Had/have Virtumonde/Vundo (or what it was, still is?), Help!


This topic is locked
8 replies to this topic

#1 DoM1-

  • Members
  • 6 posts
  • Gender:Male
  • Location:Finland

Posted 25 May 2008 - 04:37 PM

Hello there! :)

This is my first time here as a poster; I've been reading this site for a while though.

After first annoying pop-ups and slow loading times, and browsers (IE + Firefox) getting stuck at the first page (google.fi).*

(I've got the pop-up addresses blocked by F-Secure for the time being, so it pops up with just blank sites, but that is annoying too.)
First I reconnected the internet a few times, then checked the connection with my Nokia N95 (has WLAN);
everything seemed fast and okay via it, so I came to the conclusion it's gotta be my PC. So I ran

F-Secure (bundled by my internet provider Sonera) "deep scan" to see if there is something;
only some cookies (tracking cookies to poker sites and that kind of stuff) found. Removed.

Downloaded (took like hours to get that far) Ad-Aware from lavasoftusa and ran it;
couldn't find anything special apart from cookies (again, weird, I had just removed those and didn't visit other sites than Lavasoft).

So I decided to download some more of those programs. Had F-Secure, Windows Defender,
Malwarebytes scanner, Spybot, CCleaner, VundoFix (after SUPERAntiSpyware gave me a name)

and SUPERAntiSpyware to run scans. Found the bug, "cleaned" it, restarted into "Windows in safe mode".
Again scanned with SUPERAntiSpyware (the only program of those that found it in the first place).

Didn't seem to find it anymore, restarted back to normal mode of Vista.
Tested browsers, still slow, hmph. Uninstalled Firefox, messaged my friend to send me a new clean Firefox and Opera.

Now I've got both running still ~okay, but I'm still afraid there is something bogus in this, so I've refused to open my IE.
So please, if someone could check these logs and tell me did I get it removed or is there something else now bugging my PC?

I mainly use Firefox for browsing and have all kinds of programs visiting my PC for a few hours when I need them; after that I normally delete them.
I think this one I got from a keygen of a movie converter.
Maybe next time I'll ask my friends for legal copies; they play with video editing and things :P

And by the way, how many Rundll32 should you have up at one time?



Deckard's System Scanner v20071014.68
Run by DoM1- on 2008-05-25 23:58:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
7: 2008-05-25 20:25:58 UTC - RP234 - Windows Update
6: 2008-05-25 20:21:36 UTC - RP233 - Opera 9.27 ? ??????????
5: 2008-05-25 16:42:49 UTC - RP232 - Removed Ad-Aware
4: 2008-05-25 16:28:21 UTC - RP231 - Installed SUPERAntiSpyware Professional
3: 2008-05-25 06:26:06 UTC - RP230 - Ajoitettu tarkistuspiste


-- First Restore Point --
1: 2008-05-24 09:27:19 UTC - RP228 - Ajoitettu tarkistuspiste


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as DoM1-.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:00:00, on 26.5.2008 (yes, I ran this at midnight :) )
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguidll.exe (Finnish, Sonera, F-Secure "Sonera Tietoturva")
C:\Users\DoM1-\Desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DoM1-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Sonera Tietoturva\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [d6b92399] rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\ttcwpyjj.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BMd58a1005] Rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\kppmbabq.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
O4 - Global Startup: ClientManagerV.lnk = C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BWH32S - BUFFALO INC. - C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7197 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BUFADPT - \??\c:\windows\system32\bufadpt.sys
R1 F-Secure HIPS - \??\c:\program files\sonera tietoturva\hips\fshs.sys
R1 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Internet Shield>

S3 Bufeap (BUFFALO EAP Driver) - c:\windows\system32\drivers\bufeap.sys <Not Verified; BUFFALO INC.; AirStation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standardi PS/2-näppäimistö
Device ID: ACPI\PNP0303\4&20D7719E&0
Manufacturer: (Standardinäppäimistöt)
Name: Standardi PS/2-näppäimistö
PNP Device ID: ACPI\PNP0303\4&20D7719E&0
Service: i8042prt

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia N95
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-25 23:34:23 0 d-------- C:\Program Files\Trend Micro
2008-05-25 23:28:03 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 23:22:09 0 d-------- C:\Program Files\Opera
2008-05-25 19:31:14 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-25 19:29:16 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 19:28:43 0 d-------- C:\VundoFix Backups
2008-05-25 18:08:10 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-24 22:07:20 0 d-------- C:\Users\All Users\Protexis
2008-05-24 15:05:28 368912 --a------ C:\Windows\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-05-24 15:05:28 0 d-------- C:\Program Files\Spy Cleaner Gold
2008-05-24 15:00:38 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-24 15:00:30 0 d-------- C:\Users\All Users\Lavasoft
2008-05-23 22:53:58 0 d-------- C:\Program Files\Lonely Cat Games
2008-05-22 13:55:21 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-22 13:53:50 0 d-------- C:\Users\All Users\Installations
2008-05-22 13:29:35 0 d-------- C:\Users\All Users\Nokia
2008-05-22 13:29:23 0 d-------- C:\Users\All Users\PC Suite
2008-05-22 13:28:58 0 d-------- C:\Windows\Downloaded Installations
2008-05-22 13:27:52 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-22 13:27:12 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-22 13:24:24 0 d-------- C:\Program Files\Nokia
2008-05-18 20:33:57 0 d-------- C:\Programs
2008-05-18 10:54:58 0 d-------- C:\Program Files\MediaMonkey
2008-05-12 21:55:39 0 d-------- C:\Users\All Users\Absolutist
2008-05-11 20:17:58 0 d-------- C:\Program Files\DC++
2008-05-04 03:30:40 0 d-------- C:\Windows\system32\appmgmt
2008-05-02 16:49:12 0 d-------- C:\Users\All Users\Futuremark
2008-05-02 14:43:06 0 d-------- C:\Windows\system32\Futuremark
2008-05-01 19:35:16 0 d-------- C:\PerfLogs
2008-05-01 19:18:10 171136 -rahs---- C:\grldr
2008-05-01 19:13:38 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® -käyttöjärjestelmä>
2008-05-01 18:16:56 0 d-------- C:\12a8680b8d2a3e159f4292
2008-04-30 12:03:30 84992 --a------ C:\Windows\Anime.dll <Not Verified; eXXtreME Softwares Limited; Anime Dynamic Link Library>
2008-04-27 07:19:43 0 d-------- C:\Users\All Users\Ubisoft



If you found some odd programs / path names and stuff, it must be because of my Finnish Vista and some connected peripherals, drivers/programs.

I'll add that extra.txt as an attachment.

Thank you for replying.



Edited by DoM1-, 25 May 2008 - 04:40 PM.



#2 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 02 June 2008 - 07:29 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A HijackThis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait. If your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

I see what is probably Vundo left in your HJT log. If you are still having malware issues, post a new HijackThis log using Add Reply (not Deckard's System Scan) and I'll take a look.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
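pskelley's reading of the log (rundll32 launching DLLs with random names from the user's Temp folder, under random-looking Run value names) can be turned into a repeatable check. The script below is an added example written for this page; it is not from the thread, from HijackThis, or from any of the tools named here. It parses the O4 Run lines and the "Running processes" section of a HijackThis log (the sample input is a subset of the log DoM1- posted), flags rundll32 entries by the heuristics named in the comments, and counts rundll32.exe processes, which is the question DoM1- asked. rundll32.exe is a legitimate Windows host, so the useful question is which DLL each Run entry tells it to load, not how many instances exist. The scoring thresholds and the "random-looking name" test are my own assumptions, not a published rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: a subset of the "Running processes" and O4 lines copied from the
# HijackThis log posted in this thread; everything else in the log is omitted.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DoM1-.exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [d6b92399] rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\ttcwpyjj.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BMd58a1005] Rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\kppmbabq.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 launcher: rundll32[.exe] ["]<dll>["],<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,(?P<entry>\S*)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'[0-9a-f]{8}')  # value names like d6b92399 / BMd58a1005 (assumed heuristic)


@dataclass
class Finding:
    value_name: str
    hive: str
    dll: str
    entry: str
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude stand-in for an entropy check (assumption): 8+ lowercase letters, at most one vowel."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(ch in 'aeiou' for ch in stem) <= 1


def assess_rundll32_entry(hive: str, value_name: str, cmd: str) -> Optional[Finding]:
    """Return a Finding when a rundll32 Run entry shows the Temp-folder/random-name pattern."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None  # not a rundll32 launcher, outside this heuristic
    dll, entry = m.group('dll'), m.group('entry')
    stem = dll.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    reasons = []
    if TEMP_DIR_RE.search(dll):
        reasons.append('DLL loaded from the user Temp folder')
    if looks_random(stem):
        reasons.append('random-looking DLL name')
    if len(entry) == 1:
        reasons.append('single-character export name')
    if HEX_NAME_RE.search(value_name):
        reasons.append('hex-looking Run value name')
    # A Temp-folder DLL is suspicious on its own; otherwise require two weaker signals.
    if 'DLL loaded from the user Temp folder' in reasons or len(reasons) >= 2:
        return Finding(value_name, hive, dll, entry, reasons)
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every O4 Run line of a HijackThis log and collect the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            f = assess_rundll32_entry(m.group('hive'), m.group('name'), m.group('cmd'))
            if f:
                findings.append(f)
    return findings


def count_rundll32_processes(log_text: str) -> int:
    """Count rundll32.exe in the 'Running processes:' section (it ends at the first blank line)."""
    in_section, count = False, 0
    for line in log_text.splitlines():
        if line.strip() == 'Running processes:':
            in_section = True
        elif in_section:
            if not line.strip():
                break
            if line.strip().rsplit('\\', 1)[-1].lower() == 'rundll32.exe':
                count += 1
    return count


if __name__ == '__main__':
    print(f"rundll32.exe processes running: {count_rundll32_processes(SAMPLE_LOG)}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.hive}] {f.value_name}: {f.dll},{f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the posted log this reports the two HKCU entries (d6b92399 and BMd58a1005) with all four signals and leaves the NVIDIA and Welcome Center rundll32 entries alone, because those load named DLLs from system32 with readable export names. The check is a triage aid for reading a log, not a replacement for the removal tools the thread goes on to use.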

#3 DoM1-
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Finland

Posted 02 June 2008 - 08:40 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:00:00, on 26.5.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguidll.exe
C:\Users\DoM1-\Desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DoM1-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Sonera Tietoturva\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [d6b92399] rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\ttcwpyjj.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BMd58a1005] Rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\kppmbabq.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
O4 - Global Startup: ClientManagerV.lnk = C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BWH32S - BUFFALO INC. - C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7197 bytes




PS. Now I have to go to work, I'll be back after ~9 hours.

Edited by DoM1-, 02 June 2008 - 08:41 PM.


#4 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 03 June 2008 - 05:57 AM

Thanks for returning your HJT log, please read and follow the directions carefully.

1) SUPERAntiSpyware <<< SAS may block the tools we use, turn it off until we finish (do you own this program?)

2) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 DoM1-
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Finland

Posted 03 June 2008 - 08:08 AM

Here

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:00:00, on 26.5.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguidll.exe
C:\Users\DoM1-\Desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DoM1-.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Sonera Tietoturva\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [d6b92399] rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\ttcwpyjj.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BMd58a1005] Rundll32.exe "C:\Users\DoM1-\AppData\Local\Temp\kppmbabq.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
O4 - Global Startup: ClientManagerV.lnk = C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BWH32S - BUFFALO INC. - C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7197 bytes


And the combofix log

ComboFix 08-06-01.6 - DoM1- 2008-06-03 15:41:40.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1035.18.1210 [GMT 3:00]
Running from: C:\Users\DoM1-\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\driver
C:\Windows\system32\driver\bcm43xx.cat
C:\Windows\system32\driver\RNDISMP.sys
C:\Windows\system32\driver\RNDISMPK.sys
C:\Windows\system32\driver\usb8023.sys
C:\Windows\system32\driver\usb8023k.sys

.
((((( Tiedostot, jotka on luotu seuraavalla aikav„lill„: 2008-05-03 to 2008-06-03 )))))))))))))))))
.

2008-06-02 17:28 . 2008-06-02 17:28 <KANSIO> d-------- C:\Program Files\OpenAL
2008-06-02 17:28 . 2008-06-02 17:28 409,600 --a------ C:\Windows\System32\wrap_oal.dll
2008-06-02 17:28 . 2008-06-02 17:28 114,688 --a------ C:\Windows\System32\OpenAL32.dll
2008-06-02 17:24 . 2008-06-02 17:24 <KANSIO> d-------- C:\Windows\Puzzle Quest
2008-05-27 21:17 . 2008-03-08 05:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 21:17 . 2008-03-08 07:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-27 00:00 . 2008-05-27 00:00 <KANSIO> d-------- C:\Program Files\DIFX
2008-05-27 00:00 . 2007-09-17 15:53 21,632 --a------ C:\Windows\System32\drivers\pccsmcfd.sys
2008-05-26 23:59 . 2008-05-27 00:00 <KANSIO> d----c--- C:\Windows\System32\DRVSTORE
2008-05-26 23:59 . 2008-05-26 23:59 <KANSIO> d-------- C:\Program Files\PC Connectivity Solution
2008-05-26 01:01 . 2008-05-26 01:01 <KANSIO> d-------- C:\Users\All Users\Apple Computer
2008-05-26 01:01 . 2008-05-26 01:01 <KANSIO> d-------- C:\ProgramData\Apple Computer
2008-05-26 01:01 . 2008-05-26 01:02 <KANSIO> d-------- C:\Program Files\QuickTime
2008-05-25 23:58 . 2008-05-25 23:58 <KANSIO> d-------- C:\Deckard
2008-05-25 23:34 . 2008-05-25 23:34 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-05-25 23:33 . 2008-03-12 23:21 678,408 --a------ C:\Windows\System32\gpprefcl.dll
2008-05-25 23:28 . 2008-05-25 23:28 <KANSIO> d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 23:22 . 2008-05-25 23:22 <KANSIO> d-------- C:\Program Files\Opera
2008-05-25 19:31 . 2008-05-25 19:31 <KANSIO> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-05-25 19:31 . 2008-05-25 19:31 <KANSIO> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-05-25 19:30 . 2008-05-25 19:30 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-05-25 19:29 . 2008-05-25 19:29 <KANSIO> d-------- C:\Users\DoM1-\AppData\Roaming\SUPERAntiSpyware.com
2008-05-25 19:29 . 2008-05-25 19:29 <KANSIO> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 19:28 . 2008-05-25 19:28 <KANSIO> d-------- C:\VundoFix Backups
2008-05-25 18:09 . 2008-05-25 18:09 <KANSIO> d-------- C:\Users\DoM1-\AppData\Roaming\Malwarebytes
2008-05-25 18:08 . 2008-05-25 18:08 <KANSIO> d-------- C:\Users\All Users\Malwarebytes
2008-05-25 18:08 . 2008-05-25 18:08 <KANSIO> d-------- C:\ProgramData\Malwarebytes
2008-05-24 22:07 . 2008-05-24 22:07 <KANSIO> d-------- C:\Users\All Users\Protexis
2008-05-24 22:07 . 2008-05-24 22:07 <KANSIO> d-------- C:\ProgramData\Protexis
2008-05-24 15:05 . 2008-05-24 22:11 <KANSIO> d-------- C:\Program Files\Spy Cleaner Gold
2008-05-24 15:05 . 1998-04-24 00:00 368,912 --a------ C:\Windows\System32\vbar332.dll
2008-05-24 15:05 . 2004-03-09 03:30 152,848 --a------ C:\Windows\System32\COMDLG32.OCX
2008-05-24 15:00 . 2008-05-24 22:09 <KANSIO> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-24 15:00 . 2008-05-25 19:43 <KANSIO> d-------- C:\Users\All Users\Lavasoft
2008-05-24 15:00 . 2008-05-24 22:09 <KANSIO> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-24 15:00 . 2008-05-25 19:43 <KANSIO> d-------- C:\ProgramData\Lavasoft
2008-05-24 15:00 . 2008-05-24 22:09 <KANSIO> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-23 22:53 . 2008-05-23 22:53 <KANSIO> d-------- C:\Program Files\Lonely Cat Games
2008-05-22 19:37 . 2008-05-22 19:37 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-22 13:55 . 2008-05-27 00:02 <KANSIO> d-------- C:\Program Files\Common Files\Nokia
2008-05-22 13:53 . 2008-05-27 00:11 <KANSIO> d-------- C:\Users\All Users\Installations
2008-05-22 13:53 . 2008-05-27 00:11 <KANSIO> d-------- C:\ProgramData\Installations
2008-05-22 13:44 . 2008-05-22 13:44 <KANSIO> d-------- C:\Users\DoM1-\AppData\Roaming\NSeries
2008-05-22 13:36 . 2008-05-22 13:36 0 --ah----- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-05-22 13:29 . 2008-05-27 00:12 <KANSIO> d-------- C:\Users\DoM1-\AppData\Roaming\Nokia
2008-05-22 13:29 . 2008-05-22 13:36 <KANSIO> d-------- C:\Users\All Users\PC Suite
2008-05-22 13:29 . 2008-05-22 13:29 <KANSIO> d-------- C:\Users\All Users\Nokia
2008-05-22 13:29 . 2008-05-22 13:36 <KANSIO> d-------- C:\ProgramData\PC Suite
2008-05-22 13:29 . 2008-05-22 13:29 <KANSIO> d-------- C:\ProgramData\Nokia
2008-05-22 13:28 . 2008-05-22 13:50 <KANSIO> d-------- C:\Windows\Downloaded Installations
2008-05-22 13:27 . 2008-05-27 00:10 <KANSIO> d-------- C:\Users\DoM1-\AppData\Roaming\PC Suite
2008-05-22 13:27 . 2008-05-27 00:01 <KANSIO> d-------- C:\Program Files\Common Files\PCSuite
2008-05-22 13:25 . 2008-02-01 15:17 90,624 --a------ C:\Windows\System32\nmwcdcls.dll
2008-05-22 13:24 . 2008-05-27 00:01 <KANSIO> d-------- C:\Program Files\Nokia
2008-05-18 20:33 . 2008-05-18 20:33 <KANSIO> d-------- C:\Programs
2008-05-18 10:54 . 2008-05-18 10:55 <KANSIO> d-------- C:\Program Files\MediaMonkey
2008-05-12 21:55 . 2008-05-12 21:55 <KANSIO> d-------- C:\Users\All Users\Absolutist
2008-05-12 21:55 . 2008-05-12 21:55 <KANSIO> d-------- C:\ProgramData\Absolutist
2008-05-11 20:17 . 2008-05-11 20:17 <KANSIO> d-------- C:\Program Files\DC++
2008-05-09 10:51 . 2008-05-09 10:51 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Videos
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Searches
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Saved Games
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Pictures
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Music
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Links
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Downloads
2008-05-04 03:24 . 2008-05-04 03:24 <KANSIO> dr------- C:\Windows\System32\config\systemprofile\Documents

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 12:40 --------- d-----w C:\Users\DoM1-\AppData\Roaming\Azureus
2008-05-25 22:00 --------- d-----w C:\Program Files\Winamp
2008-05-25 22:00 --------- d-----w C:\Program Files\Java
2008-05-25 21:59 --------- d-----w C:\Users\DoM1-\AppData\Roaming\Winamp
2008-05-25 20:33 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-25 16:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 18:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-23 18:42 --------- d-----w C:\Program Files\Absolute MP3 Splitter
2008-05-15 00:02 --------- d-----w C:\Program Files\Windows Mail
2008-05-04 06:47 84,992 ----a-w C:\Windows\Anime.dll
2008-05-04 00:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-02 13:49 --------- d-----w C:\ProgramData\Futuremark
2008-05-01 16:53 --------- d-----w C:\ProgramData\NVIDIA
2008-05-01 16:47 174 --sha-w C:\Program Files\desktop.ini
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Journal
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Defender
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-01 16:38 --------- d-----w C:\Program Files\Windows Calendar
2008-05-01 16:26 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-01 16:26 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-01 15:16 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-05-01 15:16 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-04-27 10:04 --------- d-----w C:\Users\DoM1-\AppData\Roaming\Command & Conquer 3 Kane's Wrath
2008-04-27 04:37 --------- d-----w C:\Users\DoM1-\AppData\Roaming\Ubisoft
2008-04-27 04:19 --------- d-----w C:\ProgramData\Ubisoft
2008-04-27 04:10 --------- d-----w C:\Users\DoM1-\AppData\Roaming\InstallShield
2008-04-22 05:53 27,672 ----a-r C:\Windows\system32\drivers\Entech.sys
2008-04-20 06:13 --------- d-----w C:\Program Files\Azureus
2008-04-11 14:23 38,400 ----a-w C:\Windows\System32\SoundSchemes.exe
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-05 13:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 13:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 13:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 12:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 12:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
.

------- Sigcheck -------

.
(((((((((((((((((((((((((((((( Rekisterin k„ynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhji„ arvoja ja laillisia oletusarvoja ei n„ytet„

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 16:54 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\Sonera Tietoturva\Common\FSM32.exe" [2007-04-26 20:12 183208]
"F-Secure TNB"="C:\Program Files\Sonera Tietoturva\FSGUI\TNBUtil.exe" [2007-04-26 20:10 740208]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-04 23:59 4423680 C:\Windows\RtHDVCpl.exe]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
ClientManagerV.lnk - C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe [2008-02-23 18:02:42 138808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\Windows\system32\DPWLEvHd.dll 2006-10-09 17:27 99856 C:\Windows\System32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7E1B3BAE-6386-49F8-931F-C439B9F6BCFE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{41D1F73E-3D1E-4A0B-8FC3-1FEE347FDB03}"= UDP:D:\pelit\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{13A19D6C-C254-402F-A7D8-BC74C3844E31}"= TCP:D:\pelit\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{7B0EA358-16B6-43BD-86D8-4423BE33830F}"= UDP:D:\pelit\Hellgate London\Launcher.exe:Hellgate: London
"{CF6EAA26-4515-4ED2-B6AA-4D586511868D}"= TCP:D:\pelit\Hellgate London\Launcher.exe:Hellgate: London
"{8B1BDAEC-3841-4EC7-A279-BCDECCC40501}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E1EE1912-9A12-44A1-A648-C43D974E9B73}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{6F431D6B-599E-44A1-AA25-8F0068681C78}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{74A32682-F176-4AC9-911B-090AC72519A3}"= UDP:D:\pelit\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{838F4551-9F51-44F1-84A9-84DDEF37A3A7}"= TCP:D:\pelit\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{DF338762-4CE7-42EE-BC28-F29F4A8B0823}"= UDP:D:\pelit\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{6D0EF374-F0AF-49E0-A1C4-A20949F11D6C}"= TCP:D:\pelit\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{6C1B529D-63FE-462F-91E9-43069412FFA1}"= UDP:D:\pelit\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{3761611E-E755-448E-AC62-A21E54E602FE}"= TCP:D:\pelit\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 BUFADPT;BUFADPT;C:\Windows\system32\BUFADPT.SYS [2005-07-06 06:52]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-03-15 23:41]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\Windows\system32\DRIVERS\dpK0Bx01.sys [2006-09-16 18:25]
S3 Bufeap;BUFFALO EAP Driver;C:\Windows\system32\DRIVERS\bufeap.sys [2007-02-21 04:34]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Sonera Tietoturva\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 20:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d26e1c9a-bb08-11dc-81c1-c3dd01c3f71c}]
\shell\AutoRun\command - I:\launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd93b662-bdd4-11dc-98e2-001d601c4aa5}]
\shell\AutoRun\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd93b663-bdd4-11dc-98e2-001d601c4aa5}]
\shell\AutoRun\command - K:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd93b664-bdd4-11dc-98e2-001d601c4aa5}]
\shell\AutoRun\command - M:\Setup.exe checkstart


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 15:55:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Sonera Tietoturva\Common\FSMB32.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Sonera Tietoturva\Common\FCH32.EXE
C:\Program Files\Sonera Tietoturva\Anti-Virus\fssm32.exe
C:\Program Files\Sonera Tietoturva\Common\FAMEH32.EXE
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsqh.exe
C:\Program Files\Sonera Tietoturva\FSAUA\program\fsaua.exe
C:\Program Files\Sonera Tietoturva\FWES\program\fsdfwd.exe
C:\Program Files\Sonera Tietoturva\FSAUA\program\fsus.exe
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsav32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguidll.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
.
**************************************************************************
.
Completion time: 2008-06-03 16:05:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 13:04:11

Pre-Run: 18,591,563,776 tavua vapaana
Post-Run: 18,451,726,336 tavua vapaana

256 --- E O F --- 2008-05-29 19:05:07


Thank you!

#6 pskelley


  • Members
  • 1,487 posts
  • Gender:Male

Posted 03 June 2008 - 10:40 AM

You are posting old HijackThis logs??

May 25 2008, 05:37 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:00:00, on 26.5.2008 (yes I ran this at midnight)

Today, 09:08 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:00:00, on 26.5.2008

Today
ComboFix 08-06-01.6 - DoM1- 2008-06-03 15:41:40.1

Muut poistot <<< what does that mean?

Please post a new HijackThis log. Tell me how the computer is running now.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 DoM1-

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Finland

Posted 03 June 2008 - 01:07 PM

Muut poistot = Other removals, or something. muut = others, poistot = removals. :thumbsup: Well, anyway :thumbsup:
Those are the files Combo removed.

Now that you mention it, I didn't get the missing .dll warnings after restarts :thumbsup:
It's been running okay so far, I just want to get rid of it completely :) And I've got many of my friends bombing me in Messenger with "Push here : www.xxxxxx.info" and "Is this a pic of you : www.xxxxx.info", and also just "click : www.musicandbonus.info"... but well, I ain't clicking those :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:02, on 3.6.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguidll.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.fi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Sonera Tietoturva\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Paikallinen palvelu')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Verkkopalvelu')
O4 - Global Startup: ClientManagerV.lnk = C:\Program Files\BUFFALO\clientmgrv\bin\cmvMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe <<<<<<<<<<<<-------------- WHAT IS THIS? quicktime add?
O23 - Service: BWH32S - BUFFALO INC. - C:\Program Files\BUFFALO\clientmgrv\bin\BWH32S.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe <<<<<<<<<<<<------never heard of this kinda prog/company,maybe it came with windows?
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7146 bytes


That's 'bout it :angry:

Edited by DoM1-, 03 June 2008 - 01:11 PM.


#8 pskelley


  • Members
  • 1,487 posts
  • Gender:Male

Posted 03 June 2008 - 01:38 PM

Thanks for the HJT log and the feedback,

I think this one I got from a keygen of a movie converter

http://www.google.com/search?hl=en&q=k...amp;btnG=Search

Let's clean a little.
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Notes for Windows Vista users from the tool creator:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As I'm not sure of the effects that emptying Prefetch on Windows Vista will have, for the time being I won't enable that function.


Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

http://windowshelp.microsoft.com/windows/e...E9156A1033.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
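As an added example (not code from this thread, from HijackThis or from its author), a small Python parser for the HijackThis v2.0.2 line format posted above: it picks out the "(file missing)" leftovers that pskelley asked to have fixed and groups entries that share one CLSID, which is why the PartyPoker button and its 'Tools' menu item are fixed together. The sample lines are constructed to mirror the posted log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the HijackThis v2.0.2 format posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.fi
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
"""

# A scan-result line starts with its section code (R0, O2, O4, O9, O23, ...).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a common binary extension; paths may contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|acm)\b", re.IGNORECASE)
MISSING_MARK = "(file missing)"


@dataclass
class HjtEntry:
    section: str          # e.g. "O9", "O23"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # GUID if the entry carries one
    path: Optional[str]   # first file path found in the entry
    file_missing: bool    # HijackThis could not find the target on disk


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse the scan-result lines of a HijackThis log; non-entry lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=section,
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(0) if path else None,
            file_missing=body.endswith(MISSING_MARK),
        ))
    return entries


def find_orphans(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target binary is gone: harmless leftovers, but they clutter the log."""
    return [e for e in entries if e.file_missing]


def group_by_clsid(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    """Group entries sharing one CLSID, so a button and its 'Tools' item are handled together."""
    groups: Dict[str, List[HjtEntry]] = defaultdict(list)
    for e in entries:
        if e.clsid:
            groups[e.clsid].append(e)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    for orphan in find_orphans(parsed):
        print(f"{orphan.section}: {orphan.path} -> {MISSING_MARK}")
```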

#9 DoM1-

  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Finland

Posted 03 June 2008 - 01:44 PM

Well, done the cleanings. Should I still paste some logs, or was that it? :thumbsup:

And if it was, thank you very much. Now I know what progs to use and how to use 'em next time :)

Edited by DoM1-, 03 June 2008 - 01:44 PM.




