Can't remove Win32.Rootkit.Podnuha



keigo
2009-04-16, 21:08
Hello!

I'm having trouble with a malicious rootkit that I can't seem to remove. It was Ad-Aware that initially discovered the malicious file; however, removing it hasn't been a success.


Help would very much be appreciated!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:39, on 2009-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Google\Update\GoogleUpdate.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\CDBurnerXP\NMSAccessU.exe
C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yones\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe
C:\Program\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program\DC++\DCPlusPlus.exe
C:\Program\VLC media player\vlc.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: (no name) - {22ED5426-F8A1-4280-B972-6F5D1B6DAD3D} - C:\WINDOWS\system32\asferro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E71F5184-35A9-3C29-99D1-B72C4506A596} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [H2O] C:\Program\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Antispyware] C:\Program\Antispyware\Antispyware.exe -boot
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF984 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9891dd0fbf580) (gupdate1c9891dd0fbf580) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 11224 bytes

pskelley
2009-04-17, 22:29
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions, there are no excuses for not following the directions, let's start like this:

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.


2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

keigo
2009-04-18, 12:19
Thank you so much for your help! Here are the following logs that you wanted. In the combofix log, I noticed that some of it wasn't in English, so I translated a little bit. Hope that can help.

Combofix:

ComboFix 09-04-18.05 - Yones 2009-04-18 10:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.46.1053.18.2047.1561 [GMT 2:00]
Running from: c:\documents and settings\Yones\Skrivbord\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Yones\Application Data\Adobe\crc.dat
c:\documents and settings\Yones\Application Data\inst.exe
c:\documents and settings\Yones\Yones.exe
c:\windows\system\msvbvm60.dll
c:\windows\wiaserviv.log
C:\xcrashdump.dat

----- BITS: Possibly infected sites -----

hxxp://www.funkypornovideo.net
.
(((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 ))))))))))))))))))))))))))))))
.

2009-04-17 16:21 . 2009-04-17 16:21 -------- d-----w c:\documents and settings\LocalService\Start-meny
2009-04-17 16:21 . 2008-06-06 10:15 38208 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-04-17 16:21 . 2008-06-06 10:15 33088 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-04-17 16:21 . 2008-06-06 10:15 12608 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-04-17 16:21 . 2008-06-06 10:15 51520 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-04-17 16:20 . 2009-04-17 16:20 -------- d-----w c:\windows\system32\xircom
2009-04-17 16:01 . 2008-12-11 06:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-17 16:00 . 2009-03-06 14:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-17 16:00 . 2008-12-18 10:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-17 16:00 . 2008-12-10 10:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-17 16:00 . 2009-04-17 16:21 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 16:00 . 2009-04-17 16:00 -------- d-----w c:\documents and settings\Yones\Application Data\PC Tools
2009-04-16 22:16 . 2002-12-28 23:14 81920 ----a-w c:\windows\system32\Startup.cpl
2009-04-16 22:14 . 2009-04-16 22:14 -------- d-----w c:\documents and settings\Administratör\Lokala inställningar\Application Data\kyoku-senbi
2009-04-16 22:14 . 2009-04-16 22:14 -------- d-----w c:\documents and settings\Administratör\Application Data\kyoku-senbi
2009-04-16 22:11 . 2009-04-16 22:11 -------- d-----w c:\documents and settings\Administratör\Application Data\Malwarebytes
2009-04-16 15:18 . 2009-04-16 15:18 -------- d-----w c:\documents and settings\Yones\Application Data\Antispyware
2009-04-06 16:15 . 2009-04-18 08:27 -------- d-----w c:\documents and settings\Yones\Application Data\Skype
2009-04-06 16:14 . 2009-04-06 16:14 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-06 15:37 . 2009-04-17 20:04 -------- d-----w c:\documents and settings\Yones\Tracing
2009-04-04 11:05 . 2009-04-04 11:07 -------- d-----w c:\documents and settings\Yones\Application Data\TrueCrypt
2009-04-04 11:04 . 2009-04-04 11:04 215872 ----a-w c:\windows\system32\drivers\truecrypt.sys
2009-03-25 18:21 . 2005-05-11 01:54 258352 ----a-w c:\windows\system32\unicows.dll
2009-03-25 17:10 . 2009-03-25 17:11 -------- d-----w c:\documents and settings\Yones\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 08:35 . 2007-12-27 22:37 -------- d-----w c:\program\DC++
2009-04-18 08:19 . 2009-03-13 08:06 83998 ----a-w c:\windows\system32\perfc041.dat
2009-04-18 08:19 . 2009-03-13 08:06 429310 ----a-w c:\windows\system32\perfh041.dat
2009-04-18 08:19 . 2001-09-28 14:00 84520 ----a-w c:\windows\system32\perfc01D.dat
2009-04-18 08:19 . 2001-09-28 14:00 430168 ----a-w c:\windows\system32\perfh01D.dat
2009-04-18 08:14 . 2008-06-29 07:33 15612 ----a-w c:\windows\system32\tablet.dat
2009-04-18 08:14 . 2009-02-14 09:06 27552 ----a-w C:\aaw7boot.log
2009-04-17 23:09 . 2008-01-04 20:43 -------- d-----w c:\documents and settings\Yones\Application Data\mIRC
2009-04-17 22:23 . 2008-01-04 11:16 -------- d-----w c:\program\lolifox
2009-04-17 18:27 . 2008-01-04 20:43 -------- d-----w c:\program\mIRC
2009-04-17 17:52 . 2008-01-04 22:33 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 17:52 . 2009-04-17 16:00 -------- d-----w c:\program\Spyware Doctor
2009-04-17 16:20 . 2009-04-17 16:20 -------- d-----w c:\program\microsoft frontpage
2009-04-17 16:01 . 2009-04-17 16:00 -------- d-----w c:\program\Delade filer\PC Tools
2009-04-17 15:37 . 2008-10-11 09:47 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-16 22:11 . 2008-12-13 20:54 -------- d-----w c:\program\Malwarebytes' Anti-Malware
2009-04-16 22:01 . 2007-12-27 22:26 98304 ----a-w c:\windows\DUMP7762.tmp
2009-04-15 20:05 . 2007-12-27 22:37 -------- d-----w c:\program\uTorrent
2009-04-13 14:10 . 2009-04-09 22:43 -------- d-----w c:\program\AV Vcs 4.0 DIAMOND
2009-04-10 10:45 . 2008-01-07 18:19 -------- d-----w c:\documents and settings\Yones\Application Data\Teleca
2009-04-10 07:01 . 2009-02-01 14:19 -------- d-----w c:\documents and settings\Yones\Application Data\Spotify
2009-04-06 16:14 . 2009-04-06 16:14 -------- d-----r c:\program\Skype
2009-04-06 15:32 . 2009-04-06 15:26 -------- d-----w c:\program\Microsoft
2009-04-06 15:32 . 2008-03-02 18:53 -------- d-----w c:\program\Windows Live
2009-04-06 15:25 . 2009-04-06 15:25 -------- d-----w c:\program\Windows Live SkyDrive
2009-04-06 15:23 . 2009-04-06 15:23 -------- d-----w c:\program\Delade filer\Windows Live
2009-04-06 13:32 . 2008-12-13 20:54 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 . 2008-12-13 20:54 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 11:04 . 2009-04-04 11:04 -------- d-----w c:\program\TrueCrypt
2009-04-03 11:54 . 2007-12-27 23:35 -------- d--h--w c:\program\InstallShield Installation Information
2009-03-28 09:09 . 2008-08-24 11:55 -------- d-----w c:\program\Microsoft Silverlight
2009-03-26 15:09 . 2008-07-05 18:27 -------- d-----w c:\program\PokerStars
2009-03-24 22:46 . 2009-01-10 19:45 -------- d-----w c:\documents and settings\Yones\Application Data\Microgaming
2009-03-16 14:35 . 2009-03-16 14:35 -------- d-----w c:\documents and settings\Administratör\Application Data\Uniblue
2009-03-16 13:26 . 2009-03-16 13:26 -------- d-----w c:\documents and settings\Administratör\Application Data\SUPERAntiSpyware.com
2009-03-16 13:26 . 2009-03-12 20:32 -------- d-----w c:\program\SUPERAntiSpyware
2009-03-15 09:17 . 2008-04-13 18:09 -------- d-----w c:\program\Avi2Dvd
2009-03-15 09:09 . 2008-10-19 17:28 -------- d-----w c:\program\ElcomSoft
2009-03-15 09:06 . 2008-06-06 22:46 -------- d-----w c:\program\Steam
2009-03-13 08:37 . 2007-12-29 10:51 -------- d-----w c:\program\BitComet
2009-03-12 20:32 . 2009-03-12 20:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-12 20:32 . 2009-03-12 20:32 -------- d-----w c:\documents and settings\Yones\Application Data\SUPERAntiSpyware.com
2009-03-12 20:31 . 2008-01-17 14:14 -------- d-----w c:\program\Delade filer\Wise Installation Wizard
2009-03-12 15:53 . 2009-03-12 14:30 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-12 15:53 . 2009-03-12 14:30 232 ---ha-w C:\sqmdata05.sqm
2009-03-12 15:51 . 2009-03-12 14:29 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-12 15:51 . 2009-03-12 14:29 232 ---ha-w C:\sqmdata04.sqm
2009-03-12 15:51 . 2009-03-12 14:28 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-12 15:51 . 2009-03-12 14:28 232 ---ha-w C:\sqmdata03.sqm
2009-03-12 15:51 . 2009-03-12 14:28 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-12 15:51 . 2009-03-12 14:28 232 ---ha-w C:\sqmdata02.sqm
2009-03-12 15:50 . 2008-09-24 13:45 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-12 15:50 . 2008-09-24 13:45 232 ---ha-w C:\sqmdata01.sqm
2009-03-12 15:47 . 2008-04-14 18:00 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-12 15:47 . 2008-04-14 18:00 232 ---ha-w C:\sqmdata00.sqm
2009-03-12 15:33 . 2009-03-12 14:54 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-12 15:33 . 2009-03-12 14:54 232 ---ha-w C:\sqmdata19.sqm
2009-03-12 15:31 . 2009-03-12 14:41 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-12 15:31 . 2009-03-12 14:41 232 ---ha-w C:\sqmdata18.sqm
2009-03-12 15:30 . 2009-03-12 14:39 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-12 15:30 . 2009-03-12 14:39 232 ---ha-w C:\sqmdata17.sqm
2009-03-12 15:30 . 2009-03-12 14:38 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-12 15:30 . 2009-03-12 14:38 232 ---ha-w C:\sqmdata16.sqm
2009-03-12 15:30 . 2009-03-12 14:38 244 ---ha-w C:\sqmnoopt15.sqm
2009-03-12 15:30 . 2009-03-12 14:38 232 ---ha-w C:\sqmdata15.sqm
2009-03-12 15:29 . 2009-03-12 14:37 244 ---ha-w C:\sqmnoopt14.sqm
2009-03-12 15:29 . 2009-03-12 14:37 232 ---ha-w C:\sqmdata14.sqm
2009-03-12 15:27 . 2009-03-12 14:37 244 ---ha-w C:\sqmnoopt13.sqm
2009-03-12 15:27 . 2009-03-12 14:37 232 ---ha-w C:\sqmdata13.sqm
2009-03-12 15:26 . 2009-03-12 14:35 244 ---ha-w C:\sqmnoopt12.sqm
2009-03-12 15:26 . 2009-03-12 14:35 232 ---ha-w C:\sqmdata12.sqm
2009-03-12 15:26 . 2009-03-12 14:35 244 ---ha-w C:\sqmnoopt11.sqm
2009-03-12 15:26 . 2009-03-12 14:35 232 ---ha-w C:\sqmdata11.sqm
2009-03-12 15:25 . 2009-03-12 14:34 244 ---ha-w C:\sqmnoopt10.sqm
2009-03-12 15:25 . 2009-03-12 14:34 232 ---ha-w C:\sqmdata10.sqm
2009-03-12 15:24 . 2009-03-12 14:34 244 ---ha-w C:\sqmnoopt09.sqm
2009-03-12 15:24 . 2009-03-12 14:34 232 ---ha-w C:\sqmdata09.sqm
2009-03-12 15:24 . 2009-03-12 14:34 244 ---ha-w C:\sqmnoopt08.sqm
2009-03-12 15:24 . 2009-03-12 14:34 232 ---ha-w C:\sqmdata08.sqm
2009-03-12 15:24 . 2009-03-12 14:33 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-12 15:24 . 2009-03-12 14:33 232 ---ha-w C:\sqmdata07.sqm
2009-03-12 15:23 . 2009-03-12 14:30 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-12 15:23 . 2009-03-12 14:30 232 ---ha-w C:\sqmdata06.sqm
2009-03-10 15:37 . 2009-03-10 15:37 -------- d-----w c:\documents and settings\Yones\Application Data\Personal
2009-03-10 15:37 . 2009-03-10 15:37 -------- d-----w c:\program\Personal
2009-03-09 17:17 . 2009-03-09 17:17 -------- d-----w c:\program\Atari
2009-03-06 16:43 . 2009-02-20 17:39 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-06 16:43 . 2009-02-20 16:44 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-05 20:08 . 2008-07-08 11:31 -------- d-----w c:\program\Trafikskolan TEO 2007
2009-03-04 21:53 . 2009-03-04 19:56 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-03 17:11 . 2009-03-03 17:11 -------- d-----w c:\program\FLV Player
2009-02-26 16:48 . 2008-12-26 23:46 -------- d-----w c:\program\Full Tilt Poker
2009-02-24 17:27 . 2009-02-24 17:27 -------- d-----w c:\program\WinPcap
2009-02-21 12:58 . 2009-02-21 12:58 -------- d-----w c:\program\Square Soft, Inc
2009-02-20 16:42 . 2009-02-20 16:42 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 16:42 . 2009-02-20 16:42 -------- d-----w c:\program\Lavasoft
2009-02-20 16:42 . 2008-01-17 14:15 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 19:09 . 2008-02-04 18:21 -------- d-----w c:\program\VSO
2009-02-06 17:13 . 2009-02-06 17:13 308088 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 16:52 . 2009-02-06 16:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-07-19 14:47 . 2008-07-19 14:47 2 --shatr c:\windows\winstart.bat
2008-12-07 13:37 . 2008-12-07 13:37 8 --sh--r c:\windows\system32\95C3BE6739.sys
2008-09-03 15:39 . 2008-09-03 15:39 32768 --sha-w c:\windows\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\MSHist012008090320080904\index.dat
.

(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22ED5426-F8A1-4280-B972-6F5D1B6DAD3D}]
2006-11-15 09:46 96256 ----a-w c:\windows\system32\asferro.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-12 8466432]
"HP Software Update"="c:\program\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-12 81920]
"SynTPStart"="c:\program\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"H2O"="c:\program\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 385024]
"amd_dc_opt"="c:\program\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-07-12 1626112]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-26 61952]

c:\documents and settings\Yones\Start-meny\Program\Autostart\
Skärmurklipp och start för OneNote 2007.lnk - c:\program\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-4 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^BankID säkerhetsprogram.lnk]
backup=c:\windows\pss\BankID säkerhetsprogram.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Yones^Start-meny^Program^Autostart^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-03-06 16:43 515416 ----a-w c:\program\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w c:\program\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-09-03 18:12 111936 ----a-w c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 14:03 36864 ----a-w c:\program\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w c:\program\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e-kort]
2007-05-10 08:36 233472 ----a-w c:\program\ekort\ekort.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-01 01:16 133104 ----atw c:\documents and settings\Yones\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-24 05:00 33648 ----a-w c:\program\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 11:01 1037736 ----a-w c:\program\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-09-10 15:40 289576 ----a-w c:\program\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
2006-02-13 16:33 214648 ----a-w c:\program\Octoshape Streaming Services\Yones\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 13:09 413696 ----a-w c:\program\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-01-26 12:36 495616 ----a-r c:\program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 15:46 1460560 ----a-w c:\program\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2008-11-11 19:05 1410296 ----a-w c:\program\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 04:43 136600 ----a-w c:\program\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-02-17 10:43 1830128 ----a-w c:\program\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-04 18:11 185896 ----a-w c:\program\Delade filer\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
2008-08-26 16:48 2019624 ----a-w c:\program\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program\\uTorrent\\uTorrent.exe"=
"c:\\Program\\DC++\\DCPlusPlus.exe"=
"c:\\Program\\mIRC\\mirc.exe"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8837:TCP"= 8837:TCP:BitComet 8837 TCP
"8837:UDP"= 8837:UDP:BitComet 8837 UDP
"53:UDP"= 53:UDP:Promo

R1 epfwtdir;epfwtdir; [x]
R2 ekrn;Eset Service; [x]
R2 gupdate1c9891dd0fbf580;Google Update Service (gupdate1c9891dd0fbf580);c:\program\Google\Update\GoogleUpdate.exe [2009-02-07 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program\Lavasoft\Ad-Aware\AAWService.exe [2009-03-13 951632]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2008-12-10 64392]
R3 RkPavproc1;RkPavproc1; [x]
R3 SASENUM;SASENUM;c:\program\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\DRIVERS\sea1bus.sys [2007-02-08 61536]
R3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\DRIVERS\sea1mdfl.sys [2007-02-08 9360]
R3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\DRIVERS\sea1mdm.sys [2007-02-08 97088]
R3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\sea1mgmt.sys [2007-02-08 88624]
R3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\DRIVERS\sea1nd5.sys [2007-02-08 18704]
R3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\sea1obex.sys [2007-02-08 86432]
R3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\DRIVERS\sea1unic.sys [2007-02-08 90800]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-06-06 33088]
R3 ThreatFire;ThreatFire; [x]
S0 drvvkdbl;drvvkdbl;c:\windows\system32\drivers\drvvkdbl.sys [2001-09-28 23424]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-06 64160]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-06-06 51520]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-06-06 38208]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-12-11 159600]
S1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-15 27992]
S1 SASDIFSV;SASDIFSV;c:\program\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-09 33792]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f26be04-93b8-11dd-8647-001e682caa16}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4a7ab86-d7ee-11dc-851d-001b246c2370}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-04-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:43]

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-11 07:30]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-02-07 12:15]
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - - (Parentless posts removed)

BHO-{E71F5184-35A9-3C29-99D1-B72C4506A596} - (no file)
Notify-avgrsstarter - (no file)
Notify-avldr - (no file)
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Extra genomsökning ------- (extra search)
.
uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - c:\microgaming\Poker\UnibetpokerMPP\MPPoker.exe
LSP: c:\program\Delade filer\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Yones\Application Data\Mozilla\Firefox\Profiles\fik53167.default\
FF - prefs.js: browser.startup.homepage - www.google.se
FF - component: c:\program\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Yones\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\program\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: c:\program\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program\Octoshape Streaming Services\Yones\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program\Personal\bin\np_prsnl.dll
FF - plugin: c:\program\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 10:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LÅSTA REGISTERNYCKLAR --------------------- (Locked registry keys)

[HKEY_USERS\S-1-5-21-1275210071-764733703-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:01,8d,d5,54,08,d5,7c,ab,d2,48,6a,9d,ae,8f,4c,41,0b,06,1c,ec,ef,30,b0,
3a,34,38,0a,3c,64,b7,ef,8d,68,e4,ac,a7,41,6b,43,93,5b,78,03,de,2e,16,75,48,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1275210071-764733703-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:bc,c1,c7,ed,df,e2,b4,c1,15,84,c6,13,8a,17,02,18,eb,14,14,27,80,
80,35,39,81,c2,c0,57,85,76,8e,e8,03,e8,b4,38,14,f6,b7,1e,46,f0,5b,e7,d2,a4,\
"rkeysecu"=hex:f5,c9,49,c0,a2,97,98,e4,40,dd,a6,5e,2b,58,c9,79
.
--------------------- DLLer som "laddats" under processer som körs --------------------- (DLLer that have been "loaded" under processes that are enabled)

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\setupapi.dll
c:\program\Delade filer\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(928)
c:\windows\system32\tabhook.dll
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
Sluttid: 2009-04-18 10:57
ComboFix-quarantined-files.txt 2009-04-18 08:57

Före genomsökningen: 6*719*610*880 byte ledigt
Efter genomsökningen: 8*458*260*480 byte ledigt

Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
375 --- E O F --- 2008-12-19 01:33


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:50, on 2009-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Google\Update\GoogleUpdate.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\CDBurnerXP\NMSAccessU.exe
C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Hp\HP Software Update\HPWuSchd2.exe
C:\Program\SyncroSoft\Pos\H2O\cledx.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Skype\Phone\Skype.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program\DAEMON Tools\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: (no name) - {22ED5426-F8A1-4280-B972-6F5D1B6DAD3D} - C:\WINDOWS\system32\asferro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E71F5184-35A9-3C29-99D1-B72C4506A596} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [H2O] C:\Program\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF984 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9891dd0fbf580) (gupdate1c9891dd0fbf580) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ThreatFire - PC Tools - C:\Program\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11183 bytes

Uninstall list:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ableton Live v5.0.3
Ad-Aware
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 8.1.2 - Svenska
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Aegisub 1.10 (Remove Only)
Apple Software Update
AV Voice Changer Software DIAMOND 4.0
AVG Anti-Rootkit Free
AviSynth 2 (remove only)
AviSynth 2.5
AVS DVD Player version 2.4
BankID säkerhetsprogram 4.10
Bit Che
Bonjour
Canon iP1600
CDBurnerXP
CDex extraction audio
CDisplay 1.8
Choice Guard
Collab
Combined Community Codec Pack 2008-09-21 16:18
Conexant HD Audio
ConvertXtoDVD 2.2.3.258h
Corel Painter X
DC++ 0.674
Disc2Phone
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DivxToDVD 0.5.2b
Driver Magician 3.32
Dual-Core Optimizer
EA SPORTS online 2008
e-kort
eMule
EncryptPDF v2.3
ERUNT 1.1j
ESET NOD32 Antivirus
FaceGen Modeller 3.3 Free
Final Fantasy VII
Final Fantasy VII XP Patch
FLV Player 2.0 (build 25)
Focus Magic 3.02
Fraps
Free Music Zilla
FTP Commander Pro
Full Tilt Poker
GameShadow
Google Earth
Google Update Helper
Google Updater
HDView for Firefox
HijackThis 2.0.2
Holdem Indicator 1.2.7
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Update
ImgBurn (Remove Only)
iTunes
Ivacy Monitor 1.1.2
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Junk Mail filter update
Kontrollpanelen MobileMe
lolifox (0.3.6)
Magic ISO Maker v5.5 (build 0273)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (Swedish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Swedish) 2007
Microsoft Office Groove MUI (Swedish) 2007
Microsoft Office InfoPath MUI (Swedish) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (Swedish) 2007
Microsoft Office Outlook MUI (Swedish) 2007
Microsoft Office PowerPoint MUI (Swedish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Finnish) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Swedish) 2007
Microsoft Office Proofing (Swedish) 2007
Microsoft Office Publisher MUI (Swedish) 2007
Microsoft Office Shared MUI (Swedish) 2007
Microsoft Office Word MUI (Swedish) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
mIRC
mkv2vob
MKVtoolnix 2.2.0
Mozilla Firefox (3.0.8)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
neroxml
Nokia Connectivity Cable Driver
NVIDIA Drivers
NVIDIA nTune
OpenOffice.org Installer 1.0
Pacific Poker
Panda ActiveScan 2.0
PartyPoker
PC Connectivity Solution
Pen Tablet
Poker Indicator 2.2.1
Poker Superstars II
PokerStars
PokerStove version 1.21
PowerStrip 3 (remove only)
QuickTime
RealPlayer
RESIDENT EVIL2
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Segoe UI
Silent Hill 2
Sixth Sense 1.1.0.93
Skype™ 4.0
Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
Snabbkorrigering för Windows Media Player 11 (KB939683)
Snabbkorrigering för Windows XP (KB952287)
Songkicker iTunes Plug-in
Sony Ericsson PC Suite
Sony Ericsson Themes Creator 3.19
Sony Media Manager 2.2
Sony Vegas 7.0
SopCast 2.0.4
Spotify
Spybot - Search & Destroy
Spyware Doctor 6.0
Steam
Steinberg Cubase SX v3.1.1.944
SUPERAntiSpyware Free Edition
Svenska Spels Poker
Synaptics Pointing Device Driver
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
System Requirements Lab
TBS WMP Plug-in
Trafikskolan TEO 2007
TrueCrypt
TVUPlayer 2.3.7.1
UltimateBet
Unibet Poker
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb958619)
USB Mass Storage Toolbox
Ventrilo
Ventrilo Client
VentriloMIX
Winamp AudioPlayer
WinAVI Video Converter
Windows Imaging Component
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live inloggningsassistenten
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Vista Sounds Pack
Windows-drivrutinspaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows-drivrutinspaket - Nokia Modem (10/12/2007 3.6)
winLAME prerelease4
WinRAR
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01

keigo
2009-04-18, 12:25
Thought I might add that yesterday, when I did a scan with GMER, it found this:

"WARNING !!!

GMER has found system modification, which might have been caused by ROOTKIT activity"

After a scan in GMER, it found msqpdxserv.sys which was highlighted in red.

---- Services - GMER 1.0.15 ----

Service system32\drivers\msqpdxmxoeoipu.sys(***hidden***) [DISABLED] msqpdxserv.sys <-- ROOTKIT

I disabled it. Thought it might be a good thing to know.

pskelley
2009-04-18, 15:13
Before we start, please view this information:
File Sharing, otherwise known as Peer To Peer. (P2P)
uTorrent, eMule, BitComet
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Unless you are prepared to remove p2p, do not progress past this point, just let me know and I will be glad to close the thread.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 8.1.2 - Svenska <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

AVG Anti-Rootkit Free <<< obsolete, uninstall this.
http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit

eMule <<< p2p program, must be uninstalled.

Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
All out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

SUPERAntiSpyware Free Edition <<< I suggest you uninstall this program.

Follow the instructions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


Driver::
msqpdxmxoeoipu

File::
C:\WINDOWS\system32\asferro.dll
C:\WINDOWS\system32\drivers\msqpdxmxoeoipu.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22ED5426-F8A1-4280-B972-6F5D1B6DAD3D}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f26be04-93b8-11dd-8647-001e682caa16}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4a7ab86-d7ee-11dc-851d-001b246c2370}]

Folder::
c:\program\uTorrent
c:\program\BitComet

Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: (no name) - {22ED5426-F8A1-4280-B972-6F5D1B6DAD3D} - C:\WINDOWS\system32\asferro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E71F5184-35A9-3C29-99D1-B72C4506A596} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF984 - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

(if you still have MBAM, no need to download again but do update before you run it and follow the posted instructions)

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

If you are using a USB or Flash drive, please let me know.
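
The lines picked out for "Fix Checked" in step 3 follow a few rules of thumb that are worth making explicit: a BHO with "(no name)" or "(no file)" is either an orphaned CLSID or an unnamed DLL that gets loaded into every Internet Explorer process; a Winlogon Notify package whose DLLName resolves to a bare directory such as C:\WINDOWS\ instead of a .dll is unresolvable and should not be there; an O23 service marked "(file missing)" is a leftover registration. The script below is an added example, not code from this thread, from HijackThis or from any tool mentioned here: it parses the O2, O20 and O23 lines of a HijackThis 2.0.2 log, applies those rules, and diffs two logs so the "before" and "after" posts can be compared mechanically instead of by eye. The sample logs are constructed excerpts modelled on the posted ones, and the function names (`parse_hjt`, `triage`, `removed_between`) and the rule set are my own.

```python
"""Added example (not from the thread): triage a HijackThis 2.0.2 log.

Parses the O2 (Browser Helper Object), O20 (Winlogon Notify) and O23
(service) lines, flags the patterns a removal helper looks for, and
diffs two logs to confirm that the entries ticked under "Fix checked"
are actually gone.  The sample logs below are constructed excerpts
modelled on the logs in the thread, not copies of them.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class HjtEntry(NamedTuple):
    section: str            # "O2", "O20" or "O23"
    name: str               # display name; "(no name)" for unnamed BHOs
    clsid: Optional[str]    # BHO CLSID, None for O20/O23
    path: str               # target on disk; "(no file)" for orphan BHOs


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return the O2/O20/O23 entries of a HijackThis log; other lines are ignored."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            entries.append(HjtEntry("O2", m["name"], m["clsid"].upper(), m["path"]))
        elif (m := O20_RE.match(line)):
            entries.append(HjtEntry("O20", m["name"], None, m["path"]))
        elif (m := O23_RE.match(line)):
            entries.append(HjtEntry("O23", m["name"], None, m["path"]))
    return entries


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, List[str]]]:
    """Apply the rules of thumb used when choosing which lines to fix."""
    findings: List[Tuple[HjtEntry, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if e.section == "O2":
            if e.name == "(no name)":
                reasons.append("BHO registered without a display name")
            if e.path == "(no file)":
                reasons.append("BHO CLSID registered but its DLL is gone (orphan key)")
            elif e.name == "(no name)" and e.path.lower().startswith("c:\\windows\\system32\\"):
                reasons.append("unnamed DLL in system32 loaded into every IE process")
        elif e.section == "O20":
            # A genuine Notify package names a DLL (crypt32.dll, wlnotify.dll, ...);
            # a path that is not a .dll means the DLLName value does not resolve.
            if not e.path.lower().endswith(".dll"):
                reasons.append("Winlogon Notify package resolves to a directory, not a DLL")
            if re.fullmatch(r"__c[0-9A-Fa-f]+", e.name):
                reasons.append("Notify subkey with a generated hex-style name")
        elif e.section == "O23":
            if e.path.endswith("(file missing)"):
                reasons.append("service still registered after its binary was removed")
        if reasons:
            findings.append((e, reasons))
    return findings


def _key(e: HjtEntry) -> Tuple[str, str]:
    # BHOs are identified by CLSID, everything else by (case-folded) name.
    return (e.section, e.clsid or e.name.lower())


def removed_between(before: str, after: str) -> List[HjtEntry]:
    """Entries present in the earlier log and absent from the later one."""
    later = {_key(e) for e in parse_hjt(after)}
    return [e for e in parse_hjt(before) if _key(e) not in later]


# Constructed excerpts in HijackThis format (modelled on the thread, not copied).
BEFORE_LOG = r"""
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: (no name) - {22ED5426-F8A1-4280-B972-6F5D1B6DAD3D} - C:\WINDOWS\system32\asferro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF984 - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
"""

AFTER_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(BEFORE_LOG)):
        print(f"{entry.section:>3} {entry.clsid or entry.name}: {'; '.join(reasons)}")
    print("removed after fix:", [e.clsid or e.name for e in removed_between(BEFORE_LOG, AFTER_LOG)])
```

Run it on a saved hijackthis.log by reading the file into `BEFORE_LOG`; the diff is the useful part when a helper asks for "a new HJT log": anything that should have been fixed but still appears in the later log shows up as not removed, which is exactly the situation a "deletion failed" line in ComboFix warns about.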

keigo
2009-04-18, 19:48
I've deleted the P2P software as you told me to, though I couldn't find BitComet in the Add or Remove Programs section.

Anyway, here are the logs.

Combofix

ComboFix 09-04-18.05 - Yones 2009-04-18 16:17:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.46.1053.18.2047.1295 [GMT 2:00]
Running from: C:\Documents and Settings\Yones\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yones\Skrivbord\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\system32\drivers\msqpdxmxoeoipu.sys
C:\WINDOWS\system32\asferro.dll
.

((((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program\BitComet
c:\program\BitComet\BitComet.xml
c:\program\BitComet\Downloads.xml
c:\program\BitComet\Favourite.xml
c:\program\BitComet\rules\dhtnodes.dat
c:\program\BitComet\share\my_shares.xml
c:\program\BitComet\tools\BitCometBHO_1.1.11.30.dll
c:\program\BitComet\torrents\CU123.part1.rar.xml
c:\program\BitComet\torrents\Hells.Kitchen.US.S04E02.HDTV.XviD-XOR.avi.torrent
c:\program\BitComet\torrents\Hells.Kitchen.US.S04E02.HDTV.XviD-XOR.avi.xml
c:\program\BitComet\torrents\Juno.CUSTOM.SWESUB.DVDSCR-aTerFalleT.xml
c:\program\uTorrent\2007 TEXAS CALCULATEM v8 PRO -(ORiON)-.zip.torrent
c:\program\uTorrent\20090216.mp3.torrent
c:\program\uTorrent\American.Psycho.2000.SWESUB.DVDRip.XviD-ThaKebab.torrent
c:\program\uTorrent\ArtyTorrent Pack 16-Loopmasters Deep Trance Techno WAV Samples.torrent
c:\program\uTorrent\F.E.A.R_2_Project_Origin-DIE.torrent
c:\program\uTorrent\FEAR2.torrent
c:\program\uTorrent\FIFA.09-RELOADED.torrent
c:\program\uTorrent\Full Tilt Poker - Learn From The Pros S01E11 XviD.avi.torrent
c:\program\uTorrent\Hancock.PROPER.R5.LiNE.XViD-ALLiANCE.torrent
c:\program\uTorrent\Harold.and.Kumar.Escape.from.Guantanamo.Bay.UNRATED.DVDR-Replica.torrent
c:\program\uTorrent\Hells.Kitchen.S01.SWESUB.PDTV.XViD-GAY4LiFE.torrent
c:\program\uTorrent\main.ico
c:\program\uTorrent\MGS4PreorderDVD.torrent
c:\program\uTorrent\My.Sassy.Girl.2001.Korean.DC.DVDrip.Xvid.AC3.Subs.MB.torrent
c:\program\uTorrent\New Folder.torrent
c:\program\uTorrent\Onizuka.torrent
c:\program\uTorrent\Online Holdem Card Indicator +Patch.torrent
c:\program\uTorrent\Oval.Office.Commander.in.Chief-TiNYiSO.torrent
c:\program\uTorrent\Perfect_World_International.exe.torrent
c:\program\uTorrent\Poker Academy Pro 2.5.9.rar.torrent
c:\program\uTorrent\Poker Stars Beginners Course.rar.torrent
c:\program\uTorrent\Poker.After.Dark.S05E01.PDTV.XVID-BAJSKORV.torrent
c:\program\uTorrent\Poker.Indicator.v1.5.2+Keygen..zip.torrent
c:\program\uTorrent\Poker.Office.V.2.5.1.Code.Incl.+Full.Tilt.Poker+Cash.Bonus(Texas.Holdem.Indicator).zip.torrent
c:\program\uTorrent\Poker.Office.v2.38.Incl.Keys.PROPER-BOA.rar.torrent
c:\program\uTorrent\Poker_Superstars_2-Razor1911.torrent
c:\program\uTorrent\Pokerbility.Online.Poker.Cheat.Tool.IV10IV.Crack.Free.100%.WORKING.zip.torrent
c:\program\uTorrent\Pokerhandboken.Med.Dan.Glimne.2005.SWEDISH.DVDRip.XViD-TiLT.torrent
c:\program\uTorrent\Pokermiljonen.S05E01.SWEDiSH.PDTV.XviD-TS.torrent
c:\program\uTorrent\PokerTracker.3.00.3.Incl.Crack.rar.torrent
c:\program\uTorrent\preliminary investigation.torrent
c:\program\uTorrent\REC.2007.DVDRip.x264-TDM.torrent
c:\program\uTorrent\Resident Evil Degeneration[2008]DvDrip[Eng]-FXG.torrent
c:\program\uTorrent\resume.dat
c:\program\uTorrent\resume.dat.old
c:\program\uTorrent\Rocky.1-5.720p.x264-TTi.torrent
c:\program\uTorrent\rss.dat
c:\program\uTorrent\rss.dat.old
c:\program\uTorrent\Sanitarium.torrent
c:\program\uTorrent\settings.dat
c:\program\uTorrent\settings.dat.old
c:\program\uTorrent\SILENT.HILL.3.DVD-DEViANCE.2.torrent
c:\program\uTorrent\Splinter.2008.LIMITED.DVDRip.XviD-AMIABLE.torrent
c:\program\uTorrent\Spring 2008 CMs and PVs.torrent
c:\program\uTorrent\Stir Of Echoes 1999 Dvdrip Xvid.avi.torrent
c:\program\uTorrent\tabs.bmp
c:\program\uTorrent\The Asia Pacific Poker Tour.torrent
c:\program\uTorrent\The Pirate Bay Trial Day 3.mp3.torrent
c:\program\uTorrent\The.80th.Annual.Academy.Awards.HDTV.XviD-aAF-CD1.avi.torrent
c:\program\uTorrent\The.Matrix.Path.Of.Neo-RELOADED.torrent
c:\program\uTorrent\Theory of Poker.rar.torrent
c:\program\uTorrent\Top Spin.torrent
c:\program\uTorrent\Trade.2007.LiMiTED.NORDiC.PAL.DVDR-APOCALYPSE.torrent
c:\program\uTorrent\Trance Refill for Reason 3.0.rar.torrent
c:\program\uTorrent\tray.ico
c:\program\uTorrent\Trollkarlens.Hemligheter.S01E01.SWESUB.PDTV.XviD-RUViL.torrent
c:\program\uTorrent\Tropic.Thunder.2008.DVDSCR.XViD-HEFTY.torrent
c:\program\uTorrent\tstatus.bmp
c:\program\uTorrent\UEFA.EURO.2008-ViTALiTY.torrent
c:\program\uTorrent\UnHackMe.v4.7.Build.287.Cracked-ViRiLiTY.torrent
c:\program\uTorrent\utorrent.lng
c:\program\uTorrent\Wasabi.2001.Swesub.Xvid.SpanskaFlugan.torrent
c:\program\uTorrent\Wasabi.avi.torrent
c:\program\uTorrent\Wasabi.DVDRip.SVCD.SWESUB-SMB.torrent
c:\program\uTorrent\Waterboys.torrent
c:\program\uTorrent\WBTPB.pdf.torrent
c:\program\uTorrent\Vengeance Effects Vol 1.torrent
c:\program\uTorrent\vengeance Effects vol1.rar.torrent
c:\program\uTorrent\VENGEANCE ESSENTIAL CLUB SOUNDS vol-1.rar.torrent
c:\program\uTorrent\World.of.Warcraft.RETAIL.EU.1.torrent
c:\program\uTorrent\World.of.Warcraft.RETAIL.EU.torrent
c:\program\uTorrent\World_Series_Of_Poker_2008-PROCYON.torrent
c:\program\uTorrent\WPT.S05.PokerStars.Caribbean.Poker.Adventure_FR_[CW].avi.torrent
c:\program\uTorrent\Zombie.Mayhem.SWE.DVDR-iNTERNATiONALS.EXCLUSIVE.torrent
C:\WINDOWS\system32\asferro.dll . . . . deletion failed

.
(((((((((((((((((((((((( Files created from 2009-03-18 to 2009-04-18 ))))))))))))))))))))))))))))))
.

2009-04-18 14:07:34 . 2009-04-18 14:08:35 0 d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2009-04-18 14:02:20 . 2009-04-18 14:01:59 73728 ----a-w C:\WINDOWS\system32\javacpl.cpl
2009-04-18 13:46:22 . 2009-04-18 13:46:22 0 d-----w C:\Documents and Settings\Yones\Application Data\Foxit
2009-04-17 16:21:57 . 2009-04-17 16:21:57 0 d-----w C:\Documents and Settings\LocalService\Start-meny
2009-04-17 16:21:13 . 2008-06-06 10:15:34 38208 ----a-w C:\WINDOWS\system32\drivers\TfSysMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:32 33088 ----a-w C:\WINDOWS\system32\drivers\TfNetMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:30 12608 ----a-w C:\WINDOWS\system32\drivers\TfKbMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:28 51520 ----a-w C:\WINDOWS\system32\drivers\TfFsMon.sys
2009-04-17 16:20:49 . 2009-04-17 16:20:49 0 d-----w C:\WINDOWS\system32\xircom
2009-04-17 16:01:07 . 2008-12-11 06:38:22 159600 ----a-w C:\WINDOWS\system32\drivers\pctgntdi.sys
2009-04-17 16:00:53 . 2009-03-06 14:45:06 130424 ----a-w C:\WINDOWS\system32\drivers\PCTCore.sys
2009-04-17 16:00:53 . 2008-12-18 10:16:56 73840 ----a-w C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-04-17 16:00:41 . 2008-12-10 10:36:04 64392 ----a-w C:\WINDOWS\system32\drivers\pctplsg.sys
2009-04-17 16:00:35 . 2009-04-17 16:21:46 0 d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2009-04-17 16:00:35 . 2009-04-17 16:00:35 0 d-----w C:\Documents and Settings\Yones\Application Data\PC Tools
2009-04-16 22:16:27 . 2002-12-28 23:14:38 81920 ----a-w C:\WINDOWS\system32\Startup.cpl
2009-04-16 22:14:43 . 2009-04-16 22:14:43 0 d-----w C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\kyoku-senbi
2009-04-16 22:14:43 . 2009-04-16 22:14:43 0 d-----w C:\Documents and Settings\Administratör\Application Data\kyoku-senbi
2009-04-16 22:11:18 . 2009-04-16 22:11:18 0 d-----w C:\Documents and Settings\Administratör\Application Data\Malwarebytes
2009-04-16 15:18:09 . 2009-04-16 15:18:59 0 d-----w C:\Documents and Settings\Yones\Application Data\Antispyware
2009-04-06 16:15:10 . 2009-04-18 14:20:49 0 d-----w C:\Documents and Settings\Yones\Application Data\Skype
2009-04-06 16:14:44 . 2009-04-06 16:14:58 0 d-----w C:\Documents and Settings\All Users\Application Data\Skype
2009-04-06 15:37:09 . 2009-04-18 13:33:45 0 d-----w C:\Documents and Settings\Yones\Tracing
2009-04-04 11:05:38 . 2009-04-04 11:07:17 0 d-----w C:\Documents and Settings\Yones\Application Data\TrueCrypt
2009-04-04 11:04:57 . 2009-04-04 11:04:57 215872 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys
2009-03-25 18:21:41 . 2005-05-11 01:54:30 258352 ----a-w C:\WINDOWS\system32\unicows.dll
2009-03-25 17:10:57 . 2009-03-25 17:11:52 0 d-----w C:\Documents and Settings\Yones\Application Data\GetRightToGo
2009-03-24 11:03:08 . 2009-03-24 11:03:08 7808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.


And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:39, on 2009-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Google\Update\GoogleUpdate.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\CDBurnerXP\NMSAccessU.exe
C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\SyncroSoft\Pos\H2O\cledx.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Winamp Remote\bin\OrbTray.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program\Secunia\PSI\psi.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yones\Lokala inställningar\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\VentriloMIX\Ventrilo 2.1.4.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - (no file)
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: (no name) - {22ED5426-F8A1-4280-B972-6F5D1B6DAD3D} - C:\WINDOWS\system32\asferro.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E71F5184-35A9-3C29-99D1-B72C4506A596} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [H2O] C:\Program\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Orb] "C:\Program\Winamp Remote\bin\OrbTray.exe" /background
O4 - Startup: Secunia PSI.lnk = C:\Program\Secunia\PSI\psi.exe
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF984 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9891dd0fbf580) (gupdate1c9891dd0fbf580) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ThreatFire - PC Tools - C:\Program\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11454 bytes

Okay, I'll continue with 3) now.

pskelley
2009-04-18, 19:56
Please read the instructions carefully:

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
Review the instructions again and be sure you are following them carefully.

keigo
2009-04-19, 01:46
Sorry about that. I don't know how I missed the last part that was highlighted in red.


Anyway here are the logs:

Combofix

ComboFix 09-04-18.05 - Yones 2009-04-18 16:17:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.46.1053.18.2047.1295 [GMT 2:00]
Running from: C:\Documents and Settings\Yones\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yones\Skrivbord\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\system32\drivers\msqpdxmxoeoipu.sys
C:\WINDOWS\system32\asferro.dll
.

((((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program\BitComet
c:\program\BitComet\BitComet.xml
c:\program\BitComet\Downloads.xml
c:\program\BitComet\Favourite.xml
c:\program\BitComet\rules\dhtnodes.dat
c:\program\BitComet\share\my_shares.xml
c:\program\BitComet\tools\BitCometBHO_1.1.11.30.dll
c:\program\BitComet\torrents\CU123.part1.rar.xml
c:\program\BitComet\torrents\Hells.Kitchen.US.S04E02.HDTV.XviD-XOR.avi.torrent
c:\program\BitComet\torrents\Hells.Kitchen.US.S04E02.HDTV.XviD-XOR.avi.xml
c:\program\BitComet\torrents\Juno.CUSTOM.SWESUB.DVDSCR-aTerFalleT.xml
c:\program\uTorrent\2007 TEXAS CALCULATEM v8 PRO -(ORiON)-.zip.torrent
c:\program\uTorrent\20090216.mp3.torrent
c:\program\uTorrent\American.Psycho.2000.SWESUB.DVDRip.XviD-ThaKebab.torrent
c:\program\uTorrent\ArtyTorrent Pack 16-Loopmasters Deep Trance Techno WAV Samples.torrent
c:\program\uTorrent\F.E.A.R_2_Project_Origin-DIE.torrent
c:\program\uTorrent\FEAR2.torrent
c:\program\uTorrent\FIFA.09-RELOADED.torrent
c:\program\uTorrent\Full Tilt Poker - Learn From The Pros S01E11 XviD.avi.torrent
c:\program\uTorrent\Hancock.PROPER.R5.LiNE.XViD-ALLiANCE.torrent
c:\program\uTorrent\Harold.and.Kumar.Escape.from.Guantanamo.Bay.UNRATED.DVDR-Replica.torrent
c:\program\uTorrent\Hells.Kitchen.S01.SWESUB.PDTV.XViD-GAY4LiFE.torrent
c:\program\uTorrent\main.ico
c:\program\uTorrent\MGS4PreorderDVD.torrent
c:\program\uTorrent\My.Sassy.Girl.2001.Korean.DC.DVDrip.Xvid.AC3.Subs.MB.torrent
c:\program\uTorrent\New Folder.torrent
c:\program\uTorrent\Onizuka.torrent
c:\program\uTorrent\Online Holdem Card Indicator +Patch.torrent
c:\program\uTorrent\Oval.Office.Commander.in.Chief-TiNYiSO.torrent
c:\program\uTorrent\Perfect_World_International.exe.torrent
c:\program\uTorrent\Poker Academy Pro 2.5.9.rar.torrent
c:\program\uTorrent\Poker Stars Beginners Course.rar.torrent
c:\program\uTorrent\Poker.After.Dark.S05E01.PDTV.XVID-BAJSKORV.torrent
c:\program\uTorrent\Poker.Indicator.v1.5.2+Keygen..zip.torrent
c:\program\uTorrent\Poker.Office.V.2.5.1.Code.Incl.+Full.Tilt.Poker+Cash.Bonus(Texas.Holdem.Indicator).zip.torrent
c:\program\uTorrent\Poker.Office.v2.38.Incl.Keys.PROPER-BOA.rar.torrent
c:\program\uTorrent\Poker_Superstars_2-Razor1911.torrent
c:\program\uTorrent\Pokerbility.Online.Poker.Cheat.Tool.IV10IV.Crack.Free.100%.WORKING.zip.torrent
c:\program\uTorrent\Pokerhandboken.Med.Dan.Glimne.2005.SWEDISH.DVDRip.XViD-TiLT.torrent
c:\program\uTorrent\Pokermiljonen.S05E01.SWEDiSH.PDTV.XviD-TS.torrent
c:\program\uTorrent\PokerTracker.3.00.3.Incl.Crack.rar.torrent
c:\program\uTorrent\preliminary investigation.torrent
c:\program\uTorrent\REC.2007.DVDRip.x264-TDM.torrent
c:\program\uTorrent\Resident Evil Degeneration[2008]DvDrip[Eng]-FXG.torrent
c:\program\uTorrent\resume.dat
c:\program\uTorrent\resume.dat.old
c:\program\uTorrent\Rocky.1-5.720p.x264-TTi.torrent
c:\program\uTorrent\rss.dat
c:\program\uTorrent\rss.dat.old
c:\program\uTorrent\Sanitarium.torrent
c:\program\uTorrent\settings.dat
c:\program\uTorrent\settings.dat.old
c:\program\uTorrent\SILENT.HILL.3.DVD-DEViANCE.2.torrent
c:\program\uTorrent\Splinter.2008.LIMITED.DVDRip.XviD-AMIABLE.torrent
c:\program\uTorrent\Spring 2008 CMs and PVs.torrent
c:\program\uTorrent\Stir Of Echoes 1999 Dvdrip Xvid.avi.torrent
c:\program\uTorrent\tabs.bmp
c:\program\uTorrent\The Asia Pacific Poker Tour.torrent
c:\program\uTorrent\The Pirate Bay Trial Day 3.mp3.torrent
c:\program\uTorrent\The.80th.Annual.Academy.Awards.HDTV.XviD-aAF-CD1.avi.torrent
c:\program\uTorrent\The.Matrix.Path.Of.Neo-RELOADED.torrent
c:\program\uTorrent\Theory of Poker.rar.torrent
c:\program\uTorrent\Top Spin.torrent
c:\program\uTorrent\Trade.2007.LiMiTED.NORDiC.PAL.DVDR-APOCALYPSE.torrent
c:\program\uTorrent\Trance Refill for Reason 3.0.rar.torrent
c:\program\uTorrent\tray.ico
c:\program\uTorrent\Trollkarlens.Hemligheter.S01E01.SWESUB.PDTV.XviD-RUViL.torrent
c:\program\uTorrent\Tropic.Thunder.2008.DVDSCR.XViD-HEFTY.torrent
c:\program\uTorrent\tstatus.bmp
c:\program\uTorrent\UEFA.EURO.2008-ViTALiTY.torrent
c:\program\uTorrent\UnHackMe.v4.7.Build.287.Cracked-ViRiLiTY.torrent
c:\program\uTorrent\utorrent.lng
c:\program\uTorrent\Wasabi.2001.Swesub.Xvid.SpanskaFlugan.torrent
c:\program\uTorrent\Wasabi.avi.torrent
c:\program\uTorrent\Wasabi.DVDRip.SVCD.SWESUB-SMB.torrent
c:\program\uTorrent\Waterboys.torrent
c:\program\uTorrent\WBTPB.pdf.torrent
c:\program\uTorrent\Vengeance Effects Vol 1.torrent
c:\program\uTorrent\vengeance Effects vol1.rar.torrent
c:\program\uTorrent\VENGEANCE ESSENTIAL CLUB SOUNDS vol-1.rar.torrent
c:\program\uTorrent\World.of.Warcraft.RETAIL.EU.1.torrent
c:\program\uTorrent\World.of.Warcraft.RETAIL.EU.torrent
c:\program\uTorrent\World_Series_Of_Poker_2008-PROCYON.torrent
c:\program\uTorrent\WPT.S05.PokerStars.Caribbean.Poker.Adventure_FR_[CW].avi.torrent
c:\program\uTorrent\Zombie.Mayhem.SWE.DVDR-iNTERNATiONALS.EXCLUSIVE.torrent
C:\WINDOWS\system32\asferro.dll . . . . deletion failed

.
(((((((((((((((((((((((( Files created from 2009-03-18 to 2009-04-18 ))))))))))))))))))))))))))))))
.

2009-04-18 14:07:34 . 2009-04-18 14:08:35 0 d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2009-04-18 14:02:20 . 2009-04-18 14:01:59 73728 ----a-w C:\WINDOWS\system32\javacpl.cpl
2009-04-18 13:46:22 . 2009-04-18 13:46:22 0 d-----w C:\Documents and Settings\Yones\Application Data\Foxit
2009-04-17 16:21:57 . 2009-04-17 16:21:57 0 d-----w C:\Documents and Settings\LocalService\Start-meny
2009-04-17 16:21:13 . 2008-06-06 10:15:34 38208 ----a-w C:\WINDOWS\system32\drivers\TfSysMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:32 33088 ----a-w C:\WINDOWS\system32\drivers\TfNetMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:30 12608 ----a-w C:\WINDOWS\system32\drivers\TfKbMon.sys
2009-04-17 16:21:13 . 2008-06-06 10:15:28 51520 ----a-w C:\WINDOWS\system32\drivers\TfFsMon.sys
2009-04-17 16:20:49 . 2009-04-17 16:20:49 0 d-----w C:\WINDOWS\system32\xircom
2009-04-17 16:01:07 . 2008-12-11 06:38:22 159600 ----a-w C:\WINDOWS\system32\drivers\pctgntdi.sys
2009-04-17 16:00:53 . 2009-03-06 14:45:06 130424 ----a-w C:\WINDOWS\system32\drivers\PCTCore.sys
2009-04-17 16:00:53 . 2008-12-18 10:16:56 73840 ----a-w C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-04-17 16:00:41 . 2008-12-10 10:36:04 64392 ----a-w C:\WINDOWS\system32\drivers\pctplsg.sys
2009-04-17 16:00:35 . 2009-04-17 16:21:46 0 d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2009-04-17 16:00:35 . 2009-04-17 16:00:35 0 d-----w C:\Documents and Settings\Yones\Application Data\PC Tools
2009-04-16 22:16:27 . 2002-12-28 23:14:38 81920 ----a-w C:\WINDOWS\system32\Startup.cpl
2009-04-16 22:14:43 . 2009-04-16 22:14:43 0 d-----w C:\Documents and Settings\Administratör\Lokala inställningar\Application Data\kyoku-senbi
2009-04-16 22:14:43 . 2009-04-16 22:14:43 0 d-----w C:\Documents and Settings\Administratör\Application Data\kyoku-senbi
2009-04-16 22:11:18 . 2009-04-16 22:11:18 0 d-----w C:\Documents and Settings\Administratör\Application Data\Malwarebytes
2009-04-16 15:18:09 . 2009-04-16 15:18:59 0 d-----w C:\Documents and Settings\Yones\Application Data\Antispyware
2009-04-06 16:15:10 . 2009-04-18 14:20:49 0 d-----w C:\Documents and Settings\Yones\Application Data\Skype
2009-04-06 16:14:44 . 2009-04-06 16:14:58 0 d-----w C:\Documents and Settings\All Users\Application Data\Skype
2009-04-06 15:37:09 . 2009-04-18 13:33:45 0 d-----w C:\Documents and Settings\Yones\Tracing
2009-04-04 11:05:38 . 2009-04-04 11:07:17 0 d-----w C:\Documents and Settings\Yones\Application Data\TrueCrypt
2009-04-04 11:04:57 . 2009-04-04 11:04:57 215872 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys
2009-03-25 18:21:41 . 2005-05-11 01:54:30 258352 ----a-w C:\WINDOWS\system32\unicows.dll
2009-03-25 17:10:57 . 2009-03-25 17:11:52 0 d-----w C:\Documents and Settings\Yones\Application Data\GetRightToGo
2009-03-24 11:03:08 . 2009-03-24 11:03:08 7808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.

HJT log (scanned again after the Malwarebytes scan):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:36:44, on 2009-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\CDBurnerXP\NMSAccessU.exe
C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\SyncroSoft\Pos\H2O\cledx.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program\Secunia\PSI\psi.exe
C:\Program\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [H2O] C:\Program\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Orb] "C:\Program\Winamp Remote\bin\OrbTray.exe" /background
O4 - Startup: Secunia PSI.lnk = C:\Program\Secunia\PSI\psi.exe
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - C:\Microgaming\Poker\UnibetpokerMPP\MPPoker.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Yones\Start-meny\Program\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start-meny\Program\UltimateBet\UltimateBet.lnk (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9891dd0fbf580) (gupdate1c9891dd0fbf580) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ThreatFire - PC Tools - C:\Program\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 10850 bytes

Malwarebytes log

Malwarebytes' Anti-Malware 1.36
Databasversion: 2001
Windows 5.1.2600 Service Pack 2

2009-04-19 00:27:45
mbam-log-2009-04-19 (00-27-45).txt

Skanningstyp: Fullständig skanning (C:\|)
Antal skannade objekt: 223347
Förfluten tid: 1 hour(s), 20 minute(s), 14 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 4
Infekterade registervärden: 4
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 9

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22ed5426-f8a1-4280-b972-6f5d1b6dad3d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{22ed5426-f8a1-4280-b972-6f5d1b6dad3d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvvkdbl (Rootkit.Sentinel) -> Delete on reboot.

Infekterade registervärden:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\WINDOWS\system32\asferro.dll (Trojan.BHO.H) -> Delete on reboot.
C:\System Volume Information\_restore{C3F21E2A-CE88-4260-87E2-660D9286E0E6}\RP485\A0134439.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F21E2A-CE88-4260-87E2-660D9286E0E6}\RP485\A0134440.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F21E2A-CE88-4260-87E2-660D9286E0E6}\RP485\A0134441.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F21E2A-CE88-4260-87E2-660D9286E0E6}\RP485\A0134442.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3F21E2A-CE88-4260-87E2-660D9286E0E6}\RP489\A0134797.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yones\Lokala inställningar\Temp\yasbvwpn.dat (Rootkit.Agent) -> Delete on reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Yones\Yones.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\drvvkdbl.sys (Rootkit.Sentinel) -> Delete on reboot.

"If you are using a USB or Flash drive, please let me know." I'm not using that.

Anyway, I conducted a scan again, and the computer seems 100% clean!! Thank you so much for your help. I didn't know I had so many malicious files on my computer... Well, I've most certainly learnt my lesson by now.

Again, thank you so much for your help, and keep up the good work. You guys are needed! =D

pskelley
2009-04-19, 02:06
I wanted to mention these files: C:\sqmnoopt05.sqm
You can see a lot with different numbers in the combofix log; this is what they are: http://www.what-is-exe.com/filenames/sqmdata00-sqm.html

Anyway, I conducted a scan again, and the computer seems 100% clean!!
Stick with me a bit longer while we do this to be sure:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Spyware Doctor with AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

keigo
2009-04-20, 12:45
Update Spyware Doctor with AntiVirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

I followed the instructions again and I didn't find anything (even with Ad-aware), so I suppose it's safe to say that it's okay from here. You may close the thread now.

Again, thank you so much for your help! :bigthumb:

pskelley
2009-04-20, 13:01
Thanks much for taking the time to let me know :bigthumb: safe surfing.