Solved: Winlogon Notify, Trojan.Pakes and Mywebsearch

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
Hi guys,

I have Windows 2000 5.00.2195. My web explorer appears to have been hijacked yesterday. There are no buttons at the top of the explorer box (above the address bar) and I now get pop ups, get redirected alot or sometimes get a blank webpage and hyperlinks on webpages don't often work. Plus, without a back button, it's a !*#@? pain to get around.

Ewido found and quarantined some cookies and mywebsearch stuff. It also logged the following entry:

[924] VM_029A0000 -> Trojan.Pakes : Error during cleaning

1) Aftwer the Ewido scan, I restarted and HJT found mywebsearch backups (HJT no.s: O2, O4, O8, O16, R3) and other, unidentifiable backups (HJT no.s: O4, O17). Deleting them and restarting does not seem to have had much effect, however, as the backups continue to appear on HJT logs even after successive deletions and restartings.

2) HJT has also found something called "Winlogon Notify" (see below). It suggested I delete the two files on reboot but I cannot find the files, even with Folder Options set to "view hidden files" and even after I searched C:\ with Windows Explorer . Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:57 AM, on 7/11/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This!\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks for any help. If you give me any instructions, please note that hyperlinks tend not to work on my computer.
 
Joined
Jul 8, 2002
Messages
14,681
Save KillBox to your Desktop

Run HijackThis and click Do a system scan only
Put a checkmark next to each of the following entries that appear:

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe"
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll

Click Fix Checked and exit HijackThis

Run KillBox and select Delete on Reboot
Copy this list of file locations to your clipboard:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe
C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
C:\WINNT\SYSTEM32\obbn13t.dll
Go to File>>Paste from clipboard. Click All Files
Press the button with a red circle with an X in it, then Yes when prompted to restart your computer
WARNING: Your computer will be restarted. Any unsaved work in open applications will be lost.​
Run HijackThis and click Do a system scan and save a log file
Your HijackThis log will open in Notepad. Post the contents of the log here
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
Brendan,

Sorry for the delay. My browser won't let me download Killbox from any website that i"ve tried, including Subratam.org. I downloaded it at work but my firewall at work won't let me email a zipped copy to my home email! Any suggestions, aside from trying to email from another, non-firewall protected computer?
 
Joined
Jul 8, 2002
Messages
14,681
Save The Avenger to your Desktop

Copy the contents of the following box to your clipboard:

Files to delete:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.exe
C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
C:\WINNT\SYSTEM32\obbn13t.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\1_32bean32_1reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obbn13t
Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
Thanks for the idea about Avenger. In the end, I managed to get a copy of Killbox onto my computer. Scanned and removed with HJT per your instructions and then ran Killbox and deleted on reboot the files you marked. When I ran Internet Explorer, I had my normal buttons back and didn't get redirected from the techguys.org so things are looking up (though I see on the below log that Winlogon Notify still appears). Here is the HJTlog:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:33 PM, on 7/12/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
C:\Program Files\Hijack This!\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijack This!\HijackThis.exe /startupscan
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll (file missing)
O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

If you want me to still download and run The Avenger, then let me know. Time for bed!
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
Just noticed that the three files you asked me to delete now appear in the HJT backup list.
 
Joined
Jul 8, 2002
Messages
14,681
You can fix these entries in HijackThis:

O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll (file missing)
O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)

And let me know if you're still having any problems
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
Fixed the entries with HJT. Deleted all my backups (1/2 of them were for mywebsearch and the winlogon files were backed-up too). Rebooted and nothing reappeared either in the HJT log or in its backup files list. Browser works normally now. Many thanks. BTW, (1) what is the rat in your avatar hitting and (2) why was Killbox successful at removing the entries on reboot but HJT was not (I tried several times to remove on reboot w/ HJT prior to logging onto techguys)?

Logfile of HijackThis v1.99.1
Scan saved at 8:25:31 AM, on 7/13/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijack This!\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globeandmail.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijack This!\HijackThis.exe /startupscan
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
I've been surfing a bit and everything fine 95% - the odd time my browser will get redirected and all my buttons at the top of the screen will disappear, as if the hijacker was still in my computer. HJT log appears clean, no backupfiles and i don't see any really obviously bad processes running. Any guesses?
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
i was redirected to www11.zapmeta.com.

i just ran an ewido scan and it found the trojan pakes again and - again, could not remove and quarantine it (Winlogon Notify, however, does not show up on an HJT scan). The trojan was found in a 'memory' scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:03:28 AM, 7/15/2006
+ Report-Checksum: 1C11EA4D

+ Scan result:

[804] VM_00C00000 -> Trojan.Pakes : Error during cleaning


::Report End
 
Joined
Jul 8, 2002
Messages
14,681
Let's try this

Save FixWareOut to your Desktop

Run FixWareout and click Next>>Insatll
Make sure Run Fixit is checked and click Finish, then follow the onscreen prompts
Allow your computer to restart when asked to do so. Follow the prompts that appear when the computer turns back on

Find the fixwareout.txt file and post the contents
 

salor

Thread Starter
Joined
Jul 11, 2006
Messages
10
here is the log of fixwareout:


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F9710C22C709-3C5B-24C4-045B-9CAA5D87{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A94CFFFB9E2E-3999-D3A4-474F-EE86C031{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}703F9A8DCC47-BDA8-DE34-BB12-94D62268{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C14F30072C1F-EA3A-44C4-D552-CA5E054D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4572528F471C-5488-2744-C12F-59B19C45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A003BE1F60B-DF9A-D794-C03E-D54F34FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zzjmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmjzz.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINNT\System32\CSSOV.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSSOV.EXE 51,267 2006-07-10
C:\WINNT\SYSTEM32\DMJZZ.EXE 44,076 2002-07-22
Other suspects
Directory of C:\WINNT\system32
{FF43F45D-E30C-497D-A9FD-B06F1EB300A4}.exe
{54C91B95-F21C-4472-8845-C174F8252754}.exe
{D450E5AC-255D-4C44-A3AE-F1C27003F41C}.exe
{86226D49-21BB-43ED-8ADB-74CCD8A9F307}.exe
{130C68EE-F474-4A3D-9993-E2E9BFFFC49A}.exe
 
Joined
Jul 8, 2002
Messages
14,681
Save The Avenger to your Desktop

Copy the contents of the following box to your clipboard:
Files to delete:
C:\WINNT\SYSTEM32\CSSOV.EXE
C:\WINNT\SYSTEM32\DMJZZ.EXE
C:\WINNT\SYSTEM32\{FF43F45D-E30C-497D-A9FD-B06F1EB300A4}.exe
C:\WINNT\SYSTEM32\{54C91B95-F21C-4472-8845-C174F8252754}.exe
C:\WINNT\SYSTEM32\{D450E5AC-255D-4C44-A3AE-F1C27003F41C}.exe
C:\WINNT\SYSTEM32\{86226D49-21BB-43ED-8ADB-74CCD8A9F307}.exe
C:\WINNT\SYSTEM32\{130C68EE-F474-4A3D-9993-E2E9BFFFC49A}.exe
Run The Avenger and click OK
Select Input script manually and click the magnifying glass icon
In the View/edit script box, right-click and choose Paste
Click Done. Press the button with a picture of a green light
Choose Yes when prompted to execute the script and click Yes when asked to reboot your computer
Post the contents of the file C:\Avenger.txt

See if Ewido finds anything after that.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top