PDA

View Full Version : Need help to clean and protect my mothers compyter



Joshen
2008-03-21, 12:13
Hello.
I need some help here.

My mother have had a computer for tree years with unprotected connection to the internet from time to time using a 56k modem. :sad:

This have resulted in a non updated windows/ java.
I will try to get the newest java and all other protections programs from a friend. And then update windows, how long time it now takes (any suggestions how i can do this faster?, is it possible to download the fixes on a other computer and install them here)

I need help to clean the computer from all crap.
It seams that i cant install Antivir because it stops the viruses (a lot of warnings) and then i cant connect to the net.
So i need help to get rid of the problems first so i can protect it after that.

I have attached the logfile from HJT but i cant connect and get information from KAV. (any suggestions)

I only have a couple of days to fix this so i hope we can get this eliminated untill a have to go home again.


Logfile of HijackThis v1.99.1
Scan saved at 09:27:51, on 2008-03-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ägaren\Skrivbord\jakt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSN] "C:\WINDOWS\System32\msn.exe" /INITSERVICE
O4 - HKLM\..\Run: [csvhost.exe] c:\windows\system32\csvhost.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{252D1E2A-5C73-4C99-83D5-A129693A5242}: NameServer = 195.67.199.18 195.67.199.19
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Shaba
2008-03-22, 12:30
Hi Joshen

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Joshen
2008-03-22, 14:30
For now it would be good if we can get rid of the trojans.

I have downloaded Avira Antivir and will install it to stop more crap from coming in.

For now there is nothing critical information on this computer, no banking or so. This comuter is only connected to the internet to check information from time to time, or to get her to use email more.

I will try to reinstall this computer in this summer and install all required protection.

/Johan

Shaba
2008-03-22, 14:35
Hi

Ok, we'll start with these:

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
Please download LSPFix from here (http://www.cexx.org/LSPFix.exe).
Run the LSPFix.exe that you have just finished downloading.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of rsvp32_2.dll.
Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Joshen
2008-03-22, 19:10
Youre response was faster than i expected. :bigthumb:
But no i have performed the actions anyway.
Logfiles below

//Johan


SDFix: Version 1.159

Run by Žgaren on 2008-03-22 at 17:54

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\WINDOWS\system32\2pac.txt - Deleted
C:\WINDOWS\system32\adv.txt - Deleted
C:\WINDOWS\system32\csvhost.exe - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\hook.dll - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\mousecrm.exe - Deleted
C:\WINDOWS\system32\msn.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 17:58:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"c:\\windows\\obo.exe"="c:\\windows\\obo.exe:*:Enabled:obo"
"c:\\windows\\system32\\csvhost.exe"="c:\\windows\\system32\\csvhost.exe:*:Enabled:csvhost"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 3 Aug 2005 196 A.SHR --- "C:\BOOT.BAK"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Žgaren\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



Logfile of HijackThis v1.99.1
Scan saved at 18:02:57, on 2008-03-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ägaren\Skrivbord\jakt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206088591515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206088543562
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Shaba
2008-03-22, 19:14
Hi

Looks much better :bigthumb:

Try now to install AntiVir and let me know how it went.

Post back a fresh HijackThis log anyway.

Joshen
2008-03-22, 21:37
Im updating Antivir at the moment but i have already recived a couple of Trojan warnings

(i also got a popup responce that some software wanted to connect to internet and i had done nothing, so it seems wierd)

RSVP32_2.dll TR/Cimus.A.2
C:\SystemVolumeInformation\...\A0034394.dll TR/Zapchast.CM
I placed them on Quarantine at the moment, dident know exacly what to do
(so my internet connection dont get damaged again)

Here are my New log file also (i havent scanned the computer yet)

/Johan

Logfile of HijackThis v1.99.1
Scan saved at 20:25:40, on 2008-03-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ägaren\Skrivbord\jakt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206088591515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206088543562
O17 - HKLM\System\CCS\Services\Tcpip\..\{252D1E2A-5C73-4C99-83D5-A129693A5242}: NameServer = 195.67.199.18 195.67.199.19
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Joshen
2008-03-22, 23:05
Ok now its scanned.
And dam did we find crap
/J

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 21:55:35, on 2008-03-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ägaren\Skrivbord\jakt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206088591515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206088543562
O17 - HKLM\System\CCS\Services\Tcpip\..\{252D1E2A-5C73-4C99-83D5-A129693A5242}: NameServer = 195.67.199.18 195.67.199.19
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

53 Notes

Joshen
2008-03-22, 23:07
Avira log


AntiVir PersonalEdition Classic
Report file date: den 22 mars 2008 20:52

Scanning for 1161960 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: BURKEN

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 14:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 2008-03-07 19:52:01
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 2008-03-21 19:52:01
ANTIVIR3.VDF : 7.0.3.64 16384 Bytes 2008-03-22 19:52:01
AVEWIN32.DLL : 7.6.0.75 3334656 Bytes 2008-03-22 19:52:03
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2008-03-22 19:52:04
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: den 22 mars 2008 20:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'CTDVDDET.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'cthelper.exe' - '1' Module(s) have been scanned
Scan process 'SchSvr.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '40' files ).

Joshen
2008-03-22, 23:08
Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\5JHC5S7L\e9xr[1].chm
[0] Archive type: CHM
--> /launch.html
[DETECTION] Is the Trojan horse TR/Expl.ADODB.Stream.1030
[INFO] The file was moved to '485d6403.qua'!
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\e9ex[1].dat
[DETECTION] Is the Trojan horse TR/Dldr.Small.jc
[INFO] The file was moved to '484a6416.qua'!
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\index[1].htm
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '48496451.qua'!
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\tbd1[1].htm
[DETECTION] Contains detection pattern of the Java script virus JS/ObjCode.B
[INFO] The file was moved to '4849644c.qua'!
C:\Documents and Settings\Administratör.BURKEN\Lokala inställningar\Temporary Internet Files\Content.IE5\5JHC5S7L\e9xr[1].chm
[0] Archive type: CHM
--> /launch.html
[DETECTION] Is the Trojan horse TR/Expl.ADODB.Stream.1030
[INFO] The file was moved to '485d6436.qua'!
C:\Documents and Settings\Administratör.BURKEN\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\e9ex[1].dat
[DETECTION] Is the Trojan horse TR/Dldr.Small.jc
[INFO] The file was moved to '484a643c.qua'!
C:\Documents and Settings\Administratör.BURKEN\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\index[1].htm
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '48496474.qua'!
C:\Documents and Settings\Administratör.BURKEN\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\tbd1[1].htm
[DETECTION] Contains detection pattern of the Java script virus JS/ObjCode.B
[INFO] The file was moved to '4849646f.qua'!
C:\Documents and Settings\Administratör.BURKEN.000\Lokala inställningar\Temporary Internet Files\Content.IE5\5JHC5S7L\e9xr[1].chm
[0] Archive type: CHM
--> /launch.html
[DETECTION] Is the Trojan horse TR/Expl.ADODB.Stream.1030
[INFO] The file was moved to '485d6455.qua'!
C:\Documents and Settings\Administratör.BURKEN.000\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\e9ex[1].dat
[DETECTION] Is the Trojan horse TR/Dldr.Small.jc
[INFO] The file was moved to '484a645c.qua'!
C:\Documents and Settings\Administratör.BURKEN.000\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\index[1].htm
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '484964a6.qua'!
C:\Documents and Settings\Administratör.BURKEN.000\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\tbd1[1].htm
[DETECTION] Contains detection pattern of the Java script virus JS/ObjCode.B
[INFO] The file was moved to '4849649c.qua'!
C:\Documents and Settings\Default User\Lokala inställningar\Temporary Internet Files\Content.IE5\5JHC5S7L\e9xr[1].chm
[0] Archive type: CHM
--> /launch.html
[DETECTION] Is the Trojan horse TR/Expl.ADODB.Stream.1030
[INFO] The file was moved to '485d6490.qua'!
C:\Documents and Settings\Default User\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\e9ex[1].dat
[DETECTION] Is the Trojan horse TR/Dldr.Small.jc
[INFO] The file was moved to '484a6496.qua'!
C:\Documents and Settings\Default User\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\index[1].htm
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '484964cc.qua'!
C:\Documents and Settings\Default User\Lokala inställningar\Temporary Internet Files\Content.IE5\T386P2RJ\tbd1[1].htm
[DETECTION] Contains detection pattern of the Java script virus JS/ObjCode.B
[INFO] The file was moved to '484964c2.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\0VWR450V\popup[1].php
[0] Archive type: GZ
--> popup[1]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '48556538.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\8XGZ01E9\index[2].php
[DETECTION] Contains detection pattern of the Java script virus JS/Dldr.Agent.BX
[INFO] The file was moved to '48496545.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\8XGZ01E9\popup[1].php
[0] Archive type: GZ
--> popup[1]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '4855654a.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\GBIPQ34T\exefile[1].jpg
[DETECTION] Is the Trojan horse TR/Dldr.Small.cwq.15
[INFO] The file was moved to '484a655f.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\GBIPQ34T\popup[1].php
[0] Archive type: GZ
--> popup[1]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '4855655a.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\GBIPQ34T\popup[2].php
[0] Archive type: GZ
--> popup[2]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '4855655b.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\GBIPQ34T\popup[3].php
[0] Archive type: GZ
--> popup[3]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '49264efc.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\UPW3SHO7\popup[1].htm
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '48556569.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\UPW3SHO7\popup[1].php
[0] Archive type: GZ
--> popup[1]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '4855656a.qua'!
C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\UPW3SHO7\popup[2].php
[0] Archive type: GZ
--> popup[2]
[DETECTION] Contains detection pattern of the exploits EXP/Agent.B
[INFO] The file was moved to '49264ecb.qua'!
C:\Johan\Fun CD\Kul 2\Prog mm\terror\crazy_ncs.exe
[DETECTION] Is the Trojan horse TR/Delf.DK.2
[INFO] The file was moved to '4846671b.qua'!
C:\RECYCLER\S-1-5-21-2885024849-3345150975-3579236153-1003\Dc130.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.edb.67
[INFO] The file was moved to '48166b20.qua'!
C:\SDFix\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/csvhost.exe
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
--> backups/hook.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
--> backups/mousecrm.exe
[DETECTION] Contains detection pattern of the worm WORM/SdBot.8655
--> backups/msn.exe
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48486e27.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP54\A0031507.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec3.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP54\A0031521.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575cc.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP54\A0031527.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec5.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP54\A0031534.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec4.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP54\A0031544.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575cd.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP55\A0031557.exe
[DETECTION] Contains detection pattern of the worm WORM/Sasser.E
[INFO] The file was moved to '496575ce.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP55\A0031563.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec7.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP55\A0032563.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec6.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032590.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c0.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032596.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec8.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032602.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c1.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032608.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156eca.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032614.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c3.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032620.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ec9.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032626.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c2.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032632.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ecb.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032641.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ecc.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032650.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c5.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032656.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ece.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032667.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c4.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032676.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ecd.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032685.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c6.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032694.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ecf.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP56\A0032703.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575c7.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP57\A0032870.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ed0.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP57\A0032878.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ed1.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP58\A0032892.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ed2.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP59\A0032895.exe
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ed3.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP59\A0033874.exe
[DETECTION] Contains detection pattern of the worm WORM/SdBot.8655
[INFO] The file was moved to '496575dc.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP59\A0033875.exe
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
[INFO] The file was moved to '48156ed5.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP59\A0033876.dll
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
[INFO] The file was moved to '496575de.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP62\A0034313.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156ee8.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP63\A0034345.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '48156eea.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP63\A0034360.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575e3.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034401.exe
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
[INFO] The file was moved to '48156eed.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034402.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575e6.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034403.exe
[DETECTION] Contains detection pattern of the worm WORM/SdBot.8655
[INFO] The file was moved to '48156eef.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034404.exe
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575f8.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034408.exe
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
[INFO] The file was moved to '48156eee.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034409.dll
[DETECTION] Is the Trojan horse TR/Zapchast.CM
[INFO] The file was moved to '496575e7.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP65\A0034411.exe
[DETECTION] Contains detection pattern of the worm WORM/SdBot.8655
[INFO] The file was moved to '48156ee0.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP66\A0034499.exe
[DETECTION] Is the Trojan horse TR/Delf.DK.2
[INFO] The file was moved to '48156ef2.qua'!
C:\System Volume Information\_restore{EB1D0C0D-F7BA-4195-8159-43E5B59C354A}\RP66\A0034500.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.edb.67
[INFO] The file was moved to '48156ef3.qua'!
C:\WINDOWS\obo.exe
[DETECTION] Is the Trojan horse TR/Cimuz.A.2
[INFO] The file was moved to '48546f33.qua'!
C:\WINDOWS\xqk.exe
[DETECTION] Is the Trojan horse TR/Delf.YZ.6
[INFO] The file was moved to '48506f44.qua'!
Begin scan in 'D:\' <PRESARIO_RP>


End of the scan: den 22 mars 2008 21:54
Used time: 1:01:13 min

The scan has been done completely.

5673 Scanning directories
520088 Files were scanned
75 viruses and/or unwanted programs were found
4 Files were classified as suspicious:
0 files were deleted
0 files were repaired
76 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
520013 Files not concerned
18894 Archives were scanned
2 Warnings

Shaba
2008-03-23, 12:21
Hi

Not so bad as it might look.

Most of them are in quarantines or system restore.

Open HijackThis, click do a system scan only and checkmark this:

O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Savethe file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

Joshen
2008-03-23, 21:52
Hello there.
Missed that we moved to a page two (this is not my day)
Ok, the problem i have is that i cant sem to able to access the online scanner. The page is not found, it might be some setting here but i cant find the problem

Joshen
2008-03-23, 21:54
We have explorer 6 here, Windows with service pack 1, and if i understood it correct i need service pack 2 to update to explorer 7

Joshen
2008-03-23, 22:31
It seams that i cant connect to kaspersky.com, kaspersky.se works fine but not .com

Joshen
2008-03-23, 22:39
I will have to leave tomorrow morning, but i will check if you have any ideas first.

In any case the computer seams mutch better, so thanks a lot for all the help. I will save this information for later so i can continue the next time im here.

The information i can give now is a new HJT log.
The best thing for my mother is that the trojans arent trying to connect to the internet any more.

I will check in tomorrow...


Logfile of HijackThis v1.99.1
Scan saved at 21:35:28, on 2008-03-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ägaren\Skrivbord\jakt\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206088591515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206088543562
O17 - HKLM\System\CCS\Services\Tcpip\..\{252D1E2A-5C73-4C99-83D5-A129693A5242}: NameServer = 195.67.199.18 195.67.199.19
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Shaba
2008-03-24, 12:15
Hi

Do this then instead:

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

And also fix these with HijackThis:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)

Joshen
2008-03-24, 21:21
Thanks for all support. :present:
Sadly i have returned home now. But i will save all the conversation we have had and all files until my next visit.
The situation anyway is mutch better than before.
:bow:

I will continue this work when i return in the beginning of the summer. Probably with the help of someone of you. ;)

Until next time, Thanks, or if you prefer Kiitos

//Johan

Shaba
2008-03-25, 15:21
Hi

Then I give you some tips for the future, there might be still viruses left:

Please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Shaba
2008-03-27, 12:11
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.