
My Hijackthis Log.


  • This topic is locked
9 replies to this topic

#1 makieks

  • Members
  • 6 posts

Posted 01 October 2008 - 11:16 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:56, on 2.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
D:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
D:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
D:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
D:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINNT\system32\devldr32.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
D:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINNT\system32\vmnat.exe
C:\WINNT\system32\vmnetdhcp.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
D:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
D:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINNT\system32\Restore\rstrui.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fi/ie_rsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {24E606DD-0340-4D58-8FC5-F3D277EC2C35} - C:\WINNT\nkefbltdqrw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: dkwqgnbe - {5314C6A2-514A-4B70-8185-A9C8FE0A4CFF} - C:\WINNT\dkwqgnbe.dll
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: xgpsarbm - {98391067-1B11-4AC7-B603-CFAF0ED51EC8} - C:\WINNT\xgpsarbm.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 5415 bytes


That's for sure that the last line is erasable, but is there more?


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 October 2008 - 11:27 PM

Hello there :)

Some things we'll do the same, but some others will be different, so please look carefully. :thumbsup:

Go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and exit Display Properties.

If you've turned off System Restore, then please PLEASE turn it back on. If you leave it off then we'll have nothing to go back to should something happen and we need it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 makieks
  • Topic Starter

  • Members
  • 6 posts

Posted 01 October 2008 - 11:49 PM

ComboFix 08-10-01.02 - Mäkinen 2008-10-02 7:37:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1035.18.482 [GMT 3:00]
Sijainti: D:\HiJackThis\ComboFix.exe
* Uusi palautuspiste luotu
* Resident AV is active


VAROITUS - recovery console hasnt been installet PALAUTUSKONSOLIA EI OLE ASENNETTU !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\dkwqgnbe.dll
C:\WINNT\fkebanrw.exe
C:\WINNT\nkefbltdqrw.dll
C:\WINNT\xgpsarbm.dll
E:\Users\Mäkinen.ORAVALA-PC\Cookies\mäkinen@turvapc[2].txt

.
((((((((((((((((((((((((((((((((((((((( Ajurit/Palvelut )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VMWARE_NAT_SERVICE
-------\Service_VMware NAT Service


((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-09-02 to 2008-10-02 )))))))))))))))))
.

2008-10-01 19:14 . <KANSIO> E:\Users\Mäkinen.ORAVALA-PC\Application Data\Malwarebytes
2008-10-01 19:14 . 2008-10-01 19:14 <KANSIO> d-------- E:\Users\All Users.WINNT\Application Data\Malwarebytes
2008-10-01 19:14 . 2008-10-01 19:14 <KANSIO> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 19:14 . 2008-09-10 00:07 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-10-01 19:14 . 2008-09-10 00:07 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-10-01 18:49 . 2008-10-01 20:18 <KANSIO> d-------- D:\Program Files\SpyNoMore
2008-10-01 10:28 . <KANSIO> E:\Users\Mäkinen.ORAVALA-PC\Application Data\TmpRecentIcons
2008-10-01 10:28 . 2008-10-01 19:14 <KANSIO> d-------- D:\Program Files\TS-2009
2008-09-21 18:30 . 2008-09-21 18:30 <KANSIO> d-------- C:\WINNT\system32\fi-fi
2008-09-21 18:30 . 2008-09-21 18:30 <KANSIO> d-------- C:\WINNT\system32\fi
2008-09-21 18:30 . 2008-09-21 18:30 <KANSIO> d-------- C:\WINNT\system32\bits
2008-09-21 18:30 . 2008-09-21 18:30 <KANSIO> d-------- C:\WINNT\l2schemas
2008-09-21 18:22 . 2008-09-21 18:31 <KANSIO> d-------- C:\WINNT\ServicePackFiles
2008-09-19 17:58 . 2004-08-03 22:41 1,041,536 --------- C:\WINNT\system32\drivers\hsfdpsp2.sys
2008-09-19 17:45 . 2004-09-14 16:06 701,440 --------- C:\WINNT\system32\drivers\ati2mtag.sys
2008-09-16 07:54 . <KANSIO> E:\Users\Mäkinen.ORAVALA-PC\Application Data\Sun
2008-09-16 07:54 . 2008-09-16 07:54 <KANSIO> d-------- C:\WINNT\Sun
2008-09-15 10:51 . 2008-09-15 10:51 <KANSIO> d-------- D:\Program Files\3D Home Architect
2008-09-15 10:47 . 2008-09-15 10:47 <KANSIO> d-------- C:\WINNT\Downloaded Installations
2008-09-08 17:51 . <KANSIO> E:\Users\Mäkinen.ORAVALA-PC\Application Data\Printparade
2008-09-08 17:49 . 2008-09-08 18:04 <KANSIO> d-------- D:\Program Files\PrintParade Studio
2008-09-08 17:49 . 2003-06-25 10:17 374,272 --a------ C:\WINNT\system32\Dav3_32.dll
2008-09-08 17:49 . 2003-06-24 12:35 143,360 --a------ C:\WINNT\system32\leon3_32.dll
2008-09-06 20:27 . 2008-10-02 06:56 <KANSIO> d-------- E:\Users\NetworkService.NT-HALLINTA.000\Application Data\VMware
2008-09-06 20:26 . <KANSIO> E:\Users\Mäkinen.ORAVALA-PC\Application Data\VMware
2008-09-06 20:24 . 2008-09-06 20:24 <KANSIO> d-------- E:\Users\LocalService.NT-HALLINTA.000\Application Data\VMware
2008-09-06 20:23 . 2007-10-08 09:26 150,064 --a------ C:\WINNT\system32\vmnat.exe
2008-09-06 20:23 . 2007-10-08 09:26 121,392 --a------ C:\WINNT\system32\vmnetdhcp.exe
2008-09-06 20:23 . 2007-10-08 09:26 50,992 -ra------ C:\WINNT\system32\vmnetbridge.dll
2008-09-06 20:23 . 2007-10-08 09:26 28,592 -ra------ C:\WINNT\system32\drivers\vmnetbridge.sys
2008-09-06 20:23 . 2007-10-08 09:27 25,008 --a------ C:\WINNT\system32\drivers\vmnetuserif.sys
2008-09-06 20:23 . 2007-10-08 09:26 17,712 -ra------ C:\WINNT\system32\drivers\vmnet.sys
2008-09-06 20:23 . 2007-10-08 09:26 16,816 -ra------ C:\WINNT\system32\drivers\vmnetadapter.sys
2008-09-06 20:23 . 2007-10-08 09:26 13,104 -ra------ C:\WINNT\system32\vnetinst.dll
2008-09-06 20:22 . 2007-10-08 09:27 436,784 --a------ C:\WINNT\system32\vnetlib.dll
2008-09-06 20:22 . 2007-10-08 09:27 20,912 --a------ C:\WINNT\system32\drivers\VMkbd.sys
2008-09-06 20:22 . 2008-09-06 20:22 1,024 --a------ C:\.rnd
2008-09-06 20:19 . 2008-10-02 06:56 <KANSIO> d-------- E:\Users\All Users.WINNT\Application Data\VMware
2008-09-06 20:18 . 2008-09-06 20:18 <KANSIO> d-------- D:\Program Files\VMware
2008-09-06 20:18 . 2008-09-06 20:18 <KANSIO> d-------- D:\Program Files\Common Files\VMware

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 03:56 --------- d-----w E:\Users\NetworkService.NT-HALLINTA.000\Application Data\VMware
2008-10-02 03:56 --------- d-----w E:\Users\All Users.WINNT\Application Data\VMware
2008-10-01 15:13 --------- d-----w E:\Users\Mäkinen.ORAVALA-PC\Application Data\Azureus
2008-10-01 07:27 --------- d-----w D:\Program Files\DivX
2008-10-01 07:24 --------- d-----w D:\Program Files\AC3Filter
2008-09-28 13:16 --------- d-----w D:\Program Files\Beetle Bug 2
2008-09-15 07:54 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-09-15 07:47 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-09-06 17:24 --------- d-----w E:\Users\LocalService.NT-HALLINTA.000\Application Data\VMware
2008-09-06 17:18 --------- d-----w D:\Program Files\VMware
2008-08-28 10:54 --------- d-----w D:\Program Files\Common Files\xing shared
2008-08-28 10:54 --------- d-----w D:\Program Files\Common Files\Real
2008-08-28 10:52 --------- d-----w E:\Users\Mäkinen.ORAVALA-PC\Application Data\Real
2008-08-23 19:28 --------- d-----w D:\Program Files\Gabest
2008-08-23 18:40 --------- d-----w D:\Program Files\Real
2008-08-23 16:57 --------- d-----w D:\Program Files\WinAVI Video Converter
2008-08-21 14:33 --------- d-----w E:\Users\Mäkinen.ORAVALA-PC\Application Data\Mozilla
2008-08-19 11:29 --------- d-----w E:\Users\Mäkinen.ORAVALA-PC\Application Data\progeSOFT
2008-08-19 10:51 --------- d-----w D:\Program Files\progeSOFT
2008-08-17 11:46 16,400 ----a-w E:\Users\Mäkinen.ORAVALA-PC\Application Data\GDIPFONTCACHEV1.DAT
2008-08-10 16:37 --------- d-----w E:\Users\Mäkinen.ORAVALA-PC\Application Data\IMSIDesign
2008-08-10 16:35 --------- d-----w D:\Program Files\IMSIDesign
2008-04-25 17:28 524,288 ---ha-w E:\Users\Järjestelmänvalvoja\NTUSER.DAT
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="D:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" [2007-05-25 183208]
"F-Secure TNB"="D:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 740208]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 171008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-14 C:\WINNT\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= ctwdm32.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINNT\system32\drivers\fsdfw.sys [2008-04-26 51072]
R1 F-Secure HIPS;F-Secure HIPS;D:\Program Files\F-Secure Internet Security\HIPS\fshs.sys [2008-04-26 41184]
R2 cis1284;cis1284;C:\WINNT\system32\drivers\cis1284.sys [2001-03-14 48472]
R2 MSSQL$HLP;SQL Server (HLP);D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;D:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 59760]
S4 F-Secure Filter;F-Secure File System Filter;D:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 40048]
S4 F-Secure Recognizer;F-Secure File System Recognizer;D:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 25456]
.
- - - - POISTETUT JÄMÄRIVIT - - - -

BHO-{24E606DD-0340-4D58-8FC5-F3D277EC2C35} - C:\WINNT\nkefbltdqrw.dll
Toolbar-{5314C6A2-514A-4B70-8185-A9C8FE0A4CFF} - C:\WINNT\dkwqgnbe.dll
SSODL-xgpsarbm-{98391067-1B11-4AC7-B603-CFAF0ED51EC8} - C:\WINNT\xgpsarbm.dll


.
------- Täydentävä tarkistus -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: Vie Microsoft E&xceliin - D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 07:44:37
Windows 5.1.2600 Service Pack 3 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsbl]
"ImagePath"="\??\D:\Program Files\F-Secure Internet Security\Anti-Virus\fsbldrv.sys"
.
------------------------ Muut prosessit ------------------------
.
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
D:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
D:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
D:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\devldr32.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
D:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
D:\Program Files\F-Secure Internet Security\FWES\program\fsdfwd.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\licmgr.exe
.
**************************************************************************
.
Valmistumisajankohta: 2008-10-02 7:47:08 - kone käynnistettiin uudelleen
ComboFix-quarantined-files.txt 2008-10-02 04:46:58

Ennen ajoa: 5˙614˙333˙952 tavua vapaana
Ajon jälkeen: 5,792,976,896 tavua vapaana

195 --- E O F --- 2008-09-22 20:47:19


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:49, on 2.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
D:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
D:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
D:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINNT\system32\devldr32.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
D:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
D:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
D:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\WINNT\system32\wuauclt.exe
D:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4796 bytes

Edited by makieks, 01 October 2008 - 11:50 PM.
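The two HijackThis logs in this thread (the first before ComboFix, the second after) are the kind of input a helper reads by eye: the O2/O3/O21 lines whose module sits directly in C:\WINNT under a random-looking name, and the O24 desktop component that points at a local HTML file, are the entries that were removed. The following script is an added example, not code from this thread, from HijackThis, or from ComboFix; it parses the relevant lines, flags them with the heuristics a reviewer would apply, and then checks that none of the flagged entries survive in the second log. The thresholds (vowel ratio below 0.2, file stem of at least six characters) and the "display name equals file name" rule are my own assumptions, not HijackThis rules; the sample lines are copied from the two logs posted above.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis logs posted in this thread: the first log
# was taken before ComboFix ran, the second after. Only the sections that the
# heuristics below look at are kept.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {24E606DD-0340-4D58-8FC5-F3D277EC2C35} - C:\WINNT\nkefbltdqrw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: dkwqgnbe - {5314C6A2-514A-4B70-8185-A9C8FE0A4CFF} - C:\WINNT\dkwqgnbe.dll
O21 - SSODL: xgpsarbm - {98391067-1B11-4AC7-B603-CFAF0ED51EC8} - C:\WINNT\xgpsarbm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm
"""

AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
CLSID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)
# Legitimate BHOs and toolbars live under Program Files or system32; a module
# dropped straight into the Windows directory root is unusual (assumption).
WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")


def parse_line(line):
    """Split one HijackThis entry into code, display name, CLSID and target.

    Returns None for lines that are not 'Oxx - ...' / 'Rx - ...' entries.
    """
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    code, rest = match.group(1), match.group(2)
    parts = rest.split(" - ")
    target = parts[-1]
    clsid = None
    if len(parts) >= 3 and CLSID_RE.match(parts[-2]):
        clsid = parts[-2].upper()
        name = " - ".join(parts[:-2])
    else:
        name = " - ".join(parts[:-1])
    # Drop the "BHO: " / "Toolbar: " / "SSODL: " type prefix from the name.
    if ": " in name:
        name = name.split(": ", 1)[1]
    return {"code": code, "name": name, "clsid": clsid, "target": target, "raw": line.strip()}


def vowel_ratio(stem):
    """Share of vowels among the letters of a file stem (random names score low)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def suspicious_reasons(entry):
    """Heuristic reasons (my assumptions, not HijackThis rules) to look twice at an entry."""
    reasons = []
    target = entry["target"]
    if entry["code"] in ("O2", "O3", "O21"):
        path = PureWindowsPath(target)
        stem = path.stem
        if str(path.parent).lower() in WINDOWS_ROOTS:
            reasons.append("module loaded straight from the Windows directory root")
        if len(stem) >= 6 and vowel_ratio(stem) < 0.2:
            reasons.append("random-looking file name")
        if entry["name"].lower() == stem.lower():
            reasons.append("display name is just the file name")
    if entry["code"] == "O24" and target.lower().startswith("file:///"):
        reasons.append("desktop web component points at a local HTML file")
    return reasons


def flag_entries(log_text):
    """Return [(entry, reasons)] for every entry that trips at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def still_present(before_text, after_text):
    """Flagged entries from the first log that still appear (by CLSID or target) in the second."""
    after_keys = set()
    for line in after_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            after_keys.add(entry["clsid"] or entry["target"].lower())
    return [
        entry["raw"]
        for entry, _ in flag_entries(before_text)
        if (entry["clsid"] or entry["target"].lower()) in after_keys
    ]


if __name__ == "__main__":
    for entry, reasons in flag_entries(BEFORE_LOG):
        print(entry["code"], entry["target"], "->", "; ".join(reasons))
    print("flagged entries still present after cleanup:", still_present(BEFORE_LOG, AFTER_LOG))
```

Run against the two logs, the script flags the QXK Olive BHO, the dkwqgnbe toolbar, the xgpsarbm SSODL entry and the Privacy Protection desktop component, leaves the Adobe and Java entries alone, and reports nothing still present in the post-ComboFix log, which matches the "POISTETUT JÄMÄRIVIT" section of the ComboFix report above. The heuristics are a triage aid only; a clean vendor path is not proof of a clean file, so a flagged or unflagged entry still needs the helper's judgement.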


#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 October 2008 - 11:54 PM

Hello,

Very good! :thumbsup:

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
I see you have MBAM.....can you run a scan with it and post the report please? How is it running now? :)

Thanks,
tea

#5 makieks
  • Topic Starter

  • Members
  • 6 posts

Posted 02 October 2008 - 12:20 AM

Thanks for all your help. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.28
Tietokantaversio: 1221
Windows 5.1.2600 Service Pack 3

2.10.2008 8:18:16
mbam-log-2008-10-02 (08-18-16).txt

Tarkistustyyppi: Pikatarkistus
Tarkistetut kohteet: 47372
Kulunut aika: 8 minute(s), 8 second(s)

Saastuneita muistiprosesseja: 0
Saastuneita muistimoduuleja: 0
Saastuneita rekisteriavaimia: 0
Saastuneita rekisteriarvoja: 0
Saastuneita rekisterikohteita: 0
Saastuneita hakemistoja: 0
Saastuneita tiedostoja: 0

Saastuneita muistiprosesseja:
(Haitallisia kohteita ei löydetty)

Saastuneita muistimoduuleja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriavaimia:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisteriarvoja:
(Haitallisia kohteita ei löydetty)

Saastuneita rekisterikohteita:
(Haitallisia kohteita ei löydetty)

Saastuneita hakemistoja:
(Haitallisia kohteita ei löydetty)

Saastuneita tiedostoja:
(Haitallisia kohteita ei löydetty)

IT'S CLEAN :thumbsup:

#6 makieks
  • Topic Starter

  • Members
  • 6 posts

Posted 02 October 2008 - 12:30 AM

I usually do not get any viruses or malware on my computer thanks to F-Secure Internet Security.
But I'm sort of "addicted" to Prison Break. So I downloaded the latest episode from a torrent site and opened the .avi file with BSPlayer. It showed a black screen with text similar to: "Warning: New codec needed, download should start automatically." But BSPlayer doesn't find codecs on its own, so I opened the .avi with RealPlayer and it wanted to install the xvid codec. Then everything went wrong. And I was even in the middle of a hurry to go out of town and left the computer on.

The computer was on, infected and connected to the net for about 6 hours before I had the time to look at it. Pretty bad.
And there isn't even a new xvid codec update at all. I already had the newest one on my PC. Damn, one can be stupid sometimes. :thumbsup:

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 October 2008 - 12:45 AM

Hello,

Don't think you're stupid, just take it as a lesson to learn from. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

You have some excellent protection in place, so you get spared "The Speech"! :)

http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#8 makieks
  • Topic Starter

  • Members
  • 6 posts

Posted 02 October 2008 - 12:53 AM

Thanks again. Take care :thumbsup:

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 October 2008 - 01:24 AM

You're most welcome. :thumbsup:

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 October 2008 - 05:20 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.