Need help with Virtumonde problem!

Forre
2008-07-17, 23:53
I have a problem removing Virtumonde and virtumonde.dll. They keep coming back despite numerous attempts to remove them with spybot. What should I do? I have deactivated TeaTimer. Here is my HJT-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:17, on 2008-07-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Intel\Wireless\Bin\EvtEng.exe
C:\Program\Intel\Wireless\Bin\S24EvMon.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program\Avast4\aswUpdSv.exe
D:\Program\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program\Intel\Wireless\Bin\RegSrvc.exe
C:\Program\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
D:\Program\Avast4\ashMaiSv.exe
D:\Program\Avast4\ashWebSv.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\Logi_MwX.Exe
D:\Program\Avast4\ashDisp.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Live\Messenger\msnmsgr.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Logitech\KHAL\KHALMNPR.EXE
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
D:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\Program\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superstart.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.umu.se:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {1C2DA439-4680-4E85-A22D-EB2385FABF80} - C:\WINDOWS\system32\ssqRIBQi.dll
O2 - BHO: (no name) - {644DDE63-8742-4CA1-9BA8-F729F9AFAD53} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A151461E-7A7E-48EA-A37B-C8353AF15C98} - C:\Documents and Settings\LinaAnte\Lokala inställningar\Temporary Internet Files\Content.IE5\UC4EXV3L\3077ahntdksr[1].dll
O2 - BHO: {cd5c30ca-f8fb-2558-fa54-1994de380bcb} - {bcb083ed-4991-45af-8552-bf8fac03c5dc} - C:\WINDOWS\system32\qtpyod.dll
O2 - BHO: (no name) - {C9D15D55-629F-4F02-B45C-B7CA067E2A5D} - C:\WINDOWS\system32\urqNDVnn.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] D:\Program\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\uidfxhmk.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqRIBQi - C:\WINDOWS\SYSTEM32\ssqRIBQi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11279 bytes

pskelley
2008-07-20, 16:36
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. This can be a tough infection to remove so do not expect fast or easy.

(I know you said TeaTimer was disabled, check to be sure you followed these directions)
1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Forre
2008-07-20, 21:03
Wow, I can't even get ComboFix to work. Nothing happens when I double-click the program. The first time I tried, Spybot started and searched my system, but then nothing happens when I click it.

Any ideas?

Forre
2008-07-20, 21:13
I got it to run anyway! I'm guessing some program that was running blocked ComboFix from running in some way. It started when I was looking through all the programs that were running and closed a lot of them. It's running right now anyway. I'll post the log soon... Hopefully!

Forre
2008-07-20, 22:25
After two attempts with combofix I got the logfile. I see the warning concerning the recovery console, but my system says that it is up! Weird. Anyway, here's the log file:

ComboFix 08-07-19.1 - LinaAnte 2008-07-20 21:08:16.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.611 [GMT 2:00]
Running from: C:\Documents and Settings\LinaAnte\Skrivbord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\CMVxGfhk.ini
C:\WINDOWS\system32\CMVxGfhk.ini2
C:\WINDOWS\system32\dqiuplxg.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\dxbvyn.dll
C:\WINDOWS\system32\jducpsvo.dll
C:\WINDOWS\system32\khfGxVMC.dll
C:\WINDOWS\system32\mcsxao.dll
C:\WINDOWS\system32\mrtnviyy.dll
C:\WINDOWS\system32\nnVDNqru.ini
C:\WINDOWS\system32\nnVDNqru.ini2
C:\WINDOWS\system32\ooreujlm.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\pxaheeuu.dll
C:\WINDOWS\system32\sfxuloss.ini
C:\WINDOWS\system32\ssqRIBQi.dll
C:\WINDOWS\system32\ssvbnqid.dll
C:\WINDOWS\system32\uueehaxp.ini
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\xitrspau.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-17 22:00 . 2008-07-17 22:00 <KAT> d-------- C:\Program\Trend Micro
2008-07-15 22:39 . 2008-07-15 22:39 <KAT> d-------- C:\Program\Spybot - Search & Destroy
2008-07-15 22:39 . 2008-07-15 22:39 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 21:17 . 2008-07-15 21:17 <KAT> d-------- C:\Documents and Settings\Administratör\Application Data\Sony Ericsson
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-07-15 21:15 . 2003-04-10 16:04 <KAT> dr------- C:\Documents and Settings\Administratör\Mina dokument
2008-07-15 21:15 . 2003-04-10 16:04 <KAT> dr------- C:\Documents and Settings\Administratör\Mina dokument
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-07-15 21:15 . 2003-04-10 15:50 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-07-15 21:15 . 2003-04-10 16:04 <KAT> dr------- C:\Documents and Settings\Administratör\Favoriter
2008-07-15 21:15 . 2003-04-10 16:04 <KAT> dr------- C:\Documents and Settings\Administratör\Favoriter
2008-07-15 21:15 . 2003-04-12 05:44 <KAT> d-------- C:\Documents and Settings\Administratör\Application Data\ATI
2008-07-15 21:15 . 2008-07-15 21:15 <KAT> d-------- C:\Documents and Settings\Administratör
2008-07-14 20:45 . 2008-07-14 20:45 <KAT> d-------- C:\Program\Lavasoft
2008-07-14 20:45 . 2008-07-14 20:45 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 20:43 . 2008-07-14 20:44 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2008-07-13 20:46 . 2008-07-20 18:42 110,419 --a------ C:\WINDOWS\BM313e2b3d.xml
2008-07-13 20:14 . 2008-06-14 20:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-13 20:14 . 2008-06-14 20:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-06 10:29 . 2008-07-06 10:29 <KAT> d-------- C:\Program\CloneDVD
2008-07-06 10:29 . 2008-07-06 10:29 <KAT> d-------- C:\Documents and Settings\LinaAnte\Application Data\Vso
2008-07-06 10:29 . 2008-07-06 10:29 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\DVDXStudio
2008-07-06 10:29 . 2008-07-06 10:29 81,920 --a------ C:\Documents and Settings\LinaAnte\Application Data\ezpinst.exe
2008-07-06 10:29 . 2008-07-06 10:29 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-06 10:29 . 2008-07-06 10:29 47,360 --a------ C:\Documents and Settings\LinaAnte\Application Data\pcouffin.sys
2008-07-06 10:29 . 2008-07-06 10:29 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2008-07-04 16:57 . 2008-07-04 16:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-04 15:42 . 2008-07-04 15:42 <KAT> d--hs---- C:\FOUND.003
2008-06-28 11:43 . 2008-06-28 11:43 <KAT> d-------- C:\Documents and Settings\LinaAnte\Application Data\Agency9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 08:29 --------- d-----w C:\Documents and Settings\LinaAnte\Application Data\Vso
2008-06-04 20:32 --------- d-----w C:\Program\Intuwave
2008-06-04 20:32 --------- d-----w C:\Documents and Settings\LinaAnte\Application Data\Sony Ericsson
2008-06-04 20:31 --------- d-----w C:\Program\Symbian
2008-06-04 20:31 --------- d-----w C:\Program\Delade filer\Sony Ericsson Shared
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,289,728 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 20:22 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:44 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:44 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-20_20.24.52.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-20 19:04:28 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_514.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11 102491]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11 692315]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-02 15:42 151552]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30 69632]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 18:28 344064]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 11:58 3080192]
"LManager"="C:\Program\LAUNCH~1\QtZgAcer.EXE" [2005-12-06 17:11 458752]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39 225280]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"Sony Ericsson PC Suite"="D:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"QuickTime Task"="D:\Program\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"PC Suite for Smartphones"="C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-12-25 14:53 548864]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 28160 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Logitech SetPoint.lnk - C:\Program\Logitech\SetPoint\SetPoint.exe [2006-12-24 18:18:42 450560]
Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 110592]
Free WebSite Tools.lnk - D:\Program\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-04-02 12:41:20 372224]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2008-03-24 19:14:34 722728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"D:\\Program\\Miranda IM\\miranda32.exe"=
"D:\\Program\\DC++\\DCPlusPlus.exe"=
"D:\\Program\\VLC\\vlc.exe"=
"D:\\Spel\\Steam\\Steam.exe"=
"D:\\Spel\\Steam\\steamapps\\andreasforsell@telia.com\\counter-strike\\hl.exe"=
"D:\\Program\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"D:\\Program\\Winamp\\Winamp Remote\\bin\\Orb.exe"=
"D:\\Program\\Winamp\\Winamp Remote\\bin\\OrbTray.exe"=
"D:\\Program\\Winamp\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Program\\Skype\\Phone\\Skype.exe"=
"C:\\Program\\Bonjour\\mDNSResponder.exe"=
"D:\\Program\\Azureus\\Azureus.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"554:TCP"= 554:TCP:sf
"1755:TCP"= 1755:TCP:sf
"1755:UDP"= 1755:UDP:sf
"5004:UDP"= 5004:UDP:sf
"5005:UDP"= 5005:UDP:sf

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-11-30 20:45]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2008-01-15 10:44]
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys [2005-08-24 07:07]
S3 DCamUSBIntel;KONICA_MINOLTA DiMAGE PC camera driver;C:\WINDOWS\system32\DRIVERS\mltcap.sys [2003-02-10 23:56]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys []
S3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys [2005-12-06 17:50]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 16:49]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 16:50]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 16:50]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 16:50]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 16:50]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2008-01-15 10:44]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2008-01-15 10:44]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2008-01-15 10:44]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2008-01-15 10:44]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2008-01-15 10:44]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-20 18:37:50 C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_LAPPEN_LinaAnte.job"
- C:\WINDOWS\system32\mobsync.exeD /Schedule=
"2008-07-09 07:14:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{77D15665-4F35-4C0A-9F82-B71D624CD7DB} - C:\WINDOWS\system32\urqNDVnn.dll
HKCU-Run-Steam - (no file)
HKLM-Run-320d18a1 - C:\WINDOWS\system32\pxaheeuu.dll
HKLM-Run-BM313e2b3d - C:\WINDOWS\system32\odjugkeh.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 21:10:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-20 21:10:44
ComboFix-quarantined-files.txt 2008-07-20 19:10:42

Pre-Run: 4,217,700,352 byte ledigt
Post-Run: 4,196,892,672 byte ledigt

221 --- E O F --- 2008-07-15 19:40:31
And here is the fresh hijackthis-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:54, on 2008-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Intel\Wireless\Bin\EvtEng.exe
C:\Program\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
D:\Program\Avast4\aswUpdSv.exe
D:\Program\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program\Intel\Wireless\Bin\RegSrvc.exe
C:\Program\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Program\Avast4\ashMaiSv.exe
D:\Program\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superstart.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.umu.se:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10138 bytes
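
As an added example (not part of this thread and not HijackThis's own code), a small Python parser for the HJT log format shown above: it turns the R/O entries into records and flags the ones a helper reads first, namely Global Startup shortcuts HJT could not resolve (`= ?`), Winsock LSP files HJT does not recognise, and services listed with an unknown owner. The sample lines are constructed from entry types in the log above; the flag names and the `Entry` structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample in HijackThis v2.0.2 format; entry types mirror the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.umu.se:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - Global Startup: Free WebSite Tools.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program\Avast4\ashServ.exe
"""
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O4", "O23"
    body: str               # everything after "<section> - "
    target: Optional[str]   # path, URL or value the entry points at, when recoverable
    flags: List[str] = field(default_factory=list)  # review hints derived from the line alone

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())   # headers, process lists and blank lines give None
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    target, flags = None, []
    if section.startswith("R"):                    # R0/R1: "<key>,<name> = <value>"
        target = body.split(" = ", 1)[1] if " = " in body else None
    elif section == "O4" and body.startswith("Global Startup:"):  # "X.lnk = <resolved target>"
        target = body.split(" = ", 1)[1]
        if target == "?":                          # HJT could not resolve the shortcut
            flags.append("unresolved-shortcut-target")
    elif section == "O4":                          # Run key: "[name] <command line>"
        target = body.split("] ", 1)[1]
    elif section == "O10":                         # Winsock LSP: "<description>: <dll>"
        target = body.rsplit(": ", 1)[1]
        if body.startswith("Unknown file"):        # DLL not in HJT's known-LSP list
            flags.append("lsp-not-recognised")
    elif section in ("O2", "O9", "O23"):          # "<name> - <clsid|owner> - <path>"
        parts = body.split(" - ")
        target = parts[-1]
        if section == "O23" and len(parts) >= 3 and parts[-2] == "Unknown owner":
            flags.append("service-unknown-owner")
    return Entry(section, body, target, flags)

def flagged_entries(log_text: str) -> List[Entry]:
    # Entries a reviewer should inspect first: those carrying at least one flag.
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return [e for e in entries if e.flags]
```

A flag only marks an entry for a closer look; the unknown-owner CyberLink services and the NetWare LSP in the sample are legitimate Acer/Windows components, which is exactly why the flags are review hints rather than verdicts.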

pskelley
2008-07-20, 22:43
Thanks for returning your information, you said this:

I see the warning concerning the recovery console, but my system says that it is up!
I have used combofix many hundreds of times and have not known it to be wrong yet. You should see the Recovery Console during each startup. On my computer RC is at the top, let me know.

Let's do this now.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Please tell me how the computer is running now.

Thanks

Forre
2008-07-21, 00:18
Hehe, I believe you when you talk about that recovery console... I don't think I knew what it was. I don't have it actually. Anyway, here is the log file from Malwarebytes'...

Thank you very much so far, the computer seems much better already! Fantastic!


Malwarebytes' Anti-Malware 1.21
Databasversion: 971
Windows 5.1.2600 Service Pack 2

23:15:00 2008-07-20
mbam-log-7-20-2008 (23-15-00).txt

Skanningstyp: Fullständig skanning (C:\|D:\|)
Antal skannade objekt: 121540
Förfluten tid: 32 minute(s), 46 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 1
Infekterade mappar: 0
Infekterade filer: 10

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\System Volume Information\_restore{FFB70D71-0C9A-4C7D-9A72-DFDD2696FA57}\RP2\A0000124.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FFB70D71-0C9A-4C7D-9A72-DFDD2696FA57}\RP2\A0000125.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FFB70D71-0C9A-4C7D-9A72-DFDD2696FA57}\RP2\A0000128.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FFB70D71-0C9A-4C7D-9A72-DFDD2696FA57}\RP2\A0000129.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jducpsvo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\khfGxVMC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pxaheeuu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqRIBQi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM313e2b3d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM313e2b3d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

pskelley
2008-07-21, 00:33
OK, then here is the next step:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Gracias

Forre
2008-07-21, 00:37
Ok! I have the Windows CD nearby, so if I need it I will install it, but for now I don't really need it, right?

I'd rather continue the cleanup! Is it finished?

pskelley
2008-07-21, 00:59
That's right, if you have a Windows Operating System CD you do not need to install Recovery Console.

Remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run MBAM again to make sure we got it all, no need to post a clean scan.

How is the computer running?

Thanks

Forre
2008-07-21, 12:55
No malware found! The computer seems to be working just fine. A lot better than before.

The only weird thing is that my avast symbol seems to have disappeared, but the program seems to be running from what I can tell.

Thank you very much! I could never have done all that on my own!

pskelley
2008-07-21, 15:05
The only weird thing is that my avast symbol seems to have disappeared
That's strange...sometimes combofix stops them from running so it does not get blocked, but you should be back to normal now. Did you check in the Security Center to be sure all three items are green and go?
We are talking about the Avast icon in the System Tray...correct? It might return after a restart, let me know, I have the program on an old antique Compaq with Windows 98 and I will boot the computer and take a look if you need me to.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Forre
2008-07-21, 23:04
You're way too kind! I'll fix this on my own. I'll just reinstall avast. Think that will be the easiest way out. The logo disappeared when I tried combofix the first time, and that time it failed to create the log file. All the other symbols have returned, but not avast. I'll reinstall it.

Really, thanks a lot for all the help! I owe you! :)