Jump to content
jkstone

HJT-log, help?

Recommended Posts

Is there viruses?

Thanks for helping

:)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:05:49, on 25.8.2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\Norman\Ngs\Bin\Nnf.exe

C:\Norman\Ngs\Bin\Nprosec.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Norman\Npm\Bin\Zanda.exe

C:\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Norman\npf\bin\npfsvc32.exe

C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Norman\Npm\Bin\scheduler.exe

C:\Norman\Npm\Bin\Njeeves.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\sm56hlpr.exe

C:\Norman\Npm\Bin\ZLH.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cleanmgr.exe

C:\Norman\nse\bin\NSESVC.EXE

C:\Norman\Nvc\Bin\Nip.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\Norman\Nvc\Bin\cclaw.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\skanaa.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://testbed.fmi.fi/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: HP-leikekirja - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart -valitse - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll

O10 - Unknown file in Winsock LSP: c:\norman\ngs\bin\nlf.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE

O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe

O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe

O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

O23 - Service: NetMeeting et

Share this post


Link to post
Share on other sites

Hello and :)

I will be helping you on removing malwares on your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions on the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum please advice us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 48 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

Any computer issues? Hanging? Slow boot up?

Also, you're still using an outdated XP. Are there any problems downloading updates for your computer?

Please do the following:

Download CKScanner by askey127 from Here & save it to your Desktop.

  • Doubleclick CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

--Next--

Please download DDS by sUBs from one of the following links and save it to your desktop.

[*]Disable any script blocking protection (How to Disable your Security Programs)

[*]Double click DDS icon to run the tool (may take up to 3 minutes to run)

[*]When done, DDS.txt will open.

[*]After a few moments, attach.txt will open in a second window.

[*]Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--

gmer_zip.gif

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
    gmer_zip.gif
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      GMER_thumb.jpg
      Click the image to enlarge it

    [*] Then click the Scan button & wait for it to finish.

    [*] Once done click on the [save..] button, and in the File name area, type in "ark.txt"

    [*]Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please copy and paste the report into your Post.

To post in your next reply:

1. Regarding my questions above.

2. CKScanner log.

3. DDS logs.

4. GMER log.

Share this post


Link to post
Share on other sites

Well, the problem is that pc is VERY slow particularly boot up.

It's few years old Fujitsu-Siemens laptop, with 1Gb RAM.

I have ran Cclener, cut down autoruns and defraged.

When I defraged, Norman found a virus.

And now I don't know what to do.

Here is dkfiles.txt

CKScanner - Additional Security Risks - These are not necessarily bad

c:\program files\ableton\live 6.0.1\library\presets\audio effects\vinyl distortion\crack.adv

c:\program files\creative professional\emulator x family\templates\filter\crackberry.xml

c:\program files\pinnacle\studio 10\plugins\rtfx\3dserver\filtersplus3d\crackedslab3d.xml

c:\program files\pinnacle\studio 10\plugins\rtfx\studioxml\rtfx volume 2\crackedslab-gpu.xml

scanner sequence 3.BB.11

----- EOF -----

All those programs are genuine. I don't understand those "cracks".

Here is DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 9:40:52,96 on la 28.08.2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.1023.510 [GMT 3:00]

AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

FW: Norman Personal Firewall v. 1.4 *disabled* {2B6AE065-7C1B-49B0-8AB7-5BC3BA338F5C}

FW: Norman Security Suite *enabled* {83B29CE9-9DE2-2CB5-9AB3-780D70FF12B0}

============== Running Processes ===============

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\Norman\Ngs\Bin\Nnf.exe

C:\Norman\Ngs\Bin\Nprosec.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Norman\Npm\Bin\Zanda.exe

C:\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Norman\npf\bin\npfsvc32.exe

C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Norman\Npm\Bin\scheduler.exe

C:\Norman\Npm\Bin\Njeeves.exe

C:\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\sm56hlpr.exe

C:\Norman\Npm\Bin\ZLH.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Norman\Nvc\Bin\Nip.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Norman\Nvc\Bin\cclaw.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\User\Ty

Attach.txt

Share this post


Link to post
Share on other sites

Hi,

So sorry for the delay here. I haven't received any notifications of your reply. :blink:

I see that you are being helped here -> http://www.bleepingcomputer.com/forums/topic343315.html

If you wish to continue with your pc's clean up here, please advice BC or post in your other thread that you are currently being helped here so that they can close your thread over there. Or if you wish to continue it there please advise so that we can close your thread here. Thank you.

Share this post


Link to post
Share on other sites

Is it forbidden to ask help in two forums?

It seems to be that nobody is helping me anywhere :blink:

Can you help or not

Share this post


Link to post
Share on other sites

Hi,

Asking for malware removal help for the same pc in different forums or helpers it would be a waste of time for both the helper and the one asking for help. Furthermore, different helpers use different methods in tackling infections and use different powerful tools or advance tweaks that might clash or conflict with other helper's way of doing things, this might render the pc being fixed inoperable.

I could help you out if you wish but please have your other thread closed before we proceed.

Share this post


Link to post
Share on other sites

Hi,

Just post in your thread there that you are currently being helped here. After doing that, please do the following:

Run a fresh DDS scan for me please. If you no longer have DDS with you please download from here:

Please download DDS by sUBs from one of the following links and save it to your desktop.

[*]Disable any script blocking protection (How to Disable your Security Programs)

[*]Double click DDS icon to run the tool (may take up to 3 minutes to run)

[*]When done, DDS.txt will open.

[*]After a few moments, attach.txt will open in a second window.

[*]Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--

icon11.gif Please download Rootkit Unhooker and save it on your desktop.

  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

To post in your next reply:

1. DDS logs.

2. Rootkit Unhooker log.

Share this post


Link to post
Share on other sites
Hi,

Still there? Post the logs when you're ready. Thanks.

I'm still needing help, but I haven't been at home for few days, and I will be away still couple days, so I can't post the logs now. So you need to wait :)

I'll post the logs when I can.

:)

Share this post


Link to post
Share on other sites

Ok, Here is the logs.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 9:29:02,62 on la 11.09.2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.1023.501 [GMT 3:00]

AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

FW: Norman Personal Firewall v. 1.4 *disabled* {2B6AE065-7C1B-49B0-8AB7-5BC3BA338F5C}

FW: Norman Security Suite *disabled* {83B29CE9-9DE2-2CB5-9AB3-780D70FF12B0}

============== Running Processes ===============

C:\Norman\Npm\bin\ELOGSVC.EXE

C:\Norman\Ngs\Bin\Nnf.exe

C:\Norman\Ngs\Bin\Nprosec.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Norman\Npm\Bin\Zanda.exe

C:\Norman\npm\bin\nvoy.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Norman\npf\bin\npfsvc32.exe

C:\Program Files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Norman\Npm\Bin\scheduler.exe

C:\Norman\Npm\Bin\Njeeves.exe

C:\Norman\nse\bin\NSESVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Norman\Nvc\bin\nvcoas.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\sm56hlpr.exe

C:\Norman\Npm\Bin\ZLH.EXE

C:\Norman\Nvc\Bin\Nip.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Norman\Nvc\Bin\cclaw.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe

C:\WINDOWS\system32\wscntfy.exe

E:\dds.pif

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://testbed.fmi.fi/

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [High Definition Audio -ominaisuussivun pikakuvake] HDAShCut.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [Norman ZANDA] "c:\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH

mRun: [<NO NAME>]

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [updReg] c:\windows\UpdReg.EXE

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\autoru~1\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe

StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\autoru~1\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: Vie Microsoft E&xceliin - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

LSP: c:\norman\ngs\bin\nlf.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: OdysseyClient - odyEvent.dll

============= SERVICES / DRIVERS ===============

P2 NPFSvc32;Norman Personal Firewall Service;c:\norman\npf\bin\npfsvc32.exe [2008-12-12 286328]

R1 NGS;Norman General Security Driver;c:\norman\ngs\bin\ngs.sys [2010-8-21 26744]

R1 NPROSEC;Norman Security driver;c:\norman\ngs\bin\nprosec.sys [2010-8-21 72392]

R1 tdi_nf;Norman Network Filter TDIL driver;c:\windows\system32\drivers\tdi_nf.sys [2010-8-21 376136]

R2 Ndiskio;Ndiskio;c:\norman\nse\bin\Ndiskio.sys [2009-10-15 22880]

R2 NNFSVC;Norman Network Filtering service;c:\norman\ngs\bin\nnf.exe [2010-8-21 219904]

R2 Norman ZANDA;Norman ZANDA;c:\norman\npm\bin\Zanda.exe [2007-5-2 301192]

R2 NPROSECSVC;Norman Security service;c:\norman\ngs\bin\nprosec.exe [2010-8-21 103016]

R2 nregsec;Norman Registry Security driver;c:\norman\ngs\bin\nregsec.sys [2010-8-21 40384]

R2 NVOY;Norman Resource Provider;c:\norman\npm\bin\nvoy.exe [2008-12-9 98776]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]

R3 nnetsec;Norman Network Security service;c:\windows\system32\drivers\nnetsec.sys [2010-8-21 48272]

R3 NNetSecC;Norman Network Filter NDIS common driver;c:\norman\ngs\bin\nnetsecc.sys [2010-8-21 29968]

R3 nsesvc;Norman Scanner Engine Service;c:\norman\nse\bin\Nsesvc.exe [2010-6-25 282624]

R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-5-2 21832]

R3 nvcoas;Norman Virus Control on-access component;c:\norman\nvc\bin\Nvcoas.exe [2009-2-20 210248]

R3 Scheduler;Norman Scheduler Service;c:\norman\npm\bin\scheduler.exe [2009-5-12 133272]

S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2008-4-2 15872]

S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\drivers\EMUXMIDI.sys [2006-6-9 134912]

S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-1-24 27264]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-13 136704]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-13 8320]

S3 nvcfsr;nvcfsr;c:\norman\nvc\bin\Nvcfsr.sys [2006-3-10 9032]

S3 nvcoafl51;nvcoafl51;c:\norman\nvc\bin\Nvcoafl51.sys [2006-3-10 32584]

S3 nvcoaft51;nvcoaft51;c:\norman\nvc\bin\Nvcoaft51.sys [2006-3-10 132168]

S3 nvcoarc51;nvcoarc51;c:\norman\nvc\bin\Nvcoarc51.sys [2006-3-10 25544]

S3 NVCScheduler;Norman Virus Control Scheduler;"c:\norman\npm\bin\nvcsched.exe" --> c:\norman\npm\bin\Nvcsched.exe [?]

S3 RDID1070;Roland SonicCell;c:\windows\system32\drivers\RDWM1070.sys [2008-3-14 135424]

S3 Us1n51ua;Us1n51ua;c:\windows\system32\bootvrfy.exe [2006-2-24 5120]

=============== Created Last 30 ================

2010-08-21 08:11:57 67664 ----a-w- c:\windows\system32\drivers\ale_nf64.sys

2010-08-21 08:11:57 60960 ----a-w- c:\windows\system32\drivers\ale_nf.sys

2010-08-21 08:11:57 376136 ----a-w- c:\windows\system32\drivers\tdi_nf.sys

2010-08-21 08:11:56 48272 ----a-w- c:\windows\system32\drivers\nnetsec.sys

2010-08-21 08:11:56 34192 ----a-w- c:\windows\system32\drivers\nnetsecl64.sys

2010-08-21 08:11:56 30584 ----a-w- c:\windows\system32\drivers\nnetsecl.sys

2010-08-18 16:53:31 0 d-----w- c:\program files\TomTom International B.V

==================== Find3M ====================

2010-09-11 06:23:15 85636 ----a-w- c:\windows\system32\perfc00B.dat

2010-09-11 06:23:15 398830 ----a-w- c:\windows\system32\perfh00B.dat

============= FINISH: 9:29:30,32 ===============

Report.txt

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 2)

Number of processors #1

==============================================

>Drivers

==============================================

0xF6A08000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3223552 bytes (Intel

Attach.txt

Share this post


Link to post
Share on other sites

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC_update.png

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

cfRC_screen_2.png

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Share this post


Link to post
Share on other sites

Hi,

We will continue when you have the time.

If you do, please refrain from running combofix for now, instead, post fresh DDS logs and we'll continue from there. Please take note to do this when you have the time to do the scans till we are done. Thank you.

Share this post


Link to post
Share on other sites

Here is the log.

But tell me, HOW I CAN REMOVE THE BOOTLOADER? I tried msconfig, but can't do it?

ComboFix 10-09-13.02 - User 14.09.2010 18:51:28.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.1023.485 [GMT 3:00]

Sijainti: c:\documents and settings\User\Ty

Share this post


Link to post
Share on other sites

Hi,

Why I should post a new DDS log? My computer is alone at home, not in use.

I asked in the event that the pc was in use by you or others and that there may have been something that was modified since the last log.

Bootloader? You mean the recovery console? I advise you not to tamper with it until we are finished as it provides a way for us if ever something goes bad during clean up.

If you wish to remove it then we'll remove it after we are through.

Please do the following:

Please go to Virus Total

  • Click on Browse.
  • On the File Upload window, copy/paste the text below into the File name box:
    c:\windows\system32\drivers\ale_nf.sys
  • Click Send file. Allow the file to be scanned. If it says already scanned -- click Reanalyze Now

Repeat the procedure with the following files:

c:\windows\system32\drivers\tdi_nf.sys

c:\windows\system32\drivers\EMUXMIDI.sys

c:\windows\system32\bootvrfy.exe

Please post the results in your next reply.

Share this post


Link to post
Share on other sites

Sorry for new post, but i don't see edit-button anywhere.

Yes, I ment recovery console. Ok, I'll wait that we finish this operation.

Share this post


Link to post
Share on other sites

Hi,

Please do the following:

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty in properly disabling your protective programs, refer to this link - How to Disable your Security Programs

--------------------------------------------------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

DDS::

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

Driver::

mchInjDrv

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

--Next--

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

--Next--

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

To post in your next reply:

1. Combofix log.

2. Malwarebytes' log.

Share this post


Link to post
Share on other sites

Ok, here is the logs:

ComboFix 10-09-13.02 - User 18.09.2010 9:54.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.1023.487 [GMT 3:00]

Sijainti: c:\documents and settings\User\Ty

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.