Bifrose.LA (WinXP)

Britt
2007-09-12, 00:08
I did a scan with Spybot S&D yesterday and found this. I removed it and rescanned and it appeared to be gone. That's until today, when I started up again. I haven't been having any problems (as far as I know) because of this trojan yet, but I obviously want to get rid of it asap.

Earlier today I've tried again to remove it with Spybot S&D, both in normal and safe mode. As soon as I reboot, it comes back. I've also deleted all backups and such (or at least the ones I can think of).

I've done scans with other programs as well, but Spybot is the only program that picks up on this. I'm not sure if that's a good thing or if it's bad :-\

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:52:55, on 11.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
E:\Opera\Opera.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Britt sin IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DVD43] E:\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = E:\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Download all links using BitComet - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://E:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} (Navigram Control) - http://www.navigram.com/engine/v906/Navigram.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5014/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9318 bytes

The Kaspersky log file was too big so I zipped it...

Mr_JAk3
2007-09-13, 19:43
Hello Britt and welcome to the Forums :)

You really have an infection there...

I must warn that one or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb

Britt
2007-09-13, 19:48
I really don't want to reformat if I can do this some other way.

Mr_JAk3
2007-09-14, 16:54
OK, we'll begin the cleaning.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Britt
2007-09-14, 17:02
ComboFix 07-09-14.2 - "BrittS" 2007-09-14 16:58:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.507 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\BrittS\PROGRA~1\addon.dat

.
((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 16:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 20:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-13 00:50 <DIR> d-------- C:\Programfiler\MSECache
2007-09-13 00:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Office Genuine Advantage
2007-09-12 22:26 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-12 19:26 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Azureus
2007-09-12 19:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Azureus
2007-09-11 20:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Kaspersky Lab
2007-09-11 17:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-11 17:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-11 17:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-11 17:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-11 17:07 2,750 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-11 17:06 <DIR> d-------- C:\DOCUME~1\BrittS\SmitfraudFix
2007-09-11 14:47 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-11 14:16 <DIR> d-------- C:\DOCUME~1\BrittS\.housecall6.6
2007-09-11 14:14 <DIR> dr-h----- C:\DOCUME~1\BrittS\Siste
2007-09-11 13:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-09-11 13:31 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-09-11 11:46 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Sunbelt Software
2007-09-11 10:49 <DIR> d-------- C:\Programfiler\Trend Micro
2007-09-10 03:46 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\last.fm
2007-09-07 13:29 <DIR> d-------- C:\Programfiler\Glary Utilities PRO
2007-09-05 18:02 <DIR> d--h----- C:\WINDOWS\system16
2007-09-05 18:02 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\WNR
2007-09-03 00:01 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Nero
2007-09-01 00:30 <DIR> d-------- C:\Programfiler\Fellesfiler\xing shared
2007-09-01 00:30 <DIR> d-------- C:\Program Files
2007-09-01 00:30 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Real
2007-09-01 00:29 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-01 00:29 <DIR> d-------- C:\Programfiler\Winamp
2007-08-30 23:32 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\AlwaysNeat
2007-08-28 05:32 3,073,320 --a------ C:\WINDOWS\system32\AdvrCntr2D6E0B790.dll
2007-08-28 05:32 <DIR> d-------- C:\Programfiler\Windows Sidebar
2007-08-28 05:29 996,648 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2007-08-28 03:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Kontiki
2007-08-28 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Channel4
2007-08-27 13:29 <DIR> d-------- C:\Programfiler\Google
2007-08-27 13:29 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Google
2007-08-24 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SecretsOfOlympus
2007-08-18 01:02 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\JLC's Software
2007-08-17 20:40 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2007-08-17 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 07:21 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\MailWasherPro
2007-09-14 00:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Symantec
2007-09-14 00:02 --------- d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2007-09-13 23:21 35296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys
2007-09-13 01:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft Help
2007-09-13 01:17 676224 --a------ C:\WINDOWS\system32\OGACheckControl.DLL
2007-09-13 01:07 --------- d-------- C:\Programfiler\MSBuild
2007-09-11 23:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-09-11 21:51 --------- d-------- C:\Programfiler\Glary Utilities
2007-09-10 03:39 --------- d-------- C:\Programfiler\iTunes
2007-09-09 22:15 --------- d--h----- C:\Programfiler\InstallShield Installation Information
2007-09-08 21:34 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\dvdcss
2007-09-07 18:31 --------- d-------- C:\Programfiler\UHS
2007-09-01 00:30 --------- d-------- C:\Programfiler\Real
2007-09-01 00:30 --------- d-------- C:\Programfiler\Fellesfiler\Real
2007-08-29 00:41 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Apple Computer
2007-08-16 01:13 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\PlayFirst
2007-08-16 01:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\PlayFirst
2007-08-12 15:03 --------- d-------- C:\Programfiler\Nancy Drew
2007-08-12 00:34 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\AmuletAdventure
2007-08-12 00:24 --------- d-------- C:\Programfiler\iPod
2007-08-08 02:07 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Mysteryville2
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 00:08 --------- d-------- C:\Programfiler\QuickTime
2007-07-29 00:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
2007-07-29 00:07 --------- d-------- C:\Programfiler\Fellesfiler\Apple
2007-07-29 00:07 --------- d-------- C:\Programfiler\Apple Software Update
2007-07-29 00:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple
2007-07-25 13:44 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Screenshot Sender
2007-07-22 09:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Goland
2007-07-22 08:52 --------- d-------- C:\Programfiler\Goland
2007-07-19 16:43 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\RetroRecords
2007-07-19 04:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SpinTop Games
2007-07-17 12:44 5419008 --a------ C:\WINDOWS\Chaizer.scr
2007-07-16 14:29 --------- d-------- C:\Programfiler\Wondershare
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 08:47 238888 --a------ C:\WINDOWS\NuNInst.exe
2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-04-13 17:35 774144 --a------ C:\Programfiler\RngInterstitial.dll
--------- C:\Programfiler\Ät&Njut
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06]
"nwiz"="nwiz.exe" [2005-12-09 21:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 21:06]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-03-15 05:10]
"osCheck"="C:\Programfiler\Norton Internet Security\osCheck.exe" [2006-09-06 03:22]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"DVD43"="E:\DVDREG~1\DVDRegionFree.exe" [2006-08-03 18:38]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-09-01 00:30]

C:\DOCUME~1\BrittS\START-~1\PROGRA~1\Oppstart\
MailWasherPro.lnk - E:\MailWasher Pro\MailWasher.exe [2007-04-13 12:18:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= E:\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
R3 cmeu0wdm;CardMan 2020;C:\WINDOWS\system32\DRIVERS\cmeu0wdm.sys
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ZDNDIS5.SYS

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A507AC59-2400-3712-5963-C201EA167347}]
C:\WINDOWS\system16\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 15:59:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 05:19:30 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - BrittS.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-09-14 14:38:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{175DC273-B5DC-45F7-A58F-0F1545D54786}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 16:59:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 16:59:53
C:\ComboFix-quarantined-files.txt ... 2007-09-14 16:59
.
--- E O F ---

Mr_JAk3
2007-09-14, 17:50
Hi, we'll continue :)

Open notepad and copy/paste the text in the quotebox below into it:

Dirlook::
C:\WINDOWS\system16
C:\DOCUME~1\BrittS\PROGRA~1\WNR

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A507AC59-2400-3712-5963-C201EA167347}]

File::
C:\WINDOWS\system16\svchost.exe


Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to the "Browse" button:
C:\WINDOWS\system32\DRIVERS\cmeu0wdm.sys
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.
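
As an added example (not part of this thread, and not ComboFix's or Spybot's code), a small Python script that scans a ComboFix "Reg Loading Points" excerpt for the kind of entry the CFScript above removes: a core system binary name (svchost.exe) running from a look-alike directory such as system16 instead of system32, and any auto-start registered under Active Setup Installed Components. The log excerpt is constructed from lines quoted earlier in the thread; the flagging rules and the SYSTEM_ONLY list are assumptions for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key path reasons")

# Constructed excerpt, assembled from the "Reg Loading Points" lines quoted
# earlier in the thread (one benign Run entry, one suspicious Active Setup entry).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-03-15 05:10]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A507AC59-2400-3712-5963-C201EA167347}]
C:\WINDOWS\system16\svchost.exe s
"""

# A registry key header line such as [HKEY_LOCAL_MACHINE\...].
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.I)
# A drive-letter path ending in an executable-like extension; stops at a
# quote, bracket or end of line so paths with spaces are captured whole.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|scr|sys|com))(?=\s|"|$)', re.I)

# Binaries that, on XP, only legitimately run from %SystemRoot%\system32 (assumption).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
REAL_SYSTEM32 = r"c:\windows\system32"
ACTIVE_SETUP = r"active setup\installed components"


def split_path(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def check_path(key, path):
    """Return the list of reasons a loading-point entry looks suspicious (empty if none)."""
    reasons = []
    directory, name = split_path(path)
    if name in SYSTEM_ONLY and directory != REAL_SYSTEM32:
        reasons.append("core system binary name outside system32")
    last_component = directory.rpartition("\\")[2]
    if re.fullmatch(r"system\d+", last_component) and last_component != "system32":
        reasons.append("look-alike system directory '%s'" % last_component)
    if ACTIVE_SETUP in key.lower():
        reasons.append("Active Setup Installed Components auto-start (runs at each user's logon)")
    return reasons


def scan_reg_loading_points(text):
    """Walk the log, remembering the current registry key, and flag suspicious paths."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        for path in PATH_RE.findall(line):
            reasons = check_path(current_key, path)
            if reasons:
                findings.append(Finding(current_key, path, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_reg_loading_points(SAMPLE_LOG):
        print(f.path)
        print("  key:", f.key)
        for r in f.reasons:
            print("  -", r)
```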

Britt
2007-09-14, 18:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:46, on 14.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Nero 7\InCD\InCDsrv.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
E:\MailWasher Pro\MailWasher.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
E:\BitComet\BitComet.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plusskurs.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DVD43] E:\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = E:\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Download all links using BitComet - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://E:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} (Navigram Control) - http://www.navigram.com/engine/v906/Navigram.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5014/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9737 bytes

Britt
2007-09-14, 18:18
ComboFix 07-09-14.2 - "BrittS" 2007-09-14 17:55:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.495 [GMT 2:00]
Command switches used :: C:\Documents and Settings\BrittS\Skrivebord\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system16\svchost.exe
.

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 16:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 20:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-13 00:50 <DIR> d-------- C:\Programfiler\MSECache
2007-09-13 00:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Office Genuine Advantage
2007-09-12 22:26 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-12 19:26 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Azureus
2007-09-12 19:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Azureus
2007-09-11 20:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Kaspersky Lab
2007-09-11 17:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-11 17:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-11 17:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-11 17:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-11 17:07 2,750 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-11 17:06 <DIR> d-------- C:\DOCUME~1\BrittS\SmitfraudFix
2007-09-11 14:47 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-11 14:16 <DIR> d-------- C:\DOCUME~1\BrittS\.housecall6.6
2007-09-11 14:14 <DIR> dr-h----- C:\DOCUME~1\BrittS\Siste
2007-09-11 13:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-09-11 13:31 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-09-11 11:46 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Sunbelt Software
2007-09-11 10:49 <DIR> d-------- C:\Programfiler\Trend Micro
2007-09-10 03:46 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\last.fm
2007-09-07 13:29 <DIR> d-------- C:\Programfiler\Glary Utilities PRO
2007-09-05 18:02 <DIR> d--h----- C:\WINDOWS\system16
2007-09-05 18:02 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\WNR
2007-09-03 00:01 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Nero
2007-09-01 00:30 <DIR> d-------- C:\Programfiler\Fellesfiler\xing shared
2007-09-01 00:30 <DIR> d-------- C:\Program Files
2007-09-01 00:30 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Real
2007-09-01 00:29 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-01 00:29 <DIR> d-------- C:\Programfiler\Winamp
2007-08-30 23:32 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\AlwaysNeat
2007-08-28 05:32 3,073,320 --a------ C:\WINDOWS\system32\AdvrCntr2D6E0B790.dll
2007-08-28 05:32 <DIR> d-------- C:\Programfiler\Windows Sidebar
2007-08-28 05:29 996,648 --a------ C:\WINDOWS\system32\ShellManager10E2D762.dll
2007-08-28 03:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Kontiki
2007-08-28 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Channel4
2007-08-27 13:29 <DIR> d-------- C:\Programfiler\Google
2007-08-27 13:29 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\Google
2007-08-24 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SecretsOfOlympus
2007-08-18 01:02 <DIR> d-------- C:\DOCUME~1\BrittS\PROGRA~1\JLC's Software
2007-08-17 20:40 <DIR> d-------- C:\Programfiler\Fellesfiler\Ahead
2007-08-17 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 17:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Symantec
2007-09-14 07:21 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\MailWasherPro
2007-09-14 00:02 --------- d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2007-09-13 23:21 35296 --a------ C:\WINDOWS\system32\drivers\Dvd43.sys
2007-09-13 01:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Microsoft Help
2007-09-13 01:17 676224 --a------ C:\WINDOWS\system32\OGACheckControl.DLL
2007-09-13 01:07 --------- d-------- C:\Programfiler\MSBuild
2007-09-11 23:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-09-11 21:51 --------- d-------- C:\Programfiler\Glary Utilities
2007-09-10 03:39 --------- d-------- C:\Programfiler\iTunes
2007-09-09 22:15 --------- d--h----- C:\Programfiler\InstallShield Installation Information
2007-09-08 21:34 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\dvdcss
2007-09-07 18:31 --------- d-------- C:\Programfiler\UHS
2007-09-01 00:30 --------- d-------- C:\Programfiler\Real
2007-09-01 00:30 --------- d-------- C:\Programfiler\Fellesfiler\Real
2007-08-29 00:41 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Apple Computer
2007-08-16 01:13 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\PlayFirst
2007-08-16 01:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\PlayFirst
2007-08-12 15:03 --------- d-------- C:\Programfiler\Nancy Drew
2007-08-12 00:34 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\AmuletAdventure
2007-08-12 00:24 --------- d-------- C:\Programfiler\iPod
2007-08-08 02:07 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Mysteryville2
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 00:08 --------- d-------- C:\Programfiler\QuickTime
2007-07-29 00:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
2007-07-29 00:07 --------- d-------- C:\Programfiler\Fellesfiler\Apple
2007-07-29 00:07 --------- d-------- C:\Programfiler\Apple Software Update
2007-07-29 00:07 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple
2007-07-25 13:44 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\Screenshot Sender
2007-07-22 09:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Goland
2007-07-22 08:52 --------- d-------- C:\Programfiler\Goland
2007-07-19 16:43 --------- d-------- C:\DOCUME~1\BrittS\PROGRA~1\RetroRecords
2007-07-19 04:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SpinTop Games
2007-07-17 12:44 5419008 --a------ C:\WINDOWS\Chaizer.scr
2007-07-16 14:29 --------- d-------- C:\Programfiler\Wondershare
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 08:47 238888 --a------ C:\WINDOWS\NuNInst.exe
2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-04-13 17:35 774144 --a------ C:\Programfiler\RngInterstitial.dll
--------- C:\Programfiler\Ät&Njut
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\system16 ----

2007-09-13 23:48 75607 --ah----- C:\WINDOWS\system16\klog.dat

---- Directory of C:\DOCUME~1\BrittS\PROGRA~1\WNR ----

2007-09-10 08:44 2008 --a------ C:\DOCUME~1\BrittS\PROGRA~1\WNR\PSW\psw.ini
2007-09-09 21:40 1829 --a------ C:\DOCUME~1\BrittS\PROGRA~1\WNR\PSW\proxycache.lz
2007-09-09 21:13 83 --a------ C:\DOCUME~1\BrittS\PROGRA~1\WNR\PSW\user_lists.ini
2007-09-09 21:03 11309 --a------ C:\DOCUME~1\BrittS\PROGRA~1\WNR\PSW\updated_proxies.ini
2007-09-05 18:05 11277 --a------ C:\DOCUME~1\BrittS\PROGRA~1\WNR\PSW\proxies.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 21:06]
"nwiz"="nwiz.exe" [2005-12-09 21:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 21:06]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-03-15 05:10]
"osCheck"="C:\Programfiler\Norton Internet Security\osCheck.exe" [2006-09-06 03:22]
"Symantec PIF AlertEng"="C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"DVD43"="E:\DVDREG~1\DVDRegionFree.exe" [2006-08-03 18:38]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2007-09-01 00:30]

C:\DOCUME~1\BrittS\START-~1\PROGRA~1\Oppstart\
MailWasherPro.lnk - E:\MailWasher Pro\MailWasher.exe [2007-04-13 12:18:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= E:\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
R3 cmeu0wdm;CardMan 2020;C:\WINDOWS\system32\DRIVERS\cmeu0wdm.sys
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ZDNDIS5.SYS

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 15:59:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
"2007-09-14 05:19:30 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - BrittS.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-09-14 14:38:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{175DC273-B5DC-45F7-A58F-0F1545D54786}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 17:56:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 17:56:56
C:\ComboFix-quarantined-files.txt ... 2007-09-14 17:56
C:\ComboFix2.txt ... 2007-09-14 16:59
.
--- E O F ---

Britt
2007-09-14, 18:19
File cmeu0wdm.sys received on 09.14.2007 18:01:39 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.9.14.0 2007.09.14 -
AntiVir 7.6.0.10 2007.09.14 -
Authentium 4.93.8 2007.09.14 -
Avast 4.7.1043.0 2007.09.14 -
AVG 7.5.0.485 2007.09.14 -
BitDefender 7.2 2007.09.14 -
CAT-QuickHeal 9.00 2007.09.14 -
ClamAV 0.91.2 2007.09.14 -
DrWeb 4.33 2007.09.14 -
eSafe 7.0.15.0 2007.09.13 -
eTrust-Vet 31.1.5135 2007.09.14 -
Ewido 4.0 2007.09.14 -
FileAdvisor 1 2007.09.14 -
Fortinet 3.11.0.0 2007.09.14 -
F-Prot 4.3.2.48 2007.09.13 -
F-Secure 6.70.13030.0 2007.09.14 -
Ikarus T3.1.1.12 2007.09.14 -
Kaspersky 4.0.2.24 2007.09.14 -
McAfee 5119 2007.09.13 -
Microsoft 1.2803 2007.09.14 -
NOD32v2 2530 2007.09.14 -
Norman 5.80.02 2007.09.14 -
Panda 9.0.0.4 2007.09.14 -
Prevx1 V2 2007.09.14 -
Rising 19.40.42.00 2007.09.14 -
Sophos 4.21.0 2007.09.14 -
Sunbelt 2.2.907.0 2007.09.13 -
Symantec 10 2007.09.14 -
TheHacker 6.2.5.059 2007.09.14 -
VBA32 3.12.2.4 2007.09.14 -
VirusBuster 4.3.26:9 2007.09.14 -
Webwasher-Gateway 6.0.1 2007.09.14 -
Additional information
File size: 43737 bytes
MD5: 0225629de70615904f79d33de0893c34
SHA1: d1c1037660b3c0f506c74161775eb9d2c11b96b1

Britt
2007-09-14, 19:21
I did a new scan with Spybot S&D now and it didn't find anything. Does that mean that the problem's gone or can it be just a false positive?

Mr_JAk3
2007-09-15, 16:04
Hello :)

You're not clean yet.

Could you be a little more exact? Why can't you start the pc in safe mode?


Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Open "My Computer" and delete the following folders (if present):
C:\WINDOWS\system16
C:\Documents and Settings\BrittS\PROGRA~1\WNR
(Where "PROGRA~1" is a folder whose name begins with the letters PROGRA.)

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run a scan with Dr.Web CureIt:
Doubleclick the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

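The two steps above (making hidden and protected files visible, then checking for the system16 and WNR folders) can also be done from a script. The following PowerShell is an added example written for this thread, not something Mr_JAk3 or the Spybot forum posted. It assumes PowerShell is installed on the XP machine, that the DOCUME~1\BrittS\PROGRA~1 short path resolves to the profile's Application Data folder (%APPDATA%), and it only lists the folders' contents so the findings can be reviewed before anything is deleted.

```powershell
# Added example (not from the thread): toggle the Explorer view settings that the
# GUI steps change, and report whether the folders named in the ComboFix log and
# the removal instructions still exist.
# Assumptions: PowerShell is available on the machine, and
# C:\DOCUME~1\BrittS\PROGRA~1\WNR is the same folder as $env:APPDATA\WNR.

param(
    [switch]$HideAgain   # use -HideAgain to restore the default view once cleanup is done
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

if ($HideAgain) {
    # Defaults: Hidden=2 (hidden files not shown), ShowSuperHidden=0 (protected OS files hidden)
    Set-ItemProperty -Path $advanced -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord
} else {
    # "Show hidden files and folders"                     -> Hidden=1
    # "Hide protected operating system files" unchecked   -> ShowSuperHidden=1
    # "Display the contents of system folders" checked    -> WebViewBarricade=1
    Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name WebViewBarricade -Value 1 -Type DWord
}

# Folders named in the thread: system16 held svchost.exe and the hidden klog.dat,
# WNR\PSW held the proxy list files.
$suspect = @(
    (Join-Path $env:SystemRoot 'system16'),
    (Join-Path $env:APPDATA 'WNR')
)

foreach ($dir in $suspect) {
    if (Test-Path -LiteralPath $dir) {
        Write-Output "PRESENT: $dir"
        # -Force includes hidden/system entries (klog.dat had the --ah----- attributes in the log)
        Get-ChildItem -LiteralPath $dir -Recurse -Force |
            Select-Object FullName, Length, LastWriteTime, Attributes |
            Format-Table -AutoSize
    } else {
        Write-Output "absent:  $dir"
    }
}
```

Run it once without switches before deleting the folders, so the file list (names, sizes, timestamps) is on record, and again afterwards to confirm both paths report "absent". Run it with -HideAgain at the end to put the Explorer view back to its defaults, matching the last set of GUI steps in this thread. Explorer windows opened before the registry change keep the old view settings until they are reopened.
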
Britt
2007-09-16, 23:12
There's no problem starting my pc in safe mode. If you've meant for me to do that then I guess I've misunderstood you.

I found both "System16" and "WNR" and I deleted them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:39, on 16.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Nero 7\InCD\InCDsrv.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
E:\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\Crusty.exe
C:\Programfiler\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programfiler\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plusskurs.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programfiler\Fellesfiler\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programfiler\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DVD43] E:\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = E:\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Download all links using BitComet - res://E:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://E:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://E:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} (Navigram Control) - http://www.navigram.com/engine/v906/Navigram.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5014/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9843 bytes

Mr_JAk3
2007-09-17, 19:47
Hello :)

I mixed the safe mode issue with someone else, sorry.

Looks pretty good now. How is the pc running?

Britt
2007-09-17, 20:59
There's no problem here now. Do you think I'm all clean again? Thank you for helping me.:bighug:

Mr_JAk3
2007-09-18, 19:34
Hi again, yes - it is looking clean now :)

You can remove the tools we used.

Then you should update your Java to the latest version (6u2):
Start
Control Panel
Add/Remove Programs
Delete the old Java:
J2SE Runtime Environment 6.0

Download the latest version of Java Runtime Environment (JRE) 6u2 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)