[Aki]

Hello!

I have done everything what guide asks to do. Now computer seems to be clean... but... but... There is some problems and f-secure seems to find somethin that avg ym. not.
Avg find something, also super and panda. Now i think there is something still left and F-secure keeps telling me that harmful code found from (ect. path). Avg gives clean result.


Last one which is done is hijack!

And there hijack and some other logs:



Logfile of HijackThis v1.99.1
Scan saved at 15:52:18, on 16.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\dna Nettiturva\Common\FSM32.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\DNANET~1\backweb\4653381\Program\SERVIC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\dna Nettiturva\Anti-Virus\fsgk32st.exe
C:\Program Files\dna Nettiturva\backweb\4653381\program\fsbwsys.exe
C:\Program Files\dna Nettiturva\Anti-Virus\FSGK32.EXE
C:\Program Files\dna Nettiturva\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\dna Nettiturva\Common\FSMB32.EXE
C:\Program Files\dna Nettiturva\Anti-Virus\fssm32.exe
C:\Program Files\dna Nettiturva\backweb\4653381\Program\dna Nettiturva.exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\dna Nettiturva\Common\FCH32.EXE
C:\Program Files\Motherboard Monitor 5\DLL\display.dll
C:\Program Files\dna Nettiturva\Common\FAMEH32.EXE
C:\Program Files\dna Nettiturva\Anti-Virus\fsrw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\dna Nettiturva\FWES\Program\fsdfwd.exe
C:\Program Files\dna Nettiturva\Anti-Virus\fsav32.exe
C:\PROGRA~1\DNANET~1\ANTI-S~1\fsaw.exe
C:\Program Files\dna Nettiturva\FSGUI\fsguidll.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Opera7\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloadsofta\Korjaus 12_2006\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.dnai....net/login.wssp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dnainternet.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://paivitys.dnai...hteys/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\dna Nettiturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\dna Nettiturva\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\dna Nettiturva\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\dna Nettiturva\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: dna Nettiturva.lnk = C:\Program Files\dna Nettiturva\backweb\4653381\Program\dna Nettiturva.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\dna Nettiturva\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\dna Nettiturva\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\dna Nettiturva\Anti-Spyware\ieshield.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dnainternet.fi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dna Nettiturva (BackWeb Plug-in - 4653381) - BackWeb Technologies Inc. - C:\PROGRA~1\DNANET~1\backweb\4653381\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\dna Nettiturva\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\dna Nettiturva\backweb\4653381\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\dna Nettiturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\dna Nettiturva\Common\FSMA32.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\System32\com\oboe32\rundmc.exe (file missing)





AVG
+ Created at: 10:14:40 16.12.2006

+ Scan result:



C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016160.Dll -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016161.Dll -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016162.exe -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\FOUND.017\FILE0001.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.017\FILE0005.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.019\FILE0007.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.022\FILE0001.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Error during cleaning.
C:\FOUND.013\FILE0002.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0005.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0009.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0037.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0029.CHK -> Adware.TopMoxie : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Com\oboe32\SYSTRAY.0XE -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{218E5F57-255A-4179-855D-0D5353FEBEDB}\RP2\A0000015.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{218E5F57-255A-4179-855D-0D5353FEBEDB}\RP2\A0000016.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\GYMSPZD.0LL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\gymspzd.dll -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NTDBG.0XE -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NTDBG.1XE -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\RECOVER32.0LL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\RECOVER32.DLL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ahuy.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ntdbg.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[584] C:\WINDOWS\System32\rmass.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[596] C:\WINDOWS\System32\rmass.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[780] VM_10001000 -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\winstall.exe -> Downloader.Small.cpg : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP66\A0040675.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.


::Report end

SUPERantispyware
Scan type : Complete Scan
Total Scan Time : 00:10:25

Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 4728
Registry threats detected : 15
File items scanned : 1708
File threats detected : 2

Trojan.SHELL32
HKLM\System\ControlSet001\Services\Shell32
C:\WINDOWS\SYSTEM32\COM\OBOE32\SHELL32.EXE
HKLM\System\ControlSet002\Services\Shell32
HKLM\System\CurrentControlSet\Services\Shell32

Trojan.Recover32
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}
C:\WINDOWS\SYSTEM32\RECOVER32.DLL

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains\Files#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\InstalledVersion#LastModified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll [
]

[Advertisements]

System_volume is the restore points

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam
=====================
Fix this with HiJackThis – mark it, close IE, click fix checked

O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\System32\com\oboe32\rundmc.exe (file missing)

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Winlogon

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

[MFDnSC]

System_volume is the restore points

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam
=====================
Fix this with HiJackThis – mark it, close IE, click fix checked

O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\System32\com\oboe32\rundmc.exe (file missing)

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Winlogon

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

[Aki]

Jep!

Turning restorepoint of was little mistake. Now i have explorer.exe missing and i tried to copy it from xp cd to system c:/windows/. Proses management says thet it dont find any explorer.exe file. I know it is there and I´m tried to point it directly.

How i can get explorer back on? It`s very difficult to work without start toolbar and icons.

Edited by Aki, 16 December 2006 - 12:20 PM.

[MFDnSC]

start - run sfc /scannow

[Aki]

No Help... command screen flash one time but Toolbar and icons still missing. Also Right click on desktop causes nothing. I`m workin right now only trough win res mnagement screen and using commands what i remember.

[Aki]

No Help... command screen flash one time but Toolbar and icons still missing. Also Right click on desktop causes nothing. I`m workin right now only trough win res mnagement screen and using commands what i remember.

[Aki]

No Help... command screen flash one time but Toolbar and icons still missing. Also Right click on desktop causes nothing. I`m workin right now only trough win res mnagement screen and using commands what i remember.

[Aki]

No Help... command screen flash one time but Toolbar and icons still missing. Also Right click on desktop causes nothing. I`m workin right now only trough win res mnagement screen and using commands what i remember.

[MFDnSC]

Boot from the CD and do a repair install - turning off restore points did not cause this