View Full Version : Outerinfo



iris1
2007-07-26, 19:00
Something installed on my PC called Outerinfo. Does anyone know it?
I use Norman antivirus and Spybot, but even so this thing gives me really a lot of popups. I am not a genius with computer problems and don't know what to do.

I also get an error about Smitfraud-c - are they connected?

ken545
2007-07-26, 20:41
Hello iris1 and Welcome to Safer Networking.

Please read this before you post
http://forums.spybot.info/showthread.php?t=288


Download and install

Trendmicro's Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer to your Desktop, click on the Trendmicro Hijackthis Installer and follow the defaults; it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Wordwrap is Unchecked.
Go to Edit > Select All..... Edit > Copy and paste the new log into this thread.

iris1
2007-07-26, 21:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:05:06, on 26.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programfiler\SPAMfighter\SFAgent.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\?racle\?ervices.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
c:\programfiler\lenovo\system update\suservice.exe
C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\Programfiler\Fellesfiler\Lenovo\Logger\logmon.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Norman\npm\bin\niu.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irisdata.no/link/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {66386488-F718-80E6-1A67-8D8DBC2DD3CA} - C:\WINDOWS\system32\mrcdigz.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Snarvei til egenskapsside for High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AMSG] C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programfiler\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PC-søk i Windows.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Programfiler\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AwayNotify - C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\programfiler\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe

--
End of file - 12071 bytes

ken545
2007-07-27, 02:28
Hello Iris,

You stated that you're not a computer genius, but let me tell ya, you did very well following my instructions. :bigthumb:

You are infected with Purity/Clickspring and possibly the Vundo trojan. What we are going to do is attack Purity first, so I need you to do a couple of things for me so we can start cleaning you up and get you back to normal.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.



The thieves that are writing the Vundo trojan have written it to evade a HJT scan, so I need you to rename it and post a new log. By renaming it, the entries will show up on your log.

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe <-- Right click on this and choose Rename; renaming it to Iris.exe will be fine.

So, I need to see the Combofix log and a new HJT log with it renamed please.
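
The indicators ken545 is reading off the HijackThis log above (and off the ComboFix/catchme output iris1 posts next) can be checked mechanically. The script below is an added triage example, not part of this thread and not code from HijackThis or ComboFix: it runs a handful of regex rules over pasted log lines and reports a `?` inside a Windows path (HijackThis is an ANSI program, so a character outside the system code page prints as `?`; the short name `racle~1` that ComboFix later reports, with the first character missing, fits a non-ASCII directory name), a Run entry launching from a user profile folder, a BHO registered against `(no file)`, an unnamed BHO loaded straight from system32, and a `dir:name.exe` path, which is an NTFS alternate data stream. The sample input is copied from the logs in this thread plus two benign entries for contrast; the rule set and the indicator names are my own heuristics rather than HijackThis categories, and a hit means "inspect this", not "malicious".

```python
import re

# Lines copied from the HijackThis and ComboFix/catchme output posted in this
# thread, plus a benign Java BHO and a ctfmon entry for contrast.  Constructed
# test input for the rules below, not a live scan of the machine.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {66386488-F718-80E6-1A67-8D8DBC2DD3CA} - C:\WINDOWS\system32\mrcdigz.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32:win32.exe 189776 bytes executable
"""

# (indicator id, compiled pattern, note).  Indicator ids are my own labels.
RULES = [
    # HijackThis prints any character it cannot map to the system code page as
    # '?'.  A '?' inside a drive path therefore hints at a lookalike character
    # from another script in the real directory or file name.  URLs with '?'
    # query strings are not matched because the pattern requires "X:\" first.
    ("unrenderable-path-char",
     re.compile(r'[A-Za-z]:\\[^\s"]*\?'),
     "path contains a character HJT could not render; inspect the real name"),
    # Installed software rarely autostarts from inside a user profile.
    ("autorun-from-user-profile",
     re.compile(r'^O4 - .*\\(?:DOCUME~1|Documents and Settings|Users)\\.*\.exe', re.I),
     "autorun launches an executable from a user profile directory"),
    # A BHO whose DLL is gone is an orphan: inert, but evidence of a removal
    # that did not clean the registry.
    ("orphaned-bho",
     re.compile(r'^O2 - BHO: .*\(no file\)$'),
     "BHO registration points at a missing DLL (orphan)"),
    # Heuristic: an unnamed BHO living directly in system32 does not look like
    # a vendor install (those are usually named and under Program Files) and
    # is characteristic of Vundo-style infections.
    ("unnamed-bho-in-system32",
     re.compile(r'^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - '
                r'[A-Za-z]:\\[^\s]*\\system32\\[^\s\\]+\.dll$', re.I),
     "unnamed BHO loaded straight from system32"),
    # "dir:name.exe" is an NTFS alternate data stream; catchme lists a file it
    # found hidden this way.  Regular installers never store executables in one.
    ("alternate-data-stream",
     re.compile(r'[A-Za-z]:\\[^:\s]+:[^\s\\]+\.(?:exe|dll|sys)\b', re.I),
     "executable stored in an NTFS alternate data stream"),
]


def triage(log_text):
    """Return [(line_no, indicator_id, note, line), ...] for every rule hit."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        for ind_id, pattern, note in RULES:
            if pattern.search(line):
                findings.append((line_no, ind_id, note, line))
    return findings


def indicators_by_line(log_text):
    """{line_no: [indicator ids]}; lines with no hit are omitted."""
    out = {}
    for line_no, ind_id, _note, _line in triage(log_text):
        out.setdefault(line_no, []).append(ind_id)
    return out


if __name__ == "__main__":
    for line_no, ind_id, note, line in triage(SAMPLE_LOG):
        print(f"line {line_no}: [{ind_id}] {note}\n    {line}")
```

Paste a full HijackThis or ComboFix log into `SAMPLE_LOG` (or read it from a file) to run the same rules over it; everything the rules leave unflagged still needs a human look, since only the indicators visible in this thread are encoded.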

iris1
2007-07-27, 12:17
Here we go... I have to make two replies, because the text was too long... First log first:

"siri" - 2007-07-27 11:01:08 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

ADS removed - system32: The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\siri\MINEDO~1.\mbols~1
C:\DOCUME~1\siri\MINEDO~1.\mbols~1\ping.exe
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?ervices.exe
C:\WINDOWS\system32\mrcdigz.dll
C:\WINDOWS\system32\rundll.exe
C:\WINDOWS\system32\wcpsvcc32.exe
C:\WINDOWS\system32\x64
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 11:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 20:04 <DIR> d-------- C:\Programfiler\Trend Micro
2007-07-26 16:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-07-26 13:26 <DIR> d-------- C:\IDE
2007-07-23 12:59 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Start-meny
2007-07-23 12:53 19,000 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-07-23 12:52 <DIR> d-------- C:\Norman
2007-07-23 12:37 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-20 21:41 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\WinRAR
2007-07-19 21:47 <DIR> d-------- C:\Programfiler\Windows Live Safety Center
2007-07-19 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\FLEXnet
2007-07-19 17:15 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Azureus
2007-07-19 17:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Azureus
2007-07-18 20:39 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-07-18 16:53 <DIR> d-------- C:\Programfiler\Fellesfiler\Macromedia Shared
2007-07-18 16:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Macrovision
2007-07-17 22:09 <DIR> d-------- C:\Programfiler\Shockwave.com
2007-07-17 22:09 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\PlayFirst
2007-07-17 22:02 <DIR> d-------- C:\Programfiler\Onlinebandit-no
2007-07-17 20:10 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Sonic
2007-07-17 20:10 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Leadertech
2007-07-17 18:29 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\SPAMfighter
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\SPAMfighter
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Application
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Ankiro
2007-07-17 11:58 <DIR> d-------- C:\Programfiler\poEdit
2007-07-17 10:27 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\XLAB ISL Plugins
2007-07-17 10:26 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\XLAB ISL Light Client3
2007-07-17 09:55 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Windows Desktop Search
2007-07-17 09:52 <DIR> d-------- C:\Programfiler\Windows Desktop Search
2007-07-16 22:32 <DIR> d-------- C:\Programfiler\Skype
2007-07-16 22:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype
2007-07-16 22:32 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Skype
2007-07-16 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Skype
2007-07-16 22:21 <DIR> d-------- C:\Musikk
2007-07-16 22:20 <DIR> d-------- C:\Videoer
2007-07-16 21:40 <DIR> d-------- C:\Programfiler\MSXML 6.0
2007-07-16 21:40 <DIR> d-------- C:\Programfiler\Microsoft CAPICOM 2.1.0.2
2007-07-16 21:34 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-16 21:33 <DIR> d-------- C:\Programfiler\Reference Assemblies
2007-07-16 21:32 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-16 21:32 <DIR> d-------- C:\b9fba9cf63f1bc46379d
2007-07-16 21:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-16 21:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-16 21:29 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-16 20:41 <DIR> d-------- C:\Programfiler\Microsoft Virtual PC
2007-07-16 20:37 <DIR> d-------- C:\DOCUME~1\siri\Contacts
2007-07-16 20:34 <DIR> d-------- C:\Programfiler\MSN Messenger
2007-07-16 20:26 <DIR> d-------- C:\Programfiler\XLAB ISL Boot
2007-07-16 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-16 20:19 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-16 20:12 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-16 20:12 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-16 20:12 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-16 20:12 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-16 20:12 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-16 20:11 91,177 -ra------ C:\WINDOWS\system32\drivers\P1131Vid.sys
2007-07-16 20:11 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-16 20:11 81,920 -ra------ C:\WINDOWS\CtDrvIns.exe
2007-07-16 20:11 69,632 -ra------ C:\WINDOWS\system32\P1131Sti.dll
2007-07-16 20:11 65,536 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2007-07-16 20:11 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-16 20:11 49,152 -ra------ C:\WINDOWS\system32\P1131Hwx.dll
2007-07-16 20:11 36,864 -ra------ C:\WINDOWS\system32\P1131Pin.dll
2007-07-16 20:11 20,480 -ra------ C:\WINDOWS\system32\P1131Srv.exe
2007-07-16 20:11 20,480 -ra------ C:\WINDOWS\P1131Cfg.exe
2007-07-16 20:11 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-16 20:11 126,976 -ra------ C:\WINDOWS\system32\P1131Vfw.dll
2007-07-16 20:06 <DIR> d-------- C:\Programfiler\Creative
2007-07-16 19:52 61,598 --a------ C:\WINDOWS\system32\EBPMON2.DLL
2007-07-16 19:52 57,344 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2007-07-16 19:52 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2007-07-16 19:52 145 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2007-07-16 19:52 <DIR> d-------- C:\Programfiler\EPSON
2007-07-16 19:52 <DIR> d-------- C:\EPSON
2007-07-16 19:46 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-16 19:43 <DIR> d-------- C:\Programfiler\MSBuild
2007-07-16 19:43 <DIR> d-------- C:\Programfiler\Microsoft Works
2007-07-16 19:41 <DIR> d-------- C:\Programfiler\Microsoft.NET
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\Zoom Player
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\ws_ftp32
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8
2007-07-16 19:37 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-16 19:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft Help
2007-07-16 19:35 <DIR> dr-h----- C:\MSOCache
2007-07-16 19:34 <DIR> d-------- C:\Programfiler\kodak
2007-07-16 19:32 <DIR> d-------- C:\office
2007-07-16 19:28 <DIR> d-------- C:\Programfiler\clue
2007-07-16 19:14 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Google
2007-07-16 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Google
2007-07-16 19:13 <DIR> d-------- C:\Programfiler\Google
2007-07-16 19:11 <DIR> d-------- C:\WINDOWS\Cache
2007-07-16 18:57 <DIR> d-------- C:\Programfiler\MSXML 4.0
2007-07-16 18:56 <DIR> d-------- C:\DOCUME~1\siri\hob_jportal
2007-07-16 18:48 <DIR> dr------- C:\DOCUME~1\siri\Favoritter
2007-07-16 18:46 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-16 18:46 <DIR> d-------- C:\Programfiler\TotalCmd
2007-07-16 18:43 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-16 18:43 <DIR> d-------- C:\Programfiler\Windows Live Toolbar
2007-07-16 18:42 3,407,872 --ah----- C:\DOCUME~1\siri\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 07:52:43 88,126 ----a-w C:\WINDOWS\system32\perfc014.dat
2007-07-17 07:52:43 462,998 ----a-w C:\WINDOWS\system32\perfh014.dat
2007-07-16 16:43:30 50 ----a-w C:\WINDOWS\system32\drivers\LENOVO_9265_7HG.MRK
2007-06-27 10:12:30 17,280 ----a-w C:\WINDOWS\system32\drivers\psadd.sys
2007-05-16 15:19:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Snarvei til egenskapsside for High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 14:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34]
"SoundMAX"="C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"AMSG"="C:\Programfiler\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 08:23]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-22 18:10]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"AwaySch"="C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE" [2006-04-18 19:05]
"TVT Scheduler Proxy"="C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 04:01]
"DiskeeperSystray"="C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 16:24]
"Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [2005-10-28 20:08]
"cssauth"="C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" [2006-05-12 20:15]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SPAMfighter Agent"="C:\Programfiler\SPAMfighter\SFAgent.exe" [2007-07-04 14:22]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 14:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"Rcwl"="C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" []
"Kjo"="C:\WINDOWS\?racle\?ervices.exe" []
"WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
PC-søk i Windows.lnk - C:\Programfiler\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll 2006-04-18 19:05 49152 C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll

R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R1 vmm;Virtual Machine Monitor;\??\C:\WINDOWS\system32\Drivers\vmm.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 EGATHDRV;IBM eGatherer;\??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
R2 eLoggerSvc6;Norman eLogger service 6;C:\Norman\Npm\bin\ELOGSVC.EXE
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R2 pmem;pmem;\??\C:\WINDOWS\System32\drivers\pmemnt.sys
R2 PROCDD;IPS Helper Driver;C:\WINDOWS\system32\DRIVERS\PROCDD.SYS
R2 smi2;smi2;\??\C:\Programfiler\SMI2\smi2.sys
R2 tvtfilter;tvtfilter;\??\C:\WINDOWS\system32\drivers\tvtfilter.sys
R2 WSearch;Windows Search;C:\WINDOWS\system32\SearchIndexer.exe /Embedding
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\ADIHdAud.sys
R3 HidUsb;Microsoft HID-klassedriver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
R3 P1131VID;Creative WebCam NX Pro (WDM);C:\WINDOWS\system32\DRIVERS\P1131Vid.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 TVTPktFilter;TVT Packet Filter Service;C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys
R3 usbehci;Miniportdriver for Microsoft USB 2.0 forbedret vertskontroller;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 aktivert hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbuhci;Miniportdriver for Microsoft USB universell vertskontroller;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 VPCNetS2;Virtual Machine Network Services Driver;C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
S3 E100B;Intel(R) PRO-kortdriver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 G400;G400;C:\WINDOWS\system32\DRIVERS\G400m.sys
S3 HdAudAddService;Microsoft UAA-funksjonsdriver for High Definition Audio-tjenesten;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 odserv;Microsoft Office Diagnostics Service;"C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\ODSERV.EXE"
S3 psadd;IBM PSA Access Driver;\??\C:\WINDOWS\system32\Drivers\psadd.sys
S3 USBSTOR;USB-masselagringsenhet;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S4 agpCPQ;Compaq AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30694BC6-D358-E7AA-6E3C-B1F92934E8AB}
C:\WINDOWS\system32:win32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-26 20:34:01 C:\WINDOWS\tasks\Se etter oppdateringer for Windows Live Toolbar.job
2007-07-26 12:36:18 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 11:06:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000051f

scanning hidden files ...

C:\WINDOWS\system32:win32.exe 189776 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

Completion time: 2007-07-27 11:07:19
C:\ComboFix-quarantined-files.txt ... 2007-07-27 11:06

--- E O F ---

iris1
2007-07-27, 12:18
I was a bit confused about the renaming. I hope you meant to rename the .exe file and not the log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:34, on 27.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programfiler\SPAMfighter\SFAgent.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\?racle\?ervices.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
c:\programfiler\lenovo\system update\suservice.exe
C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\Programfiler\Fellesfiler\Lenovo\Logger\logmon.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Norman\npm\bin\niu.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Programfiler\Trend Micro\HijackThis\iris.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irisdata.no/link/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Snarvei til egenskapsside for High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AMSG] C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programfiler\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PC-søk i Windows.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Programfiler\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AwayNotify - C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\programfiler\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11496 bytes
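
The log above contains the entries a helper would focus on: `[Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb` (a copy of a Windows tool name launched from the user's My Documents folder) and `[Kjo] C:\WINDOWS\?racle\?ervices.exe` (HijackThis is an ANSI program, so a `?` in a path means a character outside the system code page, the lookalike-directory trick used to imitate `Oracle\services.exe`). The following script is an added example written for this page, not a tool from HijackThis, Spybot or the people in the thread; it applies those two observations plus two more generic checks (autoruns under a profile or temp directory, orphaned BHO entries) to sample lines copied from the log. The heuristics and the `SYSTEM_NAMES` list are the editor's own assumptions, not something HijackThis itself does.

```python
"""Triage HijackThis O4/O2 lines with simple heuristics (added example, not HJT code)."""
import re

# Lines copied from the HijackThis log above: three legitimate, three suspect.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# O4 autorun line: hive, value name in [], then the command line.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Split a command line into the executable path (quoted or not) and its arguments.
CMD_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?P<args>.*)$',
                    re.IGNORECASE)
# O2 BHO line: display name, CLSID, DLL path (or "(no file)").
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

# Assumption: autoruns should not live under a user profile or temp directory.
USER_PROFILE = re.compile(r'\\(DOCUME~1|Documents and Settings|Users|LOCALS~1|Temp)\\',
                          re.IGNORECASE)
# Assumption: names of Windows binaries that malware likes to borrow.
SYSTEM_NAMES = {'ping.exe', 'services.exe', 'svchost.exe', 'lsass.exe',
                'csrss.exe', 'smss.exe', 'winlogon.exe', 'explorer.exe'}
SYSTEM_DIRS = ('c:\\windows\\system32', 'c:\\windows')


def assess_autorun(entry):
    """Return the list of reasons an O4 entry looks suspicious (empty if none)."""
    path = entry['path']
    directory, _, base = path.lower().rpartition('\\')
    reasons = []
    if '?' in path:
        # HJT substitutes '?' for characters it cannot render in the ANSI code page.
        reasons.append('non-ANSI character in path (shown as "?"): lookalike directory/file name')
    if USER_PROFILE.search(path):
        reasons.append('autorun executable lives under a user profile or temp directory')
    if base in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append('borrows a Windows system binary name outside the Windows directory')
    return reasons


def triage(log_text):
    """Parse HJT O4 and O2 lines and return the entries that tripped a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            c = CMD_RE.match(m.group('cmd').strip())
            path = c.group('path') if c else m.group('cmd').strip()
            args = c.group('args').strip() if c else ''
            entry = {'section': 'O4', 'name': m.group('name'), 'path': path, 'args': args}
            reasons = assess_autorun(entry)
        else:
            m = O2_RE.match(line)
            if not m:
                continue  # other HJT sections are not handled by this example
            entry = {'section': 'O2', 'name': m.group('clsid'), 'path': m.group('path'), 'args': ''}
            # A registered BHO whose DLL is gone is leftover from a removed or half-removed install.
            reasons = ['BHO registered but its DLL is missing (orphaned entry)'] \
                if m.group('path') == '(no file)' else []
        if reasons:
            entry['reasons'] = reasons
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']} [{f['name']}] {f['path']} {f['args']}".rstrip())
        for r in f['reasons']:
            print('   -', r)
```

Run against the sample, the script flags only the `Rcwl`, `Kjo` and `(no file)` entries and leaves the SoundMAX, Picasa and ctfmon lines alone. The `?` check is the one that matters most here: no legitimate installer on a Norwegian XP box drops a folder whose name HijackThis cannot print, and the `Kjo` entry survives the Avenger run shown further down precisely because the script targeted a different file.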

ken545
2007-07-27, 15:38
Good Morning,

You renamed HJT correctly, thank you.

Combofix removed Purity but it reappeared on your log, we need to dig deeper.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file and extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\system32\win32.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply




Go to your Control Panel and look in the Add-Remove Programs for any of these and uninstall them. If they're not present, try downloading this uninstaller.

http://www.outerinfo.com/OiUninstaller.exe


ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator
WebBuying
WinPop


Outerinfo tutorial
http://www.outerinfo.com/howto.html



Then run Combofix again.

Let me see the Avenger Report, the new Combofix report and a New HJT log please.

iris1
2007-07-27, 16:12
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pcuqjqtd

*******************

Script file located at: \??\C:\WINDOWS\spnquens.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\win32.exe not found!
Deletion of file C:\WINDOWS\system32\win32.exe failed!

Could not process line:
C:\WINDOWS\system32\win32.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

iris1
2007-07-27, 16:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:57, on 27.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
c:\programfiler\lenovo\system update\suservice.exe
C:\Programfiler\SPAMfighter\SFAgent.exe
C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\Programfiler\Fellesfiler\Lenovo\Logger\logmon.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Programfiler\Trend Micro\HijackThis\iris.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.irisdata.no/link/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Snarvei til egenskapsside for High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AMSG] C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programfiler\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PC-søk i Windows.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Programfiler\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AwayNotify - C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\programfiler\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11280 bytes

iris1
2007-07-27, 16:29
Now I am a bit scared here... you ask me a lot at the same time lol
I received some virus alerts from Norman right after sending you the last messages...

Ran Combofix again and here is the log...

"siri" - 2007-07-27 15:22:39 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

ADS removed - system32: deleted 189776 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 11:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 20:04 <DIR> d-------- C:\Programfiler\Trend Micro
2007-07-26 16:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-07-26 13:26 <DIR> d-------- C:\IDE
2007-07-23 12:59 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Start-meny
2007-07-23 12:53 19,000 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-07-23 12:52 <DIR> d-------- C:\Norman
2007-07-23 12:37 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-20 21:41 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\WinRAR
2007-07-19 21:47 <DIR> d-------- C:\Programfiler\Windows Live Safety Center
2007-07-19 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\FLEXnet
2007-07-19 17:15 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Azureus
2007-07-19 17:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Azureus
2007-07-18 20:39 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-07-18 16:53 <DIR> d-------- C:\Programfiler\Fellesfiler\Macromedia Shared
2007-07-18 16:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Macrovision
2007-07-17 22:09 <DIR> d-------- C:\Programfiler\Shockwave.com
2007-07-17 22:09 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\PlayFirst
2007-07-17 22:02 <DIR> d-------- C:\Programfiler\Onlinebandit-no
2007-07-17 20:10 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Sonic
2007-07-17 20:10 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Leadertech
2007-07-17 18:29 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\SPAMfighter
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\SPAMfighter
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Application
2007-07-17 18:28 <DIR> d-------- C:\Programfiler\Fellesfiler\Ankiro
2007-07-17 11:58 <DIR> d-------- C:\Programfiler\poEdit
2007-07-17 10:27 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\XLAB ISL Plugins
2007-07-17 10:26 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\XLAB ISL Light Client3
2007-07-17 09:55 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Windows Desktop Search
2007-07-17 09:52 <DIR> d-------- C:\Programfiler\Windows Desktop Search
2007-07-16 22:32 <DIR> d-------- C:\Programfiler\Skype
2007-07-16 22:32 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype
2007-07-16 22:32 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Skype
2007-07-16 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Skype
2007-07-16 22:21 <DIR> d-------- C:\Musikk
2007-07-16 22:20 <DIR> d-------- C:\Videoer
2007-07-16 21:40 <DIR> d-------- C:\Programfiler\MSXML 6.0
2007-07-16 21:40 <DIR> d-------- C:\Programfiler\Microsoft CAPICOM 2.1.0.2
2007-07-16 21:34 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-16 21:33 <DIR> d-------- C:\Programfiler\Reference Assemblies
2007-07-16 21:32 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-16 21:32 <DIR> d-------- C:\b9fba9cf63f1bc46379d
2007-07-16 21:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-16 21:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-16 21:29 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-16 20:41 <DIR> d-------- C:\Programfiler\Microsoft Virtual PC
2007-07-16 20:37 <DIR> d-------- C:\DOCUME~1\siri\Contacts
2007-07-16 20:34 <DIR> d-------- C:\Programfiler\MSN Messenger
2007-07-16 20:26 <DIR> d-------- C:\Programfiler\XLAB ISL Boot
2007-07-16 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-16 20:19 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-16 20:12 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-16 20:12 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-16 20:12 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-16 20:12 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-16 20:12 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-16 20:11 91,177 -ra------ C:\WINDOWS\system32\drivers\P1131Vid.sys
2007-07-16 20:11 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-16 20:11 81,920 -ra------ C:\WINDOWS\CtDrvIns.exe
2007-07-16 20:11 69,632 -ra------ C:\WINDOWS\system32\P1131Sti.dll
2007-07-16 20:11 65,536 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2007-07-16 20:11 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-16 20:11 49,152 -ra------ C:\WINDOWS\system32\P1131Hwx.dll
2007-07-16 20:11 36,864 -ra------ C:\WINDOWS\system32\P1131Pin.dll
2007-07-16 20:11 20,480 -ra------ C:\WINDOWS\system32\P1131Srv.exe
2007-07-16 20:11 20,480 -ra------ C:\WINDOWS\P1131Cfg.exe
2007-07-16 20:11 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-16 20:11 126,976 -ra------ C:\WINDOWS\system32\P1131Vfw.dll
2007-07-16 20:06 <DIR> d-------- C:\Programfiler\Creative
2007-07-16 19:52 61,598 --a------ C:\WINDOWS\system32\EBPMON2.DLL
2007-07-16 19:52 57,344 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2007-07-16 19:52 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2007-07-16 19:52 145 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2007-07-16 19:52 <DIR> d-------- C:\Programfiler\EPSON
2007-07-16 19:52 <DIR> d-------- C:\EPSON
2007-07-16 19:46 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-16 19:43 <DIR> d-------- C:\Programfiler\MSBuild
2007-07-16 19:43 <DIR> d-------- C:\Programfiler\Microsoft Works
2007-07-16 19:41 <DIR> d-------- C:\Programfiler\Microsoft.NET
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\Zoom Player
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\ws_ftp32
2007-07-16 19:38 <DIR> d-------- C:\Programfiler\Microsoft Visual Studio 8
2007-07-16 19:37 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-16 19:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft Help
2007-07-16 19:35 <DIR> dr-h----- C:\MSOCache
2007-07-16 19:34 <DIR> d-------- C:\Programfiler\kodak
2007-07-16 19:32 <DIR> d-------- C:\office
2007-07-16 19:28 <DIR> d-------- C:\Programfiler\clue
2007-07-16 19:14 <DIR> d-------- C:\DOCUME~1\siri\PROGRA~1\Google
2007-07-16 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Google
2007-07-16 19:13 <DIR> d-------- C:\Programfiler\Google
2007-07-16 19:11 <DIR> d-------- C:\WINDOWS\Cache
2007-07-16 18:57 <DIR> d-------- C:\Programfiler\MSXML 4.0
2007-07-16 18:56 <DIR> d-------- C:\DOCUME~1\siri\hob_jportal
2007-07-16 18:48 <DIR> dr------- C:\DOCUME~1\siri\Favoritter
2007-07-16 18:46 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-16 18:46 <DIR> d-------- C:\Programfiler\TotalCmd
2007-07-16 18:43 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-16 18:43 <DIR> d-------- C:\Programfiler\Windows Live Toolbar
2007-07-16 18:42 3,407,872 --ah----- C:\DOCUME~1\siri\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 07:52:43 88,126 ----a-w C:\WINDOWS\system32\perfc014.dat
2007-07-17 07:52:43 462,998 ----a-w C:\WINDOWS\system32\perfh014.dat
2007-07-16 16:43:30 50 ----a-w C:\WINDOWS\system32\drivers\LENOVO_9265_7HG.MRK
2007-06-27 10:12:30 17,280 ----a-w C:\WINDOWS\system32\drivers\psadd.sys
2007-05-16 15:19:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Snarvei til egenskapsside for High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 14:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Programfiler\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34]
"SoundMAX"="C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12]
"AMSG"="C:\Programfiler\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 08:23]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-03-22 18:10]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ISUSPM Startup"="C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"AwaySch"="C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE" [2006-04-18 19:05]
"TVT Scheduler Proxy"="C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 04:01]
"DiskeeperSystray"="C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 16:24]
"Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [2005-10-28 20:08]
"cssauth"="C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" [2006-05-12 20:15]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SPAMfighter Agent"="C:\Programfiler\SPAMfighter\SFAgent.exe" [2007-07-04 14:22]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-04-27 14:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"Rcwl"="C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" []
"Kjo"="C:\WINDOWS\?racle\?ervices.exe" []
"WMPNSCFG"="C:\Programfiler\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:46]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
PC-søk i Windows.lnk - C:\Programfiler\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll 2006-04-18 19:05 49152 C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll

R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R1 vmm;Virtual Machine Monitor;\??\C:\WINDOWS\system32\Drivers\vmm.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 EGATHDRV;IBM eGatherer;\??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
R2 eLoggerSvc6;Norman eLogger service 6;C:\Norman\Npm\bin\ELOGSVC.EXE
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R2 pmem;pmem;\??\C:\WINDOWS\System32\drivers\pmemnt.sys
R2 PROCDD;IPS Helper Driver;C:\WINDOWS\system32\DRIVERS\PROCDD.SYS
R2 smi2;smi2;\??\C:\Programfiler\SMI2\smi2.sys
R2 tvtfilter;tvtfilter;\??\C:\WINDOWS\system32\drivers\tvtfilter.sys
R2 WSearch;Windows Search;C:\WINDOWS\system32\SearchIndexer.exe /Embedding
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\ADIHdAud.sys
R3 HidUsb;Microsoft HID-klassedriver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
R3 P1131VID;Creative WebCam NX Pro (WDM);C:\WINDOWS\system32\DRIVERS\P1131Vid.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 TVTPktFilter;TVT Packet Filter Service;C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys
R3 usbehci;Miniportdriver for Microsoft USB 2.0 forbedret vertskontroller;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 aktivert hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbuhci;Miniportdriver for Microsoft USB universell vertskontroller;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 VPCNetS2;Virtual Machine Network Services Driver;C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
S3 E100B;Intel(R) PRO-kortdriver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 G400;G400;C:\WINDOWS\system32\DRIVERS\G400m.sys
S3 HdAudAddService;Microsoft UAA-funksjonsdriver for High Definition Audio-tjenesten;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 odserv;Microsoft Office Diagnostics Service;"C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\ODSERV.EXE"
S3 psadd;IBM PSA Access Driver;\??\C:\WINDOWS\system32\Drivers\psadd.sys
S3 USBSTOR;USB-masselagringsenhet;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S4 agpCPQ;Compaq AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
S4 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30694BC6-D358-E7AA-6E3C-B1F92934E8AB}
C:\WINDOWS\system32:win32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-27 12:34:01 C:\WINDOWS\tasks\Se etter oppdateringer for Windows Live Toolbar.job
2007-07-26 12:36:18 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 15:25:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\viaagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

Completion time: 2007-07-27 15:25:47
C:\ComboFix-quarantined-files.txt ... 2007-07-27 15:25
C:\ComboFix2.txt ... 2007-07-27 11:07

--- E O F ---

iris1
2007-07-27, 16:32
How do I make a new Avenger report now? Should I still put the text from the box as last time? Sorry... just want to be sure...

:red:

ken545
2007-07-27, 16:55
Hey, you're doing fine, I didn't mean to overwhelm you.

Part of Purity is still present, were you able to remove any of those programs that I listed??

No need for another Avenger log at the moment.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKCU\..\Run: [Rcwl] "C:\DOCUME~1\siri\MINEDO~1\MBOLS~1\ping.exe" -vt yazb
O4 - HKCU\..\Run: [Kjo] C:\WINDOWS\?racle\?ervices.exe

Not sure why this is here, if you know what it is and use it then leave it be otherwise remove it also.
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab



There may be something on your system reinstalling this stuff as we remove it. Let's run AVG Anti Spyware


Make sure you follow these instructions correctly to Remove or Quarantine what it finds and also to save the report, without me seeing the report my hands are tied.
Download and install the 30 day trial of AVG Anti-Spyware 7.5.1.43 (http://www.ewido.net/en/download/) to your desktop. It's very important that I see the report so make sure you follow the instructions and save the log.


Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
Make sure to remember where you saved that file, this is important, I need to see that log.
Close AVG Anti-Spyware 7.5


Let me see the log from AVG and New HJT log please

iris1
2007-07-27, 16:59
Before I start next procedure, I wanna inform you a bit...

I didn't find any of those listed in the control panel, so I used the uninstaller. I think that's when Norman alerted me about the viruses...like he suddenly found them. Make sense? or...

Now I have to go back to your message and proceed... I am really thankful about help - THANKS! :crowned:

Siri, Norway

ken545
2007-07-27, 18:14
I think that's when Norman alerted me about the viruses...like he suddenly found them. Make sense? or... YES It Does

iris1
2007-07-27, 19:49
This was a hard test for my lack of patience :p:

But I am really sorry to tell you I was not able to make a report of the AVG scan. When I click Reports at the top, it tells me no reports available. Sorry! I was really trying to do every step you told me.

I did notice though that AVG found 45 items... Most of them middle and 4 high.

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:48, on 27.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
c:\programfiler\lenovo\system update\suservice.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe
C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\Programfiler\Fellesfiler\Lenovo\Logger\logmon.exe
C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programfiler\SPAMfighter\SFAgent.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programfiler\Windows Live Toolbar\msn_sl.exe
C:\Programfiler\Trend Micro\HijackThis\iris.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Snarvei til egenskapsside for High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AMSG] C:\Programfiler\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programfiler\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programfiler\Fellesfiler\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programfiler\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Programfiler\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programfiler\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PC-søk i Windows.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programfiler\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Programfiler\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AwayNotify - C:\Programfiler\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programfiler\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\programfiler\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Programfiler\Fellesfiler\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programfiler\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programfiler\Fellesfiler\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11269 bytes

ken545
2007-07-27, 20:15
There should be an icon for Norman Anti Virus in your system tray by the clock, right click it and shut it down or disable it.

Also open AVG and on the main tab, disable the Background Guard or Shield ( it may be listed differently on your version )

Then remove this with HJT.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Run this system cleaner,

Download and Install CCleaner (http://www.ccleaner.com/)
If you don't want the Yahoo Toolbar, be sure to uncheck it during installation
* Click on Run Cleaner
* Run the Issues Scan < -- After it scans your system, when you click on the Fix button and it asks you to backup the Registry..Say Yes
Tutorial for CCleaner (http://www.ccleaner.com/help/tour1.asp)


The rest of your log looks fine :bigthumb: How is your system behaving now??

iris1
2007-07-27, 20:54
Hello there,
No logs this time eh? :p:
It's done... and it seems more quiet over here. Long time since I received these annoying popups. :bigthumb:

Do you think we killed the virus or is there anything more to do?

Should I remove some of the programs I have downloaded or keep them?

Thanks for helping me out - really thanks :bigthumb:

ken545
2007-07-27, 21:05
Glad things are well :bigthumb:

You can delete these as newer versions are coming out all the time.
Combofix
Avenger

AVG Anti Spyware is yours to keep after the trial, you will just lose the Resident Shield and Auto Updates.

CCleaner is also a good free program, I run it on my own systems about once a week.


System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


Some reading and free programs to install to help keep you more secure on the internet,

How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, don't leave home without them

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Ad-Aware 2007 7.0.1.5 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Thanks for stopping by Safer Networking, I'm glad I was able to help you.

iris1
2007-07-27, 22:16
Done - and now I am really exhausted, but happy for doing a good job today. :alien:

Thanks again for really good help! I think we were a good team. lol

Take care! Send you a virtual glass of champagne and wish you a good weekend. :D:

ken545
2007-07-27, 22:32
Thank you, it was my pleasure to help you.

Safe Surfin,
Ken