Member Panel

I am a Firefighter with a home business. Norton could not stop trojan horses from loading, and now they want $70 to "walk me through removing them". I have already spent 6 hours on the phone with their customer service reps (who read off a screen). Please help. I have followed directions exactly. But during my SAFE ewidio scan I got a warning in the bottom right tray: "securitySuite.exe - corrupt file. \Windows\prefetch\WEUAUCLT.EXE - 12D825E.pf is corrupt and unreadable. Please run Chkdsk Utility."
Not sure how to run this but allowed the Scan Disk to run when it asked upon reboot; is this it? I will attach the report (3 files found and "cleaned".). My problem is my browser gets hijacked, my Norton System Works 2005 wont open (the icon is dead, can't open it other ways), and other IE (v.6.0) desktop icons get an error message. Please help me, I thnk you in advance!
see attached.

Hi there Andi , welcome to PCHF.

Did you follow the "Prework" instructions? Looks like system restore isn't disabled yet. Have a look there for instructions (see link in my sig below if needed)

I see already that you have a Wareout infection so lets get rid of that first:

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.
Finally, please post the contents of the logfile C:\fixwareout\report.txt, and an Hijackthis log file please.

just did more scanning with hijack this. see attached. Thank you.

I dont see the hjt log...:sad:


But please keep relevant things in one thread , il merge these for you.

Thanks for your help!
I'm sure I disabled System Restore manually, but will do again.
Not sure how to empty the prefetch folder, but can follow directions if you let me know how. Also, how do I run ChckDsk?

(BTW, whenever I try and restart, I get a window:
End Program:
"ccAPP" this program is not responding, click End Now to end. Changes will be lost (or something like that). I have to click End Now to get it to restart.

Here is the Fixwarout report

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ruins\jsamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

????? Search by size and names...
C:\WINDOWS\SYSTEM32\ENCODEX.EXE
C:\WINDOWS\SYSTEM32\CSFHF.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\DMASJ.EXE
C:\WINDOWS\SYSTEM32\DMLOX.EXE

????? Misc files

????? Checking for older varients covered by the Rem3 tool

trying to figure out how to attach. I cannot figure out "quickposts". i just don't see my attachments. will try again (text file).

see new attachment, will try and attach fixware report.