Thread: cmdService

  1. #1 Junior Member (Join Date: Apr 2006, Posts: 5)

    cmdService

    Hello!
    I've been looking around the net for a fix to remove the cmdService spyware/malware. It's found by Spybot S&D, but can't be removed and returns every time I restart my computer.
    I've tried every single given solution I've found on the net, but I still can't remove it, so this is my last chance.

    My Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:06:13, on 2006-04-11
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\WINDOWS\system32\?icrosoft\r?gsvr32.exe
    C:\Program\Norman\NPF\NPFMSG.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\Program\MSN Messenger\msnmsgr.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Win32 Kernel Update] C:\WINDOWS\System32\win32update.exe
    O4 - HKLM\..\Run: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\RunServices: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [Sepe] "C:\WINDOWS\System32\FNTS~1\msiexec.exe" -vt yax
    O4 - HKCU\..\Run: [Iittjcls] C:\WINDOWS\system32\?icrosoft\r?gsvr32.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144581822250
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1148
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: Run - C:\WINDOWS\system32\j26m0cj1efo.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gp0ol3d31.dll
    O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program\Norman\NPF\NPFSVICE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinVideoDriver (WinVideo16) - Unknown owner - C:\WINDOWS\Win32Update.exe (file missing)
    O23 - Service: wxpdll32 - Unknown owner - C:\WINDOWS\wxpdll32.exe (file missing)

    Please help me, I'm getting annoyed with all those new browser windows opening all the time, and even in Firefox with new folds opening all the time.

  2. #2 Rawe, Security Expert-Emeritus (Join Date: Mar 2006, Location: Finland, Posts: 393)

    Hello and welcome..

    Let's get started. You have a few infections there.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please download Look2Me-Destroyer to your desktop.

    Before continuing with the fix there is something you must do:
    • Click Start -> Run and type in: services.msc
    • Check that the following services are running and that their startup is set to automatic:
    • Seclogon, or Secondary logon service
    • Next, your machine needs to be offline; manually disconnect the network cable if necessary.
    • Your antivirus, and every other security software MUST be disabled.


    Now continue:
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Re-launch your Anti-virus/Firewall protection.
    • Re-connect back to the internet.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  3. #3 Junior Member (Join Date: Apr 2006, Posts: 5)

    Hi there and thank you for helping me out!

    I followed your instructions and here are the logs:

    First, the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:14:29, on 2006-04-11
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\?icrosoft\r?gsvr32.exe
    C:\Program\Norman\NPF\NPFMSG.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Win32 Kernel Update] C:\WINDOWS\System32\win32update.exe
    O4 - HKLM\..\Run: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\RunServices: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [Sepe] "C:\WINDOWS\System32\FNTS~1\msiexec.exe" -vt yax
    O4 - HKCU\..\Run: [Iittjcls] C:\WINDOWS\system32\?icrosoft\r?gsvr32.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144581822250
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1148
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program\Norman\NPF\NPFSVICE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinVideoDriver (WinVideo16) - Unknown owner - C:\WINDOWS\Win32Update.exe (file missing)
    O23 - Service: wxpdll32 - Unknown owner - C:\WINDOWS\wxpdll32.exe (file missing)


    And here we have the Look2Me-Destroyer Log:


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 2006-04-11 20:11:04

    Infected! C:\WINDOWS\system32\j26m0cj1efo.dll
    Infected! C:\WINDOWS\system32\gp0ol3d31.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007310.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007338.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007353.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007376.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0011025.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011052.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011061.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011094.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011119.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011137.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011156.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011157.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011168.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011180.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012174.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012178.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012186.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012205.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012215.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012222.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012236.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012245.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012248.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012257.dll
    Infected! C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012265.dll
    Infected! C:\WINDOWS\system32\alkctrs.dll
    Infected! C:\WINDOWS\system32\dbserver.dll
    Infected! C:\WINDOWS\system32\en42l1ho1.dll
    Infected! C:\WINDOWS\system32\gp0ol3d31.dll
    Infected! C:\WINDOWS\system32\kcdro.dll
    Infected! C:\WINDOWS\system32\ktn2l75o1.dll
    Infected! C:\WINDOWS\system32\mrwstr10.dll
    Infected! C:\WINDOWS\system32\mxwmdmsp.dll
    Infected! C:\WINDOWS\system32\o0pqla751d.dll
    Infected! C:\WINDOWS\system32\ozcache.dll
    Infected! C:\WINDOWS\system32\r4r6le9s1h.dll
    Infected! C:\WINDOWS\system32\vjpodbc.dll
    Infected! C:\WINDOWS\system32\wladmod.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\gp0ol3d31.dll
    C:\WINDOWS\system32\gp0ol3d31.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007310.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007310.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007338.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007338.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007353.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007353.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007376.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0007376.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0011025.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP22\A0011025.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011052.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011052.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011061.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011061.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011094.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011094.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011119.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011119.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011137.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011137.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011156.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011156.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011157.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011157.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011168.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011168.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011180.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP23\A0011180.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012174.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012174.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012178.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012178.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012186.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012186.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012205.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012205.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012215.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012215.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012222.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012222.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012236.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012236.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012245.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012245.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012248.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012248.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012257.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012257.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012265.dll
    C:\System Volume Information\_restore{D53D735D-133C-4B36-9DBA-40A592633D42}\RP24\A0012265.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\alkctrs.dll
    C:\WINDOWS\system32\alkctrs.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dbserver.dll
    C:\WINDOWS\system32\dbserver.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\en42l1ho1.dll
    C:\WINDOWS\system32\en42l1ho1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\gp0ol3d31.dll
    C:\WINDOWS\system32\gp0ol3d31.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\kcdro.dll
    C:\WINDOWS\system32\kcdro.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ktn2l75o1.dll
    C:\WINDOWS\system32\ktn2l75o1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\mrwstr10.dll
    C:\WINDOWS\system32\mrwstr10.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\mxwmdmsp.dll
    C:\WINDOWS\system32\mxwmdmsp.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\o0pqla751d.dll
    C:\WINDOWS\system32\o0pqla751d.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ozcache.dll
    C:\WINDOWS\system32\ozcache.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\r4r6le9s1h.dll
    C:\WINDOWS\system32\r4r6le9s1h.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\vjpodbc.dll
    C:\WINDOWS\system32\vjpodbc.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\wladmod.dll
    C:\WINDOWS\system32\wladmod.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run
    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F5DC21A9-F8CF-4E26-B456-265FB9667507}"
    HKCR\Clsid\{F5DC21A9-F8CF-4E26-B456-265FB9667507}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CD4328CD-EFB6-4EAB-B655-35ABB6464A13}"
    HKCR\Clsid\{CD4328CD-EFB6-4EAB-B655-35ABB6464A13}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6BF44C78-30E9-49FF-9F39-F8270A3EE031}"
    HKCR\Clsid\{6BF44C78-30E9-49FF-9F39-F8270A3EE031}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D3317197-714F-4420-AA72-A4AEF86C3382}"
    HKCR\Clsid\{D3317197-714F-4420-AA72-A4AEF86C3382}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2075FF86-4F65-471A-BA27-EE31B7A03984}"
    HKCR\Clsid\{2075FF86-4F65-471A-BA27-EE31B7A03984}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{31DEA37D-F1B3-4723-AEF8-65BDEA013C21}"
    HKCR\Clsid\{31DEA37D-F1B3-4723-AEF8-65BDEA013C21}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE3FF989-E35D-4679-9977-1B31CC5665BE}"
    HKCR\Clsid\{DE3FF989-E35D-4679-9977-1B31CC5665BE}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{65DDEC30-1C16-44DB-A0B0-F9D74BE3EBA4}"
    HKCR\Clsid\{65DDEC30-1C16-44DB-A0B0-F9D74BE3EBA4}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E11F9131-A5ED-4C45-AC5F-7EED1BBCF378}"
    HKCR\Clsid\{E11F9131-A5ED-4C45-AC5F-7EED1BBCF378}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D9BD7477-2256-4BEB-ACBC-70E4C575D8A1}"
    HKCR\Clsid\{D9BD7477-2256-4BEB-ACBC-70E4C575D8A1}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administratörer - Succeeded

  4. #4 Rawe, Security Expert-Emeritus (Join Date: Mar 2006, Location: Finland, Posts: 393)

    OK then; let's continue.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    1. Please download Ewido Anti-Malware
    • Install Ewido Anti-malware
    • Launch Ewido, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.
    • When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

      You will need to update Ewido to the latest definition files.
      • On the left hand side of the main screen click Update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit Ewido, do not run the scan yet!
    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates

    ==

    2. Please download Brute Force Uninstaller to your desktop.
    • Right-click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    ==

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    ==

    Please run a scan with HijackThis and check the following objects for removal if present:

    O4 - HKLM\..\Run: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\RunServices: [AdobeReaderPro] lssas.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [Sepe] "C:\WINDOWS\System32\FNTS~1\msiexec.exe" -vt yax
    O4 - HKCU\..\Run: [Iittjcls] C:\WINDOWS\system32\?icrosoft\r?gsvr32.exe


    Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

    ==

    4. Next, Please Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection.
    • Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
    Close Ewido anti-malware.

    ==

    5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the Complete script execution box to pop up and hit OK.
    • Press Exit to terminate the BFU program.
    Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log.

  5. #5 Junior Member (Join Date: Apr 2006, Posts: 5)

    Hello again and thank you again for helping me out. The pop-ups disappeared last night after the first fix, but I did follow your new instructions as well, and here they are, first the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:11:22, on 2006-04-12
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program\ewido anti-malware\ewidoctrl.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\Program\Norman\NPF\NPFMSG.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Win32 Kernel Update] C:\WINDOWS\System32\win32update.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Global Startup: NPF Messenger.lnk = ?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144581822250
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1148
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program\Norman\NPF\NPFSVICE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinVideoDriver (WinVideo16) - Unknown owner - C:\WINDOWS\Win32Update.exe (file missing)
    O23 - Service: wxpdll32 - Unknown owner - C:\WINDOWS\wxpdll32.exe (file missing)

    and the log from ewido:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 14:08:14, 2006-04-12
    + Report-Checksum: E9628C9E

    + Scan result:

    HKU\S-1-5-21-117609710-1644491937-725345543-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
    HKU\S-1-5-21-117609710-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.65:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.67:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.90:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.91:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.115:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.134:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.135:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.138:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.139:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.140:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.141:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.154:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.155:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.179:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.180:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.181:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.182:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.183:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.184:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.185:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.186:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.192:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.194:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    :mozilla.199:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Epilot : Cleaned with backup
    :mozilla.244:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.245:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.246:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.247:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.255:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.256:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.257:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.258:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.265:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.266:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.267:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.268:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.312:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.313:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.314:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.315:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.316:C:\Documents and Settings\Koira\Application Data\Mozilla\Firefox\Profiles\gcfk10qf.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Koira\Cookies\koira@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Koira\Cookies\koira@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Koira\Cookies\koira@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
    C:\Documents and Settings\Koira\Cookies\koira@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
    C:\Documents and Settings\Koira\Cookies\koira@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\!UPDATE.0XE -> Downloader.PurityScan.bw : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\temp.fr03B9 -> Adware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\temp.fr8026\Programs\webhdll.dll -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\temp.frBDFF -> Adware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\temp.frF99C -> Adware.Look2Me : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\Temporary Internet Files\Content.IE5\X12OG8XM\!update-3595[1].0000 -> Downloader.PurityScan.bw : Cleaned with backup
    C:\Documents and Settings\Koira\Lokala inställningar\Temp\Temporary Internet Files\Content.IE5\X12OG8XM\DRSMARTLOAD45A[1].0XE -> Downloader.Adload.ai : Cleaned with backup
    C:\WINDOWS\DH.0LL -> Hijacker.Small.jf : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERSL_0001_N68M2802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERSL_0001_N68M2802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERSL_0001_N68M2802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UERSL_0001_N68M2802NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\system32\AD.0TML -> Hijacker.Agent.e : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Application Data\ΑрpPatch\wυcrtupd.exe -> Adware.PurityScan : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\AH65UT0J\MOUSEPAD9[1].0XE -> Downloader.VB.aaf : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\QXW7ONOJ\!update-3620[1].0000 -> Downloader.PurityScan.w : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\QXW7ONOJ\DRSMARTLOAD[1].0XE -> Downloader.VB.aad : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Mina dokument\аѕsembly\javaw.exe -> Downloader.PurityScan.w : Cleaned with backup
    C:\WINDOWS\system32\ERASEME_76254.0XE -> Backdoor.SdBot.xd : Cleaned with backup
    C:\WINDOWS\system32\Fοnts\MSIEXEC.0XE -> Downloader.PurityScan.w : Cleaned with backup
    C:\WINDOWS\system32\glmj.dll -> Adware.PurityScan : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\Temp\!UPDATE.0XE -> Downloader.PurityScan.w : Cleaned with backup
    C:\WINDOWS\WIN32UPDATE.0XE -> Backdoor.SdBot.xd : Cleaned with backup
    C:\WINDOWS\wxpdll32.0xe -> Backdoor.Aimbot.dd : Cleaned with backup


    ::Report End

  6. #6
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Almost finished.

    Go ahead and remove BFU, Ewido & Look2Me-Destroyer.

    ==

    Please run a scan with HijackThis and check the following objects for removal:

    O4 - HKLM\..\Run: [Win32 Kernel Update] C:\WINDOWS\System32\win32update.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1148


    Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

    ==

    Click Start -> Run and type in:

    services.msc

    Click "OK".

    In the Services window find the service: WinVideoDriver

    Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

    Then repeat the step for the following service: wxpdll32

    ==

    Now delete the bad services:
    • Open HiJackThis
    • Click on the configure button on the bottom right
    • Click on the tab "Misc Tools"
    • Click on "Delete an NT service"
    • Copy and paste this in: WinVideo16
    • Click "ok", then reboot


    Repeat the step for the following service: wxpdll32

    ==

    After the last reboot, please delete the following files if present:

    C:\WINDOWS\Win32Update.exe
    C:\WINDOWS\wxpdll32.exe


    Then finally empty recycle bin and post back with a fresh HijackThis log.
    Hi there, stranger!

    Proud Member of ASAP since 2005.
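The checks Rawe applies by hand above (services whose binary HijackThis reports as "file missing", unknown-owner services living directly under C:\WINDOWS, and the Run entry that starts the same binary as one of those services) can be written down as a small triage script. This is an added example, not HijackThis code and not part of the thread; the sample lines are constructed from the shape of the log posted above, and the flagging rules are heuristics chosen for the example, not rules HijackThis or the helpers here use.

```python
"""Triage of HijackThis O4/O23 lines. Added example; not HijackThis code and not
part of this thread. The flagging rules are heuristics chosen for the example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Win32 Kernel Update] C:\\WINDOWS\\System32\\win32update.exe
O4 - HKLM\\..\\Run: [F-Secure Manager] "C:\\Program\\F-Secure Anti-Virus\\Common\\FSM32.EXE" /splash
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\\Program\\F-SECU~1\\backweb\\4476822\\Program\\SERVIC~1.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\\Program\\Norman\\NPF\\NPFSVICE.EXE
O23 - Service: WinVideoDriver (WinVideo16) - Unknown owner - C:\\WINDOWS\\Win32Update.exe (file missing)
O23 - Service: wxpdll32 - Unknown owner - C:\\WINDOWS\\wxpdll32.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Directories where an unknown-owner service binary deserves a second look (heuristic).
WINDOWS_ROOTS = {"c:\\windows", "c:\\windows\\system32"}


@dataclass
class Entry:
    section: str            # "O4" (Run key) or "O23" (service)
    name: str               # Run value name or service display name
    exe: str                # executable path exactly as HijackThis printed it
    owner: Optional[str]    # service owner string, None for O4 entries
    file_missing: bool      # HijackThis appended "(file missing)"


@dataclass
class Finding:
    section: str
    name: str
    reasons: Tuple[str, ...]


def _executable(cmd: str) -> str:
    """First token of a Run command: a quoted path or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _dirname(path: str) -> str:
    head, sep, _ = path.rpartition("\\")
    return head.lower() if sep else ""   # bare names like SOUNDMAN.EXE carry no directory


def _basename(path: str) -> str:
    return path.rpartition("\\")[2].lower()


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for O4 Run and O23 Service lines, None for every other line."""
    m = O4_RE.match(line.strip())
    if m:
        return Entry("O4", m["name"], _executable(m["cmd"]), None, False)
    m = O23_RE.match(line.strip())
    if m:
        return Entry("O23", m["display"], m["path"], m["owner"], m["missing"] is not None)
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every parsed entry and return what deserves a look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    findings: List[Finding] = []
    flagged_binaries = set()
    for e in entries:
        if e.section != "O23":
            continue
        reasons = []
        if e.file_missing:
            reasons.append("service points at a missing binary (orphaned service entry)")
        if e.owner == "Unknown owner" and _dirname(e.exe) in WINDOWS_ROOTS:
            reasons.append("unknown-owner service binary directly in the Windows directory")
        if reasons:
            findings.append(Finding("O23", e.name, tuple(reasons)))
            flagged_binaries.add(_basename(e.exe))
    # A Run entry that starts the same binary name as a flagged service is the
    # other half of the same persistence and is reported next to it.
    for e in entries:
        if e.section == "O4" and _basename(e.exe) in flagged_binaries:
            findings.append(Finding("O4", e.name, ("Run entry shares its binary name with a flagged service",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<24}" + "; ".join(f.reasons))
```

Run against the constructed sample it reports the two services (each with both reasons) and the "Win32 Kernel Update" Run entry, and leaves the Norman and BackWeb services alone even though they also show "Unknown owner", because their binaries sit under Program rather than directly in the Windows directory. The output is a list of things to look at, not a verdict; the decision to stop, disable and delete a service stays with the person reading the log, as in Rawe's instructions.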

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    5

    Default

    Hello,
    the final(?) Hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:03:23, on 2006-04-12
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    C:\Program\F-Secure Anti-Virus\backweb\4476822\Program\fspex.exe
    C:\Program\Norman\NPF\NPFSVICE.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
    C:\Program\F-Secure Anti-Virus\Common\FSMB32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FCH32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FAMEH32.EXE
    C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
    C:\Program\Norman\NPF\NPFMSG.EXE
    C:\Program\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Global Startup: NPF Messenger.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144581822250
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Anti-Virus\Common\FSMA32.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program\Norman\NPF\NPFSVICE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  8. #8
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Looks clean to me

    ==

    First priority: Install Service Pack 2 by visiting WindowsUpdates. After you have installed it, reboot, download & install ALL the available critical updates. Then some more preventive maintenance:

    Please read here how to clear old restore points and create a new one.

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Here are some tips for the future to prevent spyware:

    Detect and Remove Programs:
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    Prevention Programs:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Other necessary Programs:
    • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
    • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
    • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
    And also see TonyKlein's good advice;
    So how did I get infected in the first place? (My favourite)
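The hosts-file tip above works because the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 never leaves the machine. The same file is also a favourite place for malware to redirect security-vendor or update sites elsewhere, so it is worth auditing in both directions. The script below is an added example, not part of the thread or of the MVPS file: it parses a hosts file, lists the names that are sinkholed to a local address, and flags any entry that points a name at a routable address. The fragment it parses is constructed, with made-up names under the reserved .test domain.

```python
"""Audit a hosts file for sinkholed names and for redirects to routable addresses.
Added example, not part of the thread; the sample fragment is constructed."""
import ipaddress
from typing import List, Tuple

# Constructed sample in the style of a blocking hosts file (not the MVPS file itself).
HOSTS_SAMPLE = """\
# blocking entries: the name resolves to the local machine and the request goes nowhere
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test       # sinkholed, as the thread describes
127.0.0.1       stats.example-counter.test
0.0.0.0         banners.example-adnet.test      # newer block lists use 0.0.0.0 instead
# constructed hijack: a vendor-looking name pointed at a routable address
203.0.113.7     update.example-av.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are dropped,
    and a line with several names yields one pair per name."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def is_sinkhole(address: str) -> bool:
    """True for the addresses a blocking hosts file uses: loopback (127.x) or 0.0.0.0."""
    addr = ipaddress.ip_address(address)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split entries into blocked names and suspicious redirects.
    localhost is skipped; an unparseable address counts as suspicious."""
    blocked: List[Tuple[str, str]] = []
    suspicious: List[Tuple[str, str]] = []
    for address, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            target = blocked if is_sinkhole(address) else suspicious
        except ValueError:
            target = suspicious
        target.append((name, address))
    return blocked, suspicious


if __name__ == "__main__":
    blocked, suspicious = audit_hosts(HOSTS_SAMPLE)
    print("blocked:", [n for n, _ in blocked])
    print("suspicious:", suspicious)
```

On a real system point it at C:\WINDOWS\system32\drivers\etc\hosts (or /etc/hosts). A long blocked list is what the MVPS file is supposed to produce; anything in the suspicious list is a name being redirected to another machine and needs an explanation.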

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    5

    Default

    Well, I have to say Thanks again for helping me out. Kiitos

  10. #10
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    You're welcome (ole hyvä!) :D

    ==

    Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM a Staff member with its address and request. This only applies to the Original poster. Glad we were able to help.
