TechSpot

Can't get rid of virus/malware/adware!

By adammm
Nov 27, 2006
  1. Please read report.txt, report2.txt and report3.txt (scan them first, just in case)! It's way too long for me to post ... best to just paste it all in one file :p Thank you!!


    [EDIT] Think I fixed it! I don't think you're going to get any more from me! Now got 5 antivirus / anti-malware / anti-adware and other programs installed :O They keep fighting, though!
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Glad you got your problem fixed. Welcome to TechSpot!
    Cheers :wave: :wave:
     
  3. adammm

    adammm TS Rookie Topic Starter

    Thank you kitty <3
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're running an outdated version of HJT. The current version is 1.99.1.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:

    Edit: I've just seen your edited post. Make sure you have the latest version of HJT and post a fresh HJT log. I'll then check it to see whether your system is clean or not.


    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. adammm

    adammm TS Rookie Topic Starter

    It's not clear!! Hmm, it was on last boot but it seems to have reinfected me! grr

    I'll get info now

    [edit]
    Logs removed, updated!
    LOOK DOWN FOR LOGS!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is riddled with nasties.

    Now, go and follow all the instructions in the link I gave you.

    Post fresh HJT and AVG Antispyware logs as attachments, only after doing the above.

    Regards Howard :)

    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  7. adammm

    adammm TS Rookie Topic Starter

    Please read report.txt, report2.txt and report3.txt (scan them first, just in case)! It's way too long for me to post ... best to just paste it all in one file :p Thank you!!
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I've just had a look at your reports from your first post and it doesn't change a thing. If you wanted to post lots of logs, you should've posted an up-to-date HJT log/AVG Antispyware log and possibly Smitfraud fix/vundofix/look2me destroyer/Virtumundobegone logs, all separately.

    I don't need nor want to see SS&D logs. I can tell from your AVG log that you haven't followed the instructions properly, if at all.

    You still need to follow all the instructions in the link I gave you.

    Once you`ve done that, I`ll be in a better position to help you.

    See: The way it works is you ask for help, I give you some instructions to follow. You follow them and I check the logs you post as requested. I then tell you how best to proceed with any further clean up that needs to be done. You then follow those instructions and post the requested log files. If your system still isn`t clean, more instructions will follow until it is.

    I have no wish to appear difficult, but it has to be like that, otherwise it just won't work.

    Regards Howard :)

    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  9. adammm

    adammm TS Rookie Topic Starter

    Sorry for late reply

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:47:44, on 28/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\program files\steam\steam.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\xampp\mysql\bin\winmysqladmin.exe
    C:\Program Files\Xfire\xfire.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\FREEDO~1\fdm.exe
    C:\Program Files\Macromedia\Fireworks 8\Fireworks.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe
    C:\Program Files\Downloads\hijackthis\HijackThis1337.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    R3 - URLSearchHook: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
    R3 - URLSearchHook: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\atknsoik.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
    O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\xampp\mysql\bin\winmysqladmin.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ddcca - C:\WINDOWS\
    O20 - Winlogon Notify: fccccdc - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    
    AVG AV

    Code:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------
    
     + Created at:	12:19:02 28/11/2006
    
     + Scan result:	
    
    
    
    	Nothing found.
    
    
    
    ::Report end
    
    Something tells me that's not good :(

    OK, most of it's cleared up but now it's just pop-ups :) I can cope, but it would be nice to be infection free :(
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the pocket killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    ipwins
    NoAdware4

    Close control panel

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    ipwins.exe
    NoAdware4.exe
    ShowWnd.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R3 - URLSearchHook: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

    R3 - URLSearchHook: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\atknsoik.dll

    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)

    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll

    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)

    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)

    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab

    O20 - Winlogon Notify: ddcca - C:\WINDOWS\

    O20 - Winlogon Notify: fccccdc - C:\WINDOWS\

    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\NoAdware4<Delete the entire folder.
    C:\Program Files\ipwins<Delete the entire folder.

    ShowWnd.exe<Search your system for this file and delete all instances found.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\wingsa32.dll
    C:\WINDOWS\system32\fccccdc.dll
    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\wirvufc.dll
    C:\WINDOWS\system32\atknsoik.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log as an attachment(see HERE) and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
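The instructions in the post above are, in effect, a triage rule set over HJT log sections: R3/O2 entries ending in "(no file)" are orphaned CLSIDs, O20 Winlogon Notify entries whose DLL cannot be resolved are the Vundo-style handlers, an O16 DPF download from a rogue anti-virus domain gets removed, and O10 Winsock LSP entries are looked at by hand rather than fixed. The script below is an added example, not code from this thread, from HijackThis or from TechSpot; it applies those rules to the text of an HJT 1.99.x log. The sample lines embedded in it are copied from the log adammm posted; the trusted-host list for O16 downloads and the adware autorun names (ipwins, NoAdware4, ShowWnd) are assumptions taken from this thread, and the "review" severity deliberately covers entries that are often legitimate (OEM autoruns with bare filenames, vendor LSPs) so that nothing is removed blindly.

```python
"""Triage a HijackThis (HJT) 1.99.x log: flag the entry types a removal helper
fixes first.  Added example for this thread, not HJT's or TechSpot's code.
SAMPLE_LOG is copied from the log posted in the thread; the host allowlist and
the adware names are assumptions taken from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts an O16 ActiveX download (DPF) is expected from on a 2006 XP box.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "msn.com")
# Assumption: autorun names the helper in this thread identified as adware.
KNOWN_BAD_RUN_NAMES = {"ipwins", "noadware4", "showwnd"}


@dataclass
class Finding:
    severity: str  # "fix": tick it in HJT / delete the file; "review": check by hand
    section: str   # HJT section tag such as "O20"
    reason: str
    line: str


def _trusted_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_line(line: str):
    """Return a Finding for one HJT log line, or None if it looks benign."""
    line = line.strip()
    m = re.match(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$", line)
    if not m:
        return None  # header, process list or blank line
    tag, body = m.group(1), m.group(2)

    # R0 IE settings: an empty value or a relative path is what a hijacker leaves behind.
    if tag == "R0":
        mv = re.search(r"=\s*(.*)$", body)
        val = mv.group(1) if mv else ""
        if not re.match(r"^(https?://|[A-Za-z]:\\)", val):
            return Finding("review", tag, "IE setting empty or relative; HJT fix resets it", line)
        return None

    # Orphaned COM registrations: the CLSID is still registered but the DLL is gone.
    if tag in ("R3", "O2") and body.endswith("(no file)"):
        return Finding("fix", tag, "orphaned CLSID, DLL already gone", line)

    if tag == "O4":
        mr = re.search(r"\[([^\]]+)\]\s*(.*)$", body)
        if mr:
            name, cmd = mr.group(1).lower(), mr.group(2)
            if name in KNOWN_BAD_RUN_NAMES:
                return Finding("fix", tag, "autorun entry for known adware", line)
            if "\\" not in cmd:
                # Bare filename: resolved through the search path, so worth a look.
                return Finding("review", tag, "autorun command without a directory", line)
        return None

    # Removing a Winsock LSP entry wrongly breaks networking; identify the vendor first.
    if tag == "O10":
        return Finding("review", tag, "Winsock LSP not recognised by HJT; identify before fixing", line)

    if tag == "O16":
        mu = re.search(r"\s-\s*(\S*)$", body)
        url = mu.group(1) if mu else ""
        if not url:
            return Finding("fix", tag, "DPF record whose download URL is gone", line)
        if not _trusted_host(url):
            return Finding("fix", tag, "ActiveX download from untrusted host", line)
        return None

    # Winlogon Notify handlers are DLLs loaded into winlogon.exe at logon.  When the
    # subkey's DLL does not resolve to a file, the log shows only a directory, as with
    # the randomly named handlers (ddcca, fccccdc, wingsa32) in this thread.
    if tag == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[-1]
        if not path.lower().endswith(".dll"):
            return Finding("fix", tag, "Winlogon Notify handler with unresolved DLL", line)
    return None


def triage(log_text: str):
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per severity, e.g. {'fix': 5, 'review': 3}."""
    return dict(Counter(f.severity for f in findings))


# Lines copied from the HJT log posted in this thread (a subset).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O20 - Winlogon Notify: ddcca - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}: {f.line[:70]}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it with `python hjt_triage.py` against a saved log (replace SAMPLE_LOG with the file contents). The "fix" findings match the entries Howard ticked in HJT; the "review" ones are the judgement calls a helper makes by hand, and the O10 rule exists precisely because the F-Secure LSP in this log is a vendor file that should not be ripped out with HJT.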
     
  11. adammm

    adammm TS Rookie Topic Starter

    OK, I can't find ipwins or ShowWnd in Processes or Add/Remove.. I had a quick look, though, in the SSD resident and it says this:

    Code:
    28/11/2006 00:00:18 Denied value "IpWins" (new data: "") deleted in System Startup global entry!
    28/11/2006 00:00:35 Denied value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
    28/11/2006 00:00:41 Denied value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
    28/11/2006 00:00:46 Denied value "Local Page" (new data: "C:\windows\system32\blank.htm") changed in Browser page!
    28/11/2006 00:00:56 Allowed value "Default_Page_URL" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
    28/11/2006 00:00:58 Allowed value "boucicault" (new data: "") deleted in Shell services!
    28/11/2006 00:01:01 Allowed value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
    28/11/2006 00:01:02 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
    28/11/2006 11:18:13 Allowed value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
    28/11/2006 11:18:13 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
    28/11/2006 11:20:20 Allowed value "Default_Page_URL" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
    28/11/2006 11:20:21 Allowed value "boucicault" (new data: "") deleted in Shell services!
    28/11/2006 11:46:43 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in User-specific browser toolbar!
    28/11/2006 11:46:46 Allowed value "{46A4E9D9-B30E-452A-8157-DBBEC8573B03}" (new data: "") deleted in Browser Helper Object!
    28/11/2006 14:42:23 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
    28/11/2006 14:48:19 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
    
    I'll continue to do the rest of it.. brb

    [EDIT]

    OK, I've done all that you said, apart from that none of these DLLs exist:

    C:\WINDOWS\system32\wingsa32.dll
    C:\WINDOWS\system32\fccccdc.dll
    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\wirvufc.dll
    C:\WINDOWS\system32\atknsoik.dll

    Code:
    # 1 [Files to Delete]
    Path = C:\WINDOWS\system32\wingsa32.dll
    *This file does not seem to exist
     
    # 2 [Files to Delete]
    Path = C:\WINDOWS\system32\fccccdc.dll
    *This file does not seem to exist
     
    # 3 [Files to Delete]
    Path = C:\WINDOWS\system32\ddcca.dll
    *This file does not seem to exist
     
    # 4 [Files to Delete]
    Path = C:\WINDOWS\system32\wirvufc.dll
    *This file does not seem to exist
     
    # 5 [Files to Delete]
    Path = C:\WINDOWS\system32\atknsoik.dll
    *This file does not seem to exist
     
    # 6 [Files to Delete]
    Path = C:\WINDOWS\system32\atknsoik.dll
    *This file does not seem to exist
     
    # 7 [Files to Delete]
    Path = C:\WINDOWS\system32\atknsoik.dll
    *This file does not seem to exist
    
    It seems to be fixed, thanks! But I would like to completely remove F-Secure as well. The uninstall doesn't uninstall it! A bit of a con! I try to delete the file but it says fslsp.dll is still running, or I get a write-protect message. And in the HJT log, O10 fslsp.dll is missing and I can't remove any of the F-Secure processes. How could I do this please? Thanks.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, before we tackle the F-secure issue, do the following from normal mode.

    Run HJT with no other programmes open. Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)

    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)

    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)

    O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)

    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)

    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)

    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -

    O20 - Winlogon Notify: ddcca - C:\WINDOWS\

    O20 - Winlogon Notify: fccccdc - C:\WINDOWS\

    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\

    Click on the fix checked button.

    Close HJT.

    Download and run these three tools in order.

    Tool1
    Tool2
    Tool3

    Reboot your system and post a fresh HJT log into a new post.

    Regards Howard :)

    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  13. adammm

    adammm TS Rookie Topic Starter

    Hi, sorry for the late reply, I had a lot of coursework. Finished it all now :)

    Soz, I'll reply as fast as possible

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 16:14:00, on 29/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Downloads\hijackthis\HijackThis1337.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Startup: Xfire.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - 
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ddcca - C:\WINDOWS\
    O20 - Winlogon Notify: fccccdc - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    
    I'm happy, as the virus+adware seems to have gone :) Now I just need to get rid of F-Secure!!
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You have a very stubborn vundo infection.

    Download vundofix from HERE.

    Double-click VundoFix.exe to run it.

    Rightclick in the main window and click add more files.

    Enter the filepath you wish to remove and click the add files button, followed by the close window button.

    These are the filepaths you need to enter into vundofix.

    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\fccccdc.dll
    C:\WINDOWS\system32\igfxcui.dll
    C:\WINDOWS\system32\wingsa32.dll

    Click the Remove Vundo button, and let vundofix do its stuff.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of adammm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  15. adammm

    adammm TS Rookie Topic Starter

    Yes, I did run it and it rebooted and everything! Still there? :S


    [EDIT]

    I've done the fix and it now shows:

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 19:11:23, on 29/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Downloads\hijackthis\HijackThis1337.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Startup: Xfire.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - 
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The entries are still there; maybe F-Secure is interfering with the fix.

    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPFix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'fslsp.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPFix will remove references to the file and restore the chain numbers.
    7. Restart your computer.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there):

    F-Secure

    Also, temporarily uninstall AVG Antispyware and Spybot search and destroy.

    Close control panel.

    Click Start/Run, type services.msc into the Run box and press the Enter key.

    When the window appears, maximise it. Double-click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    FSGKHS

    F-Secure Automatic Update Agent
    F-Secure Anti-Virus Firewall Daemon
    F-Secure Management Agent

    Close the services window.

    Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

    Click on the Processes tab and end process for (if there):

    fsgk32st.exe
    fsaua.exe
    fsdfwd.exe
    FSMA32.EXE

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
    O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
    O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
    O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
    O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
    O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
    O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
    O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
    O4 - Startup: WinMySQLadmin.lnk.disabled
    O4 - Startup: Xfire.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
    O20 - Winlogon Notify: ddcca - C:\WINDOWS\
    O20 - Winlogon Notify: fccccdc - C:\WINDOWS\
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
    O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

    Click on the Fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\F-Secure < Delete the entire folder.

    Reboot into normal mode, turn System Restore back on and re-hide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

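    As an added example (my own code, not from the thread or from HijackThis), here is a small triage helper that reads an HJT log in the format quoted above and flags the entry kinds Howard's fix list targeted: orphaned O2 BHOs with "(no file)", the nameless O16 DPF entry, O20 Winlogon Notify DLLs whose names appear in the VundoFix list from post 14, and the repeated O10 LSP entry that needs a chain-aware tool such as LSPFix rather than a file deletion. The log excerpt is constructed from the thread's own log lines; the O23 "(file missing)" note is my own caveat, since in this thread those entries were XAMPP/WinPcap paths with a stray quote and were left alone.

```python
import re
from collections import Counter

# DLL base names the thread's helper asked VundoFix to remove (from the post
# above; not a general Vundo signature list).
VUNDO_DLLS = {"ddcca", "fccccdc", "igfxcui", "wingsa32"}

# Constructed excerpt in the shape of the HijackThis v1.99.1 logs quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O20 - Winlogon Notify: ddcca - C:\WINDOWS\
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
DPF_NO_SOURCE_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} -\s*$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def parse_entries(log_text):
    """Yield (section, body) for each HJT entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return (section, reason, detail) findings for the entry kinds the thread's fix list targeted."""
    findings = []
    lsp_paths = Counter()
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO CLSID registered but its DLL is gone (dead entry, safe to fix)", body))
        elif section == "O10":
            # Count each LSP DLL; the Winsock chain is repaired with LSPFix, not by deleting the file.
            lsp_paths[body.split(":", 1)[1].strip().lower()] += 1
        elif section == "O16" and DPF_NO_SOURCE_RE.match(body):
            findings.append((section, "ActiveX download entry with no name and no source URL", body))
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if m and m.group("name").lower() in VUNDO_DLLS:
                findings.append((section, "Winlogon Notify DLL named in the thread's VundoFix list", body))
        elif section == "O23" and body.endswith("(file missing)"):
            # My own caveat: in this thread these were quoted-path artefacts, so verify before removing.
            findings.append((section, "service binary not found (check for a quoted-path artefact first)", body))
    for path, n in lsp_paths.items():
        if n > 1:
            findings.append(("O10", f"unknown LSP DLL layered {n} times in the Winsock chain; remove with LSPFix", path))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {detail}")
```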
     
  17. adammm

    adammm TS Rookie Topic Starter

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 20:42:42, on 29/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\xampp\apache\bin\apache.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Downloads\hijackthis\HijackThis1337.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    
    Now that's looking good :)

    I didn't uninstall AVG AV because there seems to be no need as it looks (TO ME) to have worked :)

    Is there any way to completely uninstall the F-Secure services as they're only disabled... I want them gone and don't want anything to do with that program!
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very well done, your HJT log is now clean.

    I suggest you install the AVG free Antivirus programme.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. adammm

    adammm TS Rookie Topic Starter

    hehe I didn't uninstall it :p

    Thanks for all your help!!

    There's a small thing though: how do I uninstall a service? As I want to get rid of F-Secure.

    And anywhere I can donate? :)
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Don't confuse AVG Antispyware with AVG Antivirus. They're two completely different programmes. It's the AVG Antivirus you need to install, because your system has no antivirus programme running.

    According to your last HJT log, F-Secure is no longer running on your system.

    Thanks for the offer of a donation, but it's really not necessary. This website is paid for via advertising. The members help out on a voluntary basis.

    Regards Howard :)

     