Full Version: Adaware SE hangs scanning registry
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
navaho
I've tried most of the suggestions I've read on this forum, but SE always hangs when it hits HKEY_LOCAL_MACHINE\Software\. I can't tell where in the registry it hangs; the display is truncated, and that is all I can read. Adaware reports 1 critical item found but hangs before I can stop it and get a log created.

I'd appreciate any help that you can offer; I'm at my wit's end. At this point I don't know if the machine is infected or not.

Machine is Win2k 5.00.2195 Service Pack 4.

CHKDSK /r nothing reported.
Ran Windows Defender, nada. Clean checkup.
Ran Easy Cleaner, no problems scanning registry.
Ran Microsoft's REGCLEAN.EXE which ran through the registry without a hesitation.
Ran Defrag.
Ran cleansweep and emptied everything out.
Rootkit revealer came up blank.
Blacklight log posted below. It did find two hidden files. A Google search found nothing for them.
Adaware leaves no log as I can't get it to stop between when it detects a critical item and when I hit the stop button. It hangs pretty much immediately.
Not running SpySweeper.
Norton is Disabled when attempting to scan.
Adaware freezes in the same spot when I tried SafeMode.
Will post HiJack This log in the appropriate forum once I have it downloaded and figured out.

Blacklight Log --

07/26/06 22:03:21 [Info]: BlackLight Engine 1.0.42 initialized
07/26/06 22:03:21 [Info]: OS: 5.0 build 2195 (Service Pack 4)
07/26/06 22:03:21 [Note]: 7019 4
07/26/06 22:03:21 [Note]: 7005 0
07/26/06 22:03:41 [Note]: 7006 0
07/26/06 22:03:41 [Note]: 7011 1064
07/26/06 22:03:42 [Note]: 7026 0
07/26/06 22:03:42 [Note]: 7026 0
07/26/06 22:03:44 [Note]: FSRAW library version 1.7.1019
07/26/06 22:04:38 [Info]: Hidden file: c:\WINNT\system32\dmazb.exe
07/26/06 22:04:38 [Note]: 7002 32
07/26/06 22:04:38 [Note]: 7003 1
07/26/06 22:04:38 [Note]: 10002 1
07/26/06 22:04:39 [Info]: Hidden file: c:\WINNT\system32\cskdh.exe
07/26/06 22:04:39 [Note]: 7002 32
07/26/06 22:04:39 [Note]: 7003 1
07/26/06 22:04:39 [Note]: 10002 1
07/26/06 22:06:00 [Note]: 7007 0
navaho
This is the HiJackThis log to go with my Adaware freeze problem posted at http://www.lavasoftsupport.com/index.php?showtopic=2172

Logfile of HijackThis v1.99.1
Scan saved at 10:32:57 PM, on 7/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = grover:8080
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134791158856
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5FF9E3-2F0E-4F2C-AC29-7640D43EE8AF}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1C41D0-5092-4BC5-9BF5-4F3A28E8721E}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBCB9F8E-A3B9-490F-88C5-72DA9CE1A797}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A55930-99E8-41AB-A1C8-BD18130D7512}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O17 - HKLM\System\CS2\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O23 - Service: Apache2 - Unknown owner - C:\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
navaho
HiJackThis log is posted at http://www.lavasoftsupport.com/index.php?showtopic=2173
miekiemoes
Hello,

Yes, malware is the reason why your Adaware hangs. You are dealing with Trojan Pakes, so perform my steps in the right order.

I see you have Windows Defender running.
The real-time protection may interfere with the fixes, that's why I want you to turn it off.

To turn real-time protection off
Open Windows Defender. (Click Start, click Programs, and then click Windows Defender.)
Click Tools, and then click General Settings.
Under Real-time protection options, Uncheck the Turn on real-time protection (recommended) check box.
Then click Save.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5FF9E3-2F0E-4F2C-AC29-7640D43EE8AF}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF1C41D0-5092-4BC5-9BF5-4F3A28E8721E}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBCB9F8E-A3B9-490F-88C5-72DA9CE1A797}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A55930-99E8-41AB-A1C8-BD18130D7512}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O17 - HKLM\System\CS2\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
navaho
Thank you.

After running HiJackThis, asking it to clean what you noted, I had to repair C:\WINNT\system32\drivers\etc\hosts to get my localhost entry back. I then had to re-enter my DNS server info into my network setup to get back online. I note that the HiJackThis log now reflects the proper name servers.

While running Fixwareout I almost immediately got an error to the effect that the script can only import registry files. Didn't get it verbatim, wish I had.

Here is the Fixwareout log ---------------


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5052DBBB3E11-59A9-AD24-B894-56B7A12F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35770ADC01A6-E8FB-0224-2D8D-96F966D0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C2769DF15E21-B538-0EA4-355E-B51F8AB3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D6F556B9CBC9-830B-5984-42FA-4768307F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DECB684A2A38-3678-D624-3536-67DF8833{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6152F5F8073-51F8-B104-2AAB-3A493282{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}46EB15FA1F0C-1FF8-AD64-B291-B098D238{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\bmqmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINNT\System32\CSONN.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSONN.EXE 51,229 2006-07-16
C:\WINNT\SYSTEM32\DMQMB.EXE 61,960 2003-06-19
Other suspects
Directory of C:\WINNT\system32

and here is the new HiJackThis log --------------


Logfile of HijackThis v1.99.1
Scan saved at 8:23:23 PM, on 7/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = grover:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [dmsbw.exe] C:\WINNT\system32\dmsbw.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134791158856
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O23 - Service: Apache2 - Unknown owner - C:\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I no longer see name servers that I do not recognise. UD agent immediately connected properly this last reboot. That is what alerted me to a problem in the beginning of all this: UD could not connect.

There are still 3 .exe files that I can't identify listed in the Fixwareout log. Shall I be concerned?
miekiemoes
Hello,

> I then had to re-enter my DNS server info into my network setup to get back on line

Yes, because you were dealing with a DNS hijacker.

I want you to give this another run, because most probably your Norton Scriptblocking service interfered with the fix here, and as I can see, the random startup entry didn't get deleted during the fix (and this is done through a VBS script).

So perform the following first.

* Disable the Script Blocking Service:
  • To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services.
  • Find the ScriptBlocking service, right-click the service, and then click Properties. On the General tab, under Startup, click Disabled.
  • Under Service Status, click Stop button. Click Apply button.
* Disable the Script Blocking In Norton Settings:
  • Start Norton Antivirus.
  • Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
  • Click Script Blocking.
  • Uncheck Enable Script Blocking (recommended).
  • Click OK.
You can reenable it afterwards when everything is clean again.

Then search for and delete the following files:

C:\WINNT\SYSTEM32\CSONN.EXE
C:\WINNT\SYSTEM32\DMQMB.EXE

Then check and fix the following entry in HijackThis again:

O4 - HKLM\..\Run: [dmsbw.exe] C:\WINNT\system32\dmsbw.exe

(It is possible that this one has already changed, but it will start with O4 - HKLM\..\Run: [dm***.exe] C:\WINNT\system32\dm***.exe, where *** stands for random letters.)

And then run the Fixwareout tool again.
Post the log from Fixwareout in your next reply together with a new HijackThis log.
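A detection pass over the kinds of HijackThis lines this thread turns on, the rogue O17 NameServer entries and reversed O1 hosts line fixed in the earlier post and the random five-letter dm/cs/jb Run entries described just above, as an added example that is not part of the thread or of HijackThis or Fixwareout. The sample log lines, the trusted DNS set and all function names are constructed for the example.

```python
"""Flag DNS-hijacker indicators (Wareout / Trojan Pakes style) in a HijackThis 1.99 log."""
import ipaddress
import re

# Constructed sample lines, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dmsbw.exe] C:\WINNT\system32\dmsbw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 85.255.113.142,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.142 85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
"""

# The resolvers the user recognises (constructed allowlist; the ones restored later in the thread).
TRUSTED_DNS = {"68.87.96.3", "63.251.4.129", "63.251.4.130"}

O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# Five-letter names starting cs, dm or jb: the pattern Fixwareout's
# "Search five digit cs, dm and jb files" step reports. Legitimate files can
# match too, so these are suspects to look up, not automatic deletions.
RANDOM_NAME_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _exe_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def analyze_hjt_log(text, trusted_dns):
    """Return (kind, detail, line) tuples for each indicator found in the log text."""
    findings = []
    trusted = {ipaddress.ip_address(ip) for ip in trusted_dns}
    for line in text.splitlines():
        line = line.rstrip()
        m = O1_RE.match(line)
        if m:
            # A normal hosts line is "127.0.0.1 localhost". The hijacker's reversed
            # form is what HijackThis shows; simply "fixing" (deleting) it leaves
            # the machine without a localhost entry, as happened in this thread,
            # so report the corrected line rather than just the removal.
            parts = m.group("entry").split()
            if len(parts) >= 2 and not _is_ip(parts[0]) and _is_ip(parts[-1]):
                findings.append(("hosts-reversed", parts[-1] + " " + " ".join(parts[:-1]), line))
            continue
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            name = path.replace("/", "\\").rsplit("\\", 1)[-1]
            if "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(name):
                findings.append(("random-run", name, line))
            continue
        m = O17_RE.match(line)
        if m:
            # The hijacker writes the same NameServer value under CCS, CS1 and CS2,
            # so every control set is checked; servers are comma- or space-separated.
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            rogue = [s for s in servers if _is_ip(s) and ipaddress.ip_address(s) not in trusted]
            if rogue:
                findings.append(("rogue-nameserver", ",".join(rogue), line))
    return findings


if __name__ == "__main__":
    for kind, detail, line in analyze_hjt_log(SAMPLE_LOG, TRUSTED_DNS):
        print(f"{kind:17} {detail}\n    {line}")
```

Run against a real log, the O17 findings tell you which control sets still carry the rogue resolvers, and the random-run findings are the dm***.exe entries to look up before fixing.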
navaho
Ok, disabled script blocking through the services administration panel and Norton's options panel.

Found and deleted C:\WINNT\SYSTEM32\CSONN.EXE
Did not find C:\WINNT\SYSTEM32\DMQMB.EXE

Used HiJackthis to remove O4 - HKLM\..\Run: [dmsbw.exe] C:\WINNT\system32\dmsbw.exe
It had not changed yet.

Found C:\WINNT\system32\dmsbw.exe but could not delete it. Sharing access violation, of course.

Fixwareout ran but I got the same error: cannot import op.reg. This is from the Registry Editor Service.

Logs are below. You'll see that we have a new entry.
O4 - HKLM\..\Run: [dmhnr.exe] C:\WINNT\system32\dmhnr.exe

Fixwareout ------


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wbsmd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\DMSBW.EXE 61,960 2003-06-19
Other suspects
Directory of C:\WINNT\system32

HiJackThis ----

Logfile of HijackThis v1.99.1
Scan saved at 1:03:22 AM, on 7/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = grover:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [dmhnr.exe] C:\WINNT\system32\dmhnr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134791158856
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O23 - Service: Apache2 - Unknown owner - C:\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
navaho
op.reg is a 0byte file, which would explain why the registry service will not import it. No idea if this is important or not.
miekiemoes
Check and fix the following entry in HijackThis:

O4 - HKLM\..\Run:[dmhnr.exe] C:\WINNT\system32\dmhnr.exe

Then let's use the HijackThis "delete on reboot" option for this one, because that's the one that is currently active but won't get deleted.

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINNT\system32\dmhnr.exe

Click open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

Then delete C:\WINNT\SYSTEM32\DMSBW.EXE manually, because that one will get deleted now, since another dm***.exe is the active one now.

Post a new HijackThis log in your next reply. Don't fix anything in it if another dm*** appears in it again, because that shows whether the infection is still active or not and which one is loaded.
navaho
C:\WINNT\SYSTEM32\DMSBW.EXE didn't exist, so I could not remove it manually. My guess is that HiJackThis got it before it renamed itself.

New log is below, no new HKLM Run keys.

I *Think* this machine is clean now, but I'll wait on your prognosis before cracking open the champagne bottle.

Thank you so much for helping me out.

HiJackThis log --------

Logfile of HijackThis v1.99.1
Scan saved at 1:36:08 AM, on 7/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = grover:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134791158856
O17 - HKLM\System\CCS\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{762C58F3-F2DA-47E1-BEFF-4A62E90415DA}: NameServer = 68.87.96.3,63.251.4.129,63.251.4.130
O23 - Service: Apache2 - Unknown owner - C:\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
miekiemoes
Yes, looks clean again. smile.gif
You may re-enable your Windows Defender and Norton Script Blocking service again.

Just perform a full scan with Norton + Ad-Aware SE to get rid of the leftovers if still present.
Normally Adaware won't freeze anymore.
navaho
miekiemoes thank you very, very much. Your expertise is evident and awesome. biggrin.gif
miekiemoes
Glad I could help. smile.gif

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to protect your PC, protect yourself and protect your family.

You can also find more info on how to prevent malware here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! smile.gif
LS CalamityJane
QUOTE(navaho @ Jul 28 2006, 10:32 PM)
miekiemoes thank you very, very much. Your expertise is evident and awesome. biggrin.gif

She definitely is awesome, I will agree 100% biggrin.gif

Thank you for your help miekie. I'm going to merge these topics and move to "Resolved" (read only)

Navaho, if you should need it re-opened for any reason, please feel free to send me a request to open it.

For anyone else with similar issues please feel free to start a new topic of your own.