Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

Please Help me fix my browser

This is a discussion on Please Help me fix my browser within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. This is my log, please tell me what to delete. Every time i search and click on one of the


 
 
Thread Tools Search this Thread
Old 08-27-2006, 07:40 AM   #1
Registered Member
 
Join Date: Aug 2006
Posts: 5
OS: xp



This is my log, please tell me what to delete.
Every time i search and click on one of the results it brings me to all different sites. ARGGGHH

Logfile of HijackThis v1.99.1
Scan saved at 10:39:51 AM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\Projselector.exe
C:\PROGRA~1\ROXIO\EASYCD~1\AUDIOC~1\Rxplayer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaDB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ken\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ww2.wpri.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0CDBD604-4612-33C7-E374-FCB905743FE9} - C:\WINDOWS\iesv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129045337421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129046423562
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://wildjack.microgaming.com/wildjack/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88A5FAE2-4684-4C57-927B-CC282E2AAE7F}: NameServer = 85.255.113.93,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{91387A84-5B26-43BD-8214-C7944B49C633}: NameServer = 85.255.113.93,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.23
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

__________________
kapp70 is offline  
Old 08-27-2006, 09:17 AM   #2
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba

__________________
Retired member of


Member of UNITE

Go raibh maith agat
alba is offline  
Old 08-27-2006, 11:16 PM   #3
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi kapp70

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================


Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.


=================

Then download & Install - http://downloads.subratam.org/Fixwareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder


=================

After running FixwareOut & rebooting ...

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1

=================

Download Ewido Anti-Malware - http://www.ewido.net/en/download/
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
http://download.ewido.net/ewido-sign...ll-current.exe
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet.

=================

Download haxfix.exeand save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:

1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing "Enter"
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread, once you have carried out my instructions

===============================================

Run HijackThis. Click "Do a System Scan Only" , and place a check next to the following items (if found):

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0CDBD604-4612-33C7-E374-FCB905743FE9} - C:\WINDOWS\iesv.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{88A5FAE2-4684-4C57-927B-CC282E2AAE7F}: NameServer = 85.255.113.93,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{91387A84-5B26-43BD-8214-C7944B49C633}: NameServer = 85.255.113.93,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.23



Please remember to close all other windows, including browsers then click Fix checked.

===============================================


Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program

=================

Running Additional Scanners

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner & select the Scan tab
  • Click Complete System Scan to begin scanning.
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop.
** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

=================

REBOOT TO NORMAL MODE

Establish an internet connection & perform an online scan with Internet Explorer at http://www.kaspersky.com/service?chapter=161739400
Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  • haxlog.txt
  • FixWareout's log
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
Retired member of


Member of UNITE

Go raibh maith agat
alba is offline  
Old 08-29-2006, 07:33 AM   #4
Registered Member
 
Join Date: Aug 2006
Posts: 5
OS: xp


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E273964D8291-88B9-5994-88A2-D9AECE4B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0A93953C904B-C11B-D124-28DC-456D85B8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7B9E0A320B97-2599-21D4-C7E1-07E1C5B7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9F8E27B05D13-E5D8-2F34-4ABD-09B6F801{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}741679E4EA23-D47B-D674-299B-24F89286{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F159792A6838-C8CB-A764-2625-F7EEDCB0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32D4AA8F59C9-F698-AD84-F064-1D20ABE8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}071B52A744EB-A95B-0604-67C6-4A1269B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CE25CBF7856-D768-AFA4-7F12-E5D2F433{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87583A8A29BC-B798-BC84-9382-768EADC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24367ECFD0A8-7CE8-F434-E3E7-721FECC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4802ADD77054-6879-ADF4-6BF5-EE53AF56{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0878B138AFA9-0779-F074-05C9-3DB363AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F01D2A3B9E84-EC1A-DA44-11C9-8E6C500E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}85E64A233CC5-906A-DC14-7464-9044AD69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B875EE50AA4F-241A-5D84-F6AE-81D75938{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7A39A33E93D-D978-6764-ACA9-22EA4196{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5775E5D1DF5D-9239-A974-A219-47310E13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6CCED8F616C8-64FB-0E04-73D1-E368BA5C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D2F3DE5658A8-0E78-F454-7DFD-C1544553{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F5F00FF886F2-5B69-20A4-4C65-8D259674{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9737BE6FE9B-3808-ACD4-6138-E355824C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9D97ED21709A-D7AA-3874-7299-E14BD7C0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}75B91403DA10-47BA-65C4-973B-9CFE4647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7BA881B7C34E-41FA-2444-2FEB-6226CC6F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D4D2FC72DE03-043B-9114-31BF-BDE5EEBC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EACCE3B25FDF-90CA-E1B4-AA3E-98E8D723{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}739BBF71B1E1-8A6A-80E4-F198-3E521C9D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C3303F668541-E51B-27C4-30A2-396B850F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6F0F80E74970-4B9A-CF94-4D9E-F93397C6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DA352140076D-30F9-F144-07CB-9807598A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B1F2BA73D163-304B-AA54-FD31-D4A311FC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DB3A4BB122C5-2ABA-22E4-A8BB-312AF35E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EAF1BBE13661-2E99-E324-36DA-03D7A9BA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}88A7D241EA3C-FB5A-81E4-439A-AFEEA684{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A9698977CFA7-245B-B954-7159-17B9857A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E8D20AEDD9AC-D078-B3F4-D732-18EBFD8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0C7298A5972-7E4B-0E04-A5E1-815B2EB9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D71170514371-5689-AEC4-F7DE-6BE38C40{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29A12AF7C953-0429-E8C4-3FD3-1C360311{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A056FC4E4BC7-3259-0424-8A07-D0C884B3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D5C2E632DFB3-54BA-0DD4-6349-B3F5E36D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}16CAF76C92BB-03C8-5814-6C99-AFFBA009{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7D63F3AA5CCA-77F8-13C4-6507-5AD6C269{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77581BD7A46B-1F8A-8C54-0DEA-EEEDB7B0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}177F7F63C372-64F9-4854-264A-795B6DDC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AAAA9C48EB92-7ADB-0B24-D3BA-5C5B1894{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1BDBAAF0F70C-A249-C384-E00C-96E5970C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CCC0BD3F178-848A-95B4-AF4A-877550BB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7A8B3935FD6F-3599-1E84-A583-D4735118{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EFA9B786315E-B8F8-4CC4-3B70-C78BB142{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}82C04B07AC0E-66AA-BA24-F95C-09B0DB70{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B067880E4FDE-8D19-A544-5940-058E2F34{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D78067E8222C-C4EB-A254-B354-26FF9F02{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FC08F90FB09-1A38-5A54-C2B5-B230F9E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}497D8B4AC6A0-C1EB-F364-71FB-B6D166BB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}65C75BFADC61-48CB-E404-45CC-41642766{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B99FA2312D07-2888-CDF4-F3A0-8E259793{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C6BF3887316-67C8-6E14-5EB6-9C449520{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CED44DC1E17E-B3B9-23C4-27F2-6ADE99CE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E33B799E000-537A-8594-A2C0-55EF56E5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72A2C1C76232-06E8-4674-3855-785A6FDA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7F20A53F14B8-BBB9-0854-FF8C-E68807B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}76BD3752FED5-0228-6EF4-D411-B4DB8D27{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C8D231BE8604-D86A-6E64-7841-9D5F8299{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BAA5E1E5BF9F-7CDA-D414-9836-B5D82626{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E8D77AD1F36-7B4B-6064-7BC3-E2FF3CFC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A2F162F24A1-4D3B-C724-12E9-559BEAED{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6DFEBB251EBD-5C28-0C94-F42B-9334C8EF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B35828B8C06A-853B-BEB4-0E9F-2328E2A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0B434EAB3ED3-129A-E304-129D-E4DE6688{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0DFE41826BF6-4F79-3AA4-CCE5-F5C274B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}59264A8C7C65-5609-6AB4-FFE2-0D3BECA0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}17D6A4DD0EF1-A72A-A454-9776-32F28879{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B5BE1A48A19C-F90A-DA04-8323-008EF9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1FBC0C9D73BE-13FB-9A54-89C8-AB9E207A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72729A20FD6A-43F9-5974-5279-81E456CD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7FA2FB3A4D7C-5879-1404-5B28-17078AE3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}84A91DA4EC8F-5D28-D654-95D4-DA9EAF9B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D627686DC4B1-184B-2DF4-943C-BE34BE7A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}78784BE698F9-87EA-2984-3E2F-52D22F20{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}82E11F4A518A-13AA-FC54-04B9-BA35910B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EDA6CB9203A9-B4BA-DEA4-F152-EA0F1535{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}45C5EDE784B5-8E18-4BF4-B79F-CDA1FA5C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7DA96211D157-DC28-4F84-894C-74EE3B2D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}54107C82520C-9B68-A5A4-21F0-2CDA1F78{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF3EC1A43E48-1ED9-B274-D4A0-E40E3801{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}889CE6CCA58E-D009-1004-D4E3-B1FDA223{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D4DECA89B8FA-927A-C4F4-DF38-33856663{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9671D8033003-9DE8-D494-29FA-FA114C72{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0008146D2FB3-E77A-B394-E6A1-E26E7FC4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC226EA378EC-47E9-1394-EC60-2F0386E7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7BED85410C23-49FA-3CE4-0C6B-A2A25887{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hotmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmtoh.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSFCI.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSFCI.EXE 51,250 2006-07-25
C:\WINDOWS\SYSTEM32\DMTOH.EXE 61,978 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
__________________
kapp70 is offline  
Old 08-29-2006, 07:35 AM   #5
Registered Member
 
Join Date: Aug 2006
Posts: 5
OS: xp


HAXFIX logfile - by Marckie
______________
version 4.13
Tue 08/29/2006 10:32:32.42

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
pptp

checking for matching services....
matching services found
pptp64

checking for matching safeboot services....
matching safeboot services found
pptp32.sys
pptp64.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished
__________________
kapp70 is offline  
Old 08-29-2006, 09:25 AM   #6
TSF Team, Emeritus
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


hi kapp70

I need to see the other requested logs, can you post them here as well

alba

__________________
Retired member of


Member of UNITE

Go raibh maith agat
alba is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 04:34 PM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts