
[Resolved] b.exe virus


This topic is locked. 12 replies to this topic.

#1 hevonen (New Member, Authentic Member, 6 posts)

Posted 07 October 2009 - 04:14 AM

Hello, My computer seems to have the b.exe virus. After F-Secure started alerting me about it I ran a full scan and as a result it "isolated" two viruses which I thought I deleted from the "isolated" folder (named Trojan FraudPack.ums or something). However, when I look at Task Manager I can see b.exe is running. F-Secure claims there are no viruses on my computer now. I haven't had any problems yet that I've noticed but naturally want to have my computer virus-free. Could you please tell me what I have to do? I have very basic computer skills. Thank you very much in advance.

EDIT Oct 9: F-Secure also now spotted Packed.Win32.Krap.ae virus that it isolated in the isolated folder. I haven't done anything about it (for now) since it says it's a secure place to keep it, as I don't know if that would alter the information in the logs below? Let me know what I should do when you have the chance. Also, is it safe to back up files (mainly Word documents and pictures) to memory sticks or will the virus(es) spread there as well? (P.S. I'm not sure if I'm using correct terminology with "isolated" etc. as the programs I have on my computer are in my native language of Finnish.)

EDIT: I only now realized I posted the wrong attachment. I added it now.
DDS (Ver_09-09-29.01) - NTFSx86
Run by merkku at 12:56:36,71 on ke 07.10.2009
Internet Explorer: 7.0.6001.18000  BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1035.18.1791.870 [GMT 3:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Saunalahti Turvapaketti 7.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CTsvcCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\fsgk32st.exe
C:\Program Files\Saunalahti Turvapaketti\Common\FSMA32.EXE
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\FSGK32.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\fssm32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
C:\Windows\system32\conime.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Saunalahti Turvapaketti\Common\FSLAUNCHER0.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\merkku\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fi/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader -linkkiavustaja: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\google\google_bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [SmpcSys] c:\program files\packard bell\setupmypc\SmpSys.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PopRock] c:\users\merkku\appdata\local\temp\b.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [toolbar_eula_launcher] c:\program files\packard bell\google_eula\EULALauncher.exe
mRun: [F-Secure Manager] "c:\program files\saunalahti turvapaketti\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\saunalahti turvapaketti\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\merkku\appdata\roaming\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: UseDefaultTile = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Vie Microsoft E&xceliin - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\allmusicconverter\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\saunalahti turvapaketti\fsps\program\fslsp.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://ezproxy.utu.fi:2191/lib/uniturku/support/plugins/ebraryRdr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\merkku\appdata\roaming\mozilla\firefox\profiles\vy1rdj0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fi/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2007-7-28 33920]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\saunalahti turvapaketti\hips\drivers\fshs.sys [2007-7-28 67808]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2007-9-11 35552]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-9-11 70944]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\saunalahti turvapaketti\anti-virus\minifilter\fsvista.sys [2007-9-11 12384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\saunalahti turvapaketti\anti-virus\minifilter\fsgk.sys [2007-9-11 100984]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-8-18 23096]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\saunalahti turvapaketti\orsp client\fsorsp.exe [2007-7-28 55904]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-6-23 29744]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-8-18 245760]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\saunalahti turvapaketti\anti-virus\win2k\fsfilter.sys [2007-9-11 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\saunalahti turvapaketti\anti-virus\win2k\fsrec.sys [2007-9-11 25184]

=============== Created Last 30 ================

2009-10-03 01:44 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-02 14:25 230,916 a------- c:\windows\system32\msxml71.dll
2009-09-08 22:13 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-08 22:13 104,960 a------- c:\windows\system32\netiohlp.dll
2009-09-08 22:13 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 22:12 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 22:12 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 22:12 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 22:12 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 22:12 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 22:12 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 22:12 17,920 a------- c:\windows\system32\netevent.dll
2009-09-08 22:10 2,501,921 a------- c:\windows\system32\wlan.tmf
2009-09-08 22:10 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-08 22:10 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-08 22:10 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-08 22:10 513,024 a------- c:\windows\system32\wlansvc.dll
2009-09-08 22:09 2,868,224 a------- c:\windows\system32\mf.dll

==================== Find3M ====================

2009-10-04 19:30 450,820 a------- c:\windows\system32\perfh00B.dat
2009-10-04 19:30 88,430 a------- c:\windows\system32\perfc00B.dat
2009-09-16 18:09 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-09-16 18:09 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-08-28 15:39 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 15:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 15:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 15:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 15:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 13:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-18 03:57 86,016 a------- c:\windows\inf\infstrng.dat
2009-08-18 03:57 51,200 a------- c:\windows\inf\infpub.dat
2009-08-18 03:57 86,016 a------- c:\windows\inf\infstor.dat
2009-08-14 11:35 10,936 a------- c:\windows\system32\MusCVideo.dll
2009-08-14 11:35 3,768 a------- c:\windows\system32\MusCVideo.sys
2009-08-14 11:35 23,096 a------- c:\windows\system32\MusCAudio.sys
2009-08-14 11:35 23,096 a------- c:\windows\system32\drivers\MusCAudio.sys
2009-08-13 18:03 245,760 a------- c:\windows\system32\snmvtsvc.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 19:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 12:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 17:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-14 16:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 15:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 15:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 13:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2008-07-03 19:19 174 a--sh--- c:\program files\desktop.ini
2008-07-03 19:02 665,600 a------- c:\windows\inf\drvindex.dat
2007-06-24 00:35 274,158 a------- c:\windows\inf\perflib\040b\perfi.dat
2007-06-24 00:35 274,158 a------- c:\windows\inf\perflib\040b\perfh.dat
2007-06-24 00:35 36,790 a------- c:\windows\inf\perflib\040b\perfd.dat
2007-06-24 00:35 36,790 a------- c:\windows\inf\perflib\040b\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-28 00:01 262,144 a--sh--- c:\windows\serviceprofiles\localservice\NTUSER.DAT
2007-07-28 00:00 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
2007-07-28 00:00 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
2007-07-28 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-07-28 10:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-07-28 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-07-28 00:01 262,144 a--sh--- c:\windows\serviceprofiles\networkservice\NTUSER.DAT
2007-12-04 02:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-12-04 02:07 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-12-04 02:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 12:57:20,14 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 12:59
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F445000
Size: 32768
File Visible: No
Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F43A000
Size: 45056
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x99D3B000
Size: 49152
File Visible: No
Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4
Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1220
Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408e02

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f40912a

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408b4e

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f40955c

#: 267 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f40a7fa

#: 317 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f4093ac

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f4089d4

#: 331 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408e36

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408fb0

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408934

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408a8a

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408efa

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Program Files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys" at address 0x8f408e1c

==EOF==

Edited by hevonen, 09 October 2009 - 06:32 AM.
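The line in the DDS report that a helper will look at first is the one under the user's Run key: `uRun: [PopRock] c:\users\merkku\appdata\local\temp\b.exe`, which matches the b.exe the poster sees in Task Manager. A startup program in a per-user Temp folder is the classic shape of a dropper's persistence, and the two `[<NO NAME>]` values are worth a glance too. As an added example (not code from the forum post, from DDS, or from F-Secure), the script below parses DDS-style `uRun:`/`mRun:` lines and flags entries launched from temp or user-data folders or with no path at all. The sample input is copied from the report above; the trusted-root and suspicious-folder lists (`TRUSTED_PREFIXES`, `SUSPICIOUS_FOLDERS`) are assumptions of this example, and the u/m prefix is read as DDS's current-user/local-machine convention.

```python
"""Triage autorun entries from a DDS "Pseudo HJT Report".

Added example: not code from the forum post, from DDS or from F-Secure.
It reads the uRun:/mRun: lines DDS prints (u = current user, m = local
machine Run key) and flags loaders a malware-removal helper checks first:
an empty value, or an executable living in a temp / per-user data folder
rather than under Program Files or Windows.  The folder heuristics are
assumptions of this example, not anything DDS itself applies.
"""
import re
from typing import Dict, List

# Where a legitimate autorun normally lives on a 32-bit Vista install
# (assumption; extend for "Program Files (x86)" or other system drives).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%programfiles%\\")

# Folders that should essentially never host a startup program (assumption).
SUSPICIOUS_FOLDERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\tmp\\",
                      "\\downloads\\", "\\$recycle.bin\\")

# "uRun: [Name] command line"  /  "mRun: [Name] command line"
_RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def exe_from_command(cmd: str) -> str:
    """Extract the program path from a Run value ('"path" args' or 'path args')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first switch (" /x" or " -x").
    return re.split(r"\s[/-]", cmd, maxsplit=1)[0].strip()


def parse_run_entries(lines: List[str]) -> List[Dict[str, str]]:
    """One record per uRun/mRun line: hive, value name, lower-cased exe path."""
    entries = []
    for line in lines:
        m = _RUN_RE.match(line.strip())
        if m:
            entries.append({
                "hive": "HKCU" if m.group("hive") == "u" else "HKLM",
                "name": m.group("name"),
                "exe": exe_from_command(m.group("cmd")).lower(),
            })
    return entries


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons this entry deserves a look; an empty list means it looks routine."""
    exe = entry["exe"]
    if not exe:
        return ["empty Run value"]
    reasons = []
    if any(folder in exe for folder in SUSPICIOUS_FOLDERS):
        reasons.append("launched from a temp/user-data folder")
    # A bare file name (no backslash) is resolved through the search path;
    # only full paths are checked against the trusted roots here.
    if "\\" in exe and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("outside Program Files / Windows")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Flagged entries, in report order, each with its list of reasons."""
    flagged = []
    for entry in parse_run_entries(lines):
        reasons = classify(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


# Constructed input: these lines are copied from the DDS report in the post.
SAMPLE_DDS_LINES = [
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r"uRun: [<NO NAME>]",
    r'uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background',
    r"uRun: [PopRock] c:\users\merkku\appdata\local\temp\b.exe",
    r"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"mRun: [RtHDVCpl] RtHDVCpl.exe",
    r'mRun: [F-Secure TNB] "c:\program files\saunalahti turvapaketti\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW',
    r"mRun: [<NO NAME>]",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DDS_LINES):
        print(f"{hit['hive']} Run [{hit['name']}] -> {hit['exe'] or '(empty)'}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, it reports the HKCU `PopRock` value on both counts (Temp folder, outside the trusted roots) and the two empty values, and stays quiet about everything under Program Files or Windows. The heuristic is deliberately path-based because that is all a DDS text log gives you; on the live machine the same entries would also be checked for a valid code signature and a file creation time that lines up with the first F-Secure alert.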


#2 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 09 October 2009 - 10:13 PM

Hi,

Please do the following:


Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2



**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 hevonen (New Member, Authentic Member, 6 posts)

Posted 10 October 2009 - 07:30 AM

Hello,

thank you for replying. I did what you told me to do, here's the report. I don't know why it says F-Secure (="Saunalahti Turvapaketti") is enabled as I did disable it, the icon had the red cross etc.

ComboFix 09-10-08.04 - merkku 10.10.2009 16:09.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1035.18.1791.985 [GMT 3:00]
Running from: c:\users\merkku\desktop\ComboFix.exe
FW: Saunalahti Turvapaketti 7.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3987257784-22570265-891074465-500
c:\windows\Installer\22a5b5.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-10 13:17 . 2009-10-10 13:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-07 02:17 . 2009-10-07 09:53 -------- d-----w- c:\program files\ERUNT
2009-10-04 22:19 . 2009-10-04 22:19 680 ----a-w- c:\users\merkku\AppData\Local\d3d9caps.dat
2009-10-04 22:19 . 2009-10-04 22:19 -------- d-----w- c:\windows\Sun
2009-10-02 22:44 . 2009-10-01 07:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 12:43 . 2007-06-23 21:36 88430 ----a-w- c:\windows\system32\perfc00B.dat
2009-10-10 12:43 . 2007-06-23 21:36 450820 ----a-w- c:\windows\system32\perfh00B.dat
2009-10-09 12:10 . 2007-09-11 11:44 -------- d-----w- c:\program files\Saunalahti Turvapaketti
2009-10-07 09:43 . 2008-08-03 12:17 -------- d-----w- c:\program files\Java
2009-09-28 23:51 . 2007-10-15 07:04 -------- d-----w- c:\users\merkku\AppData\Roaming\Canon
2009-09-16 15:09 . 2008-07-03 17:08 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-09-09 00:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 12:39 . 2009-09-02 20:03 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 20:03 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-18 00:55 . 2009-08-18 00:54 -------- d-----w- c:\program files\AllMusicConverter
2009-08-18 00:40 . 2009-08-18 00:40 -------- d-----w- c:\users\merkku\AppData\Roaming\Apple Computer
2009-08-18 00:39 . 2009-08-18 00:37 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-18 00:39 . 2009-08-18 00:37 -------- d-----w- c:\program files\iTunes
2009-08-18 00:38 . 2009-08-18 00:38 -------- d-----w- c:\program files\iPod
2009-08-18 00:37 . 2009-08-18 00:15 -------- d-----w- c:\program files\Common Files\Apple
2009-08-18 00:37 . 2009-08-18 00:30 -------- d-----w- c:\programdata\Apple Computer
2009-08-18 00:36 . 2009-08-18 00:36 -------- d-----w- c:\program files\Bonjour
2009-08-18 00:34 . 2009-08-18 00:30 -------- d-----w- c:\program files\QuickTime
2009-08-18 00:20 . 2009-08-18 00:20 -------- d-----w- c:\program files\Apple Software Update
2009-08-18 00:15 . 2009-08-18 00:15 -------- d-----w- c:\programdata\Apple
2009-08-14 17:07 . 2009-09-08 19:13 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-08 19:13 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-08 19:12 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-08 19:12 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-08 19:12 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-08 19:12 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-08 19:13 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-08 19:12 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-08 19:12 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:16 . 2009-09-08 19:12 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 08:35 . 2009-08-18 00:54 10936 ----a-w- c:\windows\system32\MusCVideo.dll
2009-08-14 08:35 . 2009-08-18 00:54 3768 ----a-w- c:\windows\system32\MusCVideo.sys
2009-08-14 08:35 . 2009-08-18 00:54 23096 ----a-w- c:\windows\system32\MusCAudio.sys
2009-08-14 08:35 . 2009-08-18 00:54 23096 ----a-w- c:\windows\system32\drivers\MusCAudio.sys
2009-08-13 15:03 . 2009-08-18 00:54 245760 ----a-w- c:\windows\system32\snmvtsvc.exe
2009-07-25 02:23 . 2009-06-20 13:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 16:06 . 2009-07-29 13:32 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 13:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 13:32 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-11 20:26 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-11 20:25 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-11 20:25 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-11 20:25 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-11 20:25 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2008-09-24 01:00 . 2007-06-23 11:17 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-07-27 21:02 . 2007-07-27 21:02 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2007-07-27 21:02 . 2007-07-27 21:02 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2007-06-23 21:41 . 2007-06-23 21:41 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SmpcSys"="c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe" [2006-10-23 1092152]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-11-13 3411968]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 232184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-24 29744]
"toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 28672]
"F-Secure Manager"="c:\program files\Saunalahti Turvapaketti\Common\FSM32.EXE" [2008-12-04 182936]
"F-Secure TNB"="c:\program files\Saunalahti Turvapaketti\FSGUI\TNBUtil.exe" [2008-12-04 957024]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

c:\users\merkku\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-2-8 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDefaultTile"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{B1C6B758-729B-4831-B814-8D0B88273271}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{AC1A3EE6-1E9B-4AF4-83B6-43B183D03FE8}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{F83C4120-8162-4A27-9BFC-6FA9D8D4858D}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{A6A27418-ADF1-45C7-A049-164D7666FBEC}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{C72BADB7-9989-4FCC-BD06-949D21FD2AAA}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5291BB78-5C6F-4654-90F5-F9D1CBBDEF6E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F9079D34-0319-4D9B-825D-DE2E2A5CA002}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{78914C48-11D9-48CD-8FC8-0B6D3069557E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\River Past\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"= c:\program files\River Past\Animated GIF Converter and Booster Pack\VideoCleaner.exe:*:Enabled:River Past Animated GIF Converter

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [28.7.2007 0:10 33920]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Saunalahti Turvapaketti\HIPS\drivers\fshs.sys [28.7.2007 0:09 67808]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [11.9.2007 14:46 35552]
R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [11.9.2007 14:46 70944]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\Saunalahti Turvapaketti\Anti-Virus\minifilter\fsvista.sys [11.9.2007 14:44 12384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Saunalahti Turvapaketti\Anti-Virus\minifilter\fsgk.sys [11.9.2007 14:44 100984]
R3 MusCAudio;MusCAudio;c:\windows\System32\drivers\MusCAudio.sys [18.8.2009 3:54 23096]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21.5.2008 14:42 64000]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Saunalahti Turvapaketti\ORSP Client\fsorsp.exe [28.7.2007 0:09 55904]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [23.6.2007 14:17 29744]
S3 SMServer;SMServer;c:\windows\System32\snmvtsvc.exe [18.8.2009 3:54 245760]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Saunalahti Turvapaketti\Anti-Virus\win2k\fsfilter.sys [11.9.2007 14:44 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Saunalahti Turvapaketti\Anti-Virus\win2k\fsrec.sys [11.9.2007 14:44 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\Laajennettu takuu.job
- c:\program files\Packard Bell\SetupmyPC\PBCarNot.exe [2007-06-23 16:38]

2009-10-10 c:\windows\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 09:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fi/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Saunalahti Turvapaketti\FSPS\program\fslsp.dll
FF - ProfilePath - c:\users\merkku\AppData\Roaming\Mozilla\Firefox\Profiles\vy1rdj0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fi/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-VidGIF_is1 - c:\program files\GeoVid\VidGIF\unins000.exe
AddRemove-{F5CE5428-B9ED-4A00-8EEE-7E672F381618}_is1 - c:\program files\bitsoft.net\123 AVI to GIF Converter\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 16:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

[0] 0x575C3A43

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Saunalahti Turvapaketti\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(648)
c:\program files\Saunalahti Turvapaketti\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(540)
c:\program files\Saunalahti Turvapaketti\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(592)
c:\program files\Saunalahti Turvapaketti\FWES\Program\fsdc32.dll
.
Completion time: 2009-10-10 16:21
ComboFix-quarantined-files.txt 2009-10-10 13:21

Pre-Run: 89 725 386 752 tavua vapaana
Post-Run: 90 144 247 808 tavua vapaana

207 --- E O F --- 2009-10-08 18:33

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 October 2009 - 07:41 AM

Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 hevonen

hevonen

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 12 October 2009 - 01:08 PM

Hello, sorry for taking this long to reply. I ran both the programs and they say there are no viruses, threats etc. HOWEVER, I was not able to run IE as administrator. When I right-click the IE icon, it does not give me the option "run as administrator" for some reason. I looked at Properties and did a Google search but couldn't really figure out how to find the command. So, Kaspersky notified me that it may not properly work as it's not running as administrator but did the scan anyway. Let me know if I have to run Kaspersky again and, importantly, where to find the "run as administrator" command as it was not under right-click. I wonder if F-Secure got rid of the virus somehow when it located & isolated the latter virus? b.exe is also not showing on Task Manager anymore.

Malwarebytes' Anti-Malware 1.41
Database version: 2945
Windows 6.0.6001 Service Pack 1

12.10.2009 17:15:31
mbam-log-2009-10-12 (17-15-31).txt

Scan type: Quick Scan
Objects scanned: 89495
Time elapsed: 9 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 12, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 12, 2009 15:48:05
Records in database: 2960098
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 140297
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:23:25

No threats found. Scanned area is clean.

Selected area has been scanned.

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 12 October 2009 - 05:25 PM

Hi,

Quite likely your antivirus took care of the problem as there are no other signs of malware on your system.

Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

Re: no right-click "run as admin" option. Your User Account Control option is probably disabled.

Instructions for fixing it HERE

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 hevonen

hevonen

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 October 2009 - 12:26 PM

Hi, I never really had any problems that manifested in a way that I noticed other than F-Secure alerting me about viruses, the program trying to clean the files and then, after a few failed attempts ("target was renamed"), putting them in a safe "isolated targets" file. F-Secure also notified me when b.exe was trying to connect to the Internet (which I never allowed). None of this has happened within the last couple of days. Here are the reports. Again, I did close the anti-virus programs (this time also Windows Defender, which I forgot to do the previous times, sorry). Is my computer free of malware/viruses now?

DDS (Ver_09-06-26.01) - NTFSx86
Run by merkku at 20:34:36,58 on ti 13.10.2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1035.18.1791.887 [GMT 3:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Saunalahti Turvapaketti 7.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CTsvcCDA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\fsgk32st.exe
C:\Program Files\Saunalahti Turvapaketti\Common\FSMA32.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\FSGK32.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Saunalahti Turvapaketti\Anti-Virus\fssm32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Saunalahti Turvapaketti\Common\FSLAUNCHER0.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\merkku\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fi/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader -linkkiavustaja: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\google\google_bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [SmpcSys] c:\program files\packard bell\setupmypc\SmpSys.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [toolbar_eula_launcher] c:\program files\packard bell\google_eula\EULALauncher.exe
mRun: [F-Secure Manager] "c:\program files\saunalahti turvapaketti\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\saunalahti turvapaketti\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\merkku\appdata\roaming\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: UseDefaultTile = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Vie Microsoft E&xceliin - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\allmusicconverter\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\saunalahti turvapaketti\fsps\program\fslsp.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://ezproxy.utu.fi:2191/lib/uniturku/support/plugins/ebraryRdr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~3\GoogleDesktopNetwork3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\merkku\appdata\roaming\mozilla\firefox\profiles\vy1rdj0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fi/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2007-7-28 33920]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\saunalahti turvapaketti\hips\drivers\fshs.sys [2007-7-28 67808]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2007-9-11 35552]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2007-9-11 70944]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\saunalahti turvapaketti\anti-virus\minifilter\fsvista.sys [2007-9-11 12384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\saunalahti turvapaketti\anti-virus\minifilter\fsgk.sys [2007-9-11 100984]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-8-18 23096]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\saunalahti turvapaketti\orsp client\fsorsp.exe [2007-7-28 55904]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-6-23 29744]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-8-18 245760]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\saunalahti turvapaketti\anti-virus\win2k\fsfilter.sys [2007-9-11 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\saunalahti turvapaketti\anti-virus\win2k\fsrec.sys [2007-9-11 25184]

=============== Created Last 30 ================

2009-10-12 17:04 <DIR> --d----- c:\users\merkku\appdata\roaming\Malwarebytes
2009-10-12 17:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-12 17:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-12 17:03 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-12 17:03 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-12 17:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 16:21 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-10 16:06 229,888 a------- c:\windows\PEV.exe
2009-10-10 16:06 161,792 a------- c:\windows\SWREG.exe
2009-10-10 16:06 98,816 a------- c:\windows\sed.exe
2009-10-10 16:06 <DIR> --d----- C:\ComboFix
2009-10-03 01:44 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-10 15:43 450,820 a------- c:\windows\system32\perfh00B.dat
2009-10-10 15:43 88,430 a------- c:\windows\system32\perfc00B.dat
2009-09-16 18:09 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-09-16 18:09 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-08-28 15:39 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 15:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 15:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 15:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 15:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 13:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-18 03:57 86,016 a------- c:\windows\inf\infstrng.dat
2009-08-18 03:57 51,200 a------- c:\windows\inf\infpub.dat
2009-08-18 03:57 86,016 a------- c:\windows\inf\infstor.dat
2009-08-14 19:29 104,960 a------- c:\windows\system32\netiohlp.dll
2009-08-14 19:29 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 17:16 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 17:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 17:16 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 17:16 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 17:16 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 17:16 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 17:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 11:35 10,936 a------- c:\windows\system32\MusCVideo.dll
2009-08-14 11:35 3,768 a------- c:\windows\system32\MusCVideo.sys
2009-08-14 11:35 23,096 a------- c:\windows\system32\MusCAudio.sys
2009-08-13 18:03 245,760 a------- c:\windows\system32\snmvtsvc.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 19:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 12:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 17:35 71,680 a------- c:\windows\system32\atl.dll
2008-07-03 19:19 174 a--sh--- c:\program files\desktop.ini
2008-07-03 19:02 665,600 a------- c:\windows\inf\drvindex.dat
2007-06-24 00:35 274,158 a------- c:\windows\inf\perflib\040b\perfi.dat
2007-06-24 00:35 274,158 a------- c:\windows\inf\perflib\040b\perfh.dat
2007-06-24 00:35 36,790 a------- c:\windows\inf\perflib\040b\perfd.dat
2007-06-24 00:35 36,790 a------- c:\windows\inf\perflib\040b\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-28 00:02 262,144 a--sh--- c:\windows\serviceprofiles\localservice\NTUSER.DAT
2007-07-28 00:00 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
2007-07-28 00:00 2,048 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
2007-07-28 00:02 262,144 a--sh--- c:\windows\serviceprofiles\networkservice\NTUSER.DAT
2007-12-04 02:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-12-04 02:07 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-12-04 02:07 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:35:33,79 ===============




#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 October 2009 - 12:50 PM

Hi,

The logs are clean, time to do some housekeeping.

Please do the following.

Visit ADOBE and download the latest version of Acrobat Reader (version 9.1).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
  • Scroll down to the Java SE Runtime Environment (JRE) option.
  • Download and install the latest Java Runtime Environment (JRE) version for your computer.(version 6, update 16)


NEXT


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

If any logs remain after using this tool > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.


  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
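The MVPS Hosts file recommendation above works because the resolver consults the local HOSTS file before DNS, so a name listed against 127.0.0.1 (or 0.0.0.0) never leaves the machine. The following is an added example written for this thread, not code from the post or from the MVPS project: a small parser that emulates that lookup on a constructed hosts file, and a check that lists entries pointing real names at an address other than the local machine, which is the opposite of what a blocklist does and is worth inspecting after an infection. All host names and addresses in the sample are constructed.

```python
"""Emulate how a HOSTS file short-circuits name resolution.

Added example for this thread; not part of the original post or of the
MVPS hosts file.  SAMPLE_HOSTS below is constructed sample content.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the default localhost lines, two blocklist-style
# entries of the kind a file such as MVPS contains (sinkholed to the local
# machine), and one entry of the kind a hosts-file hijack adds (a real name
# pointed at an address that is NOT the local machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# Blocklist-style entries (constructed)
127.0.0.1  ads.example          # an ad server
0.0.0.0    tracker.example.net  # 0.0.0.0 is the other common sinkhole address

# Hijack-style entry (constructed): a legitimate name sent elsewhere
198.51.100.23  update.example-av.test
"""

# Addresses that mean "this machine": a blocklist only ever uses these.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order, one pair per hostname.

    Comments (#...) and blank lines are skipped; one line may list several
    hostnames for one address.  Hostnames are lower-cased because the
    resolver matches them case-insensitively.  Lines whose first field is
    not a valid IP address are ignored, as the resolver ignores them.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def resolve(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """First matching entry wins; None means 'not in hosts, fall through to DNS'."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def is_sinkholed(entries: List[Tuple[str, str]], hostname: str) -> bool:
    """True when the hosts file keeps connections to hostname on this machine."""
    ip = resolve(entries, hostname)
    return ip is not None and ip in SINKHOLES


def non_loopback_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name somewhere other than the local machine.

    A blocklist never produces these, so any such entry in a hosts file
    that is supposed to contain only a blocklist deserves a look: malware
    that edits the hosts file points real names (update servers, banks) at
    addresses it controls.
    """
    return [(ip, name) for ip, name in entries if ip not in SINKHOLES]


if __name__ == "__main__":
    e = parse_hosts(SAMPLE_HOSTS)
    print(resolve(e, "ADS.EXAMPLE"))               # 127.0.0.1
    print(is_sinkholed(e, "tracker.example.net"))  # True
    print(resolve(e, "www.example.org"))           # None, so normal DNS applies
    print(non_loopback_entries(e))                 # [('198.51.100.23', 'update.example-av.test')]
```

To run it against a real machine, read the contents of %SystemRoot%\System32\drivers\etc\hosts into parse_hosts in place of SAMPLE_HOSTS; on a clean machine with the MVPS file installed, non_loopback_entries should return nothing.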


#9 hevonen

hevonen

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 October 2009 - 03:44 PM

Hi, I did all the steps you asked me to, and will definitely consider the suggestions you gave me concerning avoiding malware. I didn't quite get what the OTC did as it didn't seem to remove anything that I noticed even after rebooting (I deleted the logs manually). I'm assuming I should remove/uninstall dds, rootrepeal, Erunt, Malwarebytes as well; if so, no need to reply specifically. Thank you very very much for all your help, CatByte!

#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 October 2009 - 04:03 PM

Hi, keep Malwarebytes; it's a good program to have. Update it and run it regularly. Anything else on your desktop, right click and delete.



#11 hevonen

hevonen

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 October 2009 - 04:17 PM

Done- thank you again!

#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 October 2009 - 05:07 PM

You are more than welcome, stay safe :wavey: CB



#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 October 2009 - 05:07 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

