Virtumonde (stubborn thing) + possible other infection



Cvoyager
2008-09-07, 17:52
I have, like everyone else (or so it would seem), got infected with Virtumonde.
I have run Spybot in safe mode and it works once and I can remove 7 or so faults. Then when I run it again it shows 2 new faults for virtumonde.dll, or my computer just reboots.
I've also tried running the F-Secure program for solving the problem, but it didn't work.
Spybot every now and then also comes up with an entry called doubleclick, so there is a possibility I have several infections I am not aware of or haven't noticed.
I no longer have any file-sharing programs installed; however, I can see in the HJT log that there are still several entries which could have arrived from them. If there are any remains left which I haven't cleared out, please let me know and I'll delete them.
Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:45:58, on 2008-09-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS.EXE
C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Xfire\xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BearShare] "C:\Documents and Settings\Johan\iso\bearshare\BearShare.exe" /pause
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\system32\dllcache\winlogon.exe
O4 - HKLM\..\Run: [88d27c01] rundll32.exe "C:\WINDOWS\system32\fartndri.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [{88D27CAE-07CF-1053-0625-04040508002e}] "C:\Program\Delade filer\{88D27CAE-07CF-1053-0625-04040508002e}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace2.goteborg.se/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: myaeid.dll
O21 - SSODL: printers - {914AC093-AC08-469E-B537-3A800A69A331} - libmsns.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 15493 bytes

ken545
2008-09-08, 12:03
Hello Cvoyager

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Read this about File Sharing

P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.




Do this first... Important

Disable the TeaTimer, and leave it disabled until we're done or it will prevent fixes from taking.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.

You're infected with quite a few things, let's start the cleaning.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Documents and Settings\Johan\iso\bearshare\BearShare.exe" /pause
O4 - HKLM\..\Run: [88d27c01] rundll32.exe "C:\WINDOWS\system32\fartndri.dll",b

O20 - AppInit_DLLs: myaeid.dll

O21 - SSODL: printers - {914AC093-AC08-469E-B537-3A800A69A331} - libmsns.dll (file missing)





This tool needs to be run from Safemode to be effective, so download it to your desktop, then boot to Safemode to run it.

To Enter Safemode

Go to Start > Shut off your Computer > Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down arrow keys to scroll up to Safemode,
then press the Enter key on your keyboard.

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
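
Added example for this thread, not code from the forum post, from HijackThis or from Spybot: a small Python triage pass over HijackThis-style log lines that encodes the kind of judgement ken545 applies to the log above (hosts overrides, a Run key with a random hex name, rundll32 loading a DLL from system32, a system-process name started from a non-standard folder, AppInit_DLLs, SSODL and orphaned hooks). The rule names and the SYSTEM_NAMES list are this example's own assumptions; the sample lines are copied from the log posted in this thread.

```python
"""Triage rules for HijackThis-style log lines.

Added example for this thread; not HijackThis or Spybot code. Rule names and
the SYSTEM_NAMES list are this example's own assumptions. The sample lines at
the bottom are copied from the log posted in the thread.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Binaries that malware likes to impersonate by name. Assumption of this example:
# an autorun entry for one of them is legitimate only when it lives in system32.
SYSTEM_NAMES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIR = r"c:\windows\system32"


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    rule: str     # short rule name, this example's own naming
    line: str     # the log line that triggered the rule


_LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# "HKLM\..\Run: [name] command ..." ("Startup: x.lnk = ..." entries have no [name])
_O4_RE = re.compile(r"^(?P<key>[^\[]*?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_HEX8_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def _first_path(cmd: str) -> str:
    """Executable or DLL path at the start of a Run command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _check_o4(body: str, line: str) -> list[Finding]:
    m = _O4_RE.match(body)
    if not m:
        return []
    key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
    found = []
    if _HEX8_RE.match(name):  # e.g. [88d27c01]: random key name, Virtumonde style
        found.append(Finding("O4", "random-hex-run-name", line))
    if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
        found.append(Finding("O4", "rundll32-dll-loader", line))
    directory, base = ntpath.split(_first_path(cmd).lower())
    if base in SYSTEM_NAMES and directory != SYSTEM_DIR:
        found.append(Finding("O4", "system-name-from-odd-path", line))
    if "policies\\explorer\\run" in key.lower():
        found.append(Finding("O4", "policies-run-key", line))
    return found


def triage(lines: list[str]) -> list[Finding]:
    """Run every rule over the given HijackThis log lines."""
    findings: list[Finding] = []
    for raw in lines:
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":  # any hosts-file entry in the log is a redirection to review
            findings.append(Finding(sec, "hosts-override", raw))
        elif sec == "O4":
            findings.extend(_check_o4(body, raw))
        elif sec == "O20" and body.split(":", 1)[-1].strip():
            findings.append(Finding(sec, "appinit-dll", raw))  # DLL injected into every GUI process
        elif sec == "O21":
            rule = "ssodl-file-missing" if "(file missing)" in body else "ssodl-entry"
            findings.append(Finding(sec, rule, raw))
        elif sec == "R3" and "(no file)" in body:
            findings.append(Finding(sec, "orphaned-urlsearchhook", raw))
    return findings


# Sample input, copied from the HijackThis log posted in this thread; two benign
# lines (jusched, ctfmon) are included so the rules can be seen leaving them alone.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)",
    r"O1 - Hosts: 205.238.40.1 winmx.com",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\system32\dllcache\winlogon.exe",
    r'O4 - HKLM\..\Run: [88d27c01] rundll32.exe "C:\WINDOWS\system32\fartndri.dll",b',
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Policies\Explorer\Run: [{88D27CAE-07CF-1053-0625-04040508002e}] "C:\Program\Delade filer\{88D27CAE-07CF-1053-0625-04040508002e}\Update.exe" mc-110-12-0000272',
    r"O20 - AppInit_DLLs: myaeid.dll",
    r"O21 - SSODL: printers - {914AC093-AC08-469E-B537-3A800A69A331} - libmsns.dll (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.rule:<28}{f.line}")
```

The rules flag entries for review rather than declare them malicious; a helper still checks each flagged path against the running-process list and the user's installed software.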

Cvoyager
2008-09-09, 16:54
Thanks for the help :)
I've done what you told me; however, after I had rebooted to safe mode and run the programs I couldn't get it back into standard mode. The boot process would just stop at the Windows screen and it never proceeded; it just looped the same screen over and over (the one with the Windows XP symbol and some blue dots moving to show it's booting up).
I tried to make a system restore but it didn't help. I gave up, and when I tried it today it booted up on the second try and finished running the program.
However, the first thing I got in Firefox was a pop-up window, so there are still things left...
If you have any tips on how to get the computer to boot up I'd appreciate them :)

Here are the logs:



SDFix: Version 1.222
Run by Johan on 2008-09-08 at 21:54

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CFAX32I.DLL - Deleted
C:\WINDOWS\SYSTEM32\CFAX32U.DLL - Deleted
C:\WINDOWS\SYSTEM32\DFEN32X.DLL - Deleted



Folder C:\Documents and Settings\Johan\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 15:35:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,aa,22,9b,b9,12,78,1b,36,8c,b5,ea,50,96,74,ae,1d,03,2a,7b,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e7,a8,db,a2,7b,69,a6,97,3c,0e,bc,78,c8,42,9c,09,86,fe,8a,cb,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d2,c4,39,f5,61,f2,f5,02,6c,9f,a9,56,06,db,99,cc,4f,9e,7c,83,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:5d,cd,94,61,cb,4e,60,e9,15,75,99,06,e5,67,47,f3,21,92,4d,c3,5e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,aa,22,9b,b9,12,78,1b,36,8c,b5,ea,50,96,74,ae,1d,03,2a,7b,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e7,a8,db,a2,7b,69,a6,97,3c,0e,bc,78,c8,42,9c,09,86,fe,8a,cb,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,aa,22,9b,b9,12,78,1b,36,8c,b5,ea,50,96,74,ae,1d,03,2a,7b,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e7,a8,db,a2,7b,69,a6,97,3c,0e,bc,78,c8,42,9c,09,86,fe,8a,cb,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:114b2cc2
"s1"=dword:2898735d
"s2"=dword:5c15f431
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,aa,22,9b,b9,12,78,1b,36,8c,b5,ea,50,96,74,ae,1d,03,2a,7b,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e7,a8,db,a2,7b,69,a6,97,3c,0e,bc,78,c8,42,9c,09,86,fe,8a,cb,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:a6,a4,c9,8b,b2,73,f9,b4,50,c1,4e,69,06,d6,62,f4,70,4d,e4,e0,36,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,35,d9,ae,f3,12,c6,98,aa,ed,cb,fa,39,13,0a,c9,16,cb,..
"khjeh"=hex:c7,0a,ce,49,1b,59,48,9a,75,24,11,46,c3,93,4e,48,fc,17,1a,8b,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,aa,22,9b,b9,12,78,1b,36,8c,b5,ea,50,96,74,ae,1d,03,2a,7b,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:e7,a8,db,a2,7b,69,a6,97,3c,0e,bc,78,c8,42,9c,09,86,fe,8a,cb,6d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:52,ab,50,54,ec,65,57,77,2b,32,24,a6,9a,27,73,3c,d9,70,28,1f,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a1,a8,59,80,e9,42,46,db,85,f4,a7,c8,d5,9b,30,1f,e9,5a,19,3e,8c,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{599C43AB-CAB4-978E-7C21-15714EA61E14}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{793189C5-83A4-18E7-8C70-AD4F4ECF7507}]
"iacedlpikplkikccnk"=hex:69,61,6f,6a,6c,65,68,66,67,65,70,63,62,66,6d,70,68,66,00,00
"haabfdaekeoicdgg"=hex:69,61,6f,6a,6c,65,68,66,67,65,70,63,62,66,6d,70,68,66,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Fjärrhjälp - Windows Messenger och tal"
"C:\\Documents and Settings\\Johan\\UTorrent\\utorrent.exe"="C:\\Documents and Settings\\Johan\\UTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\Spel\\Railroads\\RailRoads.exe"="C:\\Spel\\Railroads\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\\WINDOWS\\system32\\dllcache\\winlogon.exe"="C:\\WINDOWS\\system32\\dllcache\\winlogon.exe:*:Enabled:Windows Sharing"
"C:\\Program\\Grisoft\\AVG7\\avginet.exe"="C:\\Program\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program\\Messenger\\msmsgs.exe"="C:\\Program\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program\\Winamp Remote\\bin\\Orb.exe"="C:\\Program\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program\\FlashGet\\flashget.exe"="C:\\Program\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Documents and Settings\\Johan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Documents and Settings\\Johan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program\\uTorrent\\uTorrent.exe"="C:\\Program\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"="C:\\Program\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe:*:Enabled:Supreme Commander - Forged Alliance"
"C:\\Program\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="C:\\Program\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander - Forged Alliance"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 19 Jan 2007 3,871 ..SH. --- "C:\WINDOWS\system32\wvvwa.tmp"
Tue 13 Feb 2007 499,960 ..SH. --- "C:\WINDOWS\system32\wvvwa.bak2"
Tue 13 Feb 2007 500,156 ..SH. --- "C:\WINDOWS\system32\wvvwa.bak1"
Sun 13 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 28 May 2007 66,048 ...H. --- "C:\Documents and Settings\Björn\Mina dokument\~WRL0003.tmp"
Sun 27 Apr 2008 25,600 ...H. --- "C:\Documents and Settings\Björn\Mina dokument\~WRL0301.tmp"
Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Mon 2 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Sat 26 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 16 Apr 2003 346,602 ...HR --- "C:\Documents and Settings\Björn\Lokala inställningar\Temp\IEC1.tmp"
Tue 29 May 2007 22,016 ...H. --- "C:\Documents and Settings\Björn\Mina dokument\skola\~WRL0005.tmp"
Sat 5 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\68be7562a9b6afbc1c39f471a85ce0e9\BIT2.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e86f7f947cc9f2c261146c045cde1616\BIT102.tmp"
Sat 6 Sep 2008 444 ...HR --- "C:\Documents and Settings\Johan\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 13 Aug 2006 4,348 A..H. --- "C:\Documents and Settings\Johan\Mina dokument\Min musik\Säkerhetskopia för licens\drmv1key.bak"
Tue 1 May 2007 20 A..H. --- "C:\Documents and Settings\Johan\Mina dokument\Min musik\Säkerhetskopia för licens\drmv1lic.bak"
Sun 13 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Johan\Mina dokument\Min musik\Säkerhetskopia för licens\drmv2key.bak"

Finished!

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:57, on 2008-09-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [BM8be14f9d] Rundll32.exe "C:\WINDOWS\system32\sgljlmgx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace2.goteborg.se/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: vidiqf.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10161 bytes

ken545
2008-09-09, 19:56
Hello,

Your HJT log was in normal Windows so I am assuming you can boot up ok? Keep in mind that the vermin that write this garbage are not very nice people, their only purpose in life is to steal anything they can from you, personal info, passwords to your bank account and the list goes on, if they leave any damage in the process they could care less. SDBot is nasty and it looks like it's gone. You will find as we remove this garbage you will see your computer acting more normal.

Remove these with HJT.

O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\sgljlmgx.dll",s

O20 - AppInit_DLLs: vidiqf.dll
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
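As an added example (not part of ken545's post, and not code from HijackThis or Malwarebytes), here is a small Python checker that parses the O4 and O20 lines of an HJT log and flags the two kinds of entry called out above. The heuristics are assumptions for illustration only: an AppInit_DLLs entry naming any DLL, a Run entry that uses rundll32 to load an eight-letter DLL from system32, and a Run value whose name is a hex token rather than a product name. The sample lines are copied from the log posted in this thread.

```python
"""Flag HijackThis O4/O20 entries matching the Vundo-style persistence
patterns discussed in this thread. Example code; the flagging rules are
assumed heuristics, not rules from HijackThis or Malwarebytes."""
import re
from typing import Dict, List, Tuple

# Sample input: a handful of lines copied from the HJT log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM8be14f9d] Rundll32.exe "C:\WINDOWS\system32\sgljlmgx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: vidiqf.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
""".strip()

# O4 Run lines look like:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 lines look like:     O20 - AppInit_DLLs: a.dll b.dll
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
# rundll32 invocation; captures the DLL path up to a quote or comma.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+)',
                       re.IGNORECASE)
# Eight lowercase letters + .dll (assumed "random-looking" pattern).
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$', re.IGNORECASE)
# Run value names such as BM8be14f9d or 88d27c01 (assumed hex-token pattern).
HEX_NAME_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{8}$')


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the O4 Run and O20 AppInit_DLLs entries found in an HJT log.

    Other sections (O23 services, O4 Startup .lnk lines, ...) are skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "line": line, **m.groupdict()})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "line": line,
                            "dlls": m.group("dlls").strip()})
    return entries


def flag_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the assumed heuristics; return (log line, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e["section"] == "O20":
            # On XP, every DLL listed here is loaded into each process that
            # links user32.dll, so any value at all is worth a look.
            for dll in re.split(r"[ ,;]+", e["dlls"]):
                if dll:
                    findings.append((e["line"],
                                     f"AppInit_DLLs injects {dll} into every "
                                     "process that loads user32.dll"))
            continue
        reasons = []
        m = RUNDLL_RE.match(e["cmd"])
        if m:
            path = m.group("path")
            base = path.replace("/", "\\").rsplit("\\", 1)[-1]
            if RANDOM_DLL_RE.match(base) and "\\system32\\" in path.lower():
                reasons.append(f"rundll32 loads random-named {base} from system32")
        if HEX_NAME_RE.match(e["name"]):
            reasons.append(f"Run value name {e['name']!r} is a hex token, "
                           "not a product name")
        if reasons:
            findings.append((e["line"], "; ".join(reasons)))
    return findings


def scan(text: str) -> List[Tuple[str, str]]:
    """Parse an HJT log and return the flagged entries."""
    return flag_entries(parse_hjt(text))


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```

Run against the full log above it flags exactly the two entries ken545 asks to remove; everything else in the O4/O20 sections stays quiet.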

Cvoyager
2008-09-09, 20:41
My boot process still doesn't work as it should but I managed to get it into Windows now by disconnecting my external hard drive. I am not sure why disconnecting it has an effect but it does, do you think it could be because of malware being located on the external drive?

Here are the logs
Note that the MBAM log might look a bit strange, this has a simple reason. I had to translate the log since it came in Swedish (which is the language I speak), that's why some terms may look odd because technical terms in English are not what I do best. But hopefully you'll be able to understand it...

Malwarebytes' Anti-Malware 1.27
Databaseversion: 1132
Windows 5.1.2600 Service Pack 3

2008-09-09 19:09:46
mbam-log-2008-09-09 (19-09-46).txt

Type of scan: Quick scan
Antal skannade objekt: 64720
Time: 6 minute(s), 44 second(s)

Infected memory processes: 0
infected memory modules: 3
infected registry keys:14
infected registry values: 6
infected registry data posts: 2
infected folders: 2
infected files: 32

Infected memory processes:
(No infected processes were found)

Infected memory modules:
C:\WINDOWS\system32\cbXQhhhi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpimimvy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vidiqf.dll (Trojan.Vundo) -> Delete on reboot.

Infected registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a1d722d-d0ae-40ac-86bb-9a02d68ad31d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0a1d722d-d0ae-40ac-86bb-9a02d68ad31d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c962382-728c-4e04-b959-568bb234e16e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3c962382-728c-4e04-b959-568bb234e16e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\sin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f1eeddd-13c7-4ad3-821c-b116295d08d2} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ef40c36-293f-4749-8ea0-94fb3ad83fa1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infected registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88d27c01 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6667 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd3801 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga4499 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc8830 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm8be14f9d (Trojan.Agent) -> Delete on reboot.

Infected registry data posts:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxqhhhi -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxqhhhi -> Delete on reboot.

Infected folders:
C:\Prograrm\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program\Smart Antivirus 2009 (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.

Infected files:
C:\WINDOWS\system32\vidiqf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cbXQhhhi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ihhhQXbc.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ihhhQXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bljusuak.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kausujlb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpimimvy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yvmimipc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fartndri.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\irdntraf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qkrbelwn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nwlebrkq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sgljlmgx.dll_old (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dnncaqkc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gianrj(2).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtgmunpf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\myaeid.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rnaavxla.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skrdkjeg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wkqdfb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hqjlrmuo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lkoawnrn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jcfjicdo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtsllj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xyhtfmvx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\wmcodec_update.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program\Smart Antivirus 2009\vscan.tsi (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drvhis.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mit.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8be14f9d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8be14f9d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:40, on 2008-09-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\FRAPS\FRAPS.EXE
C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Xfire\xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {084909EF-8D68-4D37-8B39-300ADADADC24} - (no file)
O2 - BHO: (no name) - {0E2166D6-02C1-4210-883C-28B42FF0977D} - (no file)
O2 - BHO: (no name) - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68A39F7E-45EE-4E7C-AECB-7A8DD4F1BC70} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {de27ed1d-eaa2-4c11-957c-a358d42a227e} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace2.goteborg.se/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awvvw - C:\WINDOWS\
O20 - Winlogon Notify: opnnnml - opnnnml.dll (file missing)
O20 - Winlogon Notify: tuvSlKdA - C:\WINDOWS\
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 11139 bytes

ken545
2008-09-09, 20:50
You're doing fine, boot up and then connect your external drive.

Remove these with HJT.

O2 - BHO: (no name) - {084909EF-8D68-4D37-8B39-300ADADADC24} - (no file)
O2 - BHO: (no name) - {0E2166D6-02C1-4210-883C-28B42FF0977D} - (no file)
O2 - BHO: (no name) - {68A39F7E-45EE-4E7C-AECB-7A8DD4F1BC70} - (no file)
O2 - BHO: (no name) - {de27ed1d-eaa2-4c11-957c-a358d42a227e} - (no file)

O20 - Winlogon Notify: awvvw - C:\WINDOWS\
O20 - Winlogon Notify: opnnnml - opnnnml.dll (file missing)
O20 - Winlogon Notify: tuvSlKdA - C:\WINDOWS\

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards, before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Cvoyager
2008-09-09, 21:29
Here we are:)

ComboFix 08-09-05.12 - Johan 2008-09-09 20:04:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.943 [GMT 2:00]
Running from: C:\Documents and Settings\Johan\Skrivbord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Johan\Application Data\inst.exe
C:\Documents and Settings\Karin\aria.txt
C:\Program\Delade filer\{38D27~1
C:\Program\Delade filer\{38D27~1\MyToolBar.dll
C:\Program\Delade filer\{38D27~1\Uninst.exe
C:\Program\Delade filer\{88D27~1
C:\Program\Delade filer\{88D27~1\services.dll
C:\update.exe
C:\WINDOWS\system32\qrfjrumi.ini
C:\WINDOWS\system32\qvcoeccm.ini
C:\WINDOWS\system32\rhffqvqs.ini
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\wvvwa.tmp
I:\Autorun.inf
C:\Documents and Settings\Björn\aria.txt . . . . failed to delete
C:\Documents and Settings\Björn\Cookies\björn@2o7[2].txt . . . . failed to delete
C:\Documents and Settings\Björn\Cookies\björn@cmt.us.playstation[1].txt . . . . failed to delete
C:\Documents and Settings\Gäst\Lokala inställningar\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.

2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\Malwarebytes
2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 19:01 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 19:01 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 18:24 . 2008-09-09 18:24 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\dvdcss
2008-09-08 21:54 . 2008-09-08 21:54 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-08 21:44 . 2008-09-08 21:44 <KAT> d-------- C:\WINDOWS\ERUNT
2008-09-08 21:44 . 2008-09-09 15:44 <KAT> d-------- C:\SDFix
2008-09-07 19:54 . 2008-09-08 21:32 <KAT> d-------- C:\Program\7-Zip
2008-09-06 16:14 . 2008-09-06 16:16 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\SPORE
2008-09-06 12:16 . 2008-09-09 18:46 149 --a------ C:\WINDOWS\wininit.ini
2008-09-05 18:30 . 2008-09-05 18:30 <KAT> d-------- C:\Program\Trend Micro
2008-09-05 18:30 . 2008-09-05 18:30 <KAT> d-------- C:\Program\Stardock Games
2008-09-05 15:50 . 2008-09-05 15:54 15,872 --a------ C:\StarCodec_ver1.5897.0.exe
2008-09-05 15:48 . 2008-09-05 15:49 73,728 --a------ C:\MediaTube_ver1.1573.0.exe
2008-09-02 18:33 . 2008-04-14 21:34 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-02 18:33 . 2008-04-14 21:34 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-09-02 18:33 . 2008-04-14 21:33 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-09-02 18:33 . 2008-04-14 21:11 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
2008-09-02 18:33 . 2008-04-14 21:11 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-09-02 18:33 . 2008-04-14 21:34 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-09-02 18:33 . 2008-04-14 21:34 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-09-02 18:20 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-09-02 18:20 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-09-02 18:18 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005609_.tmp
2008-09-02 18:04 . 2008-09-02 18:05 <KAT> d-------- C:\WINDOWS\system32\NtmsData
2008-09-01 19:12 . 2008-09-01 20:36 <KAT> d-------- C:\Program\Silkroad
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-27 22:39 . 2008-08-27 22:39 <KAT> d-------- C:\Documents and Settings\Karin\Application Data\ATI
2008-08-27 22:38 . 2008-08-27 22:38 <KAT> d-------- C:\Documents and Settings\Karin\Application Data\PC Suite
2008-08-27 18:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-24 20:54 . 2008-08-24 20:54 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\vlc
2008-08-24 20:50 . 2008-08-24 20:50 <KAT> d-------- C:\Program\VideoLAN
2008-08-19 21:52 . 2008-08-19 21:52 <KAT> d-------- C:\WINDOWS\system32\Plugins
2008-08-15 21:42 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 21:41 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-11 18:46 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-08-11 18:46 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-08-11 18:46 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-08-11 18:46 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-08-11 18:46 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-08-11 18:46 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 18:19 --------- d-----w C:\Documents and Settings\Johan\Application Data\Xfire
2008-09-09 17:56 --------- d-----w C:\Program\Symantec
2008-09-09 17:56 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-09-09 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-08 19:32 --------- d-----w C:\Program\Winamp
2008-09-07 19:50 --------- d-----w C:\Documents and Settings\Johan\Application Data\Skype
2008-09-07 19:15 --------- d-----w C:\Documents and Settings\Johan\Application Data\Winamp
2008-09-07 17:30 --------- d-----w C:\Documents and Settings\Johan\Application Data\skypePM
2008-09-07 14:42 --------- d-----w C:\Program\uTorrent
2008-09-07 14:41 --------- d-----w C:\Documents and Settings\Johan\Application Data\uTorrent
2008-09-07 06:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 13:44 --------- d-----w C:\Program\Electronic Arts
2008-09-06 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 09:50 --------- d-----w C:\Program\Spybot - Search & Destroy
2008-09-06 09:44 --------- d--h--w C:\Program\InstallShield Installation Information
2008-09-05 12:54 --------- d-----w C:\Program\Xfire
2008-09-05 12:48 4,701,809 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-09-03 18:33 --------- d-----w C:\Documents and Settings\Johan\Application Data\teamspeak2
2008-09-02 16:54 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd4989.sys
2008-09-01 13:54 --------- d-----w C:\Program\MSN Messenger
2008-09-01 13:54 --------- d-----w C:\Program\Messenger Plus! Live
2008-08-29 21:20 --------- d-----w C:\Program\The Seal Hunter
2008-08-29 20:43 139,600 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-27 16:06 --------- d-----w C:\Program\Java
2008-08-24 18:54 --------- d-----w C:\Documents and Settings\Johan\Application Data\vlc
2008-08-11 16:37 --------- d-----w C:\Program\LucasArts
2008-08-10 14:58 --------- d-----w C:\Program\EA GAMES
2008-07-30 11:31 --------- d--h--r C:\Documents and Settings\Johan\Application Data\SecuROM
2008-07-30 11:25 --------- d-----w C:\Program\Delade filer\Adobe
2008-07-30 11:24 --------- d-----w C:\Documents and Settings\Johan\Application Data\AdobeUM
2008-07-30 11:19 --------- d-----w C:\Documents and Settings\Johan\Application Data\Media Center Programs
2008-07-30 11:05 --------- d-----w C:\Program\THQ
2008-07-30 11:03 --------- d-----w C:\Documents and Settings\Johan\Application Data\InstallShield Installation Information
2008-07-26 20:38 --------- d-----w C:\Program\Skype
2008-07-26 20:38 --------- d-----w C:\Program\Delade filer\Skype
2008-07-26 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-26 15:14 --------- d-----w C:\Program\Firaxis Games
2008-07-23 08:53 --------- d-----w C:\Program\Delade filer\PocketSoft
2008-07-23 08:49 --------- d-----w C:\Program\Atari
2008-07-13 13:13 --------- d-----w C:\Program\MainConcept
2007-07-08 18:21 47,360 ----a-w C:\Documents and Settings\Johan\Application Data\pcouffin.sys
2007-05-11 20:21 417,792 ----a-w C:\Documents and Settings\Johan\GL4JavbJauGljJNI14.dll
2007-03-31 20:46 81,920 ----a-w C:\Documents and Settings\Johan\Application Data\ezpinst.exe
2006-08-29 15:01 604 ---ha-w C:\Program\STLL Notifier
2007-12-10 16:40 6,275,816 ----a-w C:\Program\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2006-06-18 2838528]
"CTSyncU.exe"="C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"mount.exe"="C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 339968]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 221184]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-07-04 579584]
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PCSuiteTrayApplication"="C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"MMTray"="MMTray.exe" [2001-11-09 C:\WINDOWS\system32\MMTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="C:\Program\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]
"Nokia.PCSync"="C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

C:\Documents and Settings\Johan\Start-meny\Program\Autostart\
WinMySQLadmin.lnk - C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe [2007-12-21 936448]
Xfire.lnk - C:\Program\Xfire\xfire.exe [2008-08-27 3068752]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= C:\Program\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\Program\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.mjpg"= mcmjpg32.dll
"vidc.dmb1"= m3jpeg32.dll
"msacm.dvacm"= C:\Program\DELADE~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\Program\DELADE~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\Program\DELADE~1\ULEADS~1\MPEG\mpegacm.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Spel\\Railroads\\RailRoads.exe"=
"C:\\Program\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\Johan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"C:\\Program\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-09-22 262144]
R2 Apache2.2;Apache2.2;C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe [2007-12-21 17920]
S0 hbnjebso;hbnjebso;C:\WINDOWS\system32\drivers\mogshr.sys [ ]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 39424]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 28800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab56a2-3db7-11db-a71b-00115b33add5}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab56a3-3db7-11db-a71b-00115b33add5}]
\Shell\AutoRun\command - F:\autorun.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\zv0r8om6.default\
FF -: plugin - C:\Program\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 20:18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet011\Services\MySql]
"ImagePath"="C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet011\Services\MySql]
"ImagePath"="C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-09-09 20:26:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-09 18:26:28

Pre-Run: 115,921,235,968 byte ledigt
Post-Run: 116,837,515,264 byte ledigt

250

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:45, on 2008-09-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\FRAPS\FRAPS.EXE
C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Windows Live\Messenger\usnsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace2.goteborg.se/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9035 bytes

ken545
2008-09-10, 00:29
Let's install the Recovery Console; it may come in handy one day if you have Windows issues and your computer won't start.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Windows XP SP2 <-- This will work

Download the file & save it as it's originally named, next to ComboFix.exe.

http://i24.photobucket.com/albums/c30/ken545/RC1-4.gif

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Cvoyager
2008-09-10, 15:56
I think this didn't work as it should, because ComboFix started running as usual and I went away to do some stuff, and when I got back it had rebooted, so I signed in and then it finished a scan and posted a log, but I don't think it's the one you wanted. It says nothing about the Recovery Console not being installed though. I've scanned my hard drive but haven't been able to find any file called CF_RC.txt, so I am not sure what to do. I'm posting up the log I got though (called log.txt), but I don't think it was the one you were looking for, was it?

ComboFix 08-09-05.14 - Johan 2008-09-10 14:29:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.836 [GMT 2:00]
Running from: C:\Documents and Settings\Johan\Skrivbord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Björn\aria.txt . . . . failed to delete
C:\Documents and Settings\Björn\Cookies\björn@2o7[2].txt . . . . failed to delete
C:\Documents and Settings\Björn\Cookies\björn@cmt.us.playstation[1].txt . . . . failed to delete
C:\Documents and Settings\Gäst\Lokala inställningar\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Svante\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Karin\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Johan\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Gäst
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Gõst\Lokala inställningar
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Gõst\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Björn
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Bj÷rn\Lokala inställningar
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Bj÷rn\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Anders\Lokala inställningar
2008-09-09 20:26 . 2008-09-09 20:26 <KAT> d-------- C:\Documents and Settings\Administratör
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2008-09-09 20:26 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\Malwarebytes
2008-09-09 19:01 . 2008-09-09 19:01 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 19:01 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 19:01 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-09 18:24 . 2008-09-09 18:24 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\dvdcss
2008-09-08 21:54 . 2008-09-08 21:54 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-08 21:44 . 2008-09-08 21:44 <KAT> d-------- C:\WINDOWS\ERUNT
2008-09-08 21:44 . 2008-09-09 15:44 <KAT> d-------- C:\SDFix
2008-09-07 19:54 . 2008-09-08 21:32 <KAT> d-------- C:\Program\7-Zip
2008-09-06 16:14 . 2008-09-06 16:16 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\SPORE
2008-09-06 12:16 . 2008-09-09 18:46 149 --a------ C:\WINDOWS\wininit.ini
2008-09-05 18:30 . 2008-09-05 18:30 <KAT> d-------- C:\Program\Trend Micro
2008-09-05 18:30 . 2008-09-05 18:30 <KAT> d-------- C:\Program\Stardock Games
2008-09-05 15:50 . 2008-09-05 15:54 15,872 --a------ C:\StarCodec_ver1.5897.0.exe
2008-09-05 15:48 . 2008-09-05 15:49 73,728 --a------ C:\MediaTube_ver1.1573.0.exe
2008-09-02 18:33 . 2008-04-14 21:34 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-02 18:33 . 2008-04-14 21:34 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-09-02 18:33 . 2008-04-14 21:33 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-09-02 18:33 . 2008-04-14 21:11 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
2008-09-02 18:33 . 2008-04-14 21:11 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-09-02 18:33 . 2008-04-14 21:34 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-09-02 18:33 . 2008-04-14 21:34 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-09-02 18:20 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-09-02 18:20 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-09-02 18:18 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005609_.tmp
2008-09-02 18:04 . 2008-09-02 18:05 <KAT> d-------- C:\WINDOWS\system32\NtmsData
2008-09-01 19:12 . 2008-09-01 20:36 <KAT> d-------- C:\Program\Silkroad
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-27 22:39 . 2008-08-27 22:39 <KAT> d-------- C:\Documents and Settings\Karin\Application Data\ATI
2008-08-27 22:38 . 2008-08-27 22:38 <KAT> d-------- C:\Documents and Settings\Karin\Application Data\PC Suite
2008-08-27 18:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-24 20:54 . 2008-08-24 20:54 <KAT> d-------- C:\Documents and Settings\Johan\Application Data\vlc
2008-08-24 20:50 . 2008-08-24 20:50 <KAT> d-------- C:\Program\VideoLAN
2008-08-19 21:52 . 2008-08-19 21:52 <KAT> d-------- C:\WINDOWS\system32\Plugins
2008-08-15 21:42 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 21:41 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-11 18:46 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-08-11 18:46 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-08-11 18:46 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-08-11 18:46 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-08-11 18:46 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-08-11 18:46 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 19:41 --------- d-----w C:\Program\Winamp
2008-09-09 18:19 --------- d-----w C:\Documents and Settings\Johan\Application Data\Xfire
2008-09-09 17:56 --------- d-----w C:\Program\Symantec
2008-09-09 17:56 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-09-09 17:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-07 19:50 --------- d-----w C:\Documents and Settings\Johan\Application Data\Skype
2008-09-07 19:15 --------- d-----w C:\Documents and Settings\Johan\Application Data\Winamp
2008-09-07 17:30 --------- d-----w C:\Documents and Settings\Johan\Application Data\skypePM
2008-09-07 14:42 --------- d-----w C:\Program\uTorrent
2008-09-07 14:41 --------- d-----w C:\Documents and Settings\Johan\Application Data\uTorrent
2008-09-07 06:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-09-06 13:57 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-06 13:44 --------- d-----w C:\Program\Electronic Arts
2008-09-06 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 09:50 --------- d-----w C:\Program\Spybot - Search & Destroy
2008-09-06 09:44 --------- d--h--w C:\Program\InstallShield Installation Information
2008-09-05 12:54 --------- d-----w C:\Program\Xfire
2008-09-05 12:48 4,701,809 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-09-03 18:33 --------- d-----w C:\Documents and Settings\Johan\Application Data\teamspeak2
2008-09-02 16:54 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd4989.sys
2008-09-01 13:54 --------- d-----w C:\Program\MSN Messenger
2008-09-01 13:54 --------- d-----w C:\Program\Messenger Plus! Live
2008-08-29 21:20 --------- d-----w C:\Program\The Seal Hunter
2008-08-29 20:43 139,600 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-29 20:28 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-08-27 16:06 --------- d-----w C:\Program\Java
2008-08-24 18:54 --------- d-----w C:\Documents and Settings\Johan\Application Data\vlc
2008-08-11 16:37 --------- d-----w C:\Program\LucasArts
2008-08-10 14:58 --------- d-----w C:\Program\EA GAMES
2008-08-05 13:44 122,880 ----a-w C:\WINDOWS\system32\UAService7.exe
2008-07-30 11:31 --------- d--h--r C:\Documents and Settings\Johan\Application Data\SecuROM
2008-07-30 11:25 --------- d-----w C:\Program\Delade filer\Adobe
2008-07-30 11:24 --------- d-----w C:\Documents and Settings\Johan\Application Data\AdobeUM
2008-07-30 11:19 --------- d-----w C:\Documents and Settings\Johan\Application Data\Media Center Programs
2008-07-30 11:05 --------- d-----w C:\Program\THQ
2008-07-30 11:03 --------- d-----w C:\Documents and Settings\Johan\Application Data\InstallShield Installation Information
2008-07-26 20:38 --------- d-----w C:\Program\Skype
2008-07-26 20:38 --------- d-----w C:\Program\Delade filer\Skype
2008-07-26 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-26 15:14 --------- d-----w C:\Program\Firaxis Games
2008-07-23 08:53 --------- d-----w C:\Program\Delade filer\PocketSoft
2008-07-23 08:49 --------- d-----w C:\Program\Atari
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-13 13:13 --------- d-----w C:\Program\MainConcept
2008-07-07 20:29 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:49 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2007-07-08 18:21 47,360 ----a-w C:\Documents and Settings\Johan\Application Data\pcouffin.sys
2007-05-11 20:21 417,792 ----a-w C:\Documents and Settings\Johan\GL4JavbJauGljJNI14.dll
2007-03-31 20:46 81,920 ----a-w C:\Documents and Settings\Johan\Application Data\ezpinst.exe
2006-08-29 15:01 604 ---ha-w C:\Program\STLL Notifier
2007-12-10 16:40 6,275,816 ----a-w C:\Program\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2006-06-18 2838528]
"CTSyncU.exe"="C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"mount.exe"="C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 339968]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 221184]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-07-04 579584]
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PCSuiteTrayApplication"="C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"MMTray"="MMTray.exe" [2001-11-09 C:\WINDOWS\system32\MMTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="C:\Program\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]
"Nokia.PCSync"="C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

C:\Documents and Settings\Johan\Start-meny\Program\Autostart\
WinMySQLadmin.lnk - C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe [2007-12-21 936448]
Xfire.lnk - C:\Program\Xfire\xfire.exe [2008-08-27 3068752]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.WMV3"= C:\Program\COMBIN~1\Filters\wmv9vcm.dll
"vidc.ffds"= C:\Program\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.mjpg"= mcmjpg32.dll
"vidc.dmb1"= m3jpeg32.dll
"msacm.dvacm"= C:\Program\DELADE~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\Program\DELADE~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\Program\DELADE~1\ULEADS~1\MPEG\mpegacm.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"C:\\Spel\\Railroads\\RailRoads.exe"=
"C:\\Program\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\Johan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"C:\\Program\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-09-22 262144]
R2 Apache2.2;Apache2.2;C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe [2007-12-21 17920]
S0 hbnjebso;hbnjebso;C:\WINDOWS\system32\drivers\mogshr.sys [ ]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 39424]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 28800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab56a2-3db7-11db-a71b-00115b33add5}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab56a3-3db7-11db-a71b-00115b33add5}]
\Shell\AutoRun\command - F:\autorun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\zv0r8om6.default\
FF -: plugin - C:\Program\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 14:36:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet011\Services\MySql]
"ImagePath"="C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet011\Services\MySql]
"ImagePath"="C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-09-10 14:45:25 - machine was rebooted [Johan]
ComboFix-quarantined-files.txt 2008-09-10 12:45:19
ComboFix2.txt 2008-09-09 18:26:34

Pre-Run: 119,673,839,616 byte ledigt
Post-Run: 119,650,983,936 byte ledigt

264

ken545
2008-09-10, 19:43
It looks like it took. Post a new HJT log and let me know how things are running now.

Cvoyager
2008-09-10, 23:27
Things are running much more smoothly now :) I don't receive any alerts or pop-ups anymore, and the net seems to run quicker now too :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:29, on 2008-09-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\Johan\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\UAService7.exe
C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\MMTray.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\FRAPS\FRAPS.EXE
C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Xfire\xfire.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StartCCC] "C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\Documents and Settings\Johan\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace2.goteborg.se/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Documents and Settings\Johan\xampp\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: MySql - Unknown owner - C:/Documents and Settings/Johan/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9113 bytes
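A small parser for the HijackThis line format shown above, added here as an example (it is not part of the thread and not HijackThis's own code): it flags entries whose target file no longer exists, which is what the "(no file)" and "(file missing)" markers mean, and Run entries that name a bare executable instead of a full path. The sample lines are copied from the log above.

```python
import re

# Sample lines copied from the HijackThis 2.0.2 log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")  # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into entries; non-entry lines (process list,
    headers) are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            # HijackThis appends these markers when the referenced file is absent:
            # a registration left behind after the file itself was removed.
            "orphan": body.endswith("(no file)") or body.endswith("(file missing)"),
            "unnamed": "(no name)" in body,
        })
    return entries

def orphaned_entries(text):
    return [e for e in parse_hjt(text) if e["orphan"]]

def unnamed_bhos(text):
    """O2 BHO entries with no name: worth a closer look, since legitimate
    helpers normally register a display name."""
    return [e for e in parse_hjt(text) if e["section"] == "O2" and e["unnamed"]]

def bare_run_entries(text):
    """O4 Run entries whose command has no drive letter, so the log alone
    cannot tell which file on the PATH actually starts."""
    out = []
    for e in parse_hjt(text):
        m = RUN_RE.search(e["body"]) if e["section"] == "O4" else None
        if m and not re.match(r"[A-Za-z]:[\\/]", m.group("cmd").lstrip('"')):
            out.append(f"[{m.group('name')}] {m.group('cmd')}")
    return out
```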

ken545
2008-09-11, 00:36
Looking Good

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <-- Is not a general cleaning tool; only run it with supervision or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.




When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.




How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

Cvoyager
2008-09-11, 00:40
Great! A thousand thanks for your help Ken:)
I am not sure how you work at this forum, but I would be interested to learn more about spyware and how my computer works in detail. I know a bit of how it works, but if you have tips on where I can learn more I'd appreciate it:) That way I might even be able to help others some day.

ken545
2008-09-11, 00:55
Hi,

You're very welcome. Infected computers are really getting out of hand, and we are always looking for good people who want to help out; there are a few ways to go. There are other forums, but these are the major two, and you can sign up for the classroom for free.

My profile, to give you an idea of what we do and stand for:

https://mvp.support.microsoft.com/profile=44B84057-25EC-41E5-BB23-DA3B787FA002


You can join one of these classrooms
http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html

Not sure who to contact on this one
http://www.malwareremoval.com/

Been a pleasure,
Take Care,
Ken:)

ken545
2008-09-17, 03:09
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.