Hclean32.exe rdsndin ntfsnlpa [CLOSED]



#1
Dutov loppa

    New Member

Hi,

I have read the different topics on this site related to my problem. NAV and Ewido detected trojans: Hclean32.exe, rdsndin, ntfsnlpa.

They clean them, but every time they are coming back. Here you can find:
1) My HijackThis log
2) My Silent Runners log file
3) I have installed fixeware.reg
4) I have rebooted
5) I made an rkfiles log

6) I don't know what I have to kill with KillBox.

Help me, thanks.



1)--------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:05:27, on 22/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\games\ewido\security suite\ewidoctrl.exe
C:\Program Files\games\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\zstatus.exe
C:\WINDOWS\explorer.exe
C:\Program Files\games\eDonkey2000\edonkey2000.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\games\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.128.4:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; ndjg.ndj.edu.lb;www.ndj.edu.lb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\games\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LCD Clock] <NonRun>
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xsetup] AliceSD.exe
O4 - HKCU\..\Run: [iehelper] sound64.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: &Search - http://kx.bar.need2f...earch.html?p=KX
O17 - HKLM\System\CCS\Services\Tcpip\..\{05109B64-3F8E-4B22-AD3A-70BC45356D1A}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{05267E54-C61A-4683-9B55-6380A8582414}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C29FF0E-B44A-4504-AAE2-020865215EE8}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84E4520-E940-47DB-AA71-7CFA6F5F058D}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB15E117-B639-4870-96A4-AA65F022D456}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{05109B64-3F8E-4B22-AD3A-70BC45356D1A}: NameServer = 69.50.184.86,85.255.112.9
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\games\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\games\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



2) -------------------------------------------------------------


"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"xsetup" = "AliceSD.exe" [file not found]
"iehelper" = "sound64.exe" [file not found]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"IW Controlcenter" = "C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" ["VOB Computersysteme GmbH"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"LCD Clock" = "<NonRun>" [file not found]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"Media Access" = "C:\Program Files\Media Access\MediaAccK.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\games\SPYBOT~1\SDHelper.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWSHEXT.DLL" ["VoB Computersysteme GmbH"]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWSHEXT.DLL" ["VoB Computersysteme GmbH"]
"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\iwshex.dll" ["VOB Computersysteme GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\games\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmrs.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\games\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\games\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Laure et Marc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{4064EA35-578D-4073-A834-C96D82CBCF40}" = "&Save Flash" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

C-DillaSrv, C-DillaSrv, "C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\games\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\games\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 58 seconds, including 9 seconds for message boxes)




3)------------------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""



4) -------------------------------------------------------




5) ----------------------------------------------------------------------------------

C:\Documents and Settings\Laure et Marc\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\essai.scr: UPX!
C:\WINDOWS\system32\essai.scr: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\OneWaySerial.dll: pec2
C:\WINDOWS\system32\OneWay.dll: pec2
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\OneWay.dll: pec2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\eiunin2.exe: UPX!
C:\WINDOWS\ss3unstl.exe: UPX!
Finished
bye


#2
miekiemoes

    Malware Expert

Hello

It is really important now that you perform everything in the right order and don't miss any step!!

First of all, check if WareOut is present in your software > add/remove programs and uninstall it.
REBOOT afterwards.

Download and save BlackLight to your desktop.
F-Secure BlackLight: http://www.f-secure....light/try.shtml
Double-click blbeta.exe, then accept the agreement.
Leave [X] scan through Windows Explorer checked,
click > Scan, then > Next.
If any items show, have BlackLight rename them, except for "wbemtest.exe".
!! Do not rename "wbemtest.exe", it's a Windows file!!
The tool will ask if you want to reboot (restart); choose Yes.

After you have rebooted...

Open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
This is how the regfix must look after you created it: [image not available]
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Download Find T.zip to the root (C:\)
http://forums.net-in...=post&id=156424
Extract the files inside to the root (C:\) as well.
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Open the "Find T" folder and double-click runthis.bat
You'll get a log that will be saved in the same folder; I'll need it later.

It really needs to be extracted to your root (C:\) or it might not work!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\games\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
O4 - HKLM\..\Run: [LCD Clock] <NonRun>
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [xsetup] AliceSD.exe
O4 - HKCU\..\Run: [iehelper] sound64.exe
O8 - Extra context menu item: &Search - http://kx.bar.need2f...earch.html?p=KX
O17 - HKLM\System\CCS\Services\Tcpip\..\{05109B64-3F8E-4B22-AD3A-70BC45356D1A}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{05267E54-C61A-4683-9B55-6380A8582414}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C29FF0E-B44A-4504-AAE2-020865215EE8}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{A84E4520-E940-47DB-AA71-7CFA6F5F058D}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB15E117-B639-4870-96A4-AA65F022D456}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{05109B64-3F8E-4B22-AD3A-70BC45356D1A}: NameServer = 69.50.184.86,85.255.112.9


* Click on Fix Checked when finished and exit HijackThis.

Delete the following manually (right-click and choose Delete):

C:\WINDOWS\system32\OneWaySerial.dll
C:\WINDOWS\system32\OneWay.dll
C:\WINDOWS\OneWay.dll
C:\WINDOWS\eiunin2.exe
C:\WINDOWS\ss3unstl.exe

(It is possible that BlackLight already deleted the last two.)

Go to Start > Run, copy and paste the next command: ipconfig /flushdns and click OK.

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'Install'.

Post the log BlackLight created; it will also be on your desktop, named fsbl.xxxxxxx.log (the xxxxxxx stands for numbers). Also post the log Find T created and a new HijackThis log.
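The two log checks the post above relies on, written out as a small triage script: O17 lines whose NameServer points outside the local network (the fix list above removes six of them) and O4 Run entries that name a bare file with no path (AliceSD.exe, sound64.exe, which Silent Runners reported as "file not found"). This is an added example, not part of HijackThis, Silent Runners or this thread; the sample lines are constructed in the shape of the posted log, and the allowlist parameter is a hypothetical addition for sites that use a known external resolver.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature):
flags per-interface DNS servers (O17 lines) that are neither loopback nor RFC1918,
and Run entries (O4 lines) that reference a bare file name with no path."""
import ipaddress
import re

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [xsetup] AliceSD.exe
O4 - HKCU\..\Run: [iehelper] sound64.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{05109B64-3F8E-4B22-AD3A-70BC45356D1A}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C29FF0E-B44A-4504-AAE2-020865215EE8}: NameServer = 192.168.128.1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def dns_server_trusted(server, allowlist=frozenset()):
    """A resolver is trusted if it is loopback/RFC1918 or on the (hypothetical) allowlist."""
    server = server.strip()
    if server in allowlist:
        return True
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return addr.is_loopback or addr.is_private


def bare_filename(cmd):
    """True when a Run command names a file without any directory component,
    e.g. 'AliceSD.exe': the file is located via PATH lookup, so verify it on disk."""
    stripped = cmd.strip().strip('"')
    if not stripped:
        return False
    exe = stripped.split()[0]
    return "\\" not in exe and "/" not in exe


def triage(log_text, allowlist=frozenset()):
    """Return a list of (line_type, item, reason) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split(",")
            bad = [s.strip() for s in servers if not dns_server_trusted(s, allowlist)]
            if bad:
                findings.append(("O17", m.group("key"), "untrusted NameServer: " + ",".join(bad)))
            continue
        m = O4_RE.match(line)
        if m and bare_filename(m.group("cmd")):
            findings.append(("O4", m.group("name"),
                             "Run entry without a full path (verify on disk): " + m.group("cmd")))
    return findings


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_LOG):
        print(kind, item, "->", reason)
```

Bare names such as VTTimer.exe or SOUNDMAN.EXE in the posted log are legitimate files in C:\WINDOWS, which is why the O4 finding is a prompt to check the file on disk rather than a verdict.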

#3
miekiemoes

    Malware Expert

Extra step..

I want to know what it is, so can you go to the next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\WINDOWS\system32\essai.scr

Click submit and let it scan.
Post the results also in your next reply.

#4
miekiemoes

    Malware Expert

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#5
miekiemoes

    Malware Expert

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.