
Help Wanted


17 replies to this topic

#1 Hampus

Hampus

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 03 September 2006 - 06:35 AM

Hi
When I try to go from one webpage to another that is a pop-up window, the computer just stands still for about 15 sec, and then stays at the first page. And sometimes I get redirected to another webpage. I hope





Logfile of HijackThis v1.99.1
Scan saved at 13:29:03, on 2006-09-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Pepto Systems AB\EasyInvoice\EasyInvoiceClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program\Personal\bin\Personal.exe
C:\Documents and Settings\Petri Kljutschnik\Start-meny\Program\Autostart\w32.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Petri Kljutschnik\Lokala inställningar\Temp\Temporär katalog 7 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.preventor.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.preventor.se/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {391a72a1-108d-435a-875e-5b9048e11657} - C:\WINDOWS\System32\qetf.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PreloadApp] "c:\hp\drivers\printers\photosmart\hphprld.exe" c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] "C:\Program\HPQ\Notebook Utilities\hptasks.exe" /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AS00_Gear511] "C:\Program\NETGEAR\WG511SCU\Utility\Gear511.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program\Norton Internet Security\cfgwiz.exe" /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [EasyInvoice(AMFA)] "C:\Program\Pepto Systems AB\EasyInvoice\EasyInvoiceClient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [fiavm.exe] C:\WINDOWS\System32\fiavm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program\KillAndClean\KillAndClean.exe"
O4 - Startup: w32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: &Google-sökning - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Översätt engelskt ord - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Bakåtlänkar - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lagrad bild på sida - res://c:\program\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Liknande sidor - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.xxxtreams.com/data/xxxtreams/downloads/mmp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{120D0518-329F-4B4B-B582-CAC903D4A3DE}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D8432BD-C088-4179-B9F4-A1ED2FD0C0ED}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A48B9BD-51E2-48C8-B28D-6BF027C36395}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AD09289-5797-4A42-B663-69082A46A14B}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C6EB61-0598-49D3-9265-70D41A0CABC9}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8508A07-581F-4CA4-8692-C9C8105CC57E}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8B55FED-9884-4E40-A22F-852F6B8C531F}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\..\{120D0518-329F-4B4B-B582-CAC903D4A3DE}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Norton Internet Security\comHost.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\SpySweeper.exe



#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 04 September 2006 - 10:41 AM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe
or
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

Fix these with HJT – mark them, close IE, click fix checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{120D0518-329F-4B4B-B582-CAC903D4A3DE}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D8432BD-C088-4179-B9F4-A1ED2FD0C0ED}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{6A48B9BD-51E2-48C8-B28D-6BF027C36395}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{7AD09289-5797-4A42-B663-69082A46A14B}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C6EB61-0598-49D3-9265-70D41A0CABC9}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8508A07-581F-4CA4-8692-C9C8105CC57E}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\..\{E8B55FED-9884-4E40-A22F-852F6B8C531F}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167

O17 - HKLM\System\CS1\Services\Tcpip\..\{120D0518-329F-4B4B-B582-CAC903D4A3DE}: NameServer = 85.255.114.69,85.255.112.167

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167


If you have connection problems after this

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
· Double-click the Network Connections icon
· Right-click the Local Area Connection icon and select Properties.
· Highlight Internet Protocol (TCP/IP) and click the Properties button.
· Be sure Obtain DNS server address automatically is selected.
· OK your way out.


* Go to Start > Run and type in cmd
· Click OK.
· This will open a command prompt.
· Type or copy and paste the following line in the command window:

ipconfig /flushdns
· Hit Enter
· Exit the command window

Do that before you restart.

=============
At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

And run FixWareout again.
========================

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· Run the application
· Click on scanner
· then select the "Settings" tab.
· Once in the Settings screen click on "Recommended actions" and then select "Delete".
· Select "Automatically generate report after every scan"
· Un-Select "Only if threats were found"
· Click Complete System Scan and the scan will begin.
· When the scan is finished, Set all items to delete
· Apply all actions
· look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
RE-Boot
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 05 September 2006 - 03:54 AM

Hi
When I click on the links, my computer stops for 15 sec, and then goes back to Bleepingcomputer. I've tried to copy and paste the link in the address field, but it doesn't work.

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 05 September 2006 - 08:55 AM

Can you get it from a friend on a CD or a floppy?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 05 September 2006 - 09:14 AM

I tried on another computer, and it says that the webpage can't be shown!

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 05 September 2006 - 03:54 PM

Which one? 'Cause the Wareout link works for me.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 06 September 2006 - 02:57 AM

I was able to run subratam, but when I run it, it says BFU.exe is not present, unpacked or in proper location

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 06 September 2006 - 08:30 AM

You have to allow it to DL BFU in your firewall.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 07 September 2006 - 02:12 AM

How do I do that?

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 07 September 2006 - 03:36 PM

get it here

http://www.majorgeeks.com/Brute_Force_Unin..._BFU_d4714.html

Put it in the same folder as wareout
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 08 September 2006 - 03:18 AM

Fixwareout wasn't in a folder, so I created one, and I unpacked BFU and put it in a folder, but it doesn't work. Could you please give me help step by step?

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 08 September 2006 - 08:05 PM

DL fixwareout to C:\

Same with BFU

then run it from there
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 09 September 2006 - 11:39 AM

Thanks for your help, but I don't know if I'm stupid or if I don't understand your instructions. I did put them in C:, but I get the same error message again. What am I doing wrong?

#14 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 09 September 2006 - 04:03 PM

Are they all in the same folder?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#15 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts

Posted 10 September 2006 - 08:32 AM

Hi. I finally understood what you were talking about. Sorry for my stupidity :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 15:27:54, on 2006-09-10
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Pepto Systems AB\EasyInvoice\EasyInvoiceClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program\Personal\bin\Personal.exe
C:\Documents and Settings\Petri Kljutschnik\Start-meny\Program\Autostart\w32.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Petri Kljutschnik\Lokala inställningar\Temp\Temporär katalog 9 för hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.preventor.se/
O2 - BHO: (no name) - {391a72a1-108d-435a-875e-5b9048e11657} - C:\WINDOWS\System32\qetf.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PreloadApp] "c:\hp\drivers\printers\photosmart\hphprld.exe" c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] "C:\Program\HPQ\Notebook Utilities\hptasks.exe" /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AS00_Gear511] "C:\Program\NETGEAR\WG511SCU\Utility\Gear511.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program\Norton Internet Security\cfgwiz.exe" /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [EasyInvoice(AMFA)] "C:\Program\Pepto Systems AB\EasyInvoice\EasyInvoiceClient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: w32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: &Google-sökning - res://c:\program\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Översätt engelskt ord - res://c:\program\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Bakåtlänkar - res://c:\program\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lagrad bild på sida - res://c:\program\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Liknande sidor - res://c:\program\google\GoogleToolbar2.dll/cmsimilar.html
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Norton Internet Security\comHost.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\SpySweeper.exe






Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CB1ABFCA7FF5-88C8-1F44-6083-D7E8FB90{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F62597F5506D-8B0A-5794-A86D-EF45D938{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD7C627A93E4-2DDB-F2E4-05CB-1CCD720B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D7A854E38F73-3ABA-E664-CB52-0D2160BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E4DF63A97C7B-1F2B-F9E4-6C53-C92B34FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25E63F706FB5-866B-C024-D926-58F66C45{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}378E7B5A36BA-D339-2B14-FE2F-863132BA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ddamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Random Runs removed from HKLM
"dmadd.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
C:\WINDOWS\SYSTEM32\CSJHO.EXE
* csr.exe C:\WINDOWS\System32\CSJHO.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSJHO.EXE 51 201 2006-08-30
C:\WINDOWS\SYSTEM32\DMADD.EXE 61 962 2002-09-11
C:\WINDOWS\SYSTEM32\DMVLL.EXE 61 962 2002-09-11

Other suspects.
Directory of C:\WINDOWS\system32
{54C66F85-629D-420C-B668-5BF607F36E52}.exe
{DF43B29C-35C6-4E9F-B2F1-B7C79A36FD4E}.exe
{CB0612D0-25BC-466E-ABA3-37F83E458A7D}.exe
{839D54FE-D68A-4975-A0B8-D6055F79526F}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
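
An added example, not part of the original thread and not code from HijackThis or Fixwareout: a Python sketch that diffs the two HijackThis logs posted above and groups the O17 NameServer overrides by DNS server, to check that the entries the helper asked to fix are gone. The function names are hypothetical, and BEFORE/AFTER are short excerpts copied from the 03 and 10 September logs in this thread.

```python
import re
from collections import defaultdict

# Excerpt of the log posted on 03 September (before the fix).
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {391a72a1-108d-435a-875e-5b9048e11657} - C:\WINDOWS\System32\qetf.dll
O4 - HKLM\..\Run: [fiavm.exe] C:\WINDOWS\System32\fiavm.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program\KillAndClean\KillAndClean.exe"
O4 - Startup: w32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{120D0518-329F-4B4B-B582-CAC903D4A3DE}: NameServer = 85.255.114.69,85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.69 85.255.112.167
"""

# Excerpt of the log posted on 10 September (after Fixwareout and HijackThis fixes).
AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {391a72a1-108d-435a-875e-5b9048e11657} - C:\WINDOWS\System32\qetf.dll
O4 - Startup: w32.exe
"""

# A HijackThis entry line is "<section code> - <text>", e.g. "O17 - HKLM\...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O17 text is "<registry key>: NameServer = <ip>[,| ]<ip>...".
NAMESERVER = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_entries(log):
    """Return the set of (section, text) pairs; process paths and headers are skipped."""
    entries = set()
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def nameserver_overrides(entries):
    """Map each DNS server named in an O17 entry to the registry keys that set it."""
    by_server = defaultdict(list)
    for section, text in entries:
        match = NAMESERVER.match(text) if section == "O17" else None
        if match:
            # The log separates servers with commas (per-interface keys)
            # or spaces (the Tcpip\Parameters key), so split on both.
            for ip in re.split(r"[,\s]+", match.group("servers").strip()):
                by_server[ip].append(match.group("key"))
    return {ip: sorted(keys) for ip, keys in by_server.items()}


def remediation_diff(before, after):
    """Compare two logs: entries removed, entries still present, entries newly added."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b - a),
        "remaining": sorted(b & a),
        "new": sorted(a - b),
    }


if __name__ == "__main__":
    for ip, keys in nameserver_overrides(parse_entries(BEFORE)).items():
        print(f"before: {ip} set under {len(keys)} key(s)")
    print("after :", nameserver_overrides(parse_entries(AFTER)) or "no O17 overrides")
    for label, items in remediation_diff(BEFORE, AFTER).items():
        for section, text in items:
            print(f"{label:9} {section} - {text}")
```

Run against the full logs, the "remaining" list is what the helper still has to review in the follow-up log.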



