help removing virus

Discussion in 'Windows - Virus and spyware problems' started by bloodmick, Jun 10, 2006.

  1. bloodmick

    bloodmick Member

    Joined:
    Jun 10, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 19:19:10, on 10/06/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\f2449074.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {930B5240-EFD5-94CB-DF66-5A916DA355E8} - DCC_send.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [f2449074.exe] C:\WINDOWS\System32\f2449074.exe
    O4 - HKLM\..\Run: [dialer423] prcmon.exe
    O4 - HKLM\..\Run: [keybdll] typeconf.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [dmtbj.exe] C:\WINDOWS\System32\dmtbj.exe
    O4 - HKCU\..\Run: [f2449074.exe] C:\Documents and Settings\brenda heads\Local Settings\Application Data\f2449074.exe
    O4 - HKCU\..\Run: [ms-its] xsetup.exe
    O4 - HKCU\..\Run: [ActionScr] ATLIEHELPER.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {140418F0-1128-2713-C55D-75DD40FB2B88} - http://85.255.114.166/1/rdgFR2505.exe
    O16 - DPF: {2CAB2B32-C045-59D0-5698-29406C629937} - http://85.255.114.166/1/rdgFR2505.exe
    O16 - DPF: {2D0C9F0D-8CDF-373E-7541-669F6C67C943} - http://85.255.114.166/1/rdgFR2505.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149866720500
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97FBABF4-ED55-4AC7-9434-BCFCBC6EE4D6}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CCS\Services\Tcpip\..\{98C948F6-D760-4D4D-91E7-A2B6E4E21885}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    I've tried everything to remove what's on my PC, following all of your sticky threads, but I cannot seem to remove it for good. Any help is appreciated.

    Thanks
     
  2. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Please print out these instructions or save them as text file.

    Fix with HjT (open HijackThis, click "Do a system scan", check-mark these and press "Fix checked"):

    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [f2449074.exe] C:\WINDOWS\System32\f2449074.exe
    O4 - HKLM\..\Run: [dialer423] prcmon.exe
    O4 - HKLM\..\Run: [keybdll] typeconf.exe
    O4 - HKLM\..\Run: [dmtbj.exe] C:\WINDOWS\System32\dmtbj.exe
    O4 - HKCU\..\Run: [f2449074.exe] C:\Documents and Settings\brenda heads\Local Settings\Application Data\f2449074.exe
    O4 - HKCU\..\Run: [ms-its] xsetup.exe
    O4 - HKCU\..\Run: [ActionScr] ATLIEHELPER.exe

    O16 - DPF: {140418F0-1128-2713-C55D-75DD40FB2B88} - http://85.255.114.166/1/rdgFR2505.exe
    O16 - DPF: {2CAB2B32-C045-59D0-5698-29406C629937} - http://85.255.114.166/1/rdgFR2505.exe
    O16 - DPF: {2D0C9F0D-8CDF-373E-7541-669F6C67C943} - http://85.255.114.166/1/rdgFR2505.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97FBABF4-ED55-4AC7-9434-BCFCBC6EE4D6}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CCS\Services\Tcpip\..\{98C948F6-D760-4D4D-91E7-A2B6E4E21885}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231

    Please download ewido anti malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck..
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://www.ewido.net/en/download/updates/

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    Make your hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

    Delete if found:

    C:\WINDOWS\System32\f2449074.exe
    C:\WINDOWS\System32\dmtbj.exe
    C:\Documents and Settings\brenda heads\Local Settings\Application Data\f2449074.exe

    Please do a search:
    Click "Start" > "Search" > "All Files and Folders" > enter RtlFindVal.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

    Repeat the search step above with these:

    prcmon.exe
    typeconf.exe
    xsetup.exe
    ATLIEHELPER.exe

    Then launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido anti-malware.

    Reboot back to normal mode
    Send the ewido report and a fresh HjT log along with the contents of c:\fixwareout\report.txt.
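The log in the first post and the fix list in the reply above turn on the same handful of checks: a hosts entry that is not in IP-then-name form, Run keys that launch oddly named executables or binaries from the user's profile, ActiveX (DPF) entries that fetch a raw .exe from a bare IP, and TCP/IP NameServer values pointing at public resolvers the owner never configured. The script below is an added example written for this page, not code from the thread, from HijackThis or from the forum; it parses HijackThis-style lines and flags those same patterns so a defender can triage a log before deciding what to fix. The sample lines are copied from the log above (with one benign nwiz entry kept for contrast), and TRUSTED_RESOLVERS, the profile-directory patterns and the "random-looking name" heuristics are assumptions of this example, not rules from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted in this thread, plus benign entries (nwiz, AVG7_CC, HouseCall) for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [f2449074.exe] C:\WINDOWS\System32\f2449074.exe
O4 - HKLM\..\Run: [dialer423] prcmon.exe
O4 - HKLM\..\Run: [dmtbj.exe] C:\WINDOWS\System32\dmtbj.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [f2449074.exe] C:\Documents and Settings\brenda heads\Local Settings\Application Data\f2449074.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {140418F0-1128-2713-C55D-75DD40FB2B88} - http://85.255.114.166/1/rdgFR2505.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E5DF4F4-F872-47CC-AC2E-E302E1FF5279}: NameServer = 85.255.116.34,85.255.112.231
"""

# Assumption: the only resolver this machine should use is the home router
# (placeholder address); any public resolver outside this set is a lead to review.
TRUSTED_RESOLVERS = {"192.168.1.1"}
# Windows host processes that legitimately appear as a bare name with a DLL argument.
HOST_PROCESSES = {"rundll32"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<entry>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _looks_random(stem):
    # Heuristic (assumption): eight hex characters, or a longer name with no vowels at all.
    s = stem.lower()
    return bool(re.fullmatch(r"[0-9a-f]{8}", s)) or (len(s) >= 5 and not re.search(r"[aeiouy]", s))


def _executable(cmd):
    # Take everything up to the first ".exe" so unquoted paths with spaces survive.
    m = re.match(r'"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split()[0].strip('"')


def check_o1(body):
    m = O1_RE.match(body)
    if not m:
        return []
    first = m.group("entry").split()[0]
    return [] if _is_ip(first) else ["hosts entry does not start with an IP address"]


def check_o4(body):
    m = O4_RE.match(body)
    if not m:
        return []
    exe = _executable(m.group("cmd"))
    stem = exe.rsplit("\\", 1)[-1]
    stem = stem[:-4] if stem.lower().endswith(".exe") else stem
    value_stem = re.sub(r"\.exe$", "", m.group("name"), flags=re.IGNORECASE)
    reasons = []
    lowered = exe.lower()
    if "\\local settings\\application data\\" in lowered or "\\temp\\" in lowered:
        reasons.append("autorun launched from a user profile data directory")
    if _looks_random(stem):
        reasons.append("random-looking executable name")
    if "\\" not in exe and stem.lower() not in HOST_PROCESSES and stem.lower() != value_stem.lower():
        reasons.append("bare executable name that does not match its Run value name")
    return reasons


def check_o16(body):
    m = O16_RE.match(body)
    if not m:
        return []
    url = urlparse(m.group("url"))
    reasons = []
    if url.hostname and _is_ip(url.hostname):
        reasons.append("ActiveX download from a bare IP address")
    if url.path.lower().endswith(".exe"):
        reasons.append("ActiveX entry pointing at a raw .exe instead of a .cab")
    return reasons


def check_o17(body):
    m = O17_RE.search(body)
    if not m:
        return []
    rogue = [ip for ip in m.group("ips").split(",")
             if _is_ip(ip) and ipaddress.ip_address(ip).is_global and ip not in TRUSTED_RESOLVERS]
    return [f"DNS resolver(s) outside the trusted set: {', '.join(rogue)}"] if rogue else []


CHECKS = {"O1": check_o1, "O4": check_o4, "O16": check_o16, "O17": check_o17}


def analyze_log(text):
    """Return one finding per (line, reason) for every HJT entry a check flags."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        for reason in check(m.group("body")):
            findings.append({"section": m.group("section"), "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample, the script flags exactly the O1, O4, O16 and O17 lines that tapiiri asked to fix and leaves the nwiz, AVG and HouseCall entries alone; on a full log it only produces leads, so a bare-name mismatch or a no-vowel filename still needs a human look before anything is removed.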
     
  3. bloodmick

    bloodmick Member

    Joined:
    Jun 10, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    My PC is fixed now, that was just what I needed; thanks a lot tapiiri!!
     
  4. tapiiri

    tapiiri Regular member

    Joined:
    Jun 11, 2005
    Messages:
    1,142
    Likes Received:
    0
    Trophy Points:
    46
    Good to hear. That Wareout rootkit, which was in your comp, is sometimes hard to remove. That's why I ask to send the requested reports.
     