
virus win32.agent

I have problems with this virus, it just won't go away. I have scanned with F-Secure and it finds these viruses
autorun.onf - Worm.win32.autoRun.nuu
tmp3FC.tmp - Trojan.win32.Small.Ymw
Temp3FF.tmp Trojan.win32.agent.akwc
in those files.
I also ran HijackThis and got these results. Any suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:40, on 2008-11-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winsys2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MSTMON_P.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\Microsoft IntelliType Pro\itype.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\DAEMON Tools Lite\daemon.exe
C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe
C:\Program\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Delade filer\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Anti-Virus\fsqh.exe
C:\Program\F-Secure\Anti-Virus\fsrw.exe
C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Common\FIH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\Windows Live\Messenger\msnmsgr.exe
C:\Program\F-Secure\ANTI-S~1\fsaw.exe
C:\Program\F-Secure\FSGUI\fsguidll.exe
D:\Proggs\Last.fm\LastFM.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\Jens\LOKALA~1\Temp\Rar$EX00.390\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [itype] "C:\Program\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Block this popup - C:\Program\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{259431C2-4F8A-4585-9CA1-20E19AE74E4B}: NameServer = 85.255.112.229;85.255.112.156
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program\Delade filer\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8852 bytes

Comments

  • edited November 2008
    Hello and welcome to the forums

    My name is DeFe and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:

    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.
  • edited November 2008
    Sounds great :) I have read the instructions and am awaiting help :thumbup
  • edited November 2008
    Hi

    First we enable viewing of hidden files.

    To enable the viewing of hidden files follow these steps:
    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon.
    3. Select the Tools menu and click Folder Options.
    4. After the new window appears select the View tab.
    5. Put a checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button and close My Computer.
    10. Now your computer is configured to show all hidden files.

    Second we check the following file.

    Go to C:\WINDOWS\system32\, find winsys2.exe, right-click on it, click Properties and go to the Version tab. Let me know what it says there.
  • edited November 2008
    Hi there, it says
    Version 1.0.0.1
  • edited November 2008
    Hi

    Does it say anything under Description and Copyright?
  • edited November 2008
    Description:TODO <File Description>
    Copyright: TODO:(c) <Company name>. All rights reserved.
  • edited November 2008
    Thanks for the information. I just checked that file because some legitimate software creates it too, but in this case it seems like it is a Trojan/malware.

    Start HijackThis, press Do a system scan only and mark these lines.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{259431C2-4F8A-4585-9CA1-20E19AE74E4B}: NameServer = 85.255.112.229;85.255.112.156

    After marking the lines, click Fix checked.

    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Reboot your computer after the scan!

    After reboot send a fresh HijackThis log and MBAM log.
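An added example, not code from the thread or from HijackThis, that turns the triage DeFe did on the first log into a script: it parses HijackThis 2.0 lines and flags an O2 BHO with no backing file, an O4 Run value named after its own path, and an O17 NameServer outside the resolver ranges you expect (RFC 1918 private space here, an assumption to set per network). The sample lines are copied from the log in the first post; the winsys2.exe call, made by hand via the Version tab, is deliberately not encoded because the log line alone cannot settle it.

```python
"""Triage HijackThis 2.0 log lines for the warning signs acted on in this thread.

Added example, not code from the thread or from HijackThis. The expected resolver
ranges are an assumption (RFC 1918 private space); set them to what your network
actually hands out before trusting the O17 check.
"""
import ipaddress
import re

# Resolver ranges we consider normal for this box (assumption, adjust per network).
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Lines copied from the HijackThis log in the first post (a subset, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{259431C2-4F8A-4585-9CA1-20E19AE74E4B}: NameServer = 85.255.112.229;85.255.112.156
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage_line(line, expected=EXPECTED_RESOLVERS):
    """Return [(line, reason)] for one HijackThis line, or [] if nothing stands out."""
    line = line.strip()

    m = O2_RE.match(line)
    if m:
        # A BHO whose DLL is gone is either leftover junk or a component hiding
        # from the scan; either way it has no business staying registered.
        if m.group("path") == "(no file)":
            return [(line, "BHO registered but its DLL is missing")]
        return []

    m = O4_RE.match(line)
    if m:
        # Legitimate installers give Run values a product name; the kdheh.exe
        # entry named itself after its own full path.
        if DRIVE_PATH_RE.match(m.group("name")):
            return [(line, "Run value whose name is a file path")]
        return []

    m = O17_RE.match(line)
    if m:
        # Resolvers outside the ranges this network hands out are how the
        # DNSChanger entry showed up: every lookup was going to someone else's server.
        unexpected = []
        for server in m.group("servers").split(";"):
            server = server.strip()
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                unexpected.append(server)
                continue
            if not any(ip in net for net in expected):
                unexpected.append(server)
        if unexpected:
            return [(line, "NameServer outside expected resolver ranges: " + ", ".join(unexpected))]
    return []


def triage_log(text, expected=EXPECTED_RESOLVERS):
    """Run triage_line over a whole log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line, expected))
    return findings


if __name__ == "__main__":
    for flagged, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {flagged}")
```

Run against the full log pasted in a post, the O4 check also stays quiet on the many legitimate vendor entries, which is the point: it narrows the list to what a human should look at, not replaces the look.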
  • edited November 2008
    This is the result:
    Malwarebytes' Anti-Malware 1.30
    Databasversion: 1423
    Windows 5.1.2600 Service Pack 3

    2008-11-25 20:51:04
    mbam-log-2008-11-25 (20-51-04).txt

    Skanningstyp: Fullständig skanning (C:\|D:\|E:\|)
    Antal skannade objekt: 208758
    Förfluten tid: 1 hour(s), 47 minute(s), 42 second(s)

    Infekterade minnesprocesser: 0
    Infekterade minnesmoduler: 0
    Infekterade registernycklar: 1
    Infekterade registervärden: 0
    Infekterade registerdataposter: 6
    Infekterade mappar: 1
    Infekterade filer: 5

    Infekterade minnesprocesser:
    (Inga illasinnade poster hittades)

    Infekterade minnesmoduler:
    (Inga illasinnade poster hittades)

    Infekterade registernycklar:
    HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Infekterade registervärden:
    (Inga illasinnade poster hittades)

    Infekterade registerdataposter:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdheh.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{259431c2-4f8a-4585-9ca1-20e19ae74e4b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229;85.255.112.156 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{259431c2-4f8a-4585-9ca1-20e19ae74e4b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229;85.255.112.156 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{259431c2-4f8a-4585-9ca1-20e19ae74e4b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.229;85.255.112.156 -> Quarantined and deleted successfully.

    Infekterade mappar:
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Infekterade filer:
    C:\WINDOWS\system32\kdheh.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
    E:\-- APPZ --\ACDSee.Pro.2.v2.0.238.Incl.Keymaker-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    E:\-- APPZ --\WinRAR.v3.20.WinALL.Cracked-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{44F7EAD8-B93A-4EDF-9A92-C933C03512A1}\RP111\A0018406.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{82321650-2834-4B2C-B6B2-534003E99033}\RP109\A0021829.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

    Going to reboot now and do another hijack and a new mbam log.
  • edited November 2008
    Got this result the next time I scanned:
    Malwarebytes' Anti-Malware 1.30
    Databasversion: 1423
    Windows 5.1.2600 Service Pack 3

    2008-11-25 22:46:19
    mbam-log-2008-11-25 (22-46-19).txt

    Skanningstyp: Fullständig skanning (C:\|D:\|E:\|)
    Antal skannade objekt: 208177
    Förfluten tid: 1 hour(s), 48 minute(s), 31 second(s)

    Infekterade minnesprocesser: 0
    Infekterade minnesmoduler: 0
    Infekterade registernycklar: 0
    Infekterade registervärden: 0
    Infekterade registerdataposter: 0
    Infekterade mappar: 0
    Infekterade filer: 2

    Infekterade minnesprocesser:
    (Inga illasinnade poster hittades)

    Infekterade minnesmoduler:
    (Inga illasinnade poster hittades)

    Infekterade registernycklar:
    (Inga illasinnade poster hittades)

    Infekterade registervärden:
    (Inga illasinnade poster hittades)

    Infekterade registerdataposter:
    (Inga illasinnade poster hittades)

    Infekterade mappar:
    (Inga illasinnade poster hittades)

    Infekterade filer:
    E:\System Volume Information\_restore{82321650-2834-4B2C-B6B2-534003E99033}\RP133\A0027262.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    E:\System Volume Information\_restore{82321650-2834-4B2C-B6B2-534003E99033}\RP133\A0027263.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

    And HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:56:29, on 2008-11-25
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\MSTMON_P.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program\F-Secure\Common\FSM32.EXE
    C:\Program\Microsoft IntelliType Pro\itype.exe
    C:\Program\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program\UltraMon\UltraMon.exe
    C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\DAEMON Tools Lite\daemon.exe
    C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program\Delade filer\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program\F-Secure\Anti-Virus\fssm32.exe
    C:\Program\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program\F-Secure\Common\FCH32.EXE
    C:\Program\F-Secure\Common\FAMEH32.EXE
    C:\Program\F-Secure\Anti-Virus\fsqh.exe
    C:\Program\F-Secure\Anti-Virus\fsrw.exe
    C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
    C:\Program\F-Secure\Anti-Virus\fsav32.exe
    C:\Program\F-Secure\Common\FNRB32.EXE
    C:\Program\F-Secure\Common\FIH32.EXE
    C:\Program\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program\F-Secure\FSGUI\fsguidll.exe
    C:\Program\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program\WinRAR\WinRAR.exe
    C:\DOCUME~1\Jens\LOKALA~1\Temp\Rar$EX01.922\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [itype] "C:\Program\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [UltraMon] "C:\Program\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Block this popup - C:\Program\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program\Delade filer\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 8373 bytes
  • edited November 2008
    Hi

    Let's double-check this winsys2.exe.

    Go to http://virusscan.jotti.org/ and submit this file there: C:\WINDOWS\system32\winsys2.exe. After Jotti has scanned the file, let me know its results.

    Step 1.
    CCleaner
    Please download CCleaner ... © Piriform Ltd. (slim version) and save it to your desktop. CCleaner guide can be found here...if needed.


    To Install CCleaner:
    1. Click the ccsetup???_slim.exe...icon on your desktop. (??? = version #'s)
    2. Press the "Run"...(Security prompt). Select a language...Press "OK" ...button.
    3. Click "Next"...(Welcome screen). Click "I Agree"...(License Agreement).
    4. Click "Next" for default install location.
      The default is set to C:\Program Files\CCleaner. Unless you want it installed elsewhere, just leave it.
    5. Check the "Install Options", you want.
    6. Click "Install". Click "Finish" when prompted.


    To Run CCleaner:
    1. Click CCleaner desktop icon or Start Menu item...(depending on install options)
    2. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
    3. A pop up box will appear advising this process will permanently delete files from your system.
    4. Select the items to clean up.
      • In the Windows Tab:
      • Clean all entries in the "Internet Explorer".
        Note: "Cookies"...box. If checked will require re-entry of user names, passwords on "next" visit to sites that require users log in.
      • Clean all the entries in the "Windows Explorer" section.
      • Clean all entries in the "System" section...except "Start Menu Shortcuts" and "Desktop Shortcuts" uncheck these 2 items.
      • *Uncheck* the "Advanced" section.


      • In the Applications Tab:
      • Clean all in the "Firefox/Mozilla" section. (if you use it)
        Firefox Caution: "Saved Form Information"...box. If checked will remove all your saved passwords, if you use that feature.
      • Clean all in the "Opera" section. (if you use it)
      • Clean all in the "Applications" section.
      • Clean all in the "Internet" Section.
      • Clean all in the "Multimedia" section. (if you use them)
      • Clean all in the "Utilities" section. (if you use them)
      • Clean all in the "Windows" section.
    5. Then click the "Run Cleaner" button and it will scan and clean your system.
    6. Close CCleaner when finished.

    FYI...You may see some files "marked" for deletion when Windows restarts...this is because they are "in use" by the system and can't be removed until restart.
    CAUTION: Please do NOT use the "Issues" button in the left pane.
    This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!


    Step 2.

    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Send new Hijackthis log too.
  • edited November 2008
    Took the scan on the online malware scanner.

    Scan taken on 26 Nov 2008 14:29:05 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    G DATA Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
  • edited November 2008
    Proceed to Step 1 and then Step 2.
  • edited November 2008
    I have scanned my boot drive C: but I have a lot of .rar archives that take forever to scan. No files found on the boot drive.
    And Step 1 went fine :)
  • edited November 2008
    This is my new HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:52:37, on 2008-11-26
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\MSTMON_P.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program\F-Secure\Common\FSM32.EXE
    C:\Program\Microsoft IntelliType Pro\itype.exe
    C:\Program\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program\UltraMon\UltraMon.exe
    C:\Program\Microsoft IntelliType Pro\dpupdchk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\DAEMON Tools Lite\daemon.exe
    C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program\Delade filer\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program\F-Secure\Anti-Virus\fssm32.exe
    C:\Program\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program\F-Secure\Common\FCH32.EXE
    C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
    C:\Program\F-Secure\Anti-Virus\fsqh.exe
    C:\Program\F-Secure\Common\FAMEH32.EXE
    C:\Program\F-Secure\Anti-Virus\fsrw.exe
    C:\Program\F-Secure\Common\FNRB32.EXE
    C:\Program\F-Secure\Common\FIH32.EXE
    C:\Program\F-Secure\Anti-Virus\fsav32.exe
    C:\Program\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program\F-Secure\FSGUI\fsguidll.exe
    C:\Program\Windows Live\Messenger\msnmsgr.exe
    C:\Program\Windows Live\Messenger\usnsvc.exe
    D:\Proggs\Last.fm\LastFM.exe
    C:\Program\WinRAR\WinRAR.exe
    C:\DOCUME~1\Jens\LOKALA~1\Temp\Rar$EX00.672\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [itype] "C:\Program\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [UltraMon] "C:\Program\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Block this popup - C:\Program\F-Secure\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program\Delade filer\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 8320 bytes
  • edited November 2008
    A little more to do and then you are clean :D

    Start HijackThis, press Do system scan only and mark these lines.

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe

    After marking the lines, click Fix checked.

    After you have fixed those lines with HijackThis you are clean :)
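    A small parser for the O4 Run lines of a HijackThis log, added here as an illustration and not part of this thread or of HijackThis itself. The log excerpt is constructed from entries quoted above, and the two review heuristics (a value named after its own path, as with kdheh.exe; a bare executable name with no path) are my assumptions, not HijackThis's own logic.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed HijackThis excerpt; the O4 lines mirror the ones quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdheh.exe] C:\WINDOWS\system32\kdheh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

class RunEntry(NamedTuple):
    hive: str      # e.g. HKLM, HKCU, HKUS\S-1-5-18
    name: str      # registry value name shown in [brackets]
    command: str   # the command line stored in that value

# Registry Run entries look like: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_o4(log: str) -> List[RunEntry]:
    """Return the registry Run entries; Global Startup and other O-lines are skipped."""
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            found.append(RunEntry(m["hive"], m["name"], m["cmd"].strip()))
    return found

def executable(entry: RunEntry) -> str:
    """First token of the command: a quoted path, or the bare program name."""
    cmd = entry.command
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def review(entry: RunEntry) -> List[str]:
    """Reasons an entry deserves a look (assumed heuristics, not a verdict:
    vendor entries such as nwiz.exe or RTHDCPL.EXE also use bare names)."""
    reasons = []
    if "\\" in entry.name:              # value named after its own path, as kdheh.exe
        reasons.append("value name is a file path")
    if "\\" not in executable(entry):   # resolved via PATH, so the file could be anywhere
        reasons.append("bare executable name, no path")
    return reasons

def flagged(log: str) -> Dict[str, List[str]]:
    """Map value name -> reasons, for every entry with at least one reason."""
    return {e.name: review(e) for e in parse_o4(log) if review(e)}

if __name__ == "__main__":
    for name, why in flagged(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```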
  • edited November 2008
    Thank you so much!! ;D
    Very nice with really talented computer people :thumbup

    Have a great weekend.
  • VekaVeka Finland
    edited December 2008
    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)
    _______________________________
    Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.