Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Need help (again) - can't even run HiJackThis


  • Please log in to reply
22 replies to this topic

#1 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 27 May 2006 - 05:17 AM

Can't post an HJT log, as the program stops running as soon as it opens. Had an infection with FakeMSN8Beta - and I thourght that SpyBot took care of it... but there seems to still be problems with csrss.exe. pls.......... :(

    Advertisements

Register to Remove


#2 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 27 May 2006 - 02:42 PM

Rename "HijackThis.exe" to something else... Like "stigd.exe", then give it a whirl
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 27 May 2006 - 04:10 PM

did that mate... renamed it to TST.COM - and it still just opens and 3 sec. after closes again... Can't get a log. Tryed the EVIDO online scanner - and it found CoolWEB search and downloader.fugif After reboot - - and spybot scan, the same comes up...: --- Report generated: 2006-05-27 19:04 --- FakeMSN8Beta: Autorun settings (Registry value, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss FakeMSN8Beta: Autorun settings (Registry value, fixed) HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss FakeMSN8Beta: User settings (Registry value, fixed) HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows NT\CurrentVersion\Windows\run=...C:\WINDOWS\system32\*\csrss.exe... FakeMSN8Beta: User settings (Registry value, fixed) HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows NT\CurrentVersion\Windows\load=...C:\WINDOWS\system32\*\csrss.exe... FakeMSN8Beta: Executable (File, fixed) C:\WINDOWS\system32\netstat.com FakeMSN8Beta: Executable (File, fixed) C:\WINDOWS\system32\taskkill.com --- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- 2005-05-31 blindman.exe (1.0.0.1) 2005-05-31 SpybotSD.exe (1.4.0.3) 2006-05-27 TeaTimer.exe (1.4.0.2) 2006-04-11 unins000.exe (51.41.0.0) 2005-05-31 Update.exe (1.4.0.0) 2006-02-06 advcheck.dll (1.0.2.0) 2005-05-31 aports.dll (2.1.0.0) 2005-05-31 borlndmm.dll (7.0.4.453) 2005-05-31 delphimm.dll (7.0.4.453) 2005-05-31 SDHelper.dll (1.4.0.0) 2006-02-20 Tools.dll (2.0.0.2) 2005-05-31 UnzDll.dll (1.73.1.1) 2005-05-31 ZipDll.dll (1.73.2.0) 2006-05-26 Includes\Cookies.sbi (*) 2006-05-26 Includes\Dialer.sbi (*) 2006-05-26 Includes\Hijackers.sbi (*) 2006-05-26 Includes\Keyloggers.sbi (*) 2004-11-29 Includes\LSP.sbi (*) 2006-05-26 Includes\Malware.sbi (*) 2006-05-26 Includes\PUPS.sbi (*) 2006-05-26 Includes\Revision.sbi (*) 2006-05-26 Includes\Security.sbi (*) 2006-05-26 Includes\Spybots.sbi (*) 2005-02-17 Includes\Tracks.uti 2006-05-26 Includes\Trojans.sbi (*) THEN - I chose FIX - all gone - after reboot the same.. Tryed is in safe mode (with network to be able to login with my profile that has some rights)... scan and fix... reboot - same result Tryed the Trean Micro houscall - didn't find anything Tryed CWSShredder - newest version - didn't find anything HELP................ :(

Edited by StigD, 27 May 2006 - 04:13 PM.


#4 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 27 May 2006 - 04:27 PM

Please download/unzip this:

Registry Search by Bobbi Flekman

<Double-click> on regsearch.exe, and search for these:

csrss
wini.exe

It may take a while to run, so be patient. When finished, the search results will appear in your text editor,

Paste the contents of the results into your next post.
:)

Delete any of these files you can find:

C:\bx.exe

C:\WINDOWS\system32\netstat.com

C:\WINDOWS\system32\ping.com

C:\WINDOWS\system32\tracert.com

C:\WINDOWS\system32\tasklist.com

C:\WINDOWS\system32\taskkill.com

C:\WINDOWS\system32\regedit.com

C:\WINDOWS\system32\cmd.com

C:\WINDOWS\system32\xtc.tmp

BE VERY SURE THE FILES YOU DELETE MATCH THE NAMES GIVEN EXACTLY!!!

DELETING THE WRONG FILE CAN BE DISASTROUS!!!



P.S. - Rename HijackThis back to something that ends in "exe"

"com" is not a good choice at this time.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#5 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 27 May 2006 - 05:09 PM

downloaded it... unpacked it... run it... and it closes imidiately like with HJT. Non of those .com files is on my pc. I'll try the regedit search for hŽthose strings. stigd

#6 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 27 May 2006 - 05:28 PM

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe" "MSMSGS"="\"C:\\Programmer\\Messenger\\msmsgs.exe\" /background" "H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\"" "PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog" "SpybotSD TeaTimer"="C:\\Programmer\\Spybot - Search & Destroy\\TeaTimer.exe" "csrss"=" ------------ [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] "DebugOptions"="2048" "Documents"="" "DosPrint"="no" "load"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetMessage"="no" "NullPort"="None" "Programs"="com exe bat pif cmd" "run"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetWarn"="0" "Device"="\\\\dkaarfs01\\hp color LaserJet 2550 PCL 6,winspool,Ne06:" ------------- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] "DebugOptions"="2048" "Documents"="" "DosPrint"="no" "load"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetMessage"="no" "NullPort"="None" "Programs"="com exe bat pif cmd" "run"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetWarn"="0" "Device"="\\\\dkaarfs01\\hp color LaserJet 2550 PCL 6,winspool,Ne06:" ---------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems] "Debug"=hex(2):00,00 "Kmode"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\ 00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,\ 69,00,6e,00,33,00,32,00,6b,00,2e,00,73,00,79,00,73,00,00,00 "Optional"=hex(7):50,00,6f,00,73,00,69,00,78,00,00,00,00,00 "Posix"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\ 00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,\ 73,00,78,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00 "Required"=hex(7):44,00,65,00,62,00,75,00,67,00,00,00,57,00,69,00,6e,00,64,00,\ 6f,00,77,00,73,00,00,00,00,00 "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ 74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\ 00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\ 65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\ 00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\ 72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\ 00,32,00,34,00,2c,00,33,00,30,00,37,00,32,00,2c,00,35,00,31,00,32,00,20,00,\ 57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,00,75,\ 00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,3d,00,\ 57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,00,65,\ 00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,76,00,\ 2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,\ 00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,53,00,\ 65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,\ 00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,20,00,\ 53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,00,6e,\ 00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,65,00,\ 72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,00,7a,\ 00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,50,00,72,00,6f,00,66,00,\ 69,00,6c,00,65,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,\ 00,66,00,20,00,4d,00,61,00,78,00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,\ 54,00,68,00,72,00,65,00,61,00,64,00,73,00,3d,00,31,00,36,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\CSRSS] "CsrSrvSharedSectionBase"=dword:7f6f0000 ------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\CSRSS] "CsrSrvSharedSectionBase"=dword:7f6f0000 ----------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\SysProcs] "csrss.exe"=dword:00000000 "smss.exe"=dword:00000000 "screg.exe"=dword:00000000 "lsass.exe"=dword:00000000 "spoolss.exe"=dword:00000000 "EventLog.exe"=dword:00000000 "netdde.exe"=dword:00000000 "clipsrv.exe"=dword:00000000 "lmsvcs.exe"=dword:00000000 "MsgSvc.exe"=dword:00000000 "winlogon.exe"=dword:00000000 "NETSTRS.EXE"=dword:00000000 "nddeagnt.exe"=dword:00000000 "os2srv.exe"=dword:00000000 "wfshell.exe"=dword:00000000 "win.com"=dword:00000000 "rdpclip.exe"=dword:00000000 "conime.exe"=dword:00000000 "proquota.exe"=dword:00000000 "imepadsv.exe"=dword:00000000 "ctfmon.exe"=dword:00000000 -------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Terminal Server\SysProcs] "csrss.exe"=dword:00000000 "smss.exe"=dword:00000000 "screg.exe"=dword:00000000 "lsass.exe"=dword:00000000 "spoolss.exe"=dword:00000000 "EventLog.exe"=dword:00000000 "netdde.exe"=dword:00000000 "clipsrv.exe"=dword:00000000 "lmsvcs.exe"=dword:00000000 "MsgSvc.exe"=dword:00000000 "winlogon.exe"=dword:00000000 "NETSTRS.EXE"=dword:00000000 "nddeagnt.exe"=dword:00000000 "os2srv.exe"=dword:00000000 "wfshell.exe"=dword:00000000 "win.com"=dword:00000000 "rdpclip.exe"=dword:00000000 "conime.exe"=dword:00000000 "proquota.exe"=dword:00000000 "imepadsv.exe"=dword:00000000 "ctfmon.exe"=dword:00000000 ------------------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\CSRSS] "CsrSrvSharedSectionBase"=dword:7f6f0000 ------------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\CSRSS] "CsrSrvSharedSectionBase"=dword:7f6f0000 ------------------ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs] "csrss.exe"=dword:00000000 "smss.exe"=dword:00000000 "screg.exe"=dword:00000000 "lsass.exe"=dword:00000000 "spoolss.exe"=dword:00000000 "EventLog.exe"=dword:00000000 "netdde.exe"=dword:00000000 "clipsrv.exe"=dword:00000000 "lmsvcs.exe"=dword:00000000 "MsgSvc.exe"=dword:00000000 "winlogon.exe"=dword:00000000 "NETSTRS.EXE"=dword:00000000 "nddeagnt.exe"=dword:00000000 "os2srv.exe"=dword:00000000 "wfshell.exe"=dword:00000000 "win.com"=dword:00000000 "rdpclip.exe"=dword:00000000 "conime.exe"=dword:00000000 "proquota.exe"=dword:00000000 "imepadsv.exe"=dword:00000000 "ctfmon.exe"=dword:00000000 --------------- [HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe" "MSMSGS"="\"C:\\Programmer\\Messenger\\msmsgs.exe\" /background" "H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\"" "PcSync"="C:\\Programmer\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog" "SpybotSD TeaTimer"="C:\\Programmer\\Spybot - Search & Destroy\\TeaTimer.exe" "csrss"="" --------------------- [HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows NT\CurrentVersion\Windows] "DebugOptions"="2048" "Documents"="" "DosPrint"="no" "load"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetMessage"="no" "NullPort"="None" "Programs"="com exe bat pif cmd" "run"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetWarn"="0" "Device"="\\\\dkaarfs01\\hp color LaserJet 2550 PCL 6,winspool,Ne06:" ------------------ [HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows NT\CurrentVersion\Windows] "DebugOptions"="2048" "Documents"="" "DosPrint"="no" "load"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetMessage"="no" "NullPort"="None" "Programs"="com exe bat pif cmd" "run"="C:\\WINDOWS\\system32\\rzggtboewj\\csrss.exe" "NetWarn"="0" "Device"="\\\\dkaarfs01\\hp color LaserJet 2550 PCL 6,winspool,Ne06:" ----------------- Hope u can use this... (Export from regedit) stig

#7 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 27 May 2006 - 09:22 PM

Copy and paste the contents of the quote box below into notepad.

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=-

[HKEY_USERS\S-1-5-21-2980883070-2775256524-249630050-10777\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=-



Then, locate fixme.reg on your desktop and <double-click> it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

Run HijackThis! and post a log file.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#8 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 28 May 2006 - 05:32 AM

did it - and checked that it actually HAD removed the ref to csrss.exe....... Rebooted - and tryed HJT.. Same result - close before it could creat the logfile. Checked thrue regedit - and below was also back under load. C:\WINDOWS\system32\rzggtboewj\csrss.exe

#9 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 28 May 2006 - 06:14 AM

YES... Got a HJT.
Scanned and fixed with Spybot - and imported the reg-keyes.

Then I removed the battery from my laptop - and took away the power...... so it imidiately stoped running...

started again in safe mode......... AND HERE IS THE HJT log:
-------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:05:36, on 28-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Install\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerworld.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My.Gunnebo.NET
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gunnebo.NET
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://segboprx01.gunnebo.net:8080;https=http://segboprx01.gunnebo.net:8080;ftp=http://segboprx01.gunnebo.net:8080;gopher=http://segboprx01.gunnebo.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.gunnebo.net;superoffice.troax.se;128.5.4.62;128.5.7.6;128.5.84.160;212.180.99.201;212.180.99.205;194.3.73.*;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPWJTOOLBOX] C:\Programmer\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe "-i"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programme\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google-søgning - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lignende sider - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Programmer\nordicbetMPP\MPPoker.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Programmer\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://My.Gunnebo.NET
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.c...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122499746406
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gunnebo.net
O17 - HKLM\Software\..\Telephony: DomainName = gunnebo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gunnebo.net
O20 - Winlogon Notify: IntelWireless - C:\Programmer\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Apache2 - Unknown owner - C:\Programme\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe

#10 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 28 May 2006 - 09:04 AM

Also did an evido online scan after that - and it found:
__________________________________________________
ewido security suite online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Adtech
Path: C:\Documents and Settings\stidos\Cookies\stidos@adtech[2].txt
Risk: Medium

Name: TrackingCookie.Falkag
Path: C:\Documents and Settings\stidos\Cookies\stidos@as1.falkag[1].txt
Risk: Medium

Name: Backdoor.VB.atw
Path: C:\WINDOWS\system32\rzggtboewj\csrss.exe
Risk: High

All removed sucessfull........ (- and the folder + file above with csrss.exe is gone)

New HJT after that:
----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 16:59:47, on 28-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Install\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerworld.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My.Gunnebo.NET
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gunnebo.NET
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://segboprx01.gunnebo.net:8080;https=http://segboprx01.gunnebo.net:8080;ftp=http://segboprx01.gunnebo.net:8080;gopher=http://segboprx01.gunnebo.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.gunnebo.net;superoffice.troax.se;128.5.4.62;128.5.7.6;128.5.84.160;212.180.99.201;212.180.99.205;194.3.73.*;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPWJTOOLBOX] C:\Programmer\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe "-i"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programme\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google-søgning - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lignende sider - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Programmer\nordicbetMPP\MPPoker.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Programmer\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://My.Gunnebo.NET
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.c...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122499746406
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gunnebo.net
O17 - HKLM\Software\..\Telephony: DomainName = gunnebo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gunnebo.net
O20 - Winlogon Notify: IntelWireless - C:\Programmer\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Apache2 - Unknown owner - C:\Programme\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe


I still keep it in safe mode with network - don't dare to reboot until I've heard from you again.

Stig

Edited by StigD, 28 May 2006 - 09:08 AM.

    Advertisements

Register to Remove


#11 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 28 May 2006 - 11:03 AM

Not a whole lot in there to complain about.

Unless you can/want to try some online virus scans in "safe mode", I say give it a go in "regular" mode and see what happens.

Trend-Micro Housecall
Put on 'Autoclean' and delete what it can't clean.

Panda Activescan
Accept default settings.

Etrust Security Advisor
Choose 'Cure' whatever is found, then delete if unsuccessful.

If you try more than one scan, reboot after each one.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#12 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 28 May 2006 - 05:14 PM

Well mate - it's ALL back.........

After that I manually removed it on this one..:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=-
- as spybot didn't allow me to import the reg keys.

New HJT after reboot and the above:
Logfile of HijackThis v1.99.1
Scan saved at 01:05:10, on 29-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programmer\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Apache2\bin\Apache.exe
C:\WINDOWS\TEMP\QB5277.EXE
C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Programmer\Apoint\Apoint.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\Dell\QuickSet\quickset.exe
C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\FÆLLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Digital Line Detect\DLG.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programme\Apache2\bin\ApacheMonitor.exe
C:\Programmer\Fælles filer\Logitech\KHAL\KHALMNPR.EXE
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Programmer\Outlook Express\msimn.exe
C:\Documents and Settings\stidos\Skrivebord\HJT\tst.exe (This one is HJT)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerworld.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My.Gunnebo.NET
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gunnebo.NET
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://segboprx01.gunnebo.net:8080;https=http://segboprx01.gunnebo.net:8080;ftp=http://segboprx01.gunnebo.net:8080;gopher=http://segboprx01.gunnebo.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.gunnebo.net;superoffice.troax.se;128.5.4.62;128.5.7.6;128.5.84.160;212.180.99.201;212.180.99.205;194.3.73.*;<local>
F3 - REG:win.ini: load=-
F3 - REG:win.ini: run=-
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPWJTOOLBOX] C:\Programmer\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe "-i"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programme\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google-søgning - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lignende sider - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Programmer\nordicbetMPP\MPPoker.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Programmer\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://My.Gunnebo.NET
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.c...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122499746406
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gunnebo.net
O17 - HKLM\Software\..\Telephony: DomainName = gunnebo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gunnebo.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gunnebo.net
O20 - Winlogon Notify: IntelWireless - C:\Programmer\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Apache2 - Unknown owner - C:\Programme\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe

#13 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 28 May 2006 - 06:57 PM

Please disable Teatimer, it can interfere with the cleaning process:

How to Disable Teatimer

After we have cleaned your system, please be sure to reverse this process, and re-enable Teatimer.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):

F3 - REG:win.ini: load=-

F3 - REG:win.ini: run=-

O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)

Then click "Fix checked" and close Hijack This!.

Reboot "copy/paste" a new log file into this thread. :)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#14 StigD

StigD

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 29 May 2006 - 01:30 AM

New HJT log..:
Logfile of HijackThis v1.99.1
Scan saved at 09:22:48, on 29-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Apache2\bin\Apache.exe
C:\WINDOWS\system32\basfipm.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programmer\Microsoft Firewall Client 2004\FwcAgent.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Programme\Apache2\bin\Apache.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\TEMP\OLA9AB.EXE
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Apoint\Apoint.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\Dell\QuickSet\quickset.exe
C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmer\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe
C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
C:\Programmer\Apoint\Apntex.exe
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FÆLLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\Digital Line Detect\DLG.exe
C:\PROGRA~1\FÆLLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmer\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Programme\Apache2\bin\ApacheMonitor.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmer\Fælles filer\Logitech\KHAL\KHALMNPR.EXE
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Programmer\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\stidos\Skrivebord\HJT\tst.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.computerworld.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My.Gunnebo.NET
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gunnebo.NET
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://segboprx01.gunnebo.net:8080;https=http://segboprx01.gunnebo.net:8080;ftp=http://segboprx01.gunnebo.net:8080;gopher=http://segboprx01.gunnebo.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.gunnebo.net;superoffice.troax.se;128.5.4.62;128.5.7.6;128.5.84.160;212.180.99.201;212.180.99.205;194.3.73.*;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmer\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programmer\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmer\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPWJTOOLBOX] C:\Programmer\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe "-i"
O4 - HKLM\..\Run: [DataLayer] C:\Programmer\Fælles filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programme\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google-søgning - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversæt engelsk ord - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lignende sider - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tilbage via links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Øjebliksbillede af side i cache - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Programmer\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Programmer\Noble Poker\casino.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Programmer\nordicbetMPP\MPPoker.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Programmer\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\programmer\microsoft firewall client 2004\fwcwsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://My.Gunnebo.NET
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.c...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122499746406
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gunnebo.net
O17 - HKLM\Software\..\Telephony: DomainName = gunnebo.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gunnebo.net
O20 - Winlogon Notify: IntelWireless - C:\Programmer\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Apache2 - Unknown owner - C:\Programme\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Programmer\Borland\InterBase\bin\ibserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programmer\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmer\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmer\Intel\Wireless\Bin\WLKeeper.exe

I have enabled TeaTimer again... thats ok?

Stig

#15 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 29 May 2006 - 06:19 AM

The O2 BHO you just removed was asssociated with Spyaxe.

Have you run this fix for it yet?

Click Me

Is your "csrss.exe" problem gone?
:unsure:
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users