Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

VERY tough Malware. HJT log.[RESOLVED]

Started by Ace81 , May 25 2005 06:17 AM

  • This topic is locked This topic is locked

#1
Ace81
Posted 25 May 2005 - 06:17 AM

Ace81

    New Member

  • Member
  • Pip
  • 4 posts
Hi,

I am advanced computer user even studying computers but I haven't had much problem with malwares before. Now, I got very annoying problem with advertisement.
The problem has been in and is still that I get advertisement popups from internet. the most typical is www.loadingwebsite.com. Another is www.Paypopup.com. Then there are abcsearch and other too like www.nuker.com. Sometimes I get advertisement, sometimes just blank screen but that's annoying and must get rid of.

Here are the synopsis:
1)I have up to date F-secure Anti-Virus client installed. It doesn't show any infections while full scan tho it founds viruses in temp. internet files for some reason. Does these adv. programs load them more to my system?

2)I used uptodate Ad Aware SE. First time, it showed many harmful infections. I removed them. Now, it doesn't show anything except some data mining cookies

3)I have used SpyBot and immunized the system. Spybot found many infections but removed them.

4)I used XoftSpy. Same thing that Spybot

5)I used Easycleaner and Spywareblaster. No changes even there were a lot to clean.

6)I used HiJackThis. I removed some unneccessary files and some that are maybe dangerous. I got some advices for this too.

Here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 14:45:17, on 25.5.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Hemmil„t\Ty”p”yt„\l2mfix\second.bat
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab30149.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...slv32_EN_XP.cab
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

---

then, I will ad SpyBot's recent log. I don't want to remove needed backweb files by F-secure. but is there anything odd?


--- Search result list ---
BackWeb lite: Interface (IBackWebChannelVariable) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{FEFCA7F0-6C8E-11D0-A866-0000B43699FC}

BackWeb lite: File extension (Rekisterin avain, nothing done)
HKEY_CLASSES_ROOT\.bwp

BackWeb lite: File extension (Rekisterin avain, nothing done)
HKEY_CLASSES_ROOT\bwpfile

BackWeb lite: Global settings (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\BackWeb

BackWeb lite: Interface (IBackWeb) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF355-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWeb2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{23F43240-F78D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface (IBackWeb4) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{740904E0-0BFB-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebAlertSettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{72B62B40-17D1-11D1-96A7-F8E906C10000}

BackWeb lite: Interface (IBackWebAllInfoPakCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8131F530-649E-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebAllStoryCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46423-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebApplicationNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{D0894D60-6C6C-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF35B-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9647FB70-DC0F-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebChannel4) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{AEE96320-2131-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebChannel4_2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{025632A0-BCEC-11D1-8B35-00609761C47A}

BackWeb lite: Interface (IBackWebChannelCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53FCF35A-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelCollection4) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BCD0C200-69C1-11D1-8AF8-00609761C47A}

BackWeb lite: Interface (IBackWebChannelDownloadServices) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9132E380-DC21-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebChannelTableNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2F523082-5A0B-11D0-9B9C-444553540000}

BackWeb lite: Interface (IBackWebChannelVariableCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A4BC67F0-6C90-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebCommSettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC5-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebCommunications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BAD37BC0-2231-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDialerSettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC4-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebDirectory) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{15030BC0-0B52-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDirectoryEntry) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0C6E0440-0B50-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDirectoryEntryCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5DF6CE40-0B50-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDirectoryNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{41CEBDC0-32C1-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebDisplaySettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC6-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebDisplaySettings4_2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{001B3F20-D866-11D1-8B4C-00609761C47A}

BackWeb lite: Interface (IBackWebDownloadTimeConstraint) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0D1F7C83-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface (IBackWebDownloadTimeConstraintCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0D1F7C84-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface (IBackWebExtension) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0F4FE440-983F-11D0-9B9C-444553540000}

BackWeb lite: Interface (IBackWebFileAccess) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A6E-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebFileAccessViaDir) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{608FE360-6FB2-11D1-A885-0000B43699FC}

BackWeb lite: Interface (IBackWebFilterSettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C8CEEEE0-17D6-11D1-96A7-F8E906C10000}

BackWeb lite: Interface (IBackWebGeneralSettings) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC3-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebGeneralSettings2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E01AD640-F87D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface (IBackWebInfoPak) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EB1FFFC2-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPak4_2) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{610141C2-7701-11D1-B042-004095903824}

BackWeb lite: Interface (IBackWebInfoPakCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EB1FFFC1-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakDownloadServices) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2DE07D90-DC04-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakFile) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A74-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakFilesCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A71-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebInfoPakNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4A3666F3-5F2D-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebItemDownloadServices) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{93BF8F00-DBE8-11D0-A875-0000B43699FC}

BackWeb lite: Interface (IBackWebOpenInfoPakFile) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3AF78A77-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface (IBackWebPlayer) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8028B940-4932-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebSetup) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{12473FC7-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebSetup4) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3667E7B0-4F28-11D1-8ADB-00609761C47A}

BackWeb lite: Interface (IBackWebSetupNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2F099AF0-6329-11D0-A866-0000B43699FC}

BackWeb lite: Interface (IBackWebStory) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46424-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9DB46422-FF61-11D0-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryField) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5B1E13A0-004B-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryFieldCollection) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{1D91D9E0-004B-11D1-9951-444553540000}

BackWeb lite: Interface (IBackWebStoryTableNotifications) (Rekisterin avain, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{44230BC0-3105-11D1-9951-444553540000}

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\S-1-5-21-448539723-1383384898-682003330-1004\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\S-1-5-21-448539723-1383384898-682003330-1004\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Netscape viewer (Rekisterin arvo, nothing done)
HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: User settings (Rekisterin avain, nothing done)
HKEY_USERS\S-1-5-18\Software\BackWeb

BackWeb lite: User settings (Rekisterin avain, nothing done)
HKEY_USERS\S-1-5-21-448539723-1383384898-682003330-1004\Software\BackWeb

BackWeb lite: User settings (Rekisterin avain, nothing done)
HKEY_USERS\.DEFAULT\Software\BackWeb


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-04-27 Includes\Dialer.sbi
2005-05-12 Includes\Hijackers.sbi
2005-04-15 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-05-11 Includes\Malware.sbi
2005-05-11 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-05-11 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-05-11 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows Media Player: Windows Media Player Hotfix -päivitys [lisätietoja on artikkelissa Q828026]
/ Windows Media Player / SP0: Windows Media Player Hotfix -päivitys [lisätietoja on artikkelissa Q828026]
/ Windows Media Player: Windows Media Update 320920
/ Windows XP / SP1: Windows XP Hotfix - KB821557
/ Windows XP / SP1: Windows XP Hotfix - KB823182
/ Windows XP / SP1: Windows XP Hotfix - KB824105
/ Windows XP / SP1: Windows XP Hotfix- KB824141
/ Windows XP / SP1: Windows XP Hotfix- KB828035
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q305691 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q306582 for more information]
/ Windows XP / SP1 / Q308678: Windows XP Hotfix (SP1) [See Q308678 for more information]
/ Windows XP / SP1 / Q309521: Windows XP Hotfix (SP1) [See Q309521 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311967 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q313450 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317277 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q318138 for more information]
/ Windows XP / SP1: Windows XP Application Compatibility Update[Q319580]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q323172 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q324096 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q324380 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q326830 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q328940 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811493
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q815021
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q819696
/ Windows XP / SP2: Windows XP Hotfix- KB823559
/ Windows XP / SP2: Windows XP Hotfix- KB825119
/ Windows XP / SP2: Windows XP Hotfix- KB828741
/ Windows XP / SP2: Windows XP Hotfix- KB833987
/ Windows XP / SP2: Windows XP Hotfix- KB835732
/ Windows XP / SP2: Windows XP Hotfix- KB837001
/ Windows XP / SP2: Windows XP Hotfix- KB839643
/ Windows XP / SP2: Windows XP Hotfix- KB839645
/ Windows XP / SP2: Windows XP Hotfix- KB840315
/ Windows XP / SP2: Windows XP Hotfix- KB840374
/ Windows XP / SP2: Windows XP Hotfix- KB841873
/ Windows XP / SP2: Windows XP Hotfix- KB842773
/ Windows XP / SP2: Windows XP Hotfix [Lisätietoja saat lukemalla dokumentin Q323255]
/ Windows XP / SP2: Windows XP Hotfix [Lisätietoja saat lukemalla dokumentin Q329115]


--- Startup entries list ---
Located: HK_LM:Run, EM_EXEC
command: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
file: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
size: 28672
MD5: 621e303c3d83ad5ac6072f446e5232b3

Located: HK_LM:Run, F-Secure Manager
command: "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
file: C:\Program Files\F-Secure\Common\FSM32.EXE
size: 118832
MD5: 0f2f4fdb7e1de09593fd7855d28f3e9b

Located: HK_LM:Run, F-Secure TNB
command: "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
file: C:\Program Files\F-Secure\TNB\TNBUtil.exe
size: 684032
MD5: 53cc050273ca9b6e0011b05644bd8482

Located: HK_LM:Run, iTunesHelper
command: C:\Program Files\iTunes\iTunesHelper.exe
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 286720
MD5: a609fb3f0d15b741cd628df2b25f651e

Located: HK_LM:Run, LogitechVideoRepair
command: C:\Program Files\Logitech\Video\ISStart.exe
file: C:\Program Files\Logitech\Video\ISStart.exe
size: 458752
MD5: 3c0ee706ceb7e9a154bf8e7749ca5a91

Located: HK_LM:Run, LogitechVideoTray
command: C:\Program Files\Logitech\Video\LogiTray.exe
file: C:\Program Files\Logitech\Video\LogiTray.exe
size: 217088
MD5: 2d3bcca5c7ca55fedd60e3336d3a92af

Located: HK_LM:Run, LVCOMSX
command: C:\WINDOWS\System32\LVCOMSX.EXE
file: C:\WINDOWS\System32\LVCOMSX.EXE
size: 221184
MD5: 5ba8a7da5d0573f7923e02b260aad2f1

Located: HK_LM:Run, msnappau
command: "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe"
file: C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
size: 86016
MD5: e377c992dfbb5837826ea311e436c66d

Located: HK_LM:Run, NeroCheck
command: C:\WINDOWS\System32\\NeroCheck.exe
file: C:\WINDOWS\System32\\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, second
command: C:\Documents and Settings\Hemmil„t\Ty”p”yt„\l2mfix\second.bat

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 55296
MD5: 6878f2bfa204da2a4451f91821fd4391

Located: HK_LM:Run, WinampAgent
command: C:\Program Files\Winamp\winampa.exe
file: C:\Program Files\Winamp\winampa.exe
size: 33792
MD5: 11aa6662a1be30375afd1a8407811e7e

Located: HK_LM:Run, zBrowser Launcher
command: C:\Program Files\Logitech\iTouch\iTouch.exe
file: C:\Program Files\Logitech\iTouch\iTouch.exe
size: 520192
MD5: c265e8d31c7bc3a59458a49c6e5ced4b

Located: HK_CU:Run, msnmsgr
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 6815744
MD5: d846554575a9f571d6b891153faa0c50

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (common), hp psc 1000 series.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
size: 147456
MD5: 03163baf3a5dbf8742804093931d7d32

Located: Startup (common), hpoddt01.exe.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
size: 28672
MD5: a564a22308a3f55235ba2478ee82992d



--- Browser helper object list ---


--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} ()
DPF name:
CLSID name:
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla

{14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~1.DLL
Date (created): 6.4.2004 19:03:54
Date (last access): 25.5.2005 15:15:06
Date (last write): 6.4.2004 19:03:54
Filesize: 172072
Attributes: archive
MD5: 94D1773AEAA2197AFEE3A6F8404FE4E9
CRC32: 76C3823D
Version: 0.9.0.2

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 25.9.2004 12:40:58
Date (last access): 25.5.2005 12:36:48
Date (last write): 9.9.2004 14:45:18
Filesize: 54488
Attributes: archive
MD5: 12EF836DCCCDD0211F3E09D72812B9C6
CRC32: 8038F1E1
Version: 0.10.0.1

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class)
DPF name:
CLSID name: RdxIE Class
description: Netster
classification: Confirmed as malware
known filename:
info link:
info source:
Path: C:\WINDOWS\Downloaded Program Files\
Long name: RdxIE.dll
Short name:
Date (created): 3.6.2004 11:04:04
Date (last access): 25.5.2005 15:15:06
Date (last write): 3.6.2004 11:04:04
Filesize: 520349
Attributes: archive
MD5: 2DBB57FDB7D3BFF88B21924187B3EE02
CRC32: B04A8C78
Version: 0.6.0.0

{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class)
DPF name:
CLSID name: GSDACtl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gsda.dll
Short name:
Date (created): 2.8.2002 11:26:16
Date (last access): 25.5.2005 14:56:30
Date (last write): 2.8.2002 11:26:16
Filesize: 126976
Attributes: archive
MD5: 5EE65B9EC52620265673154EA2B9E5DD
CRC32: 7A1393C7
Version: 0.1.0.0

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 11.4.2005 12:20:22
Date (last access): 25.5.2005 14:18:24
Date (last write): 11.4.2005 12:20:22
Filesize: 118784
Attributes: archive
MD5: 36259D36E842FCF12B3D2F3766E7529F
CRC32: F62E6268
Version: 0.57.0.6

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 5.11.2004 16:58:20
Date (last access): 25.5.2005 13:35:52
Date (last write): 5.11.2004 16:58:20
Filesize: 119496
Attributes: archive
MD5: 1B40AA6A5D25E6CB4EDFC4C717113161
CRC32: 4F5D45E3
Version: 0.1.0.0

{B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class)
DPF name:
CLSID name: ZoneIntro Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZIntro.ocx
Short name:
Date (created): 6.4.2004 19:03:12
Date (last access): 25.5.2005 13:35:52
Date (last write): 6.4.2004 19:03:12
Filesize: 85032
Attributes: archive
MD5: 65431ACCF09A96C3BE53B7681BFFE44D
CRC32: C8777857
Version: 0.9.0.2

{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element)
DPF name:
CLSID name: ASquaredScanForm Element
Path: C:\WINDOWS\DOWNLO~1\
Long name: axscan.ocx
Short name:
Date (created): 5.5.2005 16:28:44
Date (last access): 25.5.2005 13:04:46
Date (last write): 5.5.2005 16:28:44
Filesize: 903680
Attributes: archive
MD5: DD55CC11F700EADBAF1DCC6337C183F6
CRC32: F7EED4BE
Version: 0.1.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 9.6.2004 15:59:26
Date (last access): 25.5.2005 14:28:06
Date (last write): 9.6.2004 15:59:26
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0

{D27CDB6E-AE6D-11CF-96B8-444553546800} ()
DPF name:
CLSID name:

{F72BC3F0-6C20-4793-9DDA-258589D8A907} ()
DPF name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: netslv32.dll
Short name:
Date (created): 6.9.2004 14:43:46
Date (last access): 25.5.2005 14:56:52
Date (last write): 6.9.2004 14:43:46
Filesize: 9728
Attributes: archive
MD5: 7176C1F29E620D1513BC14D7CD15EB4E
CRC32: EE670AB7
Version: 0.1.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 25.5.2005 15:18:44

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 156 ( 824) C:\Program Files\Logitech\Video\FxSvr2.exe
PID: 176 ( 824) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PID: 368 ( 648) C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
PID: 396 ( 648) C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
PID: 412 ( 648) C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
PID: 424 ( 396) C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
PID: 432 ( 368) C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
PID: 448 ( 648) C:\Program Files\F-Secure\Common\FSMA32.EXE
PID: 488 ( 424) C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
PID: 516 ( 4) \SystemRoot\System32\smss.exe
PID: 568 ( 448) C:\Program Files\F-Secure\Common\FSMB32.EXE
PID: 580 ( 516) csrss.exe
PID: 604 ( 516) \??\C:\WINDOWS\system32\winlogon.exe
PID: 648 ( 604) C:\WINDOWS\system32\services.exe
PID: 660 ( 604) C:\WINDOWS\system32\lsass.exe
PID: 824 ( 648) C:\WINDOWS\system32\svchost.exe
PID: 840 ( 648) C:\WINDOWS\System32\svchost.exe
PID: 944 ( 648) C:\WINDOWS\System32\svchost.exe
PID: 1100 ( 648) svchost.exe
PID: 1132 ( 648) svchost.exe
PID: 1256 ( 448) C:\Program Files\F-Secure\Common\FCH32.EXE
PID: 1316 ( 648) wdfmgr.exe
PID: 1420 (1400) C:\WINDOWS\Explorer.EXE
PID: 1484 ( 648) C:\WINDOWS\system32\spoolsv.exe
PID: 1644 (1420) C:\WINDOWS\System32\rundll32.exe
PID: 1728 ( 448) C:\Program Files\F-Secure\Common\FAMEH32.EXE
PID: 1784 (1420) C:\Program Files\Logitech\iTouch\iTouch.exe
PID: 1808 (1420) C:\WINDOWS\SOUNDMAN.EXE
PID: 1816 (1420) C:\Program Files\iTunes\iTunesHelper.exe
PID: 1824 (1420) C:\Program Files\Winamp\winampa.exe
PID: 1832 (1420) C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
PID: 1844 (1420) C:\WINDOWS\System32\LVCOMSX.EXE
PID: 1856 (1420) C:\Program Files\Logitech\Video\LogiTray.exe
PID: 1864 (1420) C:\Program Files\F-Secure\Common\FSM32.EXE
PID: 1884 (1420) C:\Program Files\MSN Messenger\msnmsgr.exe
PID: 1916 (1420) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PID: 1928 (1420) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PID: 2304 ( 648) C:\Program Files\iPod\bin\iPodService.exe
PID: 2388 ( 648) C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
PID: 2432 ( 176) C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
PID: 2452 ( 648) C:\Program Files\F-Secure\Common\FNRB32.EXE
PID: 2512 (3228) C:\Program Files\F-Secure\FSGUI\fsavgui.exe
PID: 2576 ( 448) C:\Program Files\F-Secure\Common\FIH32.EXE
PID: 2580 ( 448) C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
PID: 2820 (1420) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3228 (1864) C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
PID: 3596 (1420) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 4052 (1420) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 25.5.2005 15:18:44

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://g.msn.fi/0SEFIFI/SAOS01
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsof...search.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F0595588-1054-4304-8F03-CC5E3F692CA2}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F0595588-1054-4304-8F03-CC5E3F692CA2}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{18129EDA-E127-40E5-9830-FFABC4D62164}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{18129EDA-E127-40E5-9830-FFABC4D62164}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D1F89F8-60FF-4112-9391-EF979CCC1870}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1D1F89F8-60FF-4112-9391-EF979CCC1870}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69443A4B-D489-46E9-88CC-081D74EEF667}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69443A4B-D489-46E9-88CC-081D74EEF667}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: TCP/IP
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: NLA-nimiavaruus (Network Location Awareness)
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

So. The problem is to get rid of these popups. I am confused. There should be nothing left in computer that can lauch them!? What is wrong in this?

CWShredder found Look2Me but it is removed and cannot be found again. Still, after all cleaning, popups are coming.


Please, some experienced system monitor, help!

As you can see. this computer is not my own. I have got a job to clean this :tazz:

Edited by Ace81, 25 May 2005 - 06:36 AM.

  • 0

Advertisements

#2
Metallica
Posted 25 May 2005 - 06:50 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Whatchemecall a information overdose. :tazz:

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...slv32_EN_XP.cab

Then do a find files for param32.dll , systr.dll or popup_bl.dll and guninst.exe
Most likely they will be in your C:\WINDOWS\System32\ folder

Let me know which ones are found where.

Regards,
  • 0

#3
Ace81
Posted 25 May 2005 - 07:01 AM

Ace81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the fast reply!

I removed the lines. The problem is still there. It just showed me loadingwebsite.com again :tazz:

I am sorry but there are no such files that you told. none of them.

Here is current log:

It SHOULD be pretty clean.

Logfile of HijackThis v1.99.1
Scan saved at 15:54:52, on 25.5.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab30149.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: iPod-palvelu (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Edited by Ace81, 25 May 2005 - 07:01 AM.

  • 0

#4
Metallica
Posted 25 May 2005 - 07:10 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files.
Reboot into safe mode and do a full sytem scan.
Save the logfile from the scan and post it.

Regards,
  • 0

#5
Ace81
Posted 25 May 2005 - 08:39 AM

Ace81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi,

I did what you said. Everything is running smoothly so far.

Ewido found 48 infections. two dialer.generals and rest look2me.hb and mostly .ab. I cleaned all those files and eventually removed them. I wonder why F-secure don't find them!

Thanks for the help! I will be back if problems come back!
  • 0

#6
Metallica
Posted 25 May 2005 - 08:59 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
F-Secure is an AntiVirus and Ewido specializes in Trojans and spyware, so a comparison is not really fair. :tazz:

Let me know tomorrow if your computer is still behaving OK so I can close this thread.

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0

#7
Ace81
Posted 26 May 2005 - 07:23 AM

Ace81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Problem solved. Thanks for the information.
  • 0

#8
Metallica
Posted 26 May 2005 - 07:29 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP