HJT Log for Review Please
Hi! For quite a while I have been fighting against trojans and HSA on my computer. Unfortunately without any success. I was very close to giving up when I found Short-Media Forums.
I have now read the removal guide, done a system restore and also downloaded a program that uninstalled HSA. At least I hope so! (Risky, I know, but I was becoming desperate.) And all of a sudden it seems that the trojans and HSA are gone.
Would someone please review my HJT log to see if my computer is now clean or if there is still something I need to take care of. Thanks!
I use F-Secure Internet Security 2005 and Ad-aware 6.2.0.207.
Logfile of HijackThis v1.99.1
Scan saved at 17:10:26, on 2005-05-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\WinPoET Broadband Connection\WrOS.EXE
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vglfb.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E8A21F6F-CE35-C5F4-D125-77B47648F1A3} - C:\WINDOWS\netmx32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AWMON] "C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Alarm Master Plus.lnk = C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115749792015
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program\WinPoET Broadband Connection\WrOS.EXE
Best regards
Bogart
Comments
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vglfb.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E8A21F6F-CE35-C5F4-D125-77B47648F1A3} - C:\WINDOWS\netmx32.dll (file missing)
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
Now delete this directory:
C:\Program\Common files\updater
Reboot and post a new hijackthis log.
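The reply above picks out the entries that the log itself already marks as broken or missing, plus a search-bar value that points into a local DLL. As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage pass over HijackThis entry lines that applies exactly those checks; the sample log is an excerpt of the log posted above. Note that an autorun such as the `[updater]` O4 entry is not caught by these mechanical checks; that one needs an analyst's judgement or a list of known-good autoruns, which this example does not assume.

```python
import re

# One HijackThis entry line: a section code (R0, R1, O2, O4, O23, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Excerpt of the log posted in this thread (header and process-list lines are kept to show they are skipped).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vglfb.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E8A21F6F-CE35-C5F4-D125-77B47648F1A3} - C:\WINDOWS\netmx32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line; the header and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Map each suspicious entry line to the list of reasons it was flagged.

    Checks (all derived from what the log itself reports):
    - the entry refers to a component HijackThis marks as missing or broken
    - an R0/R1 search or start-page value is a res:// reference into a local DLL
    - the R0 SearchAssistant value is empty (a cleared setting left behind by a hijack)
    """
    findings = {}
    for code, body in parse_entries(log_text):
        reasons = []
        if "(file missing)" in body or "is missing" in body or "Broken Internet access" in body:
            reasons.append("references a missing or broken component")
        if code in ("R0", "R1") and "res://" in body:
            reasons.append("search/start page points at a local DLL resource")
        if code == "R0" and body.endswith("SearchAssistant ="):
            reasons.append("SearchAssistant value is empty")
        if reasons:
            findings[f"{code} - {body}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```

Running it prints the R1, R0 SearchAssistant, R3, O2 and O10 lines with their reasons and stays silent on the NVIDIA autorun and service; the `[updater]` entry, as said, is left for the reviewer.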
I want you to know that your assistance is highly appreciated.
I have now done what you suggested.
A few questions though: Although I placed a checkmark next to the entries R0 SearchAssistant and O4 Run updater and asked HijackThis to fix them, they are still there; after rebooting I still find them in the new log. The three other entries I asked HijackThis to fix were gone.
Furthermore, I don't find any folder called updater in Common Files in the Program folder. This is what I find:
C:\Program\Common Files\Nullsoft\ActiveX\2.0\AOL Media Player Playback Control.exe and lots of .dll files
When I search for updater I find a lot of files linked to programs like Acrobat Reader, Photoshop and Dreamweaver etc., but none linked to the Common Files folder.
Furthermore, when looking in Shared Files I find something called Gator which I don't recognize.
C:\Program\Shared Files\GMT\GatorStubSetup.exe
Does this say anything to you?
Regarding missing files I have found control.exe in System32 but HOSTS was missing.
I have now restored the HOSTS file.
In the ......driver\etc file there are now the following files: Hosts, hosts.bho, lmhosts.sam, networks, protocol, services.
Any comments about this, or should I leave it like it is?
Once again thanks a lot.
Best regards
Bogart
Finally. My new log file:
Logfile of HijackThis v1.99.1
Scan saved at 08:01:02, on 2005-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\WinPoET Broadband Connection\WrOS.EXE
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AWMON] "C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Alarm Master Plus.lnk = C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115749792015
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program\WinPoET Broadband Connection\WrOS.EXE
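The post above compares the two logs by eye to see which of the requested fixes took. As an added example (not from this thread, not a HijackThis feature), here is a Python diff of two HijackThis logs treated as sets of entry lines, plus a check of which requested fixes are still present afterwards; the `BEFORE` and `AFTER` excerpts are taken from the two logs posted above and `REQUESTED_FIXES` is the list from the earlier reply.

```python
import re

# One HijackThis entry line: section code, " - ", body. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Excerpt of the first log posted in this thread (2005-05-14).
BEFORE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vglfb.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E8A21F6F-CE35-C5F4-D125-77B47648F1A3} - C:\WINDOWS\netmx32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
"""

# Excerpt of the second log posted in this thread (2005-05-16).
AFTER = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
"""

# The five entries the earlier reply asked to have fixed.
REQUESTED_FIXES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vglfb.dll/sp.html#12047",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Class - {E8A21F6F-CE35-C5F4-D125-77B47648F1A3} - C:\WINDOWS\netmx32.dll (file missing)",
    r"O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe",
]


def entry_lines(log_text):
    """Set of entry lines in a log; order is irrelevant because HijackThis may list sections in a different order."""
    return {line.strip() for line in log_text.splitlines() if ENTRY_RE.match(line.strip())}


def diff_logs(before, after):
    """Return (removed, added): entries gone since the earlier scan, and entries that newly appeared."""
    b, a = entry_lines(before), entry_lines(after)
    return sorted(b - a), sorted(a - b)


def still_present(after, requested):
    """Which of the entries the reviewer asked to fix are still in the newer log."""
    a = entry_lines(after)
    return [e for e in requested if e.strip() in a]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("requested fixes still present:", *still_present(AFTER, REQUESTED_FIXES), sep="\n  ")
```

On these excerpts the R1, R3 and O2 entries show up as removed, the O17 NameServer line as newly added, and the empty SearchAssistant and the `[updater]` autorun as the two requested fixes that are still present, which matches what the post above reports.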
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Remove everything that it finds.
Reboot and post a new hijackthis log.
The Microsoft AntiSpyware program has now been downloaded and I had it run on my computer.
Five new entries were found which have been removed.
Ad-aware and F-Secure did not find these entries. My remarks????
My log file still includes R0 SearchAssistant as well as O4 Updater.
I have removed the complete Common folder from my hard disk, but still the updater appears to be in this folder.
Any suggestions?
Please find my new log file:
Logfile of HijackThis v1.99.1
Scan saved at 14:40:52, on 2005-05-17
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\WinPoET Broadband Connection\WrOS.EXE
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AWMON] "C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Alarm Master Plus.lnk = C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program\IrfanView\Ebay\Ebay.htm
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115749792015
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program\WinPoET Broadband Connection\WrOS.EXE
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
Reboot and post a new hijackthis log.
Ever since I downloaded Microsoft AntiSpyware a couple of days ago, a new spyware has been visible after scanning: EUniverse Updater Browser Modifier.
Spyware Scan Details
Start Date: 2005-05-19 11:30:05
End Date: 2005-05-19 11:39:49
Total Time: 9 mins 44 secs
Detected Threats
EUniverse Updater Browser Modifier more information...
Details: EUniverse is adware that runs at Windows startup. EUniverse generates pop-up advertisements, and performs a number of spyware related functions such as transmitting personal information and redirecting Internet Explorer.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.
Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run updater
Detected Spyware Cookies
No spyware cookies were found during this scan.
Every time it pops up after scanning in the MS AntiSpyware program I press the Remove button, and I also get a confirmation that the removal has been done, but for some strange reason it is still there. It still pops up the next time I do a scan, despite rebooting or doing the exercise in Safe Mode.
Furthermore, I have asked HijackThis to delete the threats R0 SearchAssistant and O4 HKLM Run updater, but the program does not manage to do so. The threats are still there.
I have also tried to take away those two threats manually in regedit, but they still pop up again.
I have run CWShredder with no problems found. Neither did About:Buster find anything extraordinary present.
The HKLM registry entry refers to a file, C:\Program\Common files\updater\wupdater.exe, that does not exist in the program folder! But where is it??
Furthermore, I have done a System Restore today, but the problem still remains.
So now I really do not know what to do or what to delete.
Since the first sign of spyware a couple of weeks ago I do not run Internet Explorer any more, only Firefox.
My logfile as per today:
Logfile of HijackThis v1.99.1
Scan saved at 19:34:13, on 2005-05-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\WinPoET Broadband Connection\WrOS.EXE
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Microsoft Office\Office10\WINWORD.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AWMON] "C:\Program\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Alarm Master Plus.lnk = C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program\IrfanView\Ebay\Ebay.htm
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115749792015
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program\WinPoET Broadband Connection\WrOS.EXE
Scanned at: 19:39:43 on: 2005-05-19
-- Scan 1
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
You can try fixing that line with HijackThis in Safe Mode. Or you can figure out how to disable F-Secure long enough to allow HijackThis to fix that line. A third option would be to go into the registry and manually delete it, but let's use that as a last resort.
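Before deciding what to fix, a reviewer normally diffs the successive logs a poster supplies and flags the entries that deserve a second look: autostart entries whose target is not on disk (the `updater` case above), services with no publisher, a broken LSP chain, and registry-set DNS servers. The script below is an added example, not part of this thread or of HijackThis itself. The two abbreviated logs and the list of files "present on disk" are constructed from entries quoted above so that it runs offline; on a real machine you would read the logs from files and pass `os.path.exists` as `exists`.

```python
"""Diff successive HijackThis logs and flag the entries worth a second look."""
import os
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed, abbreviated logs (not full copies of the thread's logs):
# one from before the fix and one from after it.
LOG_BEFORE = r"""
Scan saved at 19:34:13, on 2005-05-19
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updater] C:\Program\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
LOG_AFTER = r"""
Scan saved at 15:49:36, on 2005-05-22
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program\Skype\Phone\Skype.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed stand-in for the file system, so the example runs on any OS.
PRESENT_ON_DISK = {p.lower() for p in (
    r"C:\WINDOWS\System32\NvCpl.dll",
    r"C:\Program\Skype\Phone\Skype.exe",
    r"C:\WINDOWS\System32\nvsvc32.exe",
)}

def sample_exists(path: str) -> bool:
    return path.lower() in PRESENT_ON_DISK

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A quoted path, or a drive-letter path up to the first executable-like extension.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk|scr|com|bat))',
                     re.IGNORECASE)

class HjtLog(NamedTuple):
    processes: Set[str]
    entries: Dict[str, Set[str]]   # section ("O4", "O23", ...) -> entry bodies

def parse_hjt(text: str) -> HjtLog:
    """Split one log into its process list and its R*/F*/O* entries."""
    processes: Set[str] = set()
    entries: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.setdefault(m.group("section"), set()).add(m.group("body"))
        elif in_processes:
            processes.add(line)
    return HjtLog(processes, entries)

def command_path(body: str) -> Optional[str]:
    """Absolute path an autostart/service entry points at, or None if relative."""
    m = PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None

def diff_logs(before: HjtLog, after: HjtLog) -> Dict[str, List[str]]:
    """Entries and processes that appeared or disappeared between two snapshots."""
    added, removed = [], []
    for section in sorted(set(before.entries) | set(after.entries)):
        b = before.entries.get(section, set())
        a = after.entries.get(section, set())
        added += [f"{section} - {x}" for x in sorted(a - b)]
        removed += [f"{section} - {x}" for x in sorted(b - a)]
    return {"added": added, "removed": removed,
            "new_processes": sorted(after.processes - before.processes),
            "gone_processes": sorted(before.processes - after.processes)}

def flag_entries(log: HjtLog,
                 exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """(section, entry, reason) for entries a reviewer should examine first."""
    flags = []
    for section, bodies in sorted(log.entries.items()):
        for body in sorted(bodies):
            reasons = []
            if "(file missing)" in body:
                reasons.append("HijackThis reports the target file missing")
            elif section in ("O4", "O23"):
                path = command_path(body)
                if path and not exists(path):
                    reasons.append("autostart target does not exist on disk")
            if section == "O10":
                reasons.append("Winsock LSP chain is broken; repair it, do not delete the entry")
            if section == "O17":
                reasons.append("DNS servers set in the registry; confirm they belong to the ISP")
            if section == "O23" and "Unknown owner" in body:
                reasons.append("service binary carries no publisher information")
            if reasons:
                flags.append((section, body, "; ".join(reasons)))
    return flags

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for kind, items in diff_logs(before, after).items():
        for item in items:
            print(f"{kind:>14}: {item}")
    for section, body, why in flag_entries(before, exists=sample_exists):
        print(f"REVIEW {section}: {body}\n    -> {why}")
```

The `updater` entry is flagged only because its target is absent, which is the same clue the poster found by hand; a present but unsigned binary would need a hash or publisher check instead. O10 entries are reported but should not be "fixed" in HijackThis: removing a Winsock LSP entry breaks networking, so use a Winsock repair tool for those.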
Unless some new bad entries which I do not recognise are hiding somewhere in the new log file, at last my system seems to be clean.
Please make a final review.
I sincerely hope that the target finally has been met and, if so, I can assure you that it's a great relief. Thanks to your excellent support, HijackThis, Spyware Doctor and some other exercises made lately, including some careful removal in regedit, the system now seems to be clean and also stays clean even after rebooting!
Would like to put forward a thousand thanks to you for your support and guidance!
Best regards,
Bogart
(retired but still an enthusiastic Swede living in sunny Spain)
Here is my last logfile:
Logfile of HijackThis v1.99.1
Scan saved at 15:49:36, on 2005-05-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\WinPoET Broadband Connection\WrOS.EXE
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Alarm Master Plus.lnk = C:\Program\BrigSoft\AlarmMasterPlus\AlarmMasterPlus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Consola KIT ADSL.lnk = C:\Program\Telefonica\Kit ADSL USB\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Webbfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Visa &lista över webbplatser - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Inaktivera webbsidefilter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Blockera den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Tillåt den här webbplatsen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program\IrfanView\Ebay\Ebay.htm
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115749792015
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0231E820-3394-46EA-8D5A-28F5CBD31BB1}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program\WinPoET Broadband Connection\WrOS.EXE
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.
- Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically. You can find instructions on how to disable and re-enable System Restore here:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
Re-enable System Restore with the instructions from the tutorial above.
See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
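The six Internet-zone settings in the "Make your Internet Explorer more secure" steps above are stored as numbered DWORD values under the zone's registry key, which is how they are deployed or checked without clicking through the dialog. The script below is an added example and is not part of this post or of any Microsoft tool: it maps the dialog labels to their value names, writes a .reg file that applies the recommended settings, and audits an exported copy of the key against them. The export text is constructed, and the key path assumes per-user settings under HKCU (if the `Security_HKLM_only` value is set, the HKLM copy of the key governs instead).

```python
"""Internet Explorer 'Internet zone' hardening: generate and audit the registry values."""
import re
from typing import Dict, List, Optional, Tuple

# Zone 3 is the Internet zone.  Per-user settings live under HKCU (assumed here).
ZONE_INTERNET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name -> (label shown in the Custom Level dialog, recommended setting).
HARDENING: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
}

def render_reg(settings: Dict[str, Tuple[str, int]] = HARDENING,
               key: str = ZONE_INTERNET) -> str:
    """Build a .reg file (regedit / 'reg import') that applies `settings` to `key`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for value_id in sorted(settings):
        label, setting = settings[value_id]
        lines.append(f"; {label} = {SETTING_NAMES[setting]}")
        lines.append(f'"{value_id}"=dword:{setting:08x}')
    return "\r\n".join(lines) + "\r\n"

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg_export(text: str, key: str = ZONE_INTERNET) -> Dict[str, int]:
    """DWORD values found under `key` in a .reg export; other keys are ignored."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(current: Dict[str, int],
          settings: Dict[str, Tuple[str, int]] = HARDENING) -> List[Tuple[str, str, Optional[int], int]]:
    """(value id, label, current or None if absent, expected) for each unmet setting.
    An absent value is reported too: IE then falls back to the zone template default."""
    findings = []
    for value_id in sorted(settings):
        label, expected = settings[value_id]
        actual = current.get(value_id)
        if actual != expected:
            findings.append((value_id, label, actual, expected))
    return findings

# Constructed export of a not-yet-hardened Internet zone (1800 deliberately absent).
REG_EXPORT_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000001
"1804"=dword:00000000
"""

if __name__ == "__main__":
    for value_id, label, actual, expected in audit(parse_reg_export(REG_EXPORT_SAMPLE)):
        have = SETTING_NAMES.get(actual, "absent") if actual is not None else "absent"
        print(f"{value_id} {label}: {have}, want {SETTING_NAMES[expected]}")
    print(render_reg())
```

Export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and feed the file to `parse_reg_export` to check a machine; importing the output of `render_reg` applies the six settings in one step. Keep "Run ActiveX controls and plug-ins" (1200) out of such a file unless you mean to break sites that rely on it; the post above does not ask for it, and neither does this script.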