Spys and viruses & F-Secure, F-Secure won't help ;(
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
75871
Hello !

Below you can find my F-Secure 6.15 scan log and after that the HijackThis log. Although F-Secure says it cleans my PC (deleted = "poistettu" in Finnish), after a reboot the situation is the same again (yes, I turned System Restore off when cleaning).
Any idea how to solve this?

F-Secure 6.15 scan log =======================================
Trojan-Downloader.Win32.Agent.aww (virus)
C:\WINDOWS\system32\wbem\dReposxml\BoExplorer.rar
C:\WINDOWS\system32\wbem\dReposxml\BoExplorer.rar\NTWorkStan.dll

X97M/Not_a_virus (virus)
C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\quiz\figurine100.zip\Test figurine 100 .xls

Trojan-PSW.Win32.QQPass.sn (virus)
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\xin.exe.exe Toiminto: poistettu

Trojan-PSW.Win32.QQPass.vk (virus)
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\76931.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\74121.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\54471.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\39941.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\18401.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\1.exe Toiminto: poistettu

Trojan-PSW.Win32.QQRob.me (virus)
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\71062.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\5312.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\46062.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\40512.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\36262.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\2.exe Toiminto: poistettu
C:\Program Files\Internet Explorer\InfoMs.sys Toiminto: poistettu

Trojan-PSW.Win32.OnLineGames.es (virus)
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\62375.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\59953.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\5.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\46853.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\36903.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\3.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\22435.exe Toiminto: poistettu
C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\11443.exe Toiminto: poistettu

Trojan.Win32.Agent.afb (virus)
C:\WINDOWS\system32\drivers\romman.sys Toiminto: poistettu
C:\WINDOWS\system32\drivers\lanfs.sys Toiminto: poistettu
C:\WINDOWS\system32\drivers\i82440bx.sys Toiminto: poistettu
C:\WINDOWS\system32\4bafcfsb.dll Toiminto: poistettu
C:\WINDOWS\system32\4b1acfsb.dll Toiminto: poistettu

Trojan-Downloader.Win32.Agent.bcd (virus)
C:\WINDOWS\system32\drivers\hidproc.sys Toiminto: poistettu
C:\WINDOWS\system32\wbem\ztauplqh.dll Toiminto: poistettu
C:\WINDOWS\system32\lsanp.dll Toiminto: poistettu

Adware.BHO(generic) (Undefined)
REGKEY:HKCR\clsid\{f9ba1aa9-cad4-4c14-bde6-922dff5f6f38}
Toiminto: eristetty

Tunnisteiden versio:
Virukset: 2007-03-09_06
Vakoiluohjelmat: 2007-03-05_06

Tarkistusohjelmat:
F-Secure AVP: 6.00.169, 2007-03-09
F-Secure Libra: 2.03.11, 2007-03-08
F-Secure Orion: 1.02.37, 2007-03-09
F-Secure Draco: 1.00.35, 2007-03-05
F-Secure BlackLight: 1.00.53

HijackThis v1.99.1 log =======================================
Logfile of HijackThis v1.99.1
Scan saved at 17:38:20, on 27.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\FSGK32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fssm32.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsav32.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\ELISAT~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\fsguidll.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\temp\Case Jari K\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: a99e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4e34ntos.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: browser Class - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\USERDATA\S3H535Pdm7_2002.dll
O2 - BHO: WinRAR Class - {E01EA6BA-C6CA-475D-8D3B-45F323A6B62B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\NAVDATA\JQMt4jq0CE_qA1dDNCzBY.dll
O2 - BHO: Flasher - {E29F0B13-0D84-45aa-81EC-CC629BC07566} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\Flasher0.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {fafc1586-a99e-4e34-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4e34ntos.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: a99e - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4e34ntos.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_SAA87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Pack\Office10\OSA.EXE
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Plug-in - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Local Kernel Service (kernel) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\LqckI4J1xM.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Set Service (SystemSet) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)

rridgely
Welcome to the forum.
Let's get this all cleaned up.


Run BitDefender Online Scanner
  • Using Internet Explorer, please go HERE to run BitDefender's online scan.
  • Read the terms and then click I Agree.
  • You may receive a Security Warning about the BitDefender ActiveX control. If you do, please allow it to install.
  • On the Scanning Options screen, press Click Here To Scan and then follow the on-screen prompts.
  • Once BitDefender is finished scanning your computer it will automatically remove the infections. Once the removal process is finished, press the Close button and a dialog box will appear asking if you want to send your scan log back to the makers of BitDefender. You do not have to do this, but what you do want to do is press the button that says "View Log", then copy and paste that log into Notepad and save it to your desktop as bitdefender.txt.
  • Reboot your computer.

Download SUPERAntiSpyware
  1. Load SUPERAntiSpyware and click the Check for Updates button.
  2. Once the update is finished, click the Scan your Computer button.
  3. Check Perform Complete Scan and then click Next.
  4. SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press Next.
  6. Click Finish and you will be taken back to the main interface.
  7. Click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log, and a text file will appear.
  8. Copy and paste the log onto the forum.

In your next reply post the BitDefender log, the SUPERAntiSpyware log, and a new HijackThis log.
75871
Sorry this took a while, but I was on holidays.

Below you can find the BitDefender log and the latest HijackThis log.
Unfortunately, after downloading SUPERAntiSpyware.exe and trying to launch it, nothing happens (it seems like it does not even start any process). I have downloaded it several times but with no success (on my other XP machine the same SUPERAntiSpyware.exe seems to work perfectly OK).

Any idea how to continue?

============ BitDefender log
BitDefender Online Scanner - Real Time Virus Report

Generated at: Wed, Apr 04, 2007 - 18:21:59
--------------------------------------------------------------------------------
Scan Info
Scanned Files: 1388206
Infected Files: 325

Virus Detected (name: count)
Dropped:Generic.Malware.PWS.98A29E0D: 1
Trojan.Downloader.BBF: 2
Generic.Malware.SP!V!dldPk!.41412EB7: 1
Generic.Malware.PWS.1F526A27: 1
Trojan.Downloader.Delf.QI: 1
Trojan.BHO.AP: 1
Trojan.Downloader.Harnig.XB: 2
Trojan.Adload.H: 1
Generic.Malware.SdldgPWS.25F04345: 1
Trojan.Agent.AFB: 1
Dropped:Generic.Malware.dld!!.1FA1A775: 1
Generic.Malware.SgPWS.2907ED24: 1
Generic.Malware.SP!BV!dldPk!.13B89283: 4
Trojan.Agent.AON: 4
Trojan.Dropper.GJ: 266
DeepScan:Generic.Malware.SFBdld.C84779FE: 1
Trojan.Downloader.Agent.AWW: 1
Trojan.Nimosw.A: 1
Backdoor.Agent.AHJ: 1
Generic.Malware.PWS.98A29E0D: 2
Trojan.Downloader.BHO.T: 1
Trojan.Nimosw.B: 2
Trojan.PWS.Delf.HW: 1
Trojan.Cinmun.A: 11
Trojan.Downloader.Agent.XZG: 2
Generic.Malware.PWS.2A71E77A: 1
Trojan.Downloader.AUX: 2
Generic.Malware.PWS.55072735: 11

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

============ HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 14:13:09, on 14.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\WINDOWS\wsttrs.exe
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\temp\Case Jari K\Tools\x.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/ig?hl=fi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: 4d8b - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {5080d5c1-4d8b-40cc-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: (no name) - {b3fd3a52-c8ab-42b7-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\42b7cfsb.dll
O2 - BHO: Editor - {D92EB6BE-C6CA-475D-8D3B-45F323A6B62B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\NAVDATA\jT1xp8OhmI_qA1dDNCzBY.dll
O2 - BHO: SysShellKernel - {E04B27AA-3973-4D68-8F42-B7C2FC8C6CF7} - C:\WINDOWS\system32\SysShellKernel.dll
O2 - BHO: Flasher - {E29F0B13-0D84-45aa-81EC-CC629BC07566} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\Flasher0.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_SAA87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [winform] C:\WINDOWS\winform.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\wsttrs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [k05cx] C:\DOCUME~1\HP_OMI~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [s1gr27vqm] C:\DOCUME~1\HP_OMI~1\LOCALS~1\Temp\Servere.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Pack\Office10\OSA.EXE
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Plug-in - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Local Kernel Service (kernel) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\LqckI4J1xM.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Set Service (SystemSet) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)

rridgely
This computer is still really infected. You're going to have to run a few tools to clean this up.
Do not run these all at once. Do them one at a time.

Download AVG Anti-Spyware
  1. Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update, click Start update.
  2. Wait for the update to finish (the status bar at the bottom will display "Update successful").
  3. Click on the Scanner tab at the top and then click on Complete System Scan.
  4. Ewido will list any infections found on the left; when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back.
Note that this is not AVG Anti-Virus but the program formerly known as Ewido.

---------

Run Panda Activescan from Here.

Once you are on the Panda site, click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

--------

Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
  • Click the Download now link on the right to download the program.
  • Double-click the file to install it as follows:
  • Click "Next", read the agreement, Click "Next"
  • Choose "Custom" click "Next".
  • Leave the default installation directory as it is, then click "Next".
  • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, disconnect from the internet.
  • Click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Post the Webroot log and a new HijackThis log.


Come back with an AVG log, a Panda scan log, a Webroot log, and a new HijackThis log taken after all of the scans.
Sorry, I know that's a lot, but your PC is pretty bad.
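The reinfection after every reboot that 75871 describes, and rridgely's verdict that the machine is still infected, both rest on the persistence entries in the HijackThis logs above. The script below is an added example, not a tool from this thread, the forum or any vendor: it applies the checks a helper reads such a log with (services with no owner or a missing binary, Run entries in Temp or the Windows root, BHO DLLs named after their own CLSID, random-looking file names) to a constructed sample built from lines copied out of the second log; the name heuristics and thresholds are my own assumptions.

```python
"""Triage HijackThis v1.99.1 log lines for the persistence patterns seen in this thread.

Added example for this thread, not a tool from the forum or any vendor: the
checks are the ones a helper applies by eye, and the thresholds are heuristics.
"""
import re

# Constructed sample: entries copied from the second HijackThis log in the thread,
# plus three benign entries (Adobe BHO, Java updater, NVIDIA service) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5080d5c1-4d8b-40cc-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: Editor - {D92EB6BE-C6CA-475D-8D3B-45F323A6B62B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\NAVDATA\jT1xp8OhmI_qA1dDNCzBY.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [wsttrs] C:\WINDOWS\wsttrs.exe
O4 - HKCU\..\Run: [k05cx] C:\DOCUME~1\HP_OMI~1\LOCALS~1\Temp\c0nime.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Local Kernel Service (kernel) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\LqckI4J1xM.exe (file missing)
O23 - Service: System Set Service (SystemSet) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
"""

# "O4 - <body>" / "R3 - <body>": section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Capture the three middle 4-hex groups of a CLSID; the BHOs in this thread
# name their DLL after one of them (e.g. {...-4d8b-40cc-ae2b-...} -> 40ccntos.dll).
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-[0-9a-f]{12}\}", re.I)
# First drive- or %VAR%-rooted path ending in a binary extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"\r\n]*?\.(?:exe|dll|sys|cpl)\b', re.I)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): digits mixed into the name (not just a trailing
    '32'), or six-plus letters with no vowel.  Legitimate vendor binaries can
    trip it (F-Secure's fsgk32st.exe in the log above would), so treat hits as
    review items, not verdicts."""
    core = stem.lower().rstrip("0123456789")
    if any(c.isdigit() for c in core):
        return True
    return len(core) >= 6 and not any(c in "aeiouy" for c in core)


def odd_location(path: str):
    """Places where an auto-started binary rarely belongs."""
    p = path.lower().replace("/", "\\")
    if "\\temp\\" in p:
        return "runs from a Temp directory"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        return "binary placed directly in the Windows root"
    if "\\application data\\microsoft\\office\\" in p:
        return "binary tucked under Application Data\\Microsoft\\Office"
    return None


def clsid_derived_name(body: str, stem: str):
    """Flag a BHO/URLSearchHook whose DLL name starts with one of its CLSID groups."""
    m = CLSID_RE.search(body)
    if m and stem[:4].lower() in (g.lower() for g in m.groups()):
        return "DLL name derived from its own CLSID (%s)" % stem[:4]
    return None


def triage(log_text: str):
    """Return one finding per suspicious entry: section, raw line, list of reasons."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec == "O23":
            if "- Unknown owner -" in body:
                reasons.append("service with no vendor/owner information")
            if body.endswith("(file missing)"):
                reasons.append("service points at a binary that is no longer on disk")
        pm = PATH_RE.search(body)
        if pm:
            path = pm.group(0)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            loc = odd_location(path)
            if loc:
                reasons.append(loc)
            if looks_random(stem):
                reasons.append("random-looking file name '%s'" % stem)
            if sec in ("O2", "R3"):
                c = clsid_derived_name(body, stem)
                if c:
                    reasons.append(c)
        if reasons:
            findings.append({"section": sec, "line": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["line"][:70])
        for r in f["reasons"]:
            print("    -", r)
```

On the sample, the three benign entries pass and the other seven are flagged; a service that is "Unknown owner" and "(file missing)" is exactly the leftover-loader pattern that keeps re-dropping files after a scan has cleaned them.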
75871
After downloading AVG Anti-Spyware it won't start at all... same situation as it was with SUPERAntiSpyware.exe previously. Anyway, here are the results of Panda ActiveScan, Webroot SpySweeper and the latest HijackThis log.
... should I really start to plan how to perform a total reinstallation of this computer?!

============= Activescan_19.4.txt

Incident Status Location

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\HP_Omistaja\Cookies\hp_omistaja@adtech[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Omistaja\Cookies\hp_omistaja@burstnet[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Omistaja\Cookies\hp_omistaja@tribalfusion[1].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\2.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\Cookies\hp_omistaja@2o7[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\Cookies\hp_omistaja@adtech[2].txt
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\Cookies\hp_omistaja@research-int[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Omistaja\Local Settings\Temp\Cookies\hp_omistaja@tribalfusion[1].txt
Virus:Trj/Small.VS Not disinfected C:\Documents and Settings\HP_Omistaja\Omat tiedostot\Vastaanotetut tiedostot\Xoftspy 4[1].x.0ar[keygen.exe]
Virus:Trj/Small.VS Not disinfected C:\Documents and Settings\HP_Omistaja\Omat tiedostot\Vastaanotetut tiedostot\Xoftspy All Versions .0ar[keygen.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/Alexa-Toolbar Not disinfected C:\Program Files\Alexa Toolbar\uninstall.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Common Files\Microsoft Shared\MSInfo\system42.rar
Potentially unwanted tool:Application/Processor Not disinfected C:\temp\Case Jari K\Tools\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\temp\SDFix\apps\Process.exe
Virus:Trj/QQRob.NV Disinfected C:\temp\SDFix\backups\backups.0ip[backups/Rpcs.exe]
Virus:Trj/Zlob.FZ Disinfected C:\WINDOWS\KERNEL32.0XE
Virus:Trj/Lineage.DCO Disinfected C:\WINDOWS\msccrt.exe
Virus:Trj/Lineage.DEE Disinfected C:\WINDOWS\system32\4.dll
Virus:Trj/WinKld.A Disinfected C:\WINDOWS\system32\ad_1128.exe
Adware:Adware/Alexa-Toolbar Not disinfected C:\WINDOWS\system32\AlxRes.dll
Adware:Adware/Alexa-Toolbar Not disinfected C:\WINDOWS\system32\AlxTB1.dll
Adware:Adware/888Bar Not disinfected C:\WINDOWS\system32\dodolook133.exe
Hacktool:Rootkit/Baidu.D Not disinfected C:\WINDOWS\system32\drivers\FFPBEK.0YS
Virus:Trj/Agent.EPE Disinfected C:\WINDOWS\system32\drivers\i82440bx.sys
Virus:Rootkit/Lineage.CQX Disinfected C:\WINDOWS\system32\drivers\ndcia.sys
Virus:Trj/WinKld.A Disinfected C:\WINDOWS\system32\dufs2.exe
Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\hhnvfs41.dll
Virus:Trj/Downloader.MZX Disinfected C:\WINDOWS\system32\kbnaxp.dll
Virus:Trj/Lineage.DAW Disinfected C:\WINDOWS\system32\mppds.dll
Virus:Trj/Lineage.DCO Disinfected C:\WINDOWS\system32\msccrt.dll
Virus:Trj/Wow.MJ Disinfected C:\WINDOWS\system32\nwizasktao.dll
Virus:Trj/Wow.MJ Disinfected C:\WINDOWS\system32\nwizasktao.exe
Adware:Adware/BHOcn Not disinfected C:\WINDOWS\system32\SysShellKernel.dll
Adware:Adware/Sohu Not disinfected C:\WINDOWS\system32\t21.0xe[Reg.exe]
Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\wincmr55.dll
Virus:Trj/Lineage.DBI Disinfected C:\WINDOWS\system32\winform.dll
Adware:Adware/BaiduBar Not disinfected C:\WINDOWS\system32\winmrx86.dll
Virus:Trj/Lineage.DBK Disinfected C:\WINDOWS\system32\wsttrs.dll
Adware:Adware/WebAttaker Not disinfected C:\WINDOWS\system32\xpnap.exe
Virus:Trj/Lineage.DBI Disinfected C:\WINDOWS\winform.exe
Virus:Trj/Lineage.DBK Disinfected C:\WINDOWS\wsttrs.exe

============= Spy_Sweeper_19.4.txt
18:39: Removal process completed. Elapsed time 00:00:24
18:39: A reboot was required but declined.
18:39: Quarantining All Traces: tribalfusion cookie
18:39: Quarantining All Traces: trb.com cookie
18:39: Quarantining All Traces: redsheriff cookies
18:39: Quarantining All Traces: burstnet cookie
18:39: Quarantining All Traces: adtech cookie
18:39: Quarantining All Traces: specificclick.com cookie
18:39: Quarantining All Traces: adecn cookie
18:39: Quarantining All Traces: sysshellkernel hijacker
18:39: Quarantining All Traces: union123 hijack
18:39: Quarantining All Traces: cnnewmusic-yiqilai
18:39: Quarantining All Traces: zsxz
18:39: Quarantining All Traces: trojan-chimoz
18:39: Quarantining All Traces: sogou
18:39: Quarantining All Traces: cnsmin
18:39: C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.rxk is in use. It will be removed on reboot.
18:39: C:\Program Files\Internet Explorer\InfoMs.dll is in use. It will be removed on reboot.
18:39: trojan-phisher-qqpass is in use. It will be removed on reboot.
18:39: Quarantining All Traces: trojan-phisher-qqpass
18:39: Removal process initiated
18:35: Traces Found: 99
18:35: Custom Sweep has completed. Elapsed time 00:25:43
18:35: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\mz\openie2\ (ID = 2066213)
18:35: HKU\WRSS_Profile_S-1-5-21-2044840818-1191932321-2524131797-500\software\mz\openie2\ (ID = 2066213)
18:35: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {feb94f5a-69f3-4645-8c2b-9e71d270af2e} (ID = 1660141)
18:35: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {99f1d023-7ceb-4586-80f7-bb1a98db7602} (ID = 1660140)
18:35: HKLM\software\classes\clsid\{feb94f5a-69f3-4645-8c2b-9e71d270af2e}\inprocserver32\ (ID = 1660139)
18:35: HKCR\clsid\{99f1d023-7ceb-4586-80f7-bb1a98db7602}\inprocserver32\ (ID = 1660138)
18:35: File Sweep Complete, Elapsed Time: 00:23:47
18:31: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DCA000C
18:31: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7DEB000C
18:30: Warning: TCompressedFile.GetStreams(1): Stream read error
18:30: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
18:30: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
18:28: Warning: Failed to open file "c:\documents and settings\hp_omistaja\application data\ispnews\ispnc.items". The operation completed
18:28: Warning: Failed to open file "c:\documents and settings\hp_omistaja\local settings\temp\temporary internet files\content.ie5\6jcnnfeg\158[1]". The operation completed
18:14: C:\WINDOWS\system32\jsefusf.dll (ID = 486735)
18:12: ApplicationMinimized - EXIT
18:12: ApplicationMinimized - ENTER
18:12: ApplicationMinimized - EXIT
18:12: ApplicationMinimized - ENTER
18:12: ApplicationMinimized - EXIT
18:12: ApplicationMinimized - ENTER
18:11: C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools (1 subtraces) (ID = 2147538233)
18:11: Starting File Sweep
18:11: Cookie Sweep Complete, Elapsed Time: 00:00:00
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@www.burstnet[1].txt (ID = 2337)
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@tribalfusion[1].txt (ID = 3589)
18:11: Found Spy Cookie: tribalfusion cookie
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@trb[1].txt (ID = 3587)
18:11: Found Spy Cookie: trb.com cookie
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@specificclick[1].txt (ID = 3399)
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@imrworldwide[2].txt (ID = 2845)
18:11: Found Spy Cookie: redsheriff cookies
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@burstnet[2].txt (ID = 2336)
18:11: Found Spy Cookie: burstnet cookie
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@adtech[2].txt (ID = 2155)
18:11: Found Spy Cookie: adtech cookie
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@adopt.specificclick[1].txt (ID = 3400)
18:11: Found Spy Cookie: specificclick.com cookie
18:11: c:\documents and settings\hp_omistaja\cookies\hp_omistaja@adecn[2].txt (ID = 2063)
18:11: Found Spy Cookie: adecn cookie
18:11: Starting Cookie Sweep
18:11: Registry Sweep Complete, Elapsed Time:00:00:08
18:11: HKU\S-1-5-18\system\currentcontrolset\services\jsefusf\ (ID = 2066417)
18:11: HKU\S-1-5-18\software\tbsb03263\ (ID = 1964433)
18:11: HKU\S-1-5-18\software\microsoft\internet explorer\urlsearchhooks\ || {ca3eb689-8f09-4026-aa10-b9534c691ce0} (ID = 1964431)
18:11: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {33e640d8-eb95-4b22-b475-1852b7d35993} (ID = 1964430)
18:11: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {5c3853cf-c7e0-4946-b3fa-1abdb6f48108} (ID = 1847150)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\system\currentcontrolset\services\jsefusf\ (ID = 2066417)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\tbsb03263\ (ID = 1964433)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\microsoft\internet explorer\urlsearchhooks\ || {ca3eb689-8f09-4026-aa10-b9534c691ce0} (ID = 1964431)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {33e640d8-eb95-4b22-b475-1852b7d35993} (ID = 1964430)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {5c3853cf-c7e0-4946-b3fa-1abdb6f48108} (ID = 1847150)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\cpush\ (ID = 1779757)
18:11: HKU\S-1-5-21-2044840818-1191932321-2524131797-1008\software\cnnic\cdnclient\ (ID = 1359346)
18:11: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {754fb7d8-b8fe-4810-b363-a788cd060f1f} (ID = 2113118)
18:11: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {a6011f8f-a7f8-49aa-9ada-49127d43138f} (ID = 2113117)
18:11: HKLM\software\classes\clsid\{a6011f8f-a7f8-49aa-9ada-49127d43138f}\ (ID = 2112768)
18:11: HKLM\software\classes\clsid\{754fb7d8-b8fe-4810-b363-a788cd060f1f}\ (ID = 2112745)
18:11: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{e04b27aa-3973-4d68-8f42-b7c2fc8c6cf7}\ (ID = 2110423)
18:11: HKLM\software\classes\typelib\{eda19996-ced5-4964-bad4-1106411d1de2}\ (ID = 2110413)
18:11: HKLM\software\classes\clsid\{e04b27aa-3973-4d68-8f42-b7c2fc8c6cf7}\ (ID = 2110402)
18:11: Found Adware: sysshellkernel hijacker
18:11: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 2100024)
18:11: Found Adware: union123 hijack
18:11: HKLM\system\currentcontrolset\services\jsefusf\ || imagepath (ID = 2066452)
18:11: HKLM\system\currentcontrolset\services\jsefusf\ (ID = 2066448)
18:11: HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {dd7d4640-4464-48c0-82fd-21338366d2d2} (ID = 2066218)
18:11: HKLM\software\classes\clsid\{dd7d4640-4464-48c0-82fd-21338366d2d2}\ (ID = 2066217)
18:11: HKCR\clsid\{dd7d4640-4464-48c0-82fd-21338366d2d2}\ (ID = 2066216)
18:11: HKLM\system\currentcontrolset\services\acpidisk\ (ID = 2009520)
18:11: HKLM\software\classes\newmediapopup.ddlogic.1\ (ID = 2004184)
18:11: HKLM\software\classes\newmediapopup.ddlogic\ (ID = 2004178)
18:11: HKCR\newmediapopup.ddlogic.1\ (ID = 2004147)
18:11: HKCR\newmediapopup.ddlogic\ (ID = 2004141)
18:11: HKLM\software\microsoft\windows\currentversion\uninstall\tbsb03263.tbsb03263toolbar\ (ID = 1964934)
18:11: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{eec7e620-b32a-4e3b-b200-291660803474}\ (ID = 1964925)
18:11: HKLM\software\classes\tbsb03263.tbsb03263.3\ (ID = 1964796)
18:11: HKLM\software\classes\tbsb03263.tbsb03263\ (ID = 1964790)
18:11: HKLM\software\classes\tbsb03263.ietoolbar.1\ (ID = 1964786)
18:11: HKLM\software\classes\tbsb03263.ietoolbar\ (ID = 1964780)
18:11: HKLM\software\classes\clsid\{eec7e620-b32a-4e3b-b200-291660803474}\ (ID = 1964729)
18:11: HKLM\software\classes\clsid\{33e640d8-eb95-4b22-b475-1852b7d35993}\ (ID = 1964597)
18:11: HKCR\tbsb03263.tbsb03263.3\ (ID = 1964313)
18:11: HKCR\tbsb03263.tbsb03263\ (ID = 1964307)
18:11: HKCR\tbsb03263.ietoolbar.1\ (ID = 1964303)
18:11: HKCR\tbsb03263.ietoolbar\ (ID = 1964297)
18:11: HKCR\clsid\{eec7e620-b32a-4e3b-b200-291660803474}\ (ID = 1964246)
18:11: HKCR\clsid\{33e640d8-eb95-4b22-b475-1852b7d35993}\ (ID = 1964114)
18:11: HKLM\system\currentcontrolset\services\systemset\ (ID = 1914885)
18:11: HKLM\system\currentcontrolset\enum\root\legacy_systemset\ (ID = 1914874)
18:11: HKLM\system\controlset001\services\systemset\ (ID = 1914843)
18:11: Found Trojan Horse: trojan-chimoz
18:11: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0}\ (ID = 1889119)
18:11: HKLM\software\classes\typelib\{385ab8c5-fb22-4d17-8834-064e2ba0a6f0}\ (ID = 1889099)
18:11: HKLM\software\classes\clsid\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0}\ (ID = 1889075)
18:11: HKCR\typelib\{385ab8c5-fb22-4d17-8834-064e2ba0a6f0}\ (ID = 1889055)
18:11: HKCR\clsid\{385ab8c6-fb22-4d17-8834-064e2ba0a6f0}\ (ID = 1889031)
18:11: Found Adware: cnnewmusic-yiqilai
18:11: HKLM\software\classes\urlsearchhook.toolbarurlsearchhook.1\ (ID = 1875547)
18:11: HKLM\software\classes\urlsearchhook.toolbarurlsearchhook\ (ID = 1875543)
18:11: HKLM\software\classes\typelib\{4509d3cc-b642-4745-b030-645b79522c6d}\ (ID = 1875533)
18:11: HKLM\software\classes\toolbar3.xbtbpos00.1\ (ID = 1875529)
18:11: HKLM\software\classes\toolbar3.xbtbpos00\ (ID = 1875523)
18:11: HKLM\software\classes\clsid\{ca3eb689-8f09-4026-aa10-b9534c691ce0}\ (ID = 1875476)
18:11: HKCR\urlsearchhook.toolbarurlsearchhook.1\ (ID = 1875399)
18:11: HKCR\urlsearchhook.toolbarurlsearchhook\ (ID = 1875395)
18:11: HKCR\typelib\{4509d3cc-b642-4745-b030-645b79522c6d}\ (ID = 1875385)
18:11: HKCR\toolbar3.xbtbpos00.1\ (ID = 1875381)
18:11: HKCR\toolbar3.xbtbpos00\ (ID = 1875375)
18:11: HKCR\clsid\{ca3eb689-8f09-4026-aa10-b9534c691ce0}\ (ID = 1875328)
18:11: HKLM\software\cpush\ (ID = 1779762)
18:11: HKLM\software\microsoft\windows\currentversion\uninstall\contentmatch\ || uninstallstring (ID = 1779761)
18:11: HKLM\software\microsoft\windows\currentversion\uninstall\contentmatch\ (ID = 1779759)
18:11: HKLM\software\classes\clsid\{feb94f5a-69f3-4645-8c2b-9e71d270af2e}\ (ID = 1659867)
18:11: HKLM\software\classes\clsid\{99f1d023-7ceb-4586-80f7-bb1a98db7602}\ (ID = 1659285)
18:11: HKCR\clsid\{99f1d023-7ceb-4586-80f7-bb1a98db7602}\ (ID = 1659278)
18:11: HKLM\system\currentcontrolset\services\cdnprot\ (ID = 1361190)
18:11: HKLM\software\microsoft\internet explorer\advancedoptions\cdnclient\ (ID = 1359549)
18:11: HKLM\software\cnnic\cdnclient\ (ID = 1359525)
18:11: Found Adware: cnsmin
18:11: HKLM\software\microsoft\windows\currentversion\uninstall\zsxz\ (ID = 1159700)
18:11: Found Adware: zsxz
18:11: Starting Registry Sweep
18:11: Memory Sweep Complete, Elapsed Time: 00:01:40
18:10: ApplicationMinimized - EXIT
18:10: ApplicationMinimized - EXIT
18:10: ApplicationMinimized - ENTER
18:10: ApplicationMinimized - ENTER
18:09: Starting Memory Sweep
18:09: HKLM\software\classes\clsid\{754fb7d8-b8fe-4810-b363-a788cd060f1f}\inprocserver32\ (ID = 2158527)
18:09: C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.rxk (ID = 2142658)
18:09: HKLM\software\classes\clsid\{a6011f8f-a7f8-49aa-9ada-49127d43138f}\inprocserver32\ (ID = 2142658)
18:09: HKLM\system\currentcontrolset\services\jsefusf\ || imagepath (ID = 2092214)
18:09: C:\Program Files\Internet Explorer\InfoMs.dll (ID = 2066204)
18:09: HKCR\clsid\{dd7d4640-4464-48c0-82fd-21338366d2d2}\inprocserver32\ (ID = 2066204)
18:09: Found Trojan Horse: trojan-phisher-qqpass
18:09: HKLM\software\microsoft\windows\currentversion\uninstall\contentmatch\ || uninstallstring (ID = 1834248)
18:09: Found Adware: sogou
18:09: Start Custom Sweep
18:09: Sweep initiated using definitions version 898
18:03: Your spyware definitions have been updated.
18:02: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
18:01: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
18:01: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
18:00: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
17:59: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: Off
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
17:58: Shield States
17:58: Spyware Definitions: 866
17:58: Spy Sweeper 5.3.2.2361 started
17:58: Spy Sweeper 5.3.2.2361 started
17:58: | Start of Session, 19 April 2007 |
***************
17:27: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: Off
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
17:26: Shield States
17:26: Spyware Definitions: 866
17:26: Spy Sweeper 5.3.2.2361 started
17:26: Spy Sweeper 5.3.2.2361 started
17:26: | Start of Session, 19 April 2007 |
***************

============= hijackthis_3.log
Logfile of HijackThis v1.99.1
Scan saved at 19:36:19, on 19.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Elisa Tietoturvapalvelu\Common\FCH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FAMEH32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsqh.exe
C:\Program Files\Elisa Tietoturvapalvelu\Anti-Virus\fsrw.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE
C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\program\fsbwst.exe
C:\temp\Case Jari K\Tools\x.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - URLSearchHook: 4d8b - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07a875c3-2eb1-4e9b-ae2b-1b294ae19f4f} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {4fd1d7a7-b2ba-4c7a-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4c7acfsb.dll (file missing)
O2 - BHO: (no name) - {5080d5c1-4d8b-40cc-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: MyFavor Web - {5537AA9F-7FE5-40E1-AEC7-D3B7E01FCA73} - (no file)
O2 - BHO:  - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - (no file)
O2 - BHO: KRYGNUA - {72A3896E-990B-4352-8AF7-8F1108EC10BF} - (no file)
O2 - BHO: BHOVCIQWDKQXE - {89BD793F-890B-4D84-9211-A956FA16B0AF} - (no file)
O2 - BHO: (no name) - {A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E} - (no file)
O2 - BHO: (no name) - {b3fd3a52-c8ab-42b7-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\42b7cfsb.dll
O2 - BHO: wgxx - {B477B87E-C2DA-4E30-92E8-0ACC9F2075AC} - (no file)
O2 - BHO: browser Class - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\USERDATA\k7ZzNNtLqO_2002.dll (file missing)
O2 - BHO: Editor - {D92EB6BE-C6CA-475D-8D3B-45F323A6B62B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\NAVDATA\jT1xp8OhmI_qA1dDNCzBY.dll
O2 - BHO: Flasher - {E29F0B13-0D84-45aa-81EC-CC629BC07566} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\Flasher0.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE" /FU "C:\WINDOWS\TEMP\E_SAA87.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Elisa Tietoturvapalvelu\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Elisa Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Elisa Tietoturvapalvelu\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [subcmr55] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\subcmr55.dll",Start
O4 - HKLM\..\Run: [ksgdno77] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\ksgdno77.dll",Start
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [nwizasktao] C:\WINDOWS\system32\nwizasktao.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [sckmrx86] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\sckmrx86.dll",Start
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s1gr27vqm] C:\DOCUME~1\HP_OMI~1\LOCALS~1\Temp\Servere.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Program Files\Elisa Tietoturvapalvelu\backweb\4119343\Program\fspex.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Pack\Office10\OSA.EXE
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Elisa Tietoturvapalvelu\Anti-Spyware\ieshield.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Yhteysohje - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: 财富通 - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\Program Files\财富通\caif.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptimg - cryptig.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Elisa Tietoturvapalvelu (BackWeb Plug-in - 4119343) - BackWeb Technologies Inc. - C:\PROGRA~1\ELISAT~1\backweb\4119343\Program\SERVIC~1.EXE
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Documents and Settings\HP_Omistaja\Työpöytä\JARI\Bluetooth\BTNtService.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Elisa Tietoturvapalvelu\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Local Kernel Service (kernel) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\LqckI4J1xM.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPYWAREfighterRP - Unknown owner - C:\Program Files\SPYWAREfighter\spfprc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
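The HijackThis log above is where the persistence lives: Run keys pointing at a fake Kernel32.exe and at rundll32-loaded DLLs with generated names, an autorun from the Temp folder, a Winlogon Notify DLL that is missing, and a service with no owner and no binary. The script below is an added example (not part of the thread and not a HijackThis feature) that triages HijackThis v1.99 lines with a small rule set; the sample lines are copied from the log posted above, and the heuristics (the 8 to 10 character random-name test, the ",Start" rundll32 pattern, the Temp-path and kernel32-masquerade checks) are the example's own assumptions, not rules HijackThis applies.

```python
"""Triage of HijackThis (v1.99) log lines.

Added example, not part of the forum thread or of HijackThis itself: a rule set
that flags the persistence entries a responder would look at first. The sample
lines are copied from the log posted in the thread; the heuristics are the
example's assumptions and will miss things (they are a starting point, not proof
of a clean machine).
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Assumption: an 8-10 character alphanumeric basename directly under system32
# (e.g. 40ccntos.dll, subcmr55.dll) is typical of generated dropper names.
# rundll32.exe is excluded because it is a legitimate system binary.
RANDOM_SYS32 = re.compile(
    r"C:\\WINDOWS\\system32\\(?!rundll32\.)[a-z0-9]{8,10}\.(?:dll|exe)", re.I)
# Autorun whose binary lives under the user's Temp directory (8.3 or long form).
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.I)
# The real kernel32 is a DLL in system32; an EXE called Kernel32 under C:\WINDOWS
# is masquerading.
MASQUERADE = re.compile(r"C:\\WINDOWS\\Kernel32\.exe", re.I)
# rundll32 loading a quoted system32 DLL through a generic ",Start" export.
RUNDLL_START = re.compile(
    r'Rundll32\.exe"?\s+"?C:\\WINDOWS\\system32\\[^"]+\.dll",Start', re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis line, None if nothing matched."""
    m = re.match(r"(R\d|O\d+) - (.*)", line.strip())
    if not m:
        return None
    sec, body = m.group(1), m.group(2)
    reasons = []
    if sec == "O2" and any(t in body for t in ("(no name)", "(no file)", "(file missing)")):
        reasons.append("BHO with no name or no backing file")
    if sec in ("R3", "O2", "O4") and RANDOM_SYS32.search(body):
        reasons.append("random-looking binary name in system32")
    if sec == "O4":
        if TEMP_DIR.search(body):
            reasons.append("autorun from a Temp directory")
        if MASQUERADE.search(body):
            reasons.append("executable masquerading as kernel32")
        if RUNDLL_START.search(body):
            reasons.append("rundll32 autorun loading a system32 DLL via ,Start")
    if sec == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify entry whose DLL is missing")
    if sec == "O23" and "Unknown owner" in body and "(file missing)" in body:
        reasons.append("service with unknown owner and missing binary")
    if not reasons:
        return None
    return Finding(sec, "; ".join(reasons), line.strip())


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


# Sample input: lines copied from the HijackThis log in the thread, with a few
# benign entries (Adobe, NVIDIA, Webroot) kept in to show they are not flagged.
SAMPLE = r"""
R3 - URLSearchHook: 4d8b - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\40ccntos.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5080d5c1-4d8b-40cc-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\40ccntos.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [subcmr55] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\subcmr55.dll",Start
O4 - HKCU\..\Run: [s1gr27vqm] C:\DOCUME~1\HP_OMI~1\LOCALS~1\Temp\Servere.exe
O20 - Winlogon Notify: cryptimg - cryptig.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: System Local Kernel Service (kernel) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\LqckI4J1xM.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as-is to see the seven flagged entries from the sample; paste a full log into `SAMPLE` (or read it from a file) to triage a real one. The point of the rules is to surface what an on-demand scanner's "deleted" verdict does not: the Run key, Winlogon Notify and service entries that re-create the Temp files after every reboot, which is why the F-Secure scan in this thread kept finding the same droppers.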


rridgely
To be honest, you would be better off reformatting this computer.
The stuff being found is pretty serious. The scans are turning up rootkits and backdoor trojans, and with those kinds of infections (and the even worse ones still on the computer) reformatting would be the best option. The problem is that with these infections it's very difficult to make sure that the computer is in fact cleaned.
I'll keep guiding you along, but just keep the above in mind.

If you want to continue down this long path then follow the below instructions:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will be saved to the same location as the blbeta.exe file.

Post the dr.web log, the blacklight log, and a new hijackthis log.
75871
OK, I will start backing up the user data and then I will reinstall the whole computer.
... there are also lots of useless applications etc. which will now be cleaned away.

Thanks for your help and have a nice springtime !
rridgely
Once you get your computer reinstalled, make sure you take a few steps to keep this from happening again in the future.
1. Update windows with ALL security updates
2. Follow this guide to secure your pc:
http://forum.piriform.com/index.php?showtopic=7936

If you do both of those, your PC should be pretty safe from reinfection.