PDA

View Full Version : Virtumonde `Help´



CarlRetired
2008-09-21, 20:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:14, on 2008-09-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [583f28ab] rundll32.exe "C:\WINDOWS\system32\cfkmcvjm.dll",b
O4 - HKLM\..\Run: [BM5b0c1b37] Rundll32.exe "C:\WINDOWS\system32\hnkqpwwp.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191006126188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205956139445
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: pxolcc.dll ttydrt.dll ceqzkr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe

--
End of file - 5086 bytes

__RiP_ChAiN_
2008-09-22, 17:45
Hello CarlRetired,

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

CarlRetired
2008-09-22, 18:55
Malwarebytes' Anti-Malware 1.28
Database version: 1192
Windows 5.1.2600 Service Pack 2

2008-09-22 17:47:57
mbam-log-2008-09-22 (17-47-57).txt

Scan type: Quick Scan
Objects scanned: 45672
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 19
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bcvdfopc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMfedAS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\accnuwiv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rtjqab.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c09e196-8d62-4aa2-b596-001747eaae95} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3c09e196-8d62-4aa2-b596-001747eaae95} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90089c69-2aa6-419d-b09e-083fd80f9af6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90089c69-2aa6-419d-b09e-083fd80f9af6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{006854fc-0793-4733-a799-6aa378818a5d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{006854fc-0793-4733-a799-6aa378818a5d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00820334-ae1b-40a2-963b-3ebe83070a73} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00820334-ae1b-40a2-963b-3ebe83070a73} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243dab17-c5d1-40b1-9aa3-270a1c673d8a} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{243dab17-c5d1-40b1-9aa3-270a1c673d8a} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\583f28ab (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm5b0c1b37 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomfedas -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfedas -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMfedAS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\SAdefMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SAdefMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtjqab.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bcvdfopc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cpofdvcb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kiqagtfh.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\PMQCFC9R\silent.dll[1].bak (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\accnuwiv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aklyag.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ceqzkr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kafmksqs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\biqemiuy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpbumrhj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oklbdg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pcsuffrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdxppolr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jiizyd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kpnvceyv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhtsivkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mycsvsme.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5b0c1b37.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5b0c1b37.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

__RiP_ChAiN_
2008-09-22, 21:29
Hello CarlRetired,

We'll continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

CarlRetired
2008-09-24, 10:09
ComboFix 08-09-22.06 - Administratör 2008-09-24 9:00:48.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.269 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gyioqxog.ini
C:\WINDOWS\system32\mjvcmkfc.ini
C:\WINDOWS\system32\wqyhmgdi.ini
C:\WINDOWS\system32\ydmriniq.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.

2008-09-24 08:58 . 2008-09-24 08:52 4,617,448 --a------ C:\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
2008-09-24 08:58 . 2008-09-24 08:56 2,856,103 -ra------ C:\ComboFix.exe
2008-09-22 17:23 . 2008-09-22 17:23 <KAT> d-------- C:\Documents and Settings\Administratör\Application Data\Malwarebytes
2008-09-22 17:22 . 2008-09-22 17:23 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-09-22 17:22 . 2008-09-22 17:22 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 17:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-22 17:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 20:38 . 2008-09-20 20:38 97,280 --a------ C:\WINDOWS\system32\hnkqpwwp.dll
2008-09-17 11:16 . 18,688 C:\WINDOWS\system32\drivers\dhhknaab.dat
2008-09-17 11:16 . 5,120 C:\WINDOWS\system32\drivers\szuacxlc.dat
2008-09-14 15:32 . 2008-09-15 19:16 <KAT> d-------- C:\Program\Trend Micro
2008-09-13 21:45 . 2008-09-13 21:45 93 --a------ C:\WINDOWS\wininit.ini
2008-09-13 18:58 . 2008-09-14 15:27 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-13 00:43 . 2008-09-13 00:43 112,640 --a------ C:\WINDOWS\system32\wlikbslg.dll
2008-09-13 00:43 . 2008-09-13 00:43 112,640 --a------ C:\WINDOWS\system32\ctwfgb.dll
2008-09-12 22:00 . 2008-09-12 22:00 112,640 --a------ C:\WINDOWS\system32\pxolcc.dll
2008-09-12 22:00 . 2008-09-12 22:00 112,640 --a------ C:\WINDOWS\system32\pbjingvx.dll
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala instõllningar
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala instõllningar
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala instõllningar
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\Documents and Settings\Administrat÷r\Lokala instõllningar
2008-09-12 21:42 . 2008-09-12 21:42 <KAT> d-------- C:\Documents and Settings\Administrat÷r
2008-09-12 20:46 . 2008-09-12 20:46 112,640 --a------ C:\WINDOWS\system32\mvzzly.dll
2008-09-12 20:46 . 2008-09-12 20:46 112,640 --a------ C:\WINDOWS\system32\mwqhucvp.dll
2008-09-12 12:55 . 2008-09-12 12:55 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-09-10 19:17 . 2008-09-10 19:17 <KAT> d-------- C:\Documents and Settings\Administratör\.jmf
2008-09-10 19:17 . 2008-09-10 19:17 <KAT> d-------- C:\Documents and Settings\Administratör\.jmf
2008-09-05 20:47 . 2008-09-05 20:49 44,032 --a------ C:\What is Colloidal Silver.doc
2008-08-29 21:32 . 2008-08-29 22:01 <KAT> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-26 16:13 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-08-26 16:13 . 2003-02-25 14:30 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2008-08-26 16:13 . 2003-05-24 00:06 11,392 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2008-08-26 16:13 . 2002-10-24 01:07 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2008-08-25 19:57 . 2008-08-25 19:57 <KAT> d-------- C:\Program\Bonjour
2008-08-25 19:48 . 2008-08-25 19:48 <KAT> d-------- C:\Program\Delade filer\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 18:46 112,640 ----a-w C:\WINDOWS\system32\mvzzly.dll
2008-09-10 17:00 --------- d-----w C:\Program\Opera
2008-09-05 18:39 --------- d-----w C:\Documents and Settings\Administratör\Application Data\AdobeUM
2008-09-03 17:53 --------- d-----w C:\Documents and Settings\Administratör\Application Data\LimeWire
2008-08-27 16:23 94,088 -c--a-w C:\Documents and Settings\Administratör\Application Data\GDIPFONTCACHEV1.DAT
2008-08-25 17:57 --------- d-----w C:\Program\Delade filer\Adobe
2008-08-23 13:57 44,544 ------w C:\WINDOWS\AWuninstall.exe
2008-08-22 15:05 --------- d-----w C:\Program\Microsoft Silverlight
2008-08-22 12:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-08-22 12:11 --------- d-----w C:\Program\TechSmith
2008-08-22 12:11 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-08-22 12:03 --------- d-----w C:\Program\Delade filer\Adobe Systems Shared
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:25 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-17_19.42.08.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 19:24:28 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-20 20:57:23 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-16 19:24:28 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-20 20:57:23 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 19:24:28 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\index.dat
+ 2008-09-20 20:57:23 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{243DAB17-C5D1-40B1-9AA3-270A1C673D8A}]
C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\PMQCFC9R\silent.dll[1].bak [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="C:\Program\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-12-14 524288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Administrat”r\Start-meny\Program\Autostart\
Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2006-06-17 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pxolcc.dll ttydrt.dll rtjqab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\BitTorrent\\bittorrent.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\Bonjour\\mDNSResponder.exe"=
"C:\\Program\\LimeWire\\LimeWire.exe"=
"C:\\Program\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R0 lvaitqlh;lvaitqlh;C:\WINDOWS\system32\drivers\dhhknaab.dat [ ]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-07-08 33920]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e913292-fe6c-11dc-a1d3-00c09f127c5d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc48981-af58-11dc-be12-00c09f127c5d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administratör\Application Data\Mozilla\Firefox\Profiles\3mpidh08.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.se/
FF -: plugin - C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\np_prsnl.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 09:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\lvaitqlh]
"ImagePath"="system32\drivers\dhhknaab.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pxolcc.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\pxolcc.dll
.
Completion time: 2008-09-24 9:05:10
ComboFix-quarantined-files.txt 2008-09-24 07:04:49
ComboFix2.txt 2008-09-17 17:43:12
ComboFix3.txt 2008-09-13 22:05:19

Pre-Run: 1*688*899*584 byte ledigt
Post-Run: 1,654,984,704 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

176 --- E O F --- 2008-09-09 20:06:57

CarlRetired
2008-09-24, 10:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:30:46, on 2008-09-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {243DAB17-C5D1-40B1-9AA3-270A1C673D8A} - C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\PMQCFC9R\silent.dll[1].bak (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191006126188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205956139445
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: pxolcc.dll ttydrt.dll rtjqab.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe

--
End of file - 5594 bytes

__RiP_ChAiN_
2008-09-24, 20:09
Hello CarlRetired,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Driver::
lvaitqlh
File::
C:\WINDOWS\system32\hnkqpwwp.dll
C:\WINDOWS\system32\drivers\dhhknaab.dat
C:\WINDOWS\system32\drivers\szuacxlc.dat
C:\WINDOWS\system32\wlikbslg.dll
C:\WINDOWS\system32\ctwfgb.dll
C:\WINDOWS\system32\pxolcc.dll
C:\WINDOWS\system32\pbjingvx.dll
C:\WINDOWS\system32\mvzzly.dll
C:\WINDOWS\system32\mwqhucvp.dll
C:\WINDOWS\system32\mvzzly.dll
Folder::
C:\Documents and Settings\Administratör\Application Data\LimeWire
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{243DAB17-C5D1-40B1-9AA3-270A1C673D8A}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CarlRetired
2008-09-24, 22:23
ComboFix 08-09-24.01 - Administratör 2008-09-24 21:08:31.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.218 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ctwfgb.dll
C:\WINDOWS\system32\drivers\dhhknaab.dat
C:\WINDOWS\system32\drivers\szuacxlc.dat
C:\WINDOWS\system32\hnkqpwwp.dll
C:\WINDOWS\system32\mwqhucvp.dll
C:\WINDOWS\system32\mvzzly.dll
C:\WINDOWS\system32\pbjingvx.dll
C:\WINDOWS\system32\pxolcc.dll
C:\WINDOWS\system32\wlikbslg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctwfgb.dll
C:\WINDOWS\system32\drivers\dhhknaab.dat
C:\WINDOWS\system32\drivers\szuacxlc.dat
C:\WINDOWS\system32\hnkqpwwp.dll
C:\WINDOWS\system32\mwqhucvp.dll
C:\WINDOWS\system32\mvzzly.dll
C:\WINDOWS\system32\pbjingvx.dll
C:\WINDOWS\system32\pxolcc.dll
C:\WINDOWS\system32\wlikbslg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LVAITQLH
-------\Service_lvaitqlh


((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.

2008-09-24 08:58 . 2008-09-24 08:52 4,617,448 --a------ C:\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
2008-09-24 08:58 . 2008-09-24 21:07 2,856,452 -ra------ C:\ComboFix.exe
2008-09-22 17:22 . 2008-09-22 17:23 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-09-22 17:22 . 2008-09-22 17:22 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-22 17:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-22 17:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-14 15:32 . 2008-09-15 19:16 <KAT> d-------- C:\Program\Trend Micro
2008-09-13 21:45 . 2008-09-13 21:45 93 --a------ C:\WINDOWS\wininit.ini
2008-09-13 18:58 . 2008-09-14 15:27 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala inställningar
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala inställningar
2008-09-12 21:42 . 2008-09-17 19:43 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala inställningar
2008-09-12 21:42 . 2008-09-12 21:42 <KAT> d-------- C:\Documents and Settings\Administratör
2008-09-12 21:42 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2008-09-12 21:42 . <KAT> C:\Documents and Settings\Administrat÷r\Lokala inställningar
2008-09-12 12:55 . 2008-09-12 12:55 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-09-05 20:47 . 2008-09-05 20:49 44,032 --a------ C:\What is Colloidal Silver.doc
2008-08-29 21:32 . 2008-08-29 22:01 <KAT> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-26 16:13 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-08-26 16:13 . 2003-02-25 14:30 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2008-08-26 16:13 . 2003-05-24 00:06 11,392 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2008-08-26 16:13 . 2002-10-24 01:07 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2008-08-25 19:57 . 2008-08-25 19:57 <KAT> d-------- C:\Program\Bonjour
2008-08-25 19:48 . 2008-08-25 19:48 <KAT> d-------- C:\Program\Delade filer\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 17:00 --------- d-----w C:\Program\Opera
2008-08-25 17:57 --------- d-----w C:\Program\Delade filer\Adobe
2008-08-23 13:57 44,544 ------w C:\WINDOWS\AWuninstall.exe
2008-08-22 15:05 --------- d-----w C:\Program\Microsoft Silverlight
2008-08-22 12:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-08-22 12:11 --------- d-----w C:\Program\TechSmith
2008-08-22 12:11 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-08-22 12:03 --------- d-----w C:\Program\Delade filer\Adobe Systems Shared
.

((((((((((((((((((((((((((((( snapshot@2008-09-17_19.42.08.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 19:24:28 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-24 18:53:33 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-16 19:24:28 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-24 18:53:33 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 19:24:28 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\index.dat
+ 2008-09-24 18:53:33 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="C:\Program\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-12-09 225280]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-12-14 524288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2006-06-17 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\Bonjour\\mDNSResponder.exe"=
"C:\\Program\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-07-08 33920]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e913292-fe6c-11dc-a1d3-00c09f127c5d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc48981-af58-11dc-be12-00c09f127c5d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 21:12:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program\Delade filer\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-24 21:16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 19:16:40
ComboFix2.txt 2008-09-24 07:05:12
ComboFix3.txt 2008-09-17 17:43:12
ComboFix4.txt 2008-09-13 22:05:19

Pre-Run: 1*691*975*680 byte ledigt
Post-Run: 1,676,881,920 byte ledigt

144 --- E O F --- 2008-09-09 20:06:57

__RiP_ChAiN_
2008-09-25, 11:06
Hello CarlRetired,

Please run the F-Secure (http://support.f-secure.com/enu/home/ols.shtml) Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here (http://support.f-secure.com/enu/home/ols.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

CarlRetired
2008-09-27, 02:38
Scanning Report
Friday, September 26, 2008 19:05:27 - 01:35:16
Computer name: CW
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 8 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adform (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
W32/Packed/FSG_1.C (virus)
D:\P R O G Z\PHOTOSHOP\PLUGINS\FLAMINGGEARGITTERATO-V1.1\SCOTCH\KEYGEN.EXE (Submitted)
W32/Packed/FSG_2.A (virus)
D:\P R O G Z\PHOTOSHOP\PLUGINS\BUTTON STUDIO\KEYGEN.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 103845
System: 3902
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 8
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ADMINISTRAT�R\LOKALA INST�LLNINGAR\TEMP\~ROMFN_00000204
D:\P R O G Z\ADOBE DREAMVEAVER CS3\DREAMWEAVER CS3.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-09-26
F-Secure AVP: 7.0.171, 2008-09-26
F-Secure Pegasus: 1.20.0, 2008-08-09
F-Secure Blacklight: 2.2.1092
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

__RiP_ChAiN_
2008-09-28, 23:02
Hello CarlRetired,

Please post back with a new HijackThis log, and an update on how your computer is running.

CarlRetired
2008-10-02, 03:23
The computer seems to be okey ~ Thank you very much´

--------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:50:45, on 2008-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\Personal\bin\Personal.exe
C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Google\Chrome\Application\chrome.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191006126188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205956139445
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program\delade filer\logitech\lvmvfm\LVPrcSrv.exe

--
End of file - 5990 bytes

__RiP_ChAiN_
2008-10-02, 13:44
Hello CarlRetired,

Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png



When shown the disclaimer, Select "2"


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

CarlRetired
2008-10-04, 16:20
Thank you for all your recommendations which I followed and yes the computer runs fine today, again Thank you very much../CarlRetired

__RiP_ChAiN_
2008-10-05, 22:05
I'm glad to hear it. I wish you the best of luck in the future.

__RiP_ChAiN_
2008-10-12, 06:26
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.