed down performance, so I uninstalled and went with Trend Micro PC-cillin (which is currently out of date, I want to make sure it's the best before I pay to update - SUGGESTIONS?) I had already been running Spybot S&D, and I downloaded Ad-Aware SE Plus on advice from Google Help Center.

There were some viruses/spyware/etc. captured/quarantined/cleaned by those programs, but performance was still poor. Started researching, found PCWorld article on "Common PC Problems Solved". First, I downloaded & ran Hederer's ERUNT (which I have not re-run since doing all of the scans suggested in the TomCoyote Self Help post. QUESTION: when I get clean, do I need to delete that file to avoid re-infection from that registry?)

Step 2 was an even more thorough malware check, and when Ad-Aware froze during the scan, I went to another PCWorld article titled "How Can I Tell if my PC Has a Virus?", which led me to check the msconfig utility's startup tab. I was already planning on tweaking my autoloaders, hoping that would help the slow startup process, so that was when I "unchecked" the suspicious files (dmwnd.exe, dmcef.exe, etc., 26 like that in all), as well as those which Sysinfo.org recommended disabling (not needed or wanted).

That step helped, but because of the suspicious autoloaders and Ad-Aware's behavior, I also ran Bitdefender's online virus scan, which detected (and hopefully cleaned) A BUNCH of Trojan activity. I'm not sure a logfile was created, I'm unable to locate one at this time. After running Bitdefender, I ran ERUNT's NTREGOPT utility to clean up the Registry a bit further. Disk Defrag was not necessary. Not feeling very secure after the results from Bitdefender, I decided to run HijackThis and participate in the forum.

After registering with TomCoyote and making my initial post, I discovered the "Before Posting" instructions! OOOPS!!! Then ...

I updated Spybot & re-ran. Found & fixed Pipas-A. Launched Ad-Aware, updated, re-ran. Froze at same place (could tell was frozen because clock froze too, and Task Mgr. showed the app "not running"). I downloaded & ran AVG Anti-Spyware, made recommended changes to settings, rebooted in Safe mode, and ran scan. 2 items were quarantined: Downloader.Agent.uj (high), and SpyMarshall (med). I DISCOVERED AN ERROR IN YOUR INSTRUCTIONS: when I went to "Reports" icon (step #6 in AVG scan instructions), it showed "No Reports Available". Being a novice, I went to the next step and closed AVG to reboot in normal mode, losing that report. Also, the instructions say to post that AVG report with a NEW HijackThis log - the instructions never said to run/post a "baseline" or "old" one!

Restart was REALLY slow (even though many autoloaders were still unchecked). All of the desktop icons did not load. The Trend Micro autoload icon was not in the toolbar. Only items present were clock, volume, yellow update shield, and the "out of date" message balloon from the red security shield icon.

I gave it 1/2 hour, then used Task Mgr. to restart (again. redundant?) The "End Program" box came up for explorer.exe - not responding. Went through the startup cycle up to the point where the box warning that Trend Micro's Evaluation Version expired came up, where everything froze again. Decided to reboot in Safe mode, again using Task Mgr. Had to "end program" for both _CLS_PCCGUIDE and explorer.exe. Booted fine in Safe mode, again checked startup tab in msconfig, had same settings as when it worked fine previously, so tried rebooting normally. Again, very slow for toolbar & desktop icons to appear, but eventually everything seemed to come up OK, so I went to bed.

This morning, computer was functioning normally, so I ran AVG again, with a similar result to the previous scan, and this is when I discovered the error in the instructions. Step #6 should read: CLICK "SAVE REPORT" ON SCAN PAGE, NOTE WHERE SAVED. Here is that report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:00:33 pm 02/27/2007

+ Scan result:



[2000] VM_00B30000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[292] VM_003E0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[3808] VM_008E0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[4008] VM_009F0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[672] VM_003C0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[700] VM_00D60000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[724] VM_00C70000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).


::Report end


I then ran HijackThis for the first time. Here is that log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:47:24 am, on 02/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I then ran the ATF Cleaner. Then went back into msconfig and chose "Normal" startup on the "general" tab (to recheck all of the autoloaders) including the suspicious entries. Restarted (OK boot, not great, but not terribly slow). Ran Ad-Aware and successfully completed a full system scan with 0 critical objects. YAY!!! Ran HijackThis again, and here is that log file (this time including the suspicious & unnecessary autoloaders):
Logfile of HijackThis v1.99.1
Scan saved at 01:51:19 pm, on 02/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

And that is where I'm at. Whew! Please tell me I'm close!!!
Thanks so much for your help ...



#2 little eagle
spyware hawk (Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 27 February 2007 - 06:43 PM

You are running HJT from a temporary file.
We will be cleaning out all of your temp files later, so you will need to make a new folder for HijackThis.
Instructions can be found here.

I was already planning on tweaking my autoloaders, hoping that would help the slow startup process, so that was when I "unchecked" the suspicious files (dmwnd.exe, dmcef.exe, etc., 26 like that in all), as well as those which Sysinfo.org recommended disabling (not needed or wanted).

Not a good idea after you move hijackthis.



Please click on start, then run, and type msconfig and then press enter.
When the window opens click on the startup tab and make sure there are checkmarks in every entry.
Then press ok until you are out of the program. If it asks to reboot, do not reboot.

Now please create a new Hijackthis Log and post it as a reply.

#3 JIMMY99
New Member (Authentic Member, 16 posts)

Posted 27 February 2007 - 09:08 PM

Do I need to make new folder (i.e., put HJT on my desktop) first or run/post new log before that move? Also, want to note that the final HJT log from my initial post was created after I used msconfig to restart in "normal" mode, with all autoloaders checked. Nothing should have changed since ... so I think I already did what you're asking! Thanks ...

#4 little eagle
spyware hawk (Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 27 February 2007 - 09:21 PM

Do I need to make new folder (i.e., put HJT on my desktop) first

Yes

#5 JIMMY99
New Member (Authentic Member, 16 posts)

Posted 28 February 2007 - 10:30 AM

:D And here it is:

Logfile of HijackThis v1.99.1
Scan saved at 09:12:27 am, on 02/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
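Editor's note, added to this thread and not part of any poster's reply or of HijackThis/FixWareout: the log above shows two patterns that a reader can check mechanically before asking a helper. First, each suspicious O4 entry has a value name that is the launched file name spelled backwards ("exe.dnwmd" for dmwnd.exe, "exe.fecmd" for dmcef.exe, and so on). Second, both O17 NameServer entries point every adapter at the same pair of public resolvers rather than the router or ISP. The script below parses lines copied from the log above and flags both. The trusted-resolver ranges are an assumption for the example; substitute what your ISP or router actually hands out. This is a triage aid, not a substitute for the FixWareout run the helper prescribes.

```python
"""Triage a HijackThis 1.x log for two patterns visible in this thread.

Added example; not part of the original forum post or of HijackThis itself.
"""
import re
from ipaddress import ip_address, ip_network

# These lines are copied from the HijackThis log posted above (post #5).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
"""

# Assumption for the example: the resolvers this machine is expected to use
# (a home router or ISP box on a private range). Adjust to your own network.
TRUSTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - \S+ \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$")


def executable_basename(cmd):
    """Return the bare file name of the program an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        exe = cmd.split(" ", 1)[0]       # unquoted path, arguments after first space
    return exe.rsplit("\\", 1)[-1]


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return (section, reason, detail) tuples for suspicious O4 and O17 lines."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, exe = m["name"], executable_basename(m["cmd"])
            # Value name is the launched file name spelled backwards.
            if name.lower() == exe.lower()[::-1]:
                findings.append(("O4", "reversed-name Run entry", exe))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m["servers"].split(","):
                addr = ip_address(ip)
                if not any(addr in net for net in trusted):
                    findings.append(("O17", "unexpected DNS resolver", ip))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Run it against a full log by reading the file into `triage()` in place of `SAMPLE_LOG`. The O4 check is exact (value name reversed must equal the file name), so legitimate entries such as `[pccguide.exe]` are not flagged; the O17 check simply reports any resolver outside the ranges you trust, which is the right question to ask even when the addresses are unfamiliar.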

#6 little eagle
spyware hawk (Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 28 February 2007 - 05:38 PM

Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc....Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

Once the desktop loads, a text file will open (report.txt).
Please save this file, we'll need to see it, it will list some files and paths we need to see.

#7 JIMMY99
New Member (Authentic Member, 16 posts)

Posted 28 February 2007 - 07:50 PM

File didn't come up, but I searched C: drive and found it. Here is report.txt:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cspsv.exe"

»»»»» System restarted

Also have patterns.txt, runback.txt, and runs.txt

#8 little eagle
spyware hawk (Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 28 February 2007 - 08:41 PM

Can you run it again. Post the log here. And also post a new hijackthis log.

#9 JIMMY99
New Member (Authentic Member, 16 posts)

Posted 28 February 2007 - 09:42 PM

fixwareout log:


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "0" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
C:\WINDOWS\System32\cspsv.exe Deleted
....
»»»»» Misc files.
C:\Documents and Settings\Administrator\Application Data\Install.dat Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9"
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"
"AS00_WPN511"="C:\\Program Files\\NETGEAR\\WPN511\\Utility\\WPN511.exe -hide"
"exe.kulmd"="C:\\WINDOWS\\system32\\dmluk.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe\""
"TrackPointSrv"="tp4mon.exe"
"exe.xgzmd"="C:\\WINDOWS\\system32\\dmzgx.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"exe.zxumd"="C:\\WINDOWS\\system32\\dmuxz.exe"
"exe.zibmd"="C:\\WINDOWS\\system32\\dmbiz.exe"
"exe.wremd"="C:\\WINDOWS\\system32\\dmerw.exe"
"exe.vuymd"="C:\\WINDOWS\\system32\\dmyuv.exe"
"exe.ulamd"="C:\\WINDOWS\\system32\\dmalu.exe"
"exe.uftmd"="C:\\WINDOWS\\system32\\dmtfu.exe"
"exe.uawmd"="C:\\WINDOWS\\system32\\dmwau.exe"
"exe.qzbmd"="C:\\WINDOWS\\system32\\dmbzq.exe"
"exe.qvemd"="C:\\WINDOWS\\system32\\dmevq.exe"
"exe.pxgmd"="C:\\WINDOWS\\system32\\dmgxp.exe"
"exe.pojmd"="C:\\WINDOWS\\system32\\dmjop.exe"
"exe.oaymd"="C:\\WINDOWS\\system32\\dmyao.exe"
"exe.mismd"="C:\\WINDOWS\\system32\\dmsim.exe"
"exe.lzfmd"="C:\\WINDOWS\\system32\\dmfzl.exe"
"exe.lfpmd"="C:\\WINDOWS\\system32\\dmpfl.exe"
"exe.lbgmd"="C:\\WINDOWS\\system32\\dmgbl.exe"
"exe.kqvmd"="C:\\WINDOWS\\system32\\dmvqk.exe"
"exe.hngmd"="C:\\WINDOWS\\system32\\dmgnh.exe"
"exe.hgomd"="C:\\WINDOWS\\system32\\dmogh.exe"
"exe.guimd"="C:\\WINDOWS\\system32\\dmiug.exe"
"exe.fzpmd"="C:\\WINDOWS\\system32\\dmpzf.exe"
"exe.fuemd"="C:\\WINDOWS\\system32\\dmeuf.exe"
"exe.fpxmd"="C:\\WINDOWS\\system32\\dmxpf.exe"
"exe.fenmd"="C:\\WINDOWS\\system32\\dmnef.exe"
"exe.fecmd"="C:\\WINDOWS\\system32\\dmcef.exe"
"exe.dnwmd"="C:\\WINDOWS\\system32\\dmwnd.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 08:39:45 pm, on 02/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [exe.kulmd] C:\WINDOWS\system32\dmluk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [exe.xgzmd] C:\WINDOWS\system32\dmzgx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#10 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 01 March 2007 - 06:17 AM

Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
The Avenger must be run from a user account with administrator privileges,
and ONLY works on Windows 2000 and XP, and only on 32-bit versions!

Copy all the text contained in the code box below to your Clipboard.

Files to delete:
C:\WINDOWS\system32\dmluk.exe
C:\WINDOWS\system32\dmzgx.exe
C:\WINDOWS\system32\dmuxz.exe
C:\WINDOWS\system32\dmbiz.exe
C:\WINDOWS\system32\dmerw.exe
C:\WINDOWS\system32\dmyuv.exe
C:\WINDOWS\system32\dmalu.exe
C:\WINDOWS\system32\dmtfu.exe
C:\WINDOWS\system32\dmwau.exe
C:\WINDOWS\system32\dmbzq.exe
C:\WINDOWS\system32\dmevq.exe
C:\WINDOWS\system32\dmgxp.exe
C:\WINDOWS\system32\dmjop.exe
C:\WINDOWS\system32\dmyao.exe
C:\WINDOWS\system32\dmsim.exe
C:\WINDOWS\system32\dmfzl.exe
C:\WINDOWS\system32\dmpfl.exe
C:\WINDOWS\system32\dmgbl.exe
C:\WINDOWS\system32\dmvqk.exe
C:\WINDOWS\system32\dmgnh.exe
C:\WINDOWS\system32\dmogh.exe
C:\WINDOWS\system32\dmiug.exe
C:\WINDOWS\system32\dmpzf.exe
C:\WINDOWS\system32\dmeuf.exe
C:\WINDOWS\system32\dmxpf.exe
C:\WINDOWS\system32\dmnef.exe
C:\WINDOWS\system32\dmcef.exe
C:\WINDOWS\system32\dmwnd.exe


The above script is for this user only; if you need help, please start your own thread.


Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click Done, then click on the Green Light.
Answer "Yes" twice when prompted.
Your computer should reboot and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of the file into your reply.



Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKLM\..\Run: [exe.kulmd] C:\WINDOWS\system32\dmluk.exe
O4 - HKLM\..\Run: [exe.xgzmd] C:\WINDOWS\system32\dmzgx.exe
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7DB259E-CC34-43D4-B827-FBDF3B66AEFD}: NameServer = 85.255.114.75,85.255.112.71


Click on Fix Checked when finished and exit HijackThis.

Reboot and post a log from HijackThis and avenger.txt.



#11 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 01 March 2007 - 11:44 AM

I'm concerned I may have done something wrong downloading/extracting Avenger: black command window on reboot said "could not find" several items, and the following log doesn't look encouraging:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fkpoyncq

*******************

Script file located at: \??\C:\Documents and Settings\dtduvvfc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\dmluk.exe not found!
Deletion of file C:\WINDOWS\system32\dmluk.exe failed!

Could not process line:
C:\WINDOWS\system32\dmluk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmzgx.exe not found!
Deletion of file C:\WINDOWS\system32\dmzgx.exe failed!

Could not process line:
C:\WINDOWS\system32\dmzgx.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmuxz.exe not found!
Deletion of file C:\WINDOWS\system32\dmuxz.exe failed!

Could not process line:
C:\WINDOWS\system32\dmuxz.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmbiz.exe not found!
Deletion of file C:\WINDOWS\system32\dmbiz.exe failed!

Could not process line:
C:\WINDOWS\system32\dmbiz.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmerw.exe not found!
Deletion of file C:\WINDOWS\system32\dmerw.exe failed!

Could not process line:
C:\WINDOWS\system32\dmerw.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmyuv.exe not found!
Deletion of file C:\WINDOWS\system32\dmyuv.exe failed!

Could not process line:
C:\WINDOWS\system32\dmyuv.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmalu.exe not found!
Deletion of file C:\WINDOWS\system32\dmalu.exe failed!

Could not process line:
C:\WINDOWS\system32\dmalu.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmtfu.exe not found!
Deletion of file C:\WINDOWS\system32\dmtfu.exe failed!

Could not process line:
C:\WINDOWS\system32\dmtfu.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmwau.exe not found!
Deletion of file C:\WINDOWS\system32\dmwau.exe failed!

Could not process line:
C:\WINDOWS\system32\dmwau.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmbzq.exe not found!
Deletion of file C:\WINDOWS\system32\dmbzq.exe failed!

Could not process line:
C:\WINDOWS\system32\dmbzq.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmevq.exe not found!
Deletion of file C:\WINDOWS\system32\dmevq.exe failed!

Could not process line:
C:\WINDOWS\system32\dmevq.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmgxp.exe not found!
Deletion of file C:\WINDOWS\system32\dmgxp.exe failed!

Could not process line:
C:\WINDOWS\system32\dmgxp.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmjop.exe not found!
Deletion of file C:\WINDOWS\system32\dmjop.exe failed!

Could not process line:
C:\WINDOWS\system32\dmjop.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmyao.exe not found!
Deletion of file C:\WINDOWS\system32\dmyao.exe failed!

Could not process line:
C:\WINDOWS\system32\dmyao.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmsim.exe not found!
Deletion of file C:\WINDOWS\system32\dmsim.exe failed!

Could not process line:
C:\WINDOWS\system32\dmsim.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmfzl.exe not found!
Deletion of file C:\WINDOWS\system32\dmfzl.exe failed!

Could not process line:
C:\WINDOWS\system32\dmfzl.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmpfl.exe not found!
Deletion of file C:\WINDOWS\system32\dmpfl.exe failed!

Could not process line:
C:\WINDOWS\system32\dmpfl.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmgbl.exe not found!
Deletion of file C:\WINDOWS\system32\dmgbl.exe failed!

Could not process line:
C:\WINDOWS\system32\dmgbl.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmvqk.exe not found!
Deletion of file C:\WINDOWS\system32\dmvqk.exe failed!

Could not process line:
C:\WINDOWS\system32\dmvqk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmgnh.exe not found!
Deletion of file C:\WINDOWS\system32\dmgnh.exe failed!

Could not process line:
C:\WINDOWS\system32\dmgnh.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmogh.exe not found!
Deletion of file C:\WINDOWS\system32\dmogh.exe failed!

Could not process line:
C:\WINDOWS\system32\dmogh.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmiug.exe not found!
Deletion of file C:\WINDOWS\system32\dmiug.exe failed!

Could not process line:
C:\WINDOWS\system32\dmiug.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmpzf.exe not found!
Deletion of file C:\WINDOWS\system32\dmpzf.exe failed!

Could not process line:
C:\WINDOWS\system32\dmpzf.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmeuf.exe not found!
Deletion of file C:\WINDOWS\system32\dmeuf.exe failed!

Could not process line:
C:\WINDOWS\system32\dmeuf.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmxpf.exe not found!
Deletion of file C:\WINDOWS\system32\dmxpf.exe failed!

Could not process line:
C:\WINDOWS\system32\dmxpf.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmnef.exe not found!
Deletion of file C:\WINDOWS\system32\dmnef.exe failed!

Could not process line:
C:\WINDOWS\system32\dmnef.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmcef.exe not found!
Deletion of file C:\WINDOWS\system32\dmcef.exe failed!

Could not process line:
C:\WINDOWS\system32\dmcef.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dmwnd.exe not found!
Deletion of file C:\WINDOWS\system32\dmwnd.exe failed!

Could not process line:
C:\WINDOWS\system32\dmwnd.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Here is the HJT log after running, fix checked, and reboot:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:26 am, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#12 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 01 March 2007 - 05:57 PM

Shoot - might have messed up further - have been working on another computer - glanced over & saw this one did not have Ad-Watch SE active, opened it, instantly saw registry modifications taking place, clicked on them to see more detail and lo & behold it's the same programs HijackThis just deleted - also showing "tracking cookie blocked" after each entry. Should I re-run Avenger & HijackThis?

#13 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 01 March 2007 - 07:51 PM

Download and install AVG Anti-Spyware (ewido). Then scan and post the report here.
Instructions and download link can be found here.
Delete what it finds before saving the log.

Reboot and rescan with HijackThis, then post the log here with the AVG log.

#14 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 01 March 2007 - 10:57 PM

Thanks so much for your help & patience with me! I had already downloaded AVG (1st post of this thread) - no updates avail.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:33:09 pm 03/01/2007

+ Scan result:



C:\WINDOWS\system32\seven.exe -> Adware.SpySheriff : Cleaned.


::Report end


and, as I mentioned in the previous post, the dm---.exe files are back, reappearing after I activated Ad-Watch SE:


Logfile of HijackThis v1.99.1
Scan saved at 09:44:53 pm, on 03/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
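
The O4 entries in these logs share a tell: each value name is the file name spelled backwards (exe.wremd loads dmerw.exe), and the same entries came back between the log in post #11 and the one above. The following is an added example, not code from this thread or from HijackThis, that parses constructed O4/O17 lines in the same format, flags reversed-name Run entries, lists the entries that returned between two scans, and reports NameServer values outside an assumed allowlist (192.168.1.1 is a constructed placeholder for the expected resolver).

```python
"""Triage helpers for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import List, Set, Tuple

# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis O17 line: "O17 - HKLM\System\CCS\...: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)")

# Constructed excerpt modelled on the log posted after "Fix checked" (post #11).
HJT_AFTER_FIX = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed excerpt modelled on the rescan in post #14, where entries returned.
HJT_RESCAN = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B519670-F7F3-4E75-BF25-085F0DD18A9C}: NameServer = 85.255.114.75,85.255.112.71
"""

# Assumed allowlist of resolvers this machine is expected to use (placeholder value).
EXPECTED_DNS: Set[str] = {"192.168.1.1"}


def parse_o4(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, command) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return entries


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program a Run command launches.

    Handles both quoted paths ("C:\\...\\x.exe" -arg) and bare ones (ltmsg.exe 9).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_reversed_name(name: str, cmd: str) -> bool:
    """True when the Run value name is the launched file name spelled backwards."""
    return name.lower() == exe_basename(cmd)[::-1]


def suspicious_o4(log_text: str) -> List[str]:
    """File names of Run entries whose value name is the reversed file name."""
    return [exe_basename(cmd) for _, name, cmd in parse_o4(log_text)
            if is_reversed_name(name, cmd)]


def new_o4_entries(before: str, after: str) -> Set[str]:
    """Run value names present in the later log but absent from the earlier one."""
    seen = {name.lower() for _, name, _ in parse_o4(before)}
    return {name for _, name, _ in parse_o4(after) if name.lower() not in seen}


def foreign_nameservers(log_text: str, expected: Set[str]) -> List[str]:
    """DNS servers from O17 lines that are not in the expected allowlist."""
    found: List[str] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in m["servers"].split(","):
            if server and server not in expected and server not in found:
                found.append(server)
    return found


if __name__ == "__main__":
    print("reversed-name Run entries:", suspicious_o4(HJT_RESCAN))
    print("entries that came back:", sorted(new_o4_entries(HJT_AFTER_FIX, HJT_RESCAN)))
    print("unexpected DNS servers:", foreign_nameservers(HJT_RESCAN, EXPECTED_DNS))
```

An entry that returns after a fix points at something still running that re-creates it, which is why the helper's next step targets the files rather than only the Run values.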

#15 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 02 March 2007 - 06:11 AM

Remove Ad-Aware SE, then delete the folder. You can reinstall it after we are done.

Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.mismd] C:\WINDOWS\system32\dmsim.exe
O4 - HKLM\..\Run: [exe.lzfmd] C:\WINDOWS\system32\dmfzl.exe
O4 - HKLM\..\Run: [exe.fecmd] C:\WINDOWS\system32\dmcef.exe
O4 - HKLM\..\Run: [exe.hgomd] C:\WINDOWS\system32\dmogh.exe
O4 - HKLM\..\Run: [exe.kqvmd] C:\WINDOWS\system32\dmvqk.exe
O4 - HKLM\..\Run: [exe.dnwmd] C:\WINDOWS\system32\dmwnd.exe
O4 - HKLM\..\Run: [exe.qvemd] C:\WINDOWS\system32\dmevq.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [exe.ulamd] C:\WINDOWS\system32\dmalu.exe
O4 - HKLM\..\Run: [exe.guimd] C:\WINDOWS\system32\dmiug.exe
O4 - HKLM\..\Run: [exe.zxumd] C:\WINDOWS\system32\dmuxz.exe
O4 - HKLM\..\Run: [exe.uftmd] C:\WINDOWS\system32\dmtfu.exe
O4 - HKLM\..\Run: [exe.oaymd] C:\WINDOWS\system32\dmyao.exe
O4 - HKLM\..\Run: [exe.lfpmd] C:\WINDOWS\system32\dmpfl.exe
O4 - HKLM\..\Run: [exe.fpxmd] C:\WINDOWS\system32\dmxpf.exe
O4 - HKLM\..\Run: [exe.fuemd] C:\WINDOWS\system32\dmeuf.exe
O4 - HKLM\..\Run: [exe.pxgmd] C:\WINDOWS\system32\dmgxp.exe
O4 - HKLM\..\Run: [exe.uawmd] C:\WINDOWS\system32\dmwau.exe
O4 - HKLM\..\Run: [exe.lbgmd] C:\WINDOWS\system32\dmgbl.exe
O4 - HKLM\..\Run: [exe.zibmd] C:\WINDOWS\system32\dmbiz.exe
O4 - HKLM\..\Run: [exe.fenmd] C:\WINDOWS\system32\dmnef.exe
O4 - HKLM\..\Run: [exe.hngmd] C:\WINDOWS\system32\dmgnh.exe
O4 - HKLM\..\Run: [exe.qzbmd] C:\WINDOWS\system32\dmbzq.exe
O4 - HKLM\..\Run: [exe.fzpmd] C:\WINDOWS\system32\dmpzf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot in safe mode, instructions here.
Some of these files may have hidden attributes.
Click here should you need instructions for showing hidden files and folders in Windows.
Once in safe mode, Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file right click then select delete.
I think you will find they are not there.
Delete the following file(s) listed in bold.

C:\WINDOWS\system32\dmerw.exe
C:\WINDOWS\system32\dmyuv.exe
C:\WINDOWS\system32\dmsim.exe
C:\WINDOWS\system32\dmfzl.exe
C:\WINDOWS\system32\dmcef.exe
C:\WINDOWS\system32\dmogh.exe
C:\WINDOWS\system32\dmvqk.exe
C:\WINDOWS\system32\dmwnd.exe
C:\WINDOWS\system32\dmevq.exe
C:\WINDOWS\system32\dmjop.exe
C:\WINDOWS\system32\dmalu.exe
C:\WINDOWS\system32\dmiug.exe
C:\WINDOWS\system32\dmuxz.exe
C:\WINDOWS\system32\dmtfu.exe
C:\WINDOWS\system32\dmyao.exe
C:\WINDOWS\system32\dmpfl.exe
C:\WINDOWS\system32\dmxpf.exe
C:\WINDOWS\system32\dmeuf.exe
C:\WINDOWS\system32\dmgxp.exe
C:\WINDOWS\system32\dmwau.exe
C:\WINDOWS\system32\dmgbl.exe
C:\WINDOWS\system32\dmbiz.exe
C:\WINDOWS\system32\dmnef.exe
C:\WINDOWS\system32\dmgnh.exe
C:\WINDOWS\system32\dmbzq.exe
C:\WINDOWS\system32\dmpzf.exe

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Edited by little eagle, 02 March 2007 - 06:13 AM.
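Every O4 entry flagged in this post follows one pattern: the Run value name (e.g. `exe.wremd`) is the executable's basename (`dmerw.exe`) spelled backwards. The following is an added example, not the poster's tool or part of HijackThis, showing how a helper could parse O4 lines and pull out exactly that set of files for the delete list; the `SoundMan` line is a constructed benign control.

```python
import re

# Constructed sample: three O4 lines taken from the log above, one
# constructed benign entry, and an O6 line that the O4 parser must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [exe.wremd] C:\WINDOWS\system32\dmerw.exe
O4 - HKLM\..\Run: [exe.vuymd] C:\WINDOWS\system32\dmyuv.exe
O4 - HKLM\..\Run: [exe.pojmd] C:\WINDOWS\system32\dmjop.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# HijackThis O4 line: "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# First token of the command line that ends in .exe, with optional quotes,
# so paths containing spaces are kept whole.
EXE_RE = re.compile(r'"?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def parse_o4(line):
    """Return dict(hive, name, cmd) for an O4 Run entry, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def is_reversed_name(name, cmd):
    """True when the Run value name is the exe basename reversed."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return False
    basename = m.group("path").rsplit("\\", 1)[-1]
    return basename.lower()[::-1] == name.lower()


def suspicious_o4(log_text):
    """Return the command paths of O4 entries matching the reversed-name pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and is_reversed_name(entry["name"], entry["cmd"]):
            hits.append(entry["cmd"])
    return hits


if __name__ == "__main__":
    for path in suspicious_o4(SAMPLE_LOG):
        print(path)
```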
