jbrandow

attempting to remove viruses

5 posts in this topic

I've tried running the AboutBuster in safe mode and receive the message "runtime error '6' overflow". I've also run CWShredder in safe mode. This is a copy of my HJT file. Suggestions on how to continue in my attempt to remove multiple viruses? Thanks.

Logfile of HijackThis v1.99.1

Scan saved at 10:06:52 PM, on 3/6/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\WINDOWS\System32\nvdsvc32.exe

C:\WINDOWS\d3wm.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\wintask.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\Wcil\Dxiww.exe

C:\Program Files\WebRebates4\webrebates.exe

C:\Program Files\Internet Optimizer\actalert.exe

C:\Program Files\Microsoft Money\System\mnyexpr.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\sdkwj.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\WebRebates4\w11150.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Microsoft Works\MSWorks.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {166D5965-3523-FD3D-7653-2DD44AC66EB8} - (no file)

O2 - BHO: (no name) - {36602E34-564B-4F82-3460-40E15FF68B74} - (no file)

O2 - BHO: Class - {37E5E66E-C168-B55B-BE2E-8478ED77CD96} - C:\WINDOWS\system32\addbm.dll

O2 - BHO: (no name) - {43DB041A-707F-D568-FF53-1CC67ADD3B82} - (no file)

O2 - BHO: (no name) - {588E9107-C2D3-E0FF-D067-E37707B28CEA} - (no file)

O2 - BHO: (no name) - {79FB99E0-9529-0FF5-9D52-B42B3DCDEF49} - (no file)

O2 - BHO: (no name) - {8AF249B1-7F56-BD75-0375-407C171E89E5} - (no file)

O2 - BHO: (no name) - {8D5677A8-8EC4-A206-E11B-F72C0B1F7287} - (no file)

O2 - BHO: (no name) - {D8010B5A-E220-B876-B855-D2861F450A0C} - (no file)

O2 - BHO: (no name) - {DBFC5A92-4FA4-C151-1D59-8CA0FBBFD49C} - (no file)

O2 - BHO: (no name) - {E2EE3398-3679-6B34-51F3-26F80A4F6FA2} - (no file)

O2 - BHO: (no name) - {E63F1C8C-F268-E0E3-67B6-E79D4A5DD48E} - (no file)

O2 - BHO: (no name) - {EF3F1C7D-511A-0A1F-2915-8BF8D1F23F0D} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [sAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck

O4 - HKLM\..\Run: [C:\WINDOWS\System32\nvdsvc32.exe ] C:\WINDOWS\System32\nvdsvc32.exe

O4 - HKLM\..\Run: [d3wm.exe] C:\WINDOWS\d3wm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [Zxghadyw] C:\Program Files\Wcil\Dxiww.exe

O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"

O4 - HKLM\..\Run: [win.exe] C:\WINDOWS\System32\win.exe

O4 - HKLM\..\Run: [NNSCAG638.EXEeorg] C:\WINDOWS\System32\NNSCAG638.EXEeorg

O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O23 - Service: Workstation NetLogon Service ( 11F


Hi jbrandow,

Please hold on until I finish looking over your log.


Hi jbrandow,

Please download ewido anti-malware; it is a free version of the program.

  1. Install ewido anti-malware.
  2. When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  3. Launch ewido: there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Once the updates are installed, close ewido anti-malware.

**You should print out these directions in case you forget them, or simply copy/paste them into Notepad.**

Then boot into safe mode.

Once in safe mode,

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Then open up HijackThis. Check the following boxes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {166D5965-3523-FD3D-7653-2DD44AC66EB8} - (no file)

O2 - BHO: (no name) - {36602E34-564B-4F82-3460-40E15FF68B74} - (no file)

O2 - BHO: Class - {37E5E66E-C168-B55B-BE2E-8478ED77CD96} - C:\WINDOWS\system32\addbm.dll

O2 - BHO: (no name) - {43DB041A-707F-D568-FF53-1CC67ADD3B82} - (no file)

O2 - BHO: (no name) - {588E9107-C2D3-E0FF-D067-E37707B28CEA} - (no file)

O2 - BHO: (no name) - {79FB99E0-9529-0FF5-9D52-B42B3DCDEF49} - (no file)

O2 - BHO: (no name) - {8AF249B1-7F56-BD75-0375-407C171E89E5} - (no file)

O2 - BHO: (no name) - {8D5677A8-8EC4-A206-E11B-F72C0B1F7287} - (no file)

O2 - BHO: (no name) - {D8010B5A-E220-B876-B855-D2861F450A0C} - (no file)

O2 - BHO: (no name) - {DBFC5A92-4FA4-C151-1D59-8CA0FBBFD49C} - (no file)

O2 - BHO: (no name) - {E2EE3398-3679-6B34-51F3-26F80A4F6FA2} - (no file)

O2 - BHO: (no name) - {E63F1C8C-F268-E0E3-67B6-E79D4A5DD48E} - (no file)

O2 - BHO: (no name) - {EF3F1C7D-511A-0A1F-2915-8BF8D1F23F0D} - (no file)

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"

O4 - HKLM\..\Run: [win.exe] C:\WINDOWS\System32\win.exe

O4 - HKLM\..\Run: [NNSCAG638.EXEeorg] C:\WINDOWS\System32\NNSCAG638.EXEeorg

O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O23 - Service: Workstation NetLogon Service ( 11F

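Triage of a HijackThis log like the one above can be scripted so that the obvious entries are surfaced before a human reads the rest. The following Python is an added example, not code from this thread, from HijackThis or from ewido; it parses the `Rn`/`On` entry lines and applies the same rules the reply above used when choosing which boxes to tick: IE search pages pointing into a local DLL via `res://`, a missing URLSearchHook, BHO registrations with `(no file)`, Run-key targets without a normal executable extension, the `O10` Winsock hijack, and `O15` Trusted Zone additions, with `O16` ActiveX downloads marked for manual review. The sample entries are copied from jbrandow's log; the function names, the `fix`/`review` labels and the extension allow-list are my own assumptions, and the rules generalize beyond this one log to any HijackThis 1.x output.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of entries copied from the HijackThis log
# posted in this thread, enough to exercise every rule below. Header and
# "Running processes" lines are included to show they are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zmbfs.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {166D5965-3523-FD3D-7653-2DD44AC66EB8} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
"""

# Every HijackThis entry line starts with a section code such as R1, O2, O23.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Assumed allow-list of extensions a legitimate Run-key target normally carries.
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O4"
    action: str    # "fix" = tick the box in HijackThis, "review" = confirm by hand
    reason: str
    line: str


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each 'Rn - ...' / 'On - ...' line; everything else is skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def run_target(body: str) -> str:
    """Pull the launched program out of an O4 Run body: first token after ']', honouring quotes."""
    cmd = body.split("]", 1)[1].strip() if "]" in body else body.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text: str) -> list[Finding]:
    """Apply the heuristics used in the reply above to every entry, in log order."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if section in ("R0", "R1") and "= res://" in body:
            findings.append(Finding(section, "fix", "IE search/start page points into a local DLL via res://", line))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, "fix", "default URLSearchHook has been removed", line))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "fix", "BHO registration whose DLL is gone (orphaned CLSID)", line))
        elif section == "O4" and "\\Run:" in body:
            target = run_target(body)
            basename = target.rsplit("\\", 1)[-1]
            ext = basename[basename.rfind("."):].lower() if "." in basename else ""
            if ext not in EXEC_EXTENSIONS:
                findings.append(Finding(section, "fix", f"Run entry launches a file without a normal executable extension ({target!r})", line))
        elif section == "O10":
            findings.append(Finding(section, "fix", "Winsock LSP chain reported as hijacked", line))
        elif section == "O15":
            findings.append(Finding(section, "fix", "site silently added to the IE Trusted Zone", line))
        elif section == "O16":
            findings.append(Finding(section, "review", "downloaded ActiveX control; confirm the publisher before keeping it", line))
    return findings


def fix_list(text: str) -> list[str]:
    """The lines to tick in HijackThis, in log order, laid out like the helper's reply."""
    return [f.line for f in triage(text) if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:3} {f.reason}\n         {f.line}")
```

On the sample above the script flags seven entries, six to fix and one `O16` to review; the benign Acrobat BHO, the QuickTime Run entry and the `about:blank` default page pass through. The helper's own fix list also ticked that `about:blank` line, which is the reason the output is framed as a shortlist for a reviewer rather than a verdict: a rule set only catches what it has been told to look for.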

ID: 4   Posted (edited)

Ducky has updated A:B to fix the overflow error in the last few hours. Get the latest version from HERE and run the NEW version in safe mode. Post the log from it also.

Edited by jwbirdsong
