Hello
My Windows XP machine recently came down with a serious virus attach despite the fact that I run an anti-virus (F-Secure). The virus was Virus.Win32.Nsag.a and the initial problem was that somebody had overwritten my wininet.dll with an infected version.
I replaced this with the authorised version and tried to clean up manually by editing the reg-db. I managed to remove most of the annoying spy- and adware but I was not compåletely succesful. Currently my browser is still hijacked by "oneclicksearches". And maybe there are more.
So I found this forum and decided to try "hijackthis". I would be most thankful if you could help decifer this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:55:07, on 29-06-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\Program\fspex.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = gsp-xp;<local>;localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDEBD.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BOOKcase 4.0.lnk = C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\AUTHENTIC\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: TDC Kabel TV Sikkerhedspakke (BackWeb Client - 7791805) - Unknown owner - C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
My Windows XP machine recently came down with a serious virus attach despite the fact that I run an anti-virus (F-Secure). The virus was Virus.Win32.Nsag.a and the initial problem was that somebody had overwritten my wininet.dll with an infected version.
I replaced this with the authorised version and tried to clean up manually by editing the reg-db. I managed to remove most of the annoying spy- and adware but I was not compåletely succesful. Currently my browser is still hijacked by "oneclicksearches". And maybe there are more.
So I found this forum and decided to try "hijackthis". I would be most thankful if you could help decifer this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:55:07, on 29-06-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\Program\fspex.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = gsp-xp;<local>;localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDEBD.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BOOKcase 4.0.lnk = C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\AUTHENTIC\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: TDC Kabel TV Sikkerhedspakke (BackWeb Client - 7791805) - Unknown owner - C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)