1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Winlogon Notify, Trojan.Pakes and Mywebsearch

Discussion in 'Virus & Other Malware Removal' started by salor, Jul 11, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    Hi guys,

    I have Windows 2000 5.00.2195. My web explorer appears to have been hijacked yesterday. There are no buttons at the top of the explorer box (above the address bar) and I now get pop ups, get redirected alot or sometimes get a blank webpage and hyperlinks on webpages don't often work. Plus, without a back button, it's a !*#@? pain to get around.

    Ewido found and quarantined some cookies and mywebsearch stuff. It also logged the following entry:

    [924] VM_029A0000 -> Trojan.Pakes : Error during cleaning

    1) Aftwer the Ewido scan, I restarted and HJT found mywebsearch backups (HJT no.s: O2, O4, O8, O16, R3) and other, unidentifiable backups (HJT no.s: O4, O17). Deleting them and restarting does not seem to have had much effect, however, as the backups continue to appear on HJT logs even after successive deletions and restartings.

    2) HJT has also found something called "Winlogon Notify" (see below). It suggested I delete the two files on reboot but I cannot find the files, even with Folder Options set to "view hidden files" and even after I searched C:\ with Windows Explorer . Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:18:57 AM, on 7/11/2006
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This!\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
    O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Thanks for any help. If you give me any instructions, please note that hyperlinks tend not to work on my computer.
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save KillBox to your Desktop

    Run HijackThis and click Do a system scan only
    Put a checkmark next to each of the following entries that appear:

    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe"
    O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
    O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll

    Click Fix Checked and exit HijackThis

    Run KillBox and select Delete on Reboot
    Copy this list of file locations to your clipboard:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe
    C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
    C:\WINNT\SYSTEM32\obbn13t.dll
    Go to File>>Paste from clipboard. Click All Files
    Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
    WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.​
    Run HijackThis and click Do a system scan and save a log file
    Your HijackThis log will open in Notepad. Post the contents of the log here
     
  3. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    Brendan,

    Sorry for the delay. My browser won't let me download Killbox from any website that i"ve tried, including Subratam.org. I downloaded it at work but my firewall at work won't let me email a zipped copy to my home email! Any suggestions, aside from trying to email from another, non-firewall protected computer?
     
  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save The Avenger to your Desktop

    Copy the contents of the following box to your clipboard:
    Run The Avenger and click OK
    Select Input script manually and click the magnifying glass icon
    In the View/edit script box, right-click and choose Paste
    Click Done. Press the button with a picture of a green light
    Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
    Post the contents of the file C:\Avenger.txt
     
  5. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    Thanks for the idea about Avenger. In the end, I managed to get a copy of Killbox onto my computer. Scanned and removed with HJT per your instructions and then ran Killbox and deleted on reboot the files you marked. When I ran Internet Explorer, I had my normal buttons back and didn't get redirected from the techguys.org so things are looking up (though I see on the below log that Winlogon Notify still appears). Here is the HJTlog:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:51:33 PM, on 7/12/2006
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    C:\Program Files\Hijack This!\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijack This!\HijackThis.exe /startupscan
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll (file missing)
    O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    If you want me to still download and run The Avenger, then let me know. Time for bed!
     
  6. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    Just noticed that the three files you asked me to delete now appear in the HJT backup list.
     
  7. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    You can fix these entries in HijackThis:

    O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll (file missing)
    O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)

    And let me know if you're still having any problems
     
  8. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    Fixed the entries with HJT. Deleted all my backups (1/2 of them were for mywebsearch and the winlogon files were backed-up too). Rebooted and nothing reappeared either in the HJT log or in its backup files list. Browser works normally now. Many thanks. BTW, (1) what is the rat in your avatar hitting and (2) why was Killbox successful at removing the entries on reboot but HJT was not (I tried several times to remove on reboot w/ HJT prior to logging onto techguys)?

    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:31 AM, on 7/13/2006
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This!\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijack This!\HijackThis.exe /startupscan
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Its hitting a computer, and I don't know I haven't used Remove on Reboot.
     
  10. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    I've been surfing a bit and everything fine 95% - the odd time my browser will get redirected and all my buttons at the top of the screen will disappear, as if the hijacker was still in my computer. HJT log appears clean, no backupfiles and i don't see any really obviously bad processes running. Any guesses?
     
  11. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    What site are you getting redirected to?
     
  12. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    i was redirected to www11.zapmeta.com.

    i just ran an ewido scan and it found the trojan pakes again and - again, could not remove and quarantine it (Winlogon Notify, however, does not show up on an HJT scan). The trojan was found in a 'memory' scan:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:03:28 AM, 7/15/2006
    + Report-Checksum: 1C11EA4D

    + Scan result:

    [804] VM_00C00000 -> Trojan.Pakes : Error during cleaning


    ::Report End
     
  13. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Let's try this

    Save FixWareOut to your Desktop

    Run FixWareout and click Next>>Insatll
    Make sure Run Fixit is checked and click Finish, then follow the onscreen prompts
    Allow your computer to restart when asked to do so. Follow the prompts that appear when the computer turns back on

    Find the fixwareout.txt file and post the contents
     
  14. salor

    salor Thread Starter

    Joined:
    Jul 11, 2006
    Messages:
    10
    here is the log of fixwareout:


    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F9710C22C709-3C5B-24C4-045B-9CAA5D87{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A94CFFFB9E2E-3999-D3A4-474F-EE86C031{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}703F9A8DCC47-BDA8-DE34-BB12-94D62268{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C14F30072C1F-EA3A-44C4-D552-CA5E054D{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4572528F471C-5488-2744-C12F-59B19C45{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A003BE1F60B-DF9A-D794-C03E-D54F34FF{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zzjmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmjzz.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINNT\System32\CSSOV.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINNT\SYSTEM32\CSSOV.EXE 51,267 2006-07-10
    C:\WINNT\SYSTEM32\DMJZZ.EXE 44,076 2002-07-22
    Other suspects
    Directory of C:\WINNT\system32
    {FF43F45D-E30C-497D-A9FD-B06F1EB300A4}.exe
    {54C91B95-F21C-4472-8845-C174F8252754}.exe
    {D450E5AC-255D-4C44-A3AE-F1C27003F41C}.exe
    {86226D49-21BB-43ED-8ADB-74CCD8A9F307}.exe
    {130C68EE-F474-4A3D-9993-E2E9BFFFC49A}.exe
     
  15. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Save The Avenger to your Desktop

    Copy the contents of the following box to your clipboard:
    Run The Avenger and click OK
    Select Input script manually and click the magnifying glass icon
    In the View/edit script box, right-click and choose Paste
    Click Done. Press the button with a picture of a green light
    Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
    Post the contents of the file C:\Avenger.txt

    See if Ewido finds anything after that.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/482259

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice