Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Nail.exe


  • Please log in to reply
3 replies to this topic

#1 pjusken

pjusken

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 31 August 2005 - 05:15 PM

Hi guys
My computer has been infected with Nail.exe and possible other bad stuff. I am using F-secure antivirus software along with Microsoft Antispyware Beta application. The Antispyware do detect the Nail-stuff, but it seems like it is not able to remove it, because it still comming back. I have copied my HijackThis log, and hopefully you can analyse it and give me some suggestion to get rid of this.

Log:

Logfile of HijackThis v1.99.1
Scan saved at 00:04:06, on 01.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsqh.exe
C:\Programfiler\F-Secure\Anti-Virus\fsrw.exe
C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\gdekwbf.exe
C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\Programfiler\Apoint2K\Apntex.exe
C:\Programfiler\Scansoft\PaperPort\pptd40nt.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programfiler\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pksheyep.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programfiler\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [llqbyyb] C:\WINDOWS\system32\gdekwbf.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Block this popup - C:\Programfiler\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Konverter koblingsmål til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Konverter koblingsmål til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverter til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter valgte koblinger til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konverter valgte koblinger til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konverterer utvalg til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverterer utvalg til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113977553171
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpda...api/activex.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.vitari.no/admin/common/getImg.asp?FileID=1288
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psigroup.no
O17 - HKLM\Software\..\Telephony: DomainName = psigroup.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psigroup.no
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Best regards

Pjusken

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:30 AM

Posted 01 September 2005 - 03:14 AM

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 pjusken

pjusken
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 02 September 2005 - 01:22 PM

Hi

and thank you for your replay. I have done everything you suggested and here is copies of the logs you reqested.

Hijackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 20:15:35, on 02.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsqh.exe
C:\Programfiler\F-Secure\Anti-Virus\fsrw.exe
C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\Apoint2K\Apoint.exe
C:\Programfiler\Apoint2K\Apntex.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\F-Secure\FSGUI\fsguidll.exe
C:\Programfiler\Scansoft\PaperPort\pptd40nt.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pksheyep.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programfiler\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programfiler\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programfiler\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Block this popup - C:\Programfiler\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Konverter koblingsmål til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Konverter koblingsmål til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverter til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konverter valgte koblinger til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konverter valgte koblinger til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konverterer utvalg til Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konverterer utvalg til eksisterende PDF-fil - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113977553171
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpda...api/activex.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.vitari.no/admin/common/getImg.asp?FileID=1288
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psigroup.no
O17 - HKLM\Software\..\Telephony: DomainName = psigroup.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psigroup.no
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psigroup.no
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = psigroup.no
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe



and here is the log from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:07:33, 02.09.2005
+ Report-Checksum: 3A1B1A6C

+ Scan result:

HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3 -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3\eeennn -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3\kkws -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3\ppops -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3\reel -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-484763869-507921405-1343024091-1004\Software\_rtneg3\ssites -> Spyware.Begin2Search : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Lennartb\Cookies\lennartb@sonycorporate.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lennartb\Lokale innstillinger\Temporary Internet Files\Content.IE5\SXEBKTQF\aurora[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Cookies\lennartb@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Lokale innstillinger\Temp\umqltg4cl_.ini -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Lennartb.SYMTECH-LENNART\Lokale innstillinger\Temporary Internet Files\Content.IE5\ZZ5J7HGW\aurora[2].exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-607957377-4217684590-2342043122-1146\Dc105.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pksheyep.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pshwr.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\vtiofebowlv.exe -> Adware.BetterInternet : Cleaned with backup
D:\Programfiler\Propellerhead\Reason Demo\Reason_3 0_serial.exe -> Spyware.Beginto.c : Cleaned with backup


::Report End

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:12:30 AM

Posted 02 September 2005 - 02:04 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pksheyep.dll (file missing)

Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users