
godaddy.com redirects to porn site in IE & Firefox


4 replies to this topic

#1 norrinthe

norrinthe

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 20 March 2007 - 11:33 PM

I have not found any other URLs affected, but when I try to go to www.godaddy.com it redirects to a porn site, and
it does it in both IE and Firefox.

Here is my HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:01 PM, on 3/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Reemul\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB002" /M "Stylus C62"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124503018171
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) - https://mcp.microsof...scriptPrint.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E276E2-1872-4E7C-AE69-E184413DE4F5}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{F44F3C33-E61A-4257-888A-F6C683CE60A0}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmjoj.exe (file missing)



#2 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 21 March 2007 - 03:23 PM

Hello norrinthe and welcome to the forums here at Tom Coyote.

You have a Wareout infection.

But first, you are running HijackThis from a temporary directory. I recommend that you move HJT to its own permanent folder so any backups that HJT makes will not be accidentally deleted.

Please do the following: create a new permanent folder in a convenient location that you will remember. To do this:
Open Windows Explorer.
Select the drive or folder where you would like to put HJT.
From the menu select File > New > Folder.
Rename the folder to something you will remember (e.g. HJT, HijackThis, etc.).
Now move HJT to the new folder that you created.
------------------------------------------------------------------------------------------

I recommend you print out these instructions for reference, since you will have to restart your computer during the fix.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E276E2-1872-4E7C-AE69-E184413DE4F5}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{F44F3C33-E61A-4257-888A-F6C683CE60A0}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96

Then close all windows except this one and press Fix checked.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK, then type
ipconfig /flushdns
and hit Enter, then type exit and hit Enter.
(The space between g and / is needed.)

------------------------------------------------------------------------------------

Also, there is a service running that I can't really find any information on.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\system32\dmjoj.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky...anforvirus.html
http://www.virustota.../en/indexf.html

Regards,
Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi
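A triage script for the two things Dave's reply acts on: O17 lines that point the TCP/IP stack at DNS servers outside the expected set, in every control set HijackThis reports, and an O23 service with an unknown owner whose binary is missing. This is an added example, not code from the thread or from HijackThis; the expected-resolver allow-list and the extra benign O17 line with its GUID are constructed assumptions.

```python
"""Triage a HijackThis log for the symptoms discussed in this thread: O17
lines carrying unexpected DNS servers (a Wareout-style DNS hijack) and O23
services with an unknown owner or a missing binary.
Added example; not part of the original thread or of HijackThis itself."""
import re
from ipaddress import ip_address

# Resolvers this machine is expected to use.  Assumption: the administrator
# knows the ISP/DHCP-assigned resolvers; 192.168.1.1 is a constructed value.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# O17 - HKLM\System\<control set>\Services\Tcpip\<...>: NameServer = <list>
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\[^:]+): "
    r"NameServer = (?P<servers>.+)$"
)
# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample log: O17/O23 lines as they appear in the thread, plus one
# benign O17 line (constructed GUID, LAN router resolver) that must not be flagged.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{21C8BC47-7C5D-47CE-9DAC-677FBACD57FD}: NameServer = 85.255.116.51,85.255.112.96
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.51 85.255.112.96
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEADBEEF-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmjoj.exe (file missing)
"""


def parse_nameservers(field):
    """HJT prints NameServer values comma-separated for interface keys and
    space-separated for the Parameters key; accept both."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_unexpected_resolver(server):
    """Flag anything that is neither allow-listed nor a LAN (private) address."""
    try:
        addr = ip_address(server)
    except ValueError:
        return True  # not even an IP address: definitely worth a look
    return server not in EXPECTED_RESOLVERS and not addr.is_private


def triage(log_text):
    """Return one finding dict per unexpected resolver or suspicious service."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in parse_nameservers(m.group("servers")):
                if is_unexpected_resolver(server):
                    findings.append({"kind": "dns_hijack", "control_set": m.group("cs"),
                                     "key": m.group("key"), "server": server})
            continue
        m = O23_RE.match(line)
        if m and (m.group("owner") == "Unknown owner"
                  or m.group("path").endswith("(file missing)")):
            findings.append({"kind": "suspicious_service", "name": m.group("name"),
                             "owner": m.group("owner"), "path": m.group("path")})
    return findings


def hijacked_resolvers(findings):
    """Distinct rogue resolver addresses, sorted."""
    return sorted({f["server"] for f in findings if f["kind"] == "dns_hijack"})


def control_sets_affected(findings):
    """Control sets that carry the rogue resolvers.  When CS1 and CS2 are both
    listed, Last Known Good Configuration would boot with the hijack as well,
    which is why every O17 line, not only the CCS ones, has to be fixed."""
    return sorted({f["control_set"] for f in findings if f["kind"] == "dns_hijack"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```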


#3 norrinthe

norrinthe

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 22 March 2007 - 06:08 PM

Thanks a lot for your help, IndiGenus, it worked. Here are the reports:

Logfile of HijackThis v1.99.1
Scan saved at 5:01:39 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB002" /M "Stylus C62"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124503018171
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) - https://mcp.microsof...scriptPrint.CAB
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
Service: "Windows Management Service" = C:\WINDOWS\System32\dmjoj.exe

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cszix.exe"
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0FEEE258D116-8549-D014-3BD7-68BB8A3B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4AB96A135509-D52A-A4B4-FB73-3E126289{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "jojmd" Deleted
....
»»»»» Misc files.
C:\WINDOWS\system32\{4275A582-6026-466C-AF78-BA9ED7B88836}.exe Deleted
C:\WINDOWS\system32\{52AD48B0-B0F9-4F22-90A1-7D74B683A3B0}.exe Deleted
C:\WINDOWS\system32\{6CBAE17D-1A5A-4541-A589-996D8ABFD812}.exe Deleted
C:\WINDOWS\system32\{DBB172A6-7DA3-425F-B8E4-D6A60F7F336F}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\system32\csbuw.exe 34831 08/04/2004
C:\WINDOWS\system32\cszix.exe 52751 02/05/2007


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A960"="\"C:\\Program Files\\Dell AIO Printer A960\\dlbfbmgr.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB002\" /M \"Stylus C62\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#4 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 23 March 2007 - 09:06 AM

Excellent :thumbup:

I believe these files are bad but I want to make sure. Please go to http://virusscan.jotti.org, click on Browse, and upload the following files for analysis:

C:\WINDOWS\system32\csbuw.exe
C:\WINDOWS\system32\cszix.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky...anforvirus.html
http://www.virustota.../en/indexf.html

Regards,
Dave
IndiGenus



#5 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 31 March 2007 - 09:02 AM

Do you still need help here? Please let me know. Thanks, Dave
IndiGenus

