
goldbiz malware

Discussion in 'Malware and Virus Removal Archive' started by subghost, 2006/09/28.

  1. 2006/09/28
    subghost

    subghost Inactive Thread Starter

    Joined:
    2006/09/28
    Messages:
    3
    Likes Received:
    0
    I followed the instructions from previous posters who had this problem, although I was pretty daunted by all the lines of text; thought it would be way too hard to fix.

    Anyway, here's my..um...Hijack this...stuff.


    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\yeymd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AD5A79352FA0-287A-8034-BC40-9A7F9E28{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSCIC.EXE 51,724 2006-09-27
    C:\WINDOWS\SYSTEM32\DMRTN.EXE 61,016 2004-08-04
    C:\WINDOWS\SYSTEM32\DMYEY.EXE 61,016 2004-08-04

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.


    Is there anything else I need to do?
    Thanks in advance. I can't believe you guys do all this out of the goodness of your hearts. Thought I'd have to restart my whole system and lose everything.
     
  2. 2006/09/29
    subghost

    subghost Inactive Thread Starter

    Joined:
    2006/09/28
    Messages:
    3
    Likes Received:
    0
    This isn't working at all. Must be doing something wrong.
     


  4. 2006/09/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    OK, we need to get an idea of what was on your system, so let's run HijackThis! please. And do not under any circumstances run any tools unless specifically asked to, and only do as instructed, no extra steps. With one false move, you can render your OS totally useless.

    Please download HijackThis v1.99.1 (zip).
    DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     
  5. 2006/09/29
    subghost

    subghost Inactive Thread Starter

    Joined:
    2006/09/28
    Messages:
    3
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 5:57:47 PM, on 9/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe
    C:\Program Files\LG Software\On Screen Display\Hotkey.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\lg_swupdate\tmcheck.exe
    C:\Documents and Settings\Mark Dougherty\My Documents\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://10.0.0.138/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [batterymiser] "C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe "
    O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\LG Software\On Screen Display\Hotkey.exe "
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [signup] D:\hb5.exe
    O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R230 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P30 "EPSON Stylus Photo R230 Series" /O6 "USB001" /M "Stylus Photo R230 "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    O4 - HKLM\..\Run: [dmauo.exe] C:\WINDOWS\system32\dmauo.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [CUCore Agent] "C:\PROGRA~1\COMMON~1\FIRSTV~1\ConfAgent.exe /minimize "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} - https://www.cuworld.com/PIC/inner_pic/packages/CUworld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153118805593
    O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.anywebcam.com/awc/html/common/voice/voice.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2813D968-32C7-449E-89F8-CD51D91A978C}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{48179D53-8234-4EE9-8A0B-B2D505A8F3B7}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4EBFDD42-0DE0-4AB5-B3A8-051A15984A3D}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{557DC711-F515-4037-8A51-626C008FC646}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71CAAD4A-F490-4333-807A-083FBC8BE34E}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76A77CFB-0EAB-4757-9DAE-3F469C8E7755}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7C793BA8-1B8A-4A56-8427-C744E3B7C1A2}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82B39D9F-60C4-477F-8DC2-A9E9C2C7C70D}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9823E1E8-A396-4E47-9F82-B028AD617B22}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{98BA7498-8AA6-40C7-819C-D5D528C52075}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9B350D-1394-41D8-9259-85631E79B563}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6D66DE-7A30-45E3-9BAD-993154BB32A4}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC617F2-3EBC-4DF2-A598-C7E7A5F5BF13}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1D1F68E-4633-463F-BB56-C079BF3BADD3}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D626D2BD-B2F5-4C61-B7AE-9F06BDAB15A4}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE47D6ED-3DE1-442B-8535-897EA7100CB8}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF19DF6E-1D37-49F4-AC20-078EE7112952}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    Hope that's right.
     
    Last edited: 2006/09/29
  6. 2006/09/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's get cleaning.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    We have a couple of files where Google results provide no information, so let's get them scanned.

    Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
    C:\WINDOWS\system32\dmauo.exe<<<--this file
    D:\hb5.exe<<<--this file

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

    Be patient as this site is usually very busy.

    Also please submit the file to Norman Sandbox File Submission. A valid email is required, but there is no worry as the site is fully trustworthy. They will send you back a detailed analysis of the file; please post the contents of the analysis back here.

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    O4 - HKLM\..\Run: [signup] D:\hb5.exe

    O4 - HKLM\..\Run: [dmauo.exe] C:\WINDOWS\system32\dmauo.exe


    O16 - DPF: {70E6E083-6690-4129-A34D-F90094EEB4ED} (AWCVoiceClient Control) - http://www.anywebcam.com/awc/html/co...oice/voice.ocx


    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2813D968-32C7-449E-89F8-CD51D91A978C}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{48179D53-8234-4EE9-8A0B-B2D505A8F3B7}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4EBFDD42-0DE0-4AB5-B3A8-051A15984A3D}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{557DC711-F515-4037-8A51-626C008FC646}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{71CAAD4A-F490-4333-807A-083FBC8BE34E}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{76A77CFB-0EAB-4757-9DAE-3F469C8E7755}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{7C793BA8-1B8A-4A56-8427-C744E3B7C1A2}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{82B39D9F-60C4-477F-8DC2-A9E9C2C7C70D}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{9823E1E8-A396-4E47-9F82-B028AD617B22}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{98BA7498-8AA6-40C7-819C-D5D528C52075}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9B350D-1394-41D8-9259-85631E79B563}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6D66DE-7A30-45E3-9BAD-993154BB32A4}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC617F2-3EBC-4DF2-A598-C7E7A5F5BF13}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1D1F68E-4633-463F-BB56-C079BF3BADD3}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D626D2BD-B2F5-4C61-B7AE-9F06BDAB15A4}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE47D6ED-3DE1-442B-8535-897EA7100CB8}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF19DF6E-1D37-49F4-AC20-078EE7112952}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142

    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142

    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142


    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\system32\dmauo.exe<<<--this file
    D:\hb5.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
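The O17 lines TeMerc asks to fix above are the real finding in this log: the same two resolvers written into every interface GUID and the global Tcpip\Parameters key. The following added example (not part of the thread, nor HijackThis code) parses O17 NameServer lines from a HijackThis log and flags resolvers that are not on an allow-list; the allow-list (192.0.2.53/54) and the last two sample lines are constructed, the rogue lines are taken from the log posted above.

```python
"""Flag suspicious O17 (NameServer) lines in a HijackThis 1.99.1 log."""
import ipaddress
import re

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a,b
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")

# ASSUMPTION: resolvers the ISP is expected to hand out (TEST-NET addresses
# stand in for the real ones). Private addresses (e.g. a home router) are
# also accepted; anything else is reported.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample: first four lines are from the posted log, the last two
# are made up to show a clean interface and a router-as-resolver case.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9A2797-F108-4C67-AAFD-86CAD1702D95}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{2813D968-32C7-449E-89F8-CD51D91A978C}: NameServer = 85.255.116.98,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.98 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABCDEF00-0000-4000-8000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABCDEF00-0000-4000-8000-000000000002}: NameServer = 10.0.0.138
""".strip()


def parse_o17(line):
    """Return (registry_key, [resolver, ...]) for an O17 NameServer line, else None.

    HijackThis prints per-interface values comma-separated and the global
    Tcpip\\Parameters value space-separated, so both delimiters are accepted.
    """
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
    return m["key"], servers


def audit_o17(log_text, expected=EXPECTED_RESOLVERS):
    """Return findings for every O17 line whose resolvers are not all expected."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue  # SearchList lines and non-O17 lines carry no resolver
        key, servers = parsed
        unexpected = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                unexpected.append(s)  # malformed value: worth a look too
                continue
            if str(ip) not in expected and not ip.is_private:
                unexpected.append(s)
        if unexpected:
            findings.append({"key": key, "servers": servers, "unexpected": unexpected})
    return findings


def hijack_summary(findings):
    """Count registry keys per resolver set: one rogue pair repeated across many
    interface GUIDs is the signature of a registry-wide DNS hijack, not a typo."""
    by_servers = {}
    for f in findings:
        by_servers.setdefault(tuple(f["servers"]), []).append(f["key"])
    return {servers: len(keys) for servers, keys in by_servers.items()}


if __name__ == "__main__":
    found = audit_o17(SAMPLE_LOG)
    for f in found:
        print(f"{f['key']}: unexpected resolvers {f['unexpected']}")
    print(hijack_summary(found))
```

After cleanup, re-running the same check over the fresh log should return no findings; any key still pointing at the rogue pair was missed or re-infected.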
     
