I have done everything the guide asks. Now the computer seems to be clean... but... but... There are some problems, and F-Secure seems to find something that AVG etc. do not.
AVG finds something, as do Super and Panda. Now I think there is still something left, and F-Secure keeps telling me that harmful code was found in (etc. path). AVG gives a clean result.
The last one done is Hijack!
And here are the Hijack and some other logs:
Logfile of HijackThis v1.99.1
Scan saved at 15:52:18, on 16.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\dna Nettiturva\Common\FSM32.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\DNANET~1\backweb\4653381\Program\SERVIC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
C:\Program Files\dna Nettiturva\Anti-Virus\fsgk32st.exe
C:\Program Files\dna Nettiturva\backweb\4653381\program\fsbwsys.exe
C:\Program Files\dna Nettiturva\Anti-Virus\FSGK32.EXE
C:\Program Files\dna Nettiturva\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\dna Nettiturva\Common\FSMB32.EXE
C:\Program Files\dna Nettiturva\Anti-Virus\fssm32.exe
C:\Program Files\dna Nettiturva\backweb\4653381\Program\dna Nettiturva.exe
C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\dna Nettiturva\Common\FCH32.EXE
C:\Program Files\Motherboard Monitor 5\DLL\display.dll
C:\Program Files\dna Nettiturva\Common\FAMEH32.EXE
C:\Program Files\dna Nettiturva\Anti-Virus\fsrw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\dna Nettiturva\FWES\Program\fsdfwd.exe
C:\Program Files\dna Nettiturva\Anti-Virus\fsav32.exe
C:\PROGRA~1\DNANET~1\ANTI-S~1\fsaw.exe
C:\Program Files\dna Nettiturva\FSGUI\fsguidll.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Opera7\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloadsofta\Korjaus 12_2006\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.dnai....net/login.wssp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dnainternet.fi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dna Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://paivitys.dnai...hteys/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\dna Nettiturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\dna Nettiturva\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\dna Nettiturva\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\dna Nettiturva\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: dna Nettiturva.lnk = C:\Program Files\dna Nettiturva\backweb\4653381\Program\dna Nettiturva.exe
O8 - Extra context menu item: &Estä tämä kohoikkuna - C:\Program Files\dna Nettiturva\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Lähetä &Bluetooth-laitteeseen - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie_ctx.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE-suojaus - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\dna Nettiturva\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-suojaus... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\dna Nettiturva\Anti-Spyware\ieshield.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dnainternet.fi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dna Nettiturva (BackWeb Plug-in - 4653381) - BackWeb Technologies Inc. - C:\PROGRA~1\DNANET~1\backweb\4653381\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth-ohjelmisto\bin\btwdins.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\dna Nettiturva\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\dna Nettiturva\backweb\4653381\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\dna Nettiturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\dna Nettiturva\Common\FSMA32.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\System32\com\oboe32\rundmc.exe (file missing)
AVG
+ Created at: 10:14:40 16.12.2006
+ Scan result:
C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016160.Dll -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016161.Dll -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP38\A0016162.exe -> Adware.GigatechSuperBar : Cleaned with backup (quarantined).
C:\FOUND.017\FILE0001.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.017\FILE0005.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.019\FILE0007.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\FOUND.022\FILE0001.CHK -> Adware.IGetNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Error during cleaning.
C:\FOUND.013\FILE0002.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0005.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0009.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0037.CHK -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\FOUND.013\FILE0029.CHK -> Adware.TopMoxie : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Com\oboe32\SYSTRAY.0XE -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{218E5F57-255A-4179-855D-0D5353FEBEDB}\RP2\A0000015.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{218E5F57-255A-4179-855D-0D5353FEBEDB}\RP2\A0000016.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\GYMSPZD.0LL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\gymspzd.dll -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NTDBG.0XE -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NTDBG.1XE -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\RECOVER32.0LL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\RECOVER32.DLL -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ahuy.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ntdbg.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[584] C:\WINDOWS\System32\rmass.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[596] C:\WINDOWS\System32\rmass.exe -> Downloader.Agent.apd : Cleaned with backup (quarantined).
[780] VM_10001000 -> Downloader.Agent.apd : Cleaned with backup (quarantined).
C:\winstall.exe -> Downloader.Small.cpg : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{5674C277-E6FC-460D-A2AA-3250FCB0D527}\RP66\A0040675.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
::Report end
SUPERantispyware
Scan type : Complete Scan
Total Scan Time : 00:10:25
Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 4728
Registry threats detected : 15
File items scanned : 1708
File threats detected : 2
Trojan.SHELL32
HKLM\System\ControlSet001\Services\Shell32
C:\WINDOWS\SYSTEM32\COM\OBOE32\SHELL32.EXE
HKLM\System\ControlSet002\Services\Shell32
HKLM\System\CurrentControlSet\Services\Shell32
Trojan.Recover32
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}
C:\WINDOWS\SYSTEM32\RECOVER32.DLL
Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\Contains\Files#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}\InstalledVersion#LastModified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll [ ]