
Google Search Redirect, Hjt Log In Post


10 replies to this topic

#1 Rookie1mbit

Rookie1mbit

  • Members
  • 40 posts

Posted 23 April 2006 - 10:56 AM

Hi.

I get weird Google searches when clicking links, along with redirects to other weird-looking sites.
Ran Ad-Aware (locks up during the registry scan), Spybot S&D (found like 20 red entries, removed them, didn't help), SpywareBlaster (no help), and CWShredder (no CoolWebSearch found on the PC).
Also ran HouseCall from Trend Micro online, found a bunch of stuff, deleted it, didn't help.
Oh, and ran the Norman virus scan, which I have installed.

Here's my HJT log (webstart.dk is my preferred start site):

Logfile of HijackThis v1.99.1
Scan saved at 17:48:39, on 23-04-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\Bin\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmer\TDC Internet\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\PDesk.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Programmer\Logitech\Video\LogiTray.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\EdgeCAM\Cam\edgecls.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
C:\WINNT\system32\LVComS.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearchIndexer.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\hjemme\Skrivebord\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.webstart.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webstart.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webstart.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.dk/0SEDADK/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Programmer\TDC Internet\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [CXMon] "C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmer\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Matrox PC-VCR Scheduler] "C:\Programmer\Matrox Video Tools\PC-VCRScheduler.exe"
O4 - HKLM\..\Run: [dmlpm.exe] C:\WINNT\system32\dmlpm.exe
O4 - Startup: GOTCHA!.lnk = C:\Programmer\Prescient Systems\GOTCHA!\Gotcha32.exe
O4 - Global Startup: EdgeCLS6.75.lnk = C:\Programmer\EdgeCAM\Cam\edgecls.exe
O4 - Global Startup: Windows-pc-søgning.lnk = C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/229?3d4086d31ebf435c8da315fa7c952ed5
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/230?3d4086d31ebf435c8da315fa7c952ed5
O12 - Plugin for .mid: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-1204.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://hamburgcam.axiscam.net:8080/activex/AMC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://195.41.18.51/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.danskebank.dk/html/activex/...anskeSikker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A893FD2-F4B6-4F41-A616-926381314053}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{6196A09C-2621-4D53-8079-C48E2599DCC3}: NameServer = 85.255.115.6,85.255.112.20
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: windows notify network (windows network notify service) - Unknown owner - C:\WINNT\csrssc.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Programmer\TDC Internet\WrOS.EXE

Any help is greatly appreciated.

Regards, Rooks, Denmark.


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 23 April 2006 - 11:15 AM

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.


#3 Rookie1mbit

Rookie1mbit
  • Topic Starter

  • Members
  • 40 posts

Posted 23 April 2006 - 01:07 PM

Thanks for the quick answer.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:02:54, on 23-04-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\Bin\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmer\TDC Internet\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\PDesk.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Programmer\Logitech\Video\LogiTray.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\EdgeCAM\Cam\edgecls.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
C:\WINNT\system32\LVComS.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearchIndexer.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\hjemme\Skrivebord\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.webstart.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webstart.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webstart.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.dk/0SEDADK/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Programmer\TDC Internet\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [CXMon] "C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmer\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Matrox PC-VCR Scheduler] "C:\Programmer\Matrox Video Tools\PC-VCRScheduler.exe"
O4 - HKLM\..\Run: [dmlpm.exe] C:\WINNT\system32\dmlpm.exe
O4 - Startup: GOTCHA!.lnk = C:\Programmer\Prescient Systems\GOTCHA!\Gotcha32.exe
O4 - Global Startup: EdgeCLS6.75.lnk = C:\Programmer\EdgeCAM\Cam\edgecls.exe
O4 - Global Startup: Windows-pc-søgning.lnk = C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/229?3d4086d31ebf435c8da315fa7c952ed5
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/230?3d4086d31ebf435c8da315fa7c952ed5
O12 - Plugin for .mid: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-1204.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://hamburgcam.axiscam.net:8080/activex/AMC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://195.41.18.51/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.danskebank.dk/html/activex/...anskeSikker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A893FD2-F4B6-4F41-A616-926381314053}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{6196A09C-2621-4D53-8079-C48E2599DCC3}: NameServer = 85.255.115.6,85.255.112.20
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: windows notify network (windows network notify service) - Unknown owner - C:\WINNT\csrssc.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Programmer\TDC Internet\WrOS.EXE

And here's the Ewido-log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:02:22, 23-04-2006
+ Report-Checksum: 69C515C8

+ Scan result:

[172] VM_00B90000 -> Downloader.Agent.uj : Error during cleaning
[168] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning
[1020] VM_00840000 -> Downloader.Agent.uj : Error during cleaning
[1536] VM_01850000 -> Downloader.Agent.uj : Error during cleaning
[1164] VM_00950000 -> Downloader.Agent.uj : Error during cleaning
[1496] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning
[876] VM_00910000 -> Downloader.Agent.uj : Error during cleaning
[1240] VM_011B0000 -> Downloader.Agent.uj : Error during cleaning
[1560] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[1576] VM_00C80000 -> Downloader.Agent.uj : Error during cleaning
[1580] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning
[1588] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning
[1688] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[712] VM_01260000 -> Downloader.Agent.uj : Error during cleaning
[1740] VM_00CF0000 -> Downloader.Agent.uj : Error during cleaning
[1756] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning
[1800] VM_00910000 -> Downloader.Agent.uj : Error during cleaning
[1788] VM_00F80000 -> Downloader.Agent.uj : Error during cleaning
[1220] VM_00D30000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\hjemme\Cookies\hjemme@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\hjemme\Cookies\hjemme@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\hjemme\Cookies\hjemme@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\hjemme\Lokale indstillinger\Temp\Cookies\hjemme@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\hjemme\Lokale indstillinger\Temp\Cookies\hjemme@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\hjemme\Lokale indstillinger\Temp\Cookies\hjemme@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\hjemme\Lokale indstillinger\Temp\Cookies\hjemme@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Programmer\TDC Internet\WrDialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\temp\180SAInstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup
C:\temp\180SAInstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup
C:\WINNT\system32\dgmail.exe/jenlope.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINNT\system32\explorers.exe/il.dbx -> Worm.Randon : Cleaned with backup
C:\WINNT\system32\feurer.exe/pudday.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINNT\system32\il.dbx -> Worm.Randon : Cleaned with backup
C:\WINNT\system32\scansql.exe -> Not-A-Virus.NetTool.Win32.SQLAccount.180 : Cleaned with backup


::Report End

Regards, Rookie, Denmark.

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 23 April 2006 - 01:27 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin, follow the prompts. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load, this is normal.

At the end of the fix, you may need to restart your computer again. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [dmlpm.exe] C:\WINNT\system32\dmlpm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A893FD2-F4B6-4F41-A616-926381314053}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{6196A09C-2621-4D53-8079-C48E2599DCC3}: NameServer = 85.255.115.6,85.255.112.20

Exit HijackThis. Now let's check some settings on your system. In the Windows Control Panel - if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

(That option might not be available on some systems)

Next click Start>run type cmd and hit OK, copy and paste the following:

ipconfig /flushdns

then hit enter, type exit hit enter.

Reboot and post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

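A defender-side triage script for the three kinds of HJT entry this reply acts on (the O17 NameServer entries on every adapter, the O4 Run value named after its own executable, and ownerless O23 services whose binary is "(file missing)"). This is an added example, not code from the thread or from HijackThis; the heuristics are the editor's, and EXPECTED_DNS (the resolvers the ISP really hands out) is a constructed assumption.

```python
"""Triage heuristics for HijackThis (HJT) 1.99.x log lines.

Added example, not code from the thread or from HijackThis itself. It encodes
three checks from the analysis above as code a helper could run over a pasted log:
  * O17 NameServer entries pointing at DNS servers outside an expected allow-list
    (the DNS-hijack pattern the poster is told to remove and reset to automatic);
  * O23 services with "Unknown owner" whose binary is "(file missing)";
  * O4 Run values whose label is just the file name of the executable they launch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Assumption: the resolvers the ISP really assigns (constructed documentation IPs).
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str              # "dns", "service" or "run"
    line: str              # the HJT line that triggered the check
    detail: str            # human-readable explanation
    values: list[str] = field(default_factory=list)  # e.g. the unexpected DNS servers


def exe_name(cmd: str) -> str:
    """Return the lower-cased file name of the program a Run value launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]      # quoted path, arguments follow the quote
    else:
        path = cmd.split(" ", 1)[0]          # unquoted path, arguments after first space
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _valid_ips(text: str) -> list[str]:
    """Keep only the comma-separated items that parse as IP addresses."""
    out = []
    for part in text.split(","):
        part = part.strip()
        try:
            ip_address(part)
            out.append(part)
        except ValueError:
            continue
    return out


def triage(log_text: str, expected_dns: set[str] = EXPECTED_DNS) -> list[Finding]:
    """Walk an HJT log and return the lines the three heuristics flag."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            rogue = [s for s in _valid_ips(m["servers"]) if s not in expected_dns]
            if rogue:
                findings.append(Finding("dns", line,
                    "NameServer points outside the expected resolvers", rogue))
        elif m := O23_RE.match(line):
            if m["missing"] and m["owner"] == "Unknown owner":
                findings.append(Finding("service", line,
                    f"ownerless service {m['name']!r} whose binary is gone", [m["path"]]))
        elif m := O4_RE.match(line):
            exe = exe_name(m["cmd"])
            if m["label"].lower() == exe:
                findings.append(Finding("run", line,
                    "Run value named after its own executable", [exe]))
    return findings


def rogue_dns_servers(findings: list[Finding]) -> set[str]:
    """Distinct unexpected resolvers seen across all adapters (O17 lines)."""
    return {ip for f in findings if f.kind == "dns" for ip in f.values}


# Constructed sample: a handful of lines taken from the logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmlpm.exe] C:\WINNT\system32\dmlpm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A893FD2-F4B6-4F41-A616-926381314053}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{6196A09C-2621-4D53-8079-C48E2599DCC3}: NameServer = 85.255.115.6,85.255.112.20
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: windows notify network (windows network notify service) - Unknown owner - C:\WINNT\csrssc.exe (file missing)
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.detail}: {', '.join(f.values)}")
        print(f"    {f.line}")
    print("Unexpected DNS servers to investigate:", sorted(rogue_dns_servers(results)))
```

The same two resolvers showing up on every adapter is the signal worth acting on: after the fix, a clean log should have no O17 lines at all once the adapters are back on automatic DNS.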

#5 Rookie1mbit

Rookie1mbit
  • Topic Starter

  • Members
  • 40 posts

Posted 23 April 2006 - 02:11 PM

OK, the O4 entry was not there.
The TCP/IP settings were OK.

Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:06:56, on 23-04-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\mgabg.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\Bin\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmer\TDC Internet\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\PDesk.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Programmer\Logitech\Video\LogiTray.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\EdgeCAM\Cam\edgecls.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
C:\WINNT\system32\LVComS.exe
C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearchIndexer.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Documents and Settings\hjemme\Skrivebord\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.dk/0SEDADK/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.webstart.dk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Programmer\TDC Internet\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [CXMon] "C:\Programmer\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmer\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Matrox PC-VCR Scheduler] "C:\Programmer\Matrox Video Tools\PC-VCRScheduler.exe"
O4 - Startup: GOTCHA!.lnk = C:\Programmer\Prescient Systems\GOTCHA!\Gotcha32.exe
O4 - Global Startup: EdgeCLS6.75.lnk = C:\Programmer\EdgeCAM\Cam\edgecls.exe
O4 - Global Startup: Windows-pc-søgning.lnk = C:\Programmer\MSN Toolbar Suite\DS\02.05.0001.1119\da-dk\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmer\MSN Toolbar Suite\TB\02.05.0000.1105\da-dk\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/229?3d4086d31ebf435c8da315fa7c952ed5
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\MSN Toolbar Suite\TAB\02.05.0000.1105\da-dk\msntabres.dll/230?3d4086d31ebf435c8da315fa7c952ed5
O12 - Plugin for .mid: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-1204.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://hamburgcam.axiscam.net:8080/activex/AMC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://195.41.18.51/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey®) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O16 - DPF: {F6A56D95-A3A3-11D2-AC26-400000058481} (Danske e-Sec) - https://netbank.danskebank.dk/html/activex/...anskeSikker.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: windows notify network (windows network notify service) - Unknown owner - C:\WINNT\csrssc.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Programmer\TDC Internet\WrOS.EXE

And here's the Fixwareout-report:

Fixwareout ver 1.003
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cvvmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
* csr.exe C:\WINNT\System32\CSITQ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Thanks again.


Regards. Rookie, Denmark.

#6 Rookie1mbit
  • Topic Starter
  • Members
  • 40 posts

Posted 23 April 2006 - 02:15 PM

Aight, tried the IE out; seems like the redirs are gone, and it works MUCH faster now.


Lemme know if there's anything more to do or not.



Regards. Rooks, Denmark.

#7 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 23 April 2006 - 03:27 PM

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting each one:

C:\WINNT\System32\CSITQ.EXE
C:\WINNT\system32\dmlpm.exe

Click 'Exit' when done. Let me know how it is now.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#8 Rookie1mbit
  • Topic Starter
  • Members
  • 40 posts

Posted 23 April 2006 - 03:44 PM

Seems to be working like a charm!

The dmlpm.exe "seems not to exist", though...

Wasn't that the one that was supposed to be under the O4 in HJT too?



I'll reboot in the morning, check again, and report again by then.


Regards. Rooks.

#9 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 23 April 2006 - 04:10 PM

Yes, I was making sure it was gone. Post back tomorrow and let me know how it is running.

#10 Rookie1mbit
  • Topic Starter
  • Members
  • 40 posts

Posted 23 April 2006 - 11:48 PM

Ok, booted up this morning, no probs.
The "C:\WINNT\system32\dmlpm.exe" is still not there, and the browser runs perfectly fine!



Thanks a bunch man!

Regards. Rooks, Denmark.

#11 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 24 April 2006 - 12:33 AM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
