Virtumonde.sdn

Usman
2009-05-02, 22:06
My PC got popups with fake virus scans, so a friend advised me to try Spybot. I checked for problems and deleted/fixed them. After restarting my computer I found out that the program Virtumonde was still there. I tried to fix it and restart many times, just to find out that it's still on my PC. There are still popups with the virus programs.

Here is the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:54, on 02.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\vVX6000.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ld02.exe
C:\Windows\pp06.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\DL32.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\ezShellStart.exe
O2 - BHO: Mirar - {00AA0285-B61C-4832-9E01-2ADCDA2DA9DD} - C:\Windows\system32\winle77.dll
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Mirar - {00AA0284-B61C-4832-9E01-2ADCDA2DA9DD} - C:\Windows\system32\winle77.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld02.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\Windows\SERVIC~2\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\Windows\system32\ezNTSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 10461 bytes

And thank you for helping :D
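Added example, not from the thread or from any of the tools named in it: a small Python triage script that parses HijackThis v2 lines like those in the log above and flags the entries a helper looks at first: an IE proxy pointing at localhost, a replaced UserInit, browser add-on DLLs under C:\Windows, Run entries that load from the Windows root, from a bare name or from a temp/service-profile folder, and DLLs dropped in the Startup folder. The sample lines are copied from the log; the heuristics are review prompts, not verdicts, and the same rules will also catch some vendor entries (for instance a Run value registered by bare name such as RtHDVCpl.exe).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: HijackThis v2 lines copied from the log above,
# plus two ordinary entries (Google Toolbar, iTunesHelper) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F2 - REG:system.ini: UserInit=C:\Windows\system32\ezShellStart.exe
O2 - BHO: Mirar - {00AA0285-B61C-4832-9E01-2ADCDA2DA9DD} - C:\Windows\system32\winle77.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld02.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\Windows\SERVIC~2\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: ChkDisk.dll
"""

# Every HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK.*?\\Run: \[[^\]]*\] (.+)$")
# Heuristic lists (this example's own choices, not an official list).
SUSPECT_DIRS = ("\\locals~1\\", "\\temp\\", "\\servic~", "\\appdata\\local\\temp\\")
WINDOWS_ROOT = {"c:\\windows", "c:\\winnt"}
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _target_of_run(command: str) -> str:
    """Return the file a Run command really loads: the EXE (quoted or not),
    or the DLL named after rundll32 in the 'rundll32 x.dll,Export' form."""
    cmd = command.strip()
    if cmd.lower().startswith("rundll32"):
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        return rest.split(",", 1)[0].strip().strip('"')
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return m.group(1) or m.group(2)


def _check_run(body: str) -> Optional[str]:
    """Heuristics for O4 (autostart) lines; returns a reason or None."""
    if body.startswith("Startup:") and body.lower().endswith(".dll"):
        return "a DLL in the Startup folder is not a normal startup item"
    m = RUN_RE.match(body)
    if not m:
        return None
    target = _target_of_run(m.group(1)).lower()
    directory, name = ntpath.split(target)
    if not directory:
        return f"bare name '{name}' is resolved via PATH instead of a full path"
    if directory in WINDOWS_ROOT:
        return "executable placed directly in the Windows root directory"
    if any(s in target for s in SUSPECT_DIRS):
        return "loads from a temp or service-profile directory"
    return None


def triage(text: str) -> list:
    """Parse an HJT log and return the entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].lower()
            if "localhost" in value or "127.0.0.1" in value:
                reason = "IE proxy points at a local port: web traffic is relayed through a process on this machine"
        elif sec == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != DEFAULT_USERINIT:
                reason = "UserInit replaced; confirm the substitute binary is expected"
        elif sec in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1].strip().lower()
            if path.startswith("c:\\windows\\") and path.endswith(".dll"):
                reason = "browser add-on DLL loaded from the Windows directory tree"
        elif sec == "O4":
            reason = _check_run(body)
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```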

Shaba
2009-05-03, 12:03
Hi Usman

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Usman
2009-05-03, 13:04
Here is the ComboFix.txt; it is somehow in Norwegian, and I hope it makes no difference.

ComboFix 09-05-02.4 - Jakob 03.05.2009 12:53.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.47.1044.18.3582.2357 [GMT 2:00]
Kjører fra: c:\users\Jakob\Desktop\ComboFix.exe
AV: iolo AntiVirus® *On-access scanning disabled* (Updated)
FW: iolo Personal Firewall® *disabled*
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Download programs.url
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games.url
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.dll
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.lnk
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Translator.url
c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videos.url
c:\users\Jakob\Desktop\Videos.url
c:\windows\ld02.exe
c:\windows\pp06.exe
c:\windows\system32\dl32.exe

----- BITS: Mulige infiserte sider -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-04-03 til 2009-05-03 )))))))))))))))))))))))))))))))))
.

2009-05-03 09:53 . 2009-05-03 09:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w c:\program files\Trend Micro
2009-05-02 18:32 . 2009-05-02 18:32 -------- d-----w C:\VundoFix Backups
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 06:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 14:08 . 2009-05-01 07:53 -------- d-----w c:\windows\system32\796525
2009-04-15 15:58 . 2009-04-15 15:58 -------- d-----w c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 09:53 . 2007-12-10 19:34 -------- d-----w c:\program files\Java
2009-05-03 07:52 . 2007-12-11 03:25 76272 ----a-w c:\windows\system32\perfc014.dat
2009-05-03 07:52 . 2007-12-11 03:25 452096 ----a-w c:\windows\system32\perfh014.dat
2009-05-03 07:47 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-18 16:29 . 2009-04-18 16:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-16 01:13 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-01 15:06 . 2009-04-01 15:06 -------- d-----w c:\program files\MPD
2009-03-17 03:38 . 2009-04-15 08:39 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 08:39 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 08:39 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-04 19:33 . 2008-03-30 08:18 -------- d-----w c:\program files\Google
2009-03-03 04:46 . 2009-04-15 08:39 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 08:39 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 08:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 08:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 08:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 08:39 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 08:39 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 08:39 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 08:39 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 08:39 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-23 15:00 . 2009-02-23 15:00 552 ----a-w c:\users\Jakob\AppData\Local\d3d8caps.dat
2009-02-14 21:48 . 2009-02-14 21:48 227 ----a-w c:\windows\PowerReg.dat
2009-02-13 08:49 . 2009-04-15 08:39 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 08:39 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 06:55 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 18:59 . 2009-02-06 18:59 308104 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-09 06:46 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-12-11 03:41 . 2007-12-11 03:29 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00AA0285-B61C-4832-9E01-2ADCDA2DA9DD}]
2009-01-20 21:12 401408 ----a-w c:\windows\system32\winle77.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00AA0284-B61C-4832-9E01-2ADCDA2DA9DD}"= "c:\windows\system32\winle77.dll" [2009-01-20 401408]

[HKEY_CLASSES_ROOT\clsid\{00aa0284-b61c-4832-9e01-2adcda2da9dd}]
[HKEY_CLASSES_ROOT\TypeLib\{8B4B155A-BA7C-4B17-9136-143E20E50FAE}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00AA0284-B61C-4832-9E01-2ADCDA2DA9DD}"= "c:\windows\system32\winle77.dll" [2009-01-20 401408]

[HKEY_CLASSES_ROOT\clsid\{00aa0284-b61c-4832-9e01-2adcda2da9dd}]
[HKEY_CLASSES_ROOT\TypeLib\{8B4B155A-BA7C-4B17-9136-143E20E50FAE}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885400]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2008-08-15 308080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX6000"="c:\windows\vVX6000.exe" [2006-12-19 994072]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-03 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]

c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper og Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B07BBC0-B55A-44B9-8C1A-1AAD9EFA9930}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{38C3BAAC-1791-4419-8A02-C6CAC24691B8}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{9B37383B-AC38-424B-B419-776B522FD137}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{AAFBB2DF-E9CC-49FC-B682-9A53EA574F0A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B62159A-DBBB-49CF-8228-6A52EC1EFAB4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5AE4A55-6131-463E-9ED0-141FEEEFFE53}"= UDP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{FC75F2AD-116E-452D-B855-E89AD7F02767}"= TCP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{E53AFCE5-74A0-42B1-ABA8-E9B1ED258E0E}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{7AC3148F-4682-46E0-B21E-FE418267D48C}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{2C0EBB04-509B-44CB-8CBF-9C844B90F0E8}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"{E8CB4810-64AF-49D8-ACB8-591AC494035E}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"TCP Query User{DE6FDC94-7145-4B5B-8100-74C57868D075}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{6D1A9ADB-2263-44E9-BAC0-AE2F67C4C41A}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"{41B887F1-1DF6-466C-B472-0A9031A05EFB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{98479A11-123C-4F42-B79F-6D6A21D550F7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{CCC38E8D-64A1-493A-911C-BEAE90E27C96}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DC0F35CE-2FA3-40EA-8F99-A5288FFB24F5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{975198A6-6F2B-4D1F-AC03-FAF93B01ECBB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C0BE3D9A-A0AA-48FC-A110-BD6CB142AA6B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{5AC050E2-AEF4-4D35-8DFE-2092983C5BF7}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{EEFA7CFF-1CE3-4EDC-AB66-C22429F4502F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{4A3D5ACC-5A71-464B-AE62-31BA56B77119}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{DBD0C6E8-5D3B-465B-AA89-F4F3F1548BAB}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{558A5FFA-2831-4B08-8459-33A57E8DF797}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{926EC8C9-9412-48A7-B6F2-E31312783CFA}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{547B6AF0-EAFF-4843-962A-78D18A9555CD}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"UDP Query User{6C0C6691-D279-497B-9F9E-673D208DC229}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"TCP Query User{AD75CCD7-D5E7-431B-BD92-8EAD71ABE5CB}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{261F2FF6-CC7A-4457-AEA8-E2760BC14969}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"TCP Query User{CCEC04CF-D706-4F57-A825-183AB6E97D07}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= UDP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"UDP Query User{C20EA074-2141-4146-AB01-3FCC0739F06C}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= TCP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"TCP Query User{3AFF9F06-AAE9-4A24-9A66-A9E84AE8F3C9}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{CA02F546-2D06-4867-90F4-BD85252DDC6D}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"{6EDD0808-0021-48A9-BF9E-C06F1D6AC2E2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{5A0A6AAF-1C46-4514-971F-31391669FD28}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{504E3310-1582-4F28-9BF7-4FD9E9E37A9F}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{25C5AE35-63DE-4614-B482-299E43FC12B7}c:\\users\\jakob\\downloads\\utorrent.exe"= UDP:c:\users\jakob\downloads\utorrent.exe:utorrent.exe
"UDP Query User{B2D5BB0F-68D2-46AB-A933-FC8D68243CCD}c:\\users\\jakob\\downloads\\utorrent.exe"= TCP:c:\users\jakob\downloads\utorrent.exe:utorrent.exe
"TCP Query User{BDFBB118-B718-40D6-9065-D678D7460CA0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{F4A224F6-B93A-4AEF-BDDD-3F0592916971}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-12-19 2383256]
S0 XPacket;iolo Personal Firewall Driver;c:\windows\System32\xpacket.sys [2008-04-17 39424]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-09-03 12800]
S2 ezntsvc;EasyBits Magic Desktop Services for Windows NT;c:\windows\system32\ezNTSvc.exe [2008-05-10 33792]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - EagleNT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518a387e-c6aa-11dc-88d5-806e6f6e6963}]
\shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - TOMME PEKERE FJERNET - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Tilleggsskanning -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
.
------- Filassosiasjoner -------
.
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 12:55
Windows 6.0.6001 Service Pack 1 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_USERS\S-1-5-21-1069647053-2654557982-2637549637-1001\Software\SecuROM\License information*]
"datasecu"=hex:15,10,f1,56,81,4f,59,7e,4c,c2,40,c5,ad,a4,0a,2d,94,51,13,9d,08,
f2,dc,4e,12,33,c4,87,1b,06,b3,38,7e,f8,7b,90,8c,01,eb,d8,0b,2f,fe,3e,cb,a9,\
"rkeysecu"=hex:76,1d,f7,2e,a6,93,be,97,6d,7c,90,bd,64,96,7f,7b
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'lsass.exe'(684)
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
Tidspunkt ferdig: 2009-05-03 12:56
ComboFix-quarantined-files.txt 2009-05-03 10:56

Pre-Run: 289*189*527*552 byte ledig
Post-Run: 289*971*998*720 byte ledig

215 --- E O F --- 2009-05-03 07:54

Then, here comes the HijackThis text:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:20, on 03.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Mirar - {00AA0285-B61C-4832-9E01-2ADCDA2DA9DD} - C:\Windows\system32\winle77.dll
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Mirar - {00AA0284-B61C-4832-9E01-2ADCDA2DA9DD} - C:\Windows\system32\winle77.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\Windows\SERVIC~2\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1241344468_0c67f40f4e5ecbb846a0e9e55fd6712d&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\Windows\system32\ezNTSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 9032 bytes

Shaba
2009-05-03, 13:19
That is OK :)

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

Usman
2009-05-03, 13:26
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2 - Norsk
Adobe Shockwave Player 11
Apple Mobile Device Support
Authentium AntiVirus SDK - 2
Bonjour
Choice Guard
Compatibility Pack for 2007 Office
CyberLink DVD Suite Deluxe
Dungeon Keeper 2
EasyBits Magic Desktop
Google Earth
Google Toolbar for Internet Explorer
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Update
iolo technologies' System Mechanic Professional
iTunes
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
LabelPrint
LightScribe System Software 1.10.16.1
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
MapleStory
MapleStory
Mat på Data 5.0
Microsoft .NET Framework 3.5 Language Pack SP1 - nor
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft LifeCam
Microsoft Office Excel 2007 Help Oppdatering (KB963678)
Microsoft Office Excel MUI (Norwegian (Bokmål)) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (Norwegian (Bokmål)) 2007
Microsoft Office Powerpoint 2007 Help Oppdatering (KB963669)
Microsoft Office PowerPoint MUI (Norwegian (Bokmål)) 2007
Microsoft Office PowerPoint Viewer 2007 (Norwegian (Bokmål))
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Norwegian (Bokmål)) 2007
Microsoft Office Proof (Norwegian (Nynorsk)) 2007
Microsoft Office Proofing (Norwegian (Bokmål)) 2007
Microsoft Office Shared MUI (Norwegian (Bokmål)) 2007
Microsoft Office Word 2007 Help Oppdatering (KB963665)
Microsoft Office Word MUI (Norwegian (Bokmål)) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mirar
MSVCRT
muvee autoProducer 6.1
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
Opera 9.63
Opplastingsverktøy for Windows Live
Power2Go
PowerDirector
Python 2.5
Påloggingsassistent for Windows Live
QuickTime
RCT3 Soaked
Realtek High Definition Audio Driver
Roll
save2pc Pro Demo 3.48
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SPORE™
Språkpakke for Microsoft .NET Framework 3.5 SP1 - NOR
Spybot - Search & Destroy
The Battle for Middle-earth (tm) II
The Sims 2
The Sims 2 Familiepakke - Stæsj
The Sims 2 Forretningsliv
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 Fritid
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
TmNationsForever
Update for 2007 Microsoft Office System (KB967642)
Utvidet multimedia-tastaturløsning
VLC media player 0.9.8a
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Fotogalleri
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Sync
WinRAR archiver

Shaba
2009-05-03, 13:37
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\winle77.dll
c:\users\jakob\downloads\utorrent.exe

Folder::
c:\program files\utorrent

DirLook::
c:\windows\system32\796525

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{5AC050E2-AEF4-4D35-8DFE-2092983C5BF7}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{EEFA7CFF-1CE3-4EDC-AB66-C22429F4502F}c:\\program files\\utorrent\\utorrent.exe"=-
"TCP Query User{25C5AE35-63DE-4614-B482-299E43FC12B7}c:\\users\\jakob\\downloads\\utorrent.exe"= -
"UDP Query User{B2D5BB0F-68D2-46AB-A933-FC8D68243CCD}c:\\users\\jakob\\downloads\\utorrent.exe"=-


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a fresh HijackThis log.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Usman
2009-05-03, 14:09
ComboFix 09-05-02.4 - Jakob 03.05.2009 13:51.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.47.1044.18.3582.2464 [GMT 2:00]
Kjører fra: c:\users\Jakob\Desktop\ComboFix.exe
Command switches brukt :: c:\users\Jakob\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning enabled* (Updated)
FW: iolo Personal Firewall® *enabled*

FILE ::
c:\users\jakob\downloads\utorrent.exe
c:\windows\system32\winle77.dll
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\utorrent
c:\program files\utorrent\uTorrent.exe
c:\users\jakob\downloads\utorrent.exe
c:\windows\system32\winle77.dll

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-04-03 til 2009-05-03 )))))))))))))))))))))))))))))))))
.

2009-05-03 09:53 . 2009-05-03 09:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w c:\program files\Trend Micro
2009-05-02 18:32 . 2009-05-02 18:32 -------- d-----w C:\VundoFix Backups
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 06:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 14:08 . 2009-05-01 07:53 -------- d-----w c:\windows\system32\796525
2009-04-15 15:58 . 2009-04-15 15:58 -------- d-----w c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 11:48 . 2007-12-11 03:25 76272 ----a-w c:\windows\system32\perfc014.dat
2009-05-03 11:48 . 2007-12-11 03:25 452096 ----a-w c:\windows\system32\perfh014.dat
2009-05-03 11:42 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 09:53 . 2007-12-10 19:34 -------- d-----w c:\program files\Java
2009-04-18 16:29 . 2009-04-18 16:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-16 01:13 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-01 15:06 . 2009-04-01 15:06 -------- d-----w c:\program files\MPD
2009-03-17 03:38 . 2009-04-15 08:39 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 08:39 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 08:39 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-04 19:33 . 2008-03-30 08:18 -------- d-----w c:\program files\Google
2009-03-03 04:46 . 2009-04-15 08:39 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 08:39 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 08:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 08:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 08:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 08:39 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 08:39 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 08:39 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 08:39 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 08:39 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-23 15:00 . 2009-02-23 15:00 552 ----a-w c:\users\Jakob\AppData\Local\d3d8caps.dat
2009-02-14 21:48 . 2009-02-14 21:48 227 ----a-w c:\windows\PowerReg.dat
2009-02-13 08:49 . 2009-04-15 08:39 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 08:39 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 06:55 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 18:59 . 2009-02-06 18:59 308104 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-09 06:46 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-12-11 03:41 . 2007-12-11 03:29 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\796525 ----



((((((((((((((((((((((((((((( SnapShot@2009-05-03_10.56.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-10 19:15 . 2009-05-03 11:45 49730 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-03 11:45 74000 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-20 07:59 . 2009-05-03 11:45 10348 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1069647053-2654557982-2637549637-1001_UserData.bin
- 2008-01-19 16:32 . 2009-05-03 10:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:43 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:43 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-19 16:32 . 2009-05-03 10:50 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:43 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-19 16:32 . 2009-05-03 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-03 11:42 . 2009-05-03 11:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-03 07:47 . 2009-05-03 07:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-03 07:47 . 2009-05-03 07:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-03 11:42 . 2009-05-03 11:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-03 11:48 586980 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-03 07:52 586980 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-03 11:48 101052 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-03 07:52 101052 c:\windows\System32\perfc009.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885400]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2008-08-15 308080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX6000"="c:\windows\vVX6000.exe" [2006-12-19 994072]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-03 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]

c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper og Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B07BBC0-B55A-44B9-8C1A-1AAD9EFA9930}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{38C3BAAC-1791-4419-8A02-C6CAC24691B8}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{9B37383B-AC38-424B-B419-776B522FD137}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{AAFBB2DF-E9CC-49FC-B682-9A53EA574F0A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B62159A-DBBB-49CF-8228-6A52EC1EFAB4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5AE4A55-6131-463E-9ED0-141FEEEFFE53}"= UDP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{FC75F2AD-116E-452D-B855-E89AD7F02767}"= TCP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{E53AFCE5-74A0-42B1-ABA8-E9B1ED258E0E}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{7AC3148F-4682-46E0-B21E-FE418267D48C}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{2C0EBB04-509B-44CB-8CBF-9C844B90F0E8}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"{E8CB4810-64AF-49D8-ACB8-591AC494035E}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"TCP Query User{DE6FDC94-7145-4B5B-8100-74C57868D075}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{6D1A9ADB-2263-44E9-BAC0-AE2F67C4C41A}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"{41B887F1-1DF6-466C-B472-0A9031A05EFB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{98479A11-123C-4F42-B79F-6D6A21D550F7}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{CCC38E8D-64A1-493A-911C-BEAE90E27C96}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DC0F35CE-2FA3-40EA-8F99-A5288FFB24F5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{975198A6-6F2B-4D1F-AC03-FAF93B01ECBB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C0BE3D9A-A0AA-48FC-A110-BD6CB142AA6B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"UDP Query User{EEFA7CFF-1CE3-4EDC-AB66-C22429F4502F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{4A3D5ACC-5A71-464B-AE62-31BA56B77119}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{DBD0C6E8-5D3B-465B-AA89-F4F3F1548BAB}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{558A5FFA-2831-4B08-8459-33A57E8DF797}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{926EC8C9-9412-48A7-B6F2-E31312783CFA}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{547B6AF0-EAFF-4843-962A-78D18A9555CD}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"UDP Query User{6C0C6691-D279-497B-9F9E-673D208DC229}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"TCP Query User{AD75CCD7-D5E7-431B-BD92-8EAD71ABE5CB}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{261F2FF6-CC7A-4457-AEA8-E2760BC14969}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"TCP Query User{CCEC04CF-D706-4F57-A825-183AB6E97D07}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= UDP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"UDP Query User{C20EA074-2141-4146-AB01-3FCC0739F06C}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= TCP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"TCP Query User{3AFF9F06-AAE9-4A24-9A66-A9E84AE8F3C9}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{CA02F546-2D06-4867-90F4-BD85252DDC6D}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"{6EDD0808-0021-48A9-BF9E-C06F1D6AC2E2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{5A0A6AAF-1C46-4514-971F-31391669FD28}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{504E3310-1582-4F28-9BF7-4FD9E9E37A9F}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{BDFBB118-B718-40D6-9065-D678D7460CA0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{F4A224F6-B93A-4AEF-BDDD-3F0592916971}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-12-19 2383256]
S0 XPacket;iolo Personal Firewall Driver;c:\windows\System32\xpacket.sys [2008-04-17 39424]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-09-03 12800]
S2 ezntsvc;EasyBits Magic Desktop Services for Windows NT;c:\windows\system32\ezNTSvc.exe [2008-05-10 33792]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518a387e-c6aa-11dc-88d5-806e6f6e6963}]
\shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - TOMME PEKERE FJERNET - - - -

BHO-{00AA0285-B61C-4832-9E01-2ADCDA2DA9DD} - c:\windows\system32\winle77.dll
Toolbar-{00AA0284-B61C-4832-9E01-2ADCDA2DA9DD} - c:\windows\system32\winle77.dll
WebBrowser-{00AA0284-B61C-4832-9E01-2ADCDA2DA9DD} - c:\windows\system32\winle77.dll


.
------- Tilleggsskanning -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 13:54
Windows 6.0.6001 Service Pack 1 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...


c:\users\Jakob\AppData\Local\Temp\catchme.dll 53248 bytes executable

skanning vellykket
skjulte filer: 1

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_USERS\S-1-5-21-1069647053-2654557982-2637549637-1001\Software\SecuROM\License information*]
"datasecu"=hex:15,10,f1,56,81,4f,59,7e,4c,c2,40,c5,ad,a4,0a,2d,94,51,13,9d,08,
f2,dc,4e,12,33,c4,87,1b,06,b3,38,7e,f8,7b,90,8c,01,eb,d8,0b,2f,fe,3e,cb,a9,\
"rkeysecu"=hex:76,1d,f7,2e,a6,93,be,97,6d,7c,90,bd,64,96,7f,7b
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
Tidspunkt ferdig: 2009-05-03 13:55
ComboFix-quarantined-files.txt 2009-05-03 11:55
ComboFix2.txt 2009-05-03 10:56

Pre-Run: 290*196*004*864 byte ledig
Post-Run: 290*169*233*408 byte ledig

214 --- E O F --- 2009-05-03 07:54

Fresh HJT :D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:03, on 03.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\schtasks.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\iolo\System Mechanic Professional\SMSystemAnalyzer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1241344468_0c67f40f4e5ecbb846a0e9e55fd6712d&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\Windows\system32\ezNTSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 8736 bytes

Shaba
2009-05-03, 14:11
Looks better :)

Have you set this?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

Usman
2009-05-03, 14:18
I don't think so, what is it?

Shaba
2009-05-03, 14:24
Proxy server in internet explorer.
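
As an added example (not part of this thread, and not code from HijackThis or ComboFix), a small Python triage script that reads HijackThis R1 and O4 lines like the ones posted above and flags a browser proxy that points at the local machine, such as the "http=localhost:7171" entry Shaba asked about, plus Run values that name no path at all, like "[DL32] DL32". The sample lines are abbreviated from the log in this thread; the heuristics, function names and the Finding type are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hostnames that mean "this machine"; 127.0.0.0/8 is handled by prefix below.
LOOPBACK_NAMES = {"localhost", "::1"}

# HijackThis line shapes this script understands (see the log above):
#   R1 - HKCU\...\Internet Settings,ProxyServer = http=localhost:7171
#   O4 - HKLM\..\Run: [name] command line
PROXY_RE = re.compile(r"^R1 - HK\w+\\.*Internet Settings,ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str    # indicator class
    line: str    # the log line that triggered it
    detail: str  # what a reviewer should check


def parse_proxy_value(value: str) -> Dict[str, str]:
    """Split an IE ProxyServer value into {scheme: 'host:port'}.

    IE stores either one 'host:port' used for every protocol (returned under
    the key '*') or a ';'-separated list such as 'http=host:port;https=host:port'.
    """
    proxies: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        proxies[scheme.strip().lower()] = hostport.strip()
    return proxies


def split_hostport(hostport: str) -> Tuple[str, Optional[str]]:
    """Return (host, port) for 'host:port', '[v6]:port' or a bare host."""
    m = re.fullmatch(r"\[(?P<h>[^\]]+)\](?::(?P<p>\d+))?", hostport)
    if m:
        return m["h"], m["p"]
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return hostport, None


def is_loopback(host: str) -> bool:
    host = host.lower()
    return host in LOOPBACK_NAMES or host.startswith("127.")


def first_token(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis log text and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, hostport in parse_proxy_value(m["value"]).items():
                host, port = split_hostport(hostport)
                if is_loopback(host):
                    findings.append(Finding(
                        "loopback-proxy", line,
                        f"{scheme} requests are sent through {host}:{port or '?'} on this "
                        "machine, so a local program sees every page; confirm the user set it"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            # Heuristic: a Run value that is neither a path nor even a file name
            # (no backslash, no extension) cannot be resolved from the log alone.
            if "\\" not in exe and "." not in exe:
                findings.append(Finding(
                    "unresolved-run-entry", line,
                    f"Run value '{m['name']}' launches bare name '{exe}' with no path; "
                    "confirm where it resolves before trusting it"))
    return findings


# Constructed sample: lines abbreviated from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [DL32] DL32
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.detail}")
```

Run against the sample it reports the localhost:7171 proxy and the DL32 entry and stays quiet on the vendor entries with full paths.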

Usman
2009-05-03, 14:26
Oh, I don't think I've set it, but anyway, thank you very much for helping me remove the trojan :laugh:

Shaba
2009-05-03, 14:30
Then we continue :)


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


Folder::
c:\windows\system32\796525

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{41B887F1-1DF6-466C-B472-0A9031A05EFB}"=-
"{98479A11-123C-4F42-B79F-6D6A21D550F7}"=-
"UDP Query User{EEFA7CFF-1CE3-4EDC-AB66-C22429F4502F}c:\\program files\\utorrent\\utorrent.exe"=-

DDS::
uInternet Settings,ProxyServer = http=localhost:7171


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Usman
2009-05-03, 14:37
ComboFix 09-05-02.4 - Jakob 03.05.2009 14:33.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.47.1044.18.3582.2352 [GMT 2:00]
Kjører fra: c:\users\Jakob\Desktop\ComboFix.exe
Command switches brukt :: c:\users\Jakob\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated)
FW: iolo Personal Firewall® *enabled*
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\796525

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-04-03 til 2009-05-03 )))))))))))))))))))))))))))))))))
.

2009-05-03 09:53 . 2009-05-03 09:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w c:\program files\Trend Micro
2009-05-02 18:32 . 2009-05-02 18:32 -------- d-----w C:\VundoFix Backups
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 07:20 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-05-01 06:42 . 2009-05-01 06:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 15:58 . 2009-04-15 15:58 -------- d-----w c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 11:48 . 2007-12-11 03:25 76272 ----a-w c:\windows\system32\perfc014.dat
2009-05-03 11:48 . 2007-12-11 03:25 452096 ----a-w c:\windows\system32\perfh014.dat
2009-05-03 11:42 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 09:53 . 2007-12-10 19:34 -------- d-----w c:\program files\Java
2009-04-18 16:29 . 2009-04-18 16:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-16 01:13 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-01 15:06 . 2009-04-01 15:06 -------- d-----w c:\program files\MPD
2009-03-17 03:38 . 2009-04-15 08:39 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 08:39 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 08:39 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-04 19:33 . 2008-03-30 08:18 -------- d-----w c:\program files\Google
2009-03-03 04:46 . 2009-04-15 08:39 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 08:39 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 08:39 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 08:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 08:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 08:39 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 08:39 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-15 08:39 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 08:39 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 08:39 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-23 15:00 . 2009-02-23 15:00 552 ----a-w c:\users\Jakob\AppData\Local\d3d8caps.dat
2009-02-14 21:48 . 2009-02-14 21:48 227 ----a-w c:\windows\PowerReg.dat
2009-02-13 08:49 . 2009-04-15 08:39 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 08:39 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 06:55 2033152 ----a-w c:\windows\system32\win32k.sys
2009-02-06 18:59 . 2009-02-06 18:59 308104 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-09 06:46 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-12-11 03:41 . 2007-12-11 03:29 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_10.56.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-10 19:15 . 2009-05-03 11:45 49730 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-03 11:45 74000 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-20 07:59 . 2009-05-03 11:45 10348 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1069647053-2654557982-2637549637-1001_UserData.bin
- 2008-01-19 16:32 . 2009-05-03 10:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:59 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:59 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-19 16:32 . 2009-05-03 10:50 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-19 16:32 . 2009-05-03 11:59 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-19 16:32 . 2009-05-03 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-03 11:42 . 2009-05-03 11:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-03 07:47 . 2009-05-03 07:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-03 07:47 . 2009-05-03 07:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-03 11:42 . 2009-05-03 11:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-03 11:48 586980 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-03 07:52 586980 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-03 11:48 101052 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-03 07:52 101052 c:\windows\System32\perfc009.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885400]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2008-08-15 308080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX6000"="c:\windows\vVX6000.exe" [2006-12-19 994072]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-03 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]

c:\users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper og Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B07BBC0-B55A-44B9-8C1A-1AAD9EFA9930}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{38C3BAAC-1791-4419-8A02-C6CAC24691B8}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{9B37383B-AC38-424B-B419-776B522FD137}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{AAFBB2DF-E9CC-49FC-B682-9A53EA574F0A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B62159A-DBBB-49CF-8228-6A52EC1EFAB4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5AE4A55-6131-463E-9ED0-141FEEEFFE53}"= UDP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{FC75F2AD-116E-452D-B855-E89AD7F02767}"= TCP:c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:iolo Firewall®
"{E53AFCE5-74A0-42B1-ABA8-E9B1ED258E0E}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{7AC3148F-4682-46E0-B21E-FE418267D48C}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:iolo AntiVirus®
"{2C0EBB04-509B-44CB-8CBF-9C844B90F0E8}"= UDP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"{E8CB4810-64AF-49D8-ACB8-591AC494035E}"= TCP:c:\program files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:iolo AntiVirus® Email Protection
"TCP Query User{DE6FDC94-7145-4B5B-8100-74C57868D075}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{6D1A9ADB-2263-44E9-BAC0-AE2F67C4C41A}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"{CCC38E8D-64A1-493A-911C-BEAE90E27C96}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DC0F35CE-2FA3-40EA-8F99-A5288FFB24F5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{975198A6-6F2B-4D1F-AC03-FAF93B01ECBB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C0BE3D9A-A0AA-48FC-A110-BD6CB142AA6B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4A3D5ACC-5A71-464B-AE62-31BA56B77119}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{DBD0C6E8-5D3B-465B-AA89-F4F3F1548BAB}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{558A5FFA-2831-4B08-8459-33A57E8DF797}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{926EC8C9-9412-48A7-B6F2-E31312783CFA}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{547B6AF0-EAFF-4843-962A-78D18A9555CD}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"UDP Query User{6C0C6691-D279-497B-9F9E-673D208DC229}c:\\users\\jakob\\desktop\\morrosaker\\spill\\age of empires 2\\age of empires ii\\empires2.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\age of empires 2\age of empires ii\empires2.exe:empires2.exe
"TCP Query User{AD75CCD7-D5E7-431B-BD92-8EAD71ABE5CB}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{261F2FF6-CC7A-4457-AEA8-E2760BC14969}c:\\users\\jakob\\downloads\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\downloads\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"TCP Query User{CCEC04CF-D706-4F57-A825-183AB6E97D07}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= UDP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"UDP Query User{C20EA074-2141-4146-AB01-3FCC0739F06C}c:\\users\\jakob\\temp\\teamviewer\\version4\\teamviewer.exe"= TCP:c:\users\jakob\temp\teamviewer\version4\teamviewer.exe:teamviewer.exe
"TCP Query User{3AFF9F06-AAE9-4A24-9A66-A9E84AE8F3C9}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= UDP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"UDP Query User{CA02F546-2D06-4867-90F4-BD85252DDC6D}c:\\users\\jakob\\desktop\\morrosaker\\spill\\empires\\age of empires 2\\age of empires 2 & the conquerors expansion - full game - [hussey]\\age2_x1.exe"= TCP:c:\users\jakob\desktop\morrosaker\spill\empires\age of empires 2\age of empires 2 & the conquerors expansion - full game - [hussey]\age2_x1.exe:age2_x1.exe
"{6EDD0808-0021-48A9-BF9E-C06F1D6AC2E2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{5A0A6AAF-1C46-4514-971F-31391669FD28}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{504E3310-1582-4F28-9BF7-4FD9E9E37A9F}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{BDFBB118-B718-40D6-9065-D678D7460CA0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{F4A224F6-B93A-4AEF-BDDD-3F0592916971}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2006-12-19 2383256]
S0 XPacket;iolo Personal Firewall Driver;c:\windows\System32\xpacket.sys [2008-04-17 39424]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-09-03 12800]
S2 ezntsvc;EasyBits Magic Desktop Services for Windows NT;c:\windows\system32\ezNTSvc.exe [2008-05-10 33792]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-24 596840]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - EagleNT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518a387e-c6aa-11dc-88d5-806e6f6e6963}]
\shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Tilleggsskanning -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 14:35
Windows 6.0.6001 Service Pack 1 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_USERS\S-1-5-21-1069647053-2654557982-2637549637-1001\Software\SecuROM\License information*]
"datasecu"=hex:15,10,f1,56,81,4f,59,7e,4c,c2,40,c5,ad,a4,0a,2d,94,51,13,9d,08,
f2,dc,4e,12,33,c4,87,1b,06,b3,38,7e,f8,7b,90,8c,01,eb,d8,0b,2f,fe,3e,cb,a9,\
"rkeysecu"=hex:76,1d,f7,2e,a6,93,be,97,6d,7c,90,bd,64,96,7f,7b
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
.
Tidspunkt ferdig: 2009-05-03 14:36
ComboFix-quarantined-files.txt 2009-05-03 12:36
ComboFix2.txt 2009-05-03 11:55
ComboFix3.txt 2009-05-03 10:56

Pre-Run: 290*195*881*984 byte ledig
Post-Run: 290*169*479*168 byte ledig

198 --- E O F --- 2009-05-03 07:54

Shaba
2009-05-03, 14:53
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Usman
2009-05-03, 22:34
I tried to scan "my computer" but it stopped after around an hour at 20%. It's trying to scan "C:\Users\Jakob\De...STG.[www.usabit.com]". After around 3 hours it still didn't move, so I tried again, just to find out that it stopped at the same place. I followed your steps, but it just stopped at 20%. Either I did something wrong or it doesn't work :S

Shaba
2009-05-04, 06:08
So then please use this instead:

Please go to ESET Online Scanner (http://www.eset.eu/online-scanner) to run an online scan.
Note: You will need to use Internet Explorer for this scan!
Check the box next to "YES, I accept the Terms of Use."
Click "Start"
Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
Once installed, the scanner will be initialized.
Click "Start". Make sure that the options are set as follows:
- Remove found threats is UNCHECKED
- Scan unwanted applications is CHECKED
Click "Scan"
Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste the contents of log.txt in your next reply.

Usman
2009-05-04, 07:57
After some hours Kaspersky actually worked. So here is the Kaspersky report:

Monday, May 4, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 21:16:33
Records in database: 2124774


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics
Files scanned 177827
Threat name 9
Infected objects 12
Suspicious objects 0
Duration of the scan 07:48:00

File name Threat name Threats count
C:\Program Files\EA GAMES\The Sims 2 Fritid\TSBin\Sims2EP7.exe Infected: Trojan-Dropper.Win32.Agent.xwd 1

C:\Qoobox\Quarantine\C\Users\Jakob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Rootkit.Win32.Small.sy 1

C:\Qoobox\Quarantine\C\Windows\ld02.exe.vir Infected: Backdoor.Win32.Lithium.dw 1

C:\Qoobox\Quarantine\C\Windows\System32\DL32.exe.vir Infected: Trojan.Win32.Agent2.iwh 1

C:\Users\Jakob\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Jakob\AppData\Local\Microsoft\Windows\TEMPOR~1\VIRTUA~1\C\Users\Jakob\protect.dll Infected: Rootkit.Win32.Small.sy 1

C:\Users\Jakob\AppData\Local\VirtualStore\Program Files\XPPoliceAntivirus\setup.dat Infected: Trojan.Win32.FraudPack.kez 1

C:\Users\Jakob\AppData\Local\VirtualStore\Program Files\XPPoliceAntivirus\setup.dat Infected: not-a-virus:FraudTool.Win32.Agent.jz 1

C:\Users\Jakob\AppData\Local\VirtualStore\Program Files\XPPoliceAntivirus\setup.dat Infected: not-a-virus:FraudTool.Win32.Agent.ju 1

C:\Users\Jakob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\4d5f6528-1e7d827f Infected: Exploit.Java.ByteVerify 1

C:\Users\Jakob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\1caddd6a-7575c25e Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Users\Jakob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\25d09bb3-649c0306 Infected: Exploit.Java.ByteVerify 1

C:\Users\Jakob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\538bb179-23960672 Infected: Trojan-Downloader.Java.OpenStream.ac 1

The selected area was scanned.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:55:25, on 04.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\schtasks.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\hp\kbd\kbd.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\iolo\System Mechanic Professional\SMSystemAnalyzer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nb_no&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - Startup: OneNote 2007 Screen Clipper og Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1241344468_0c67f40f4e5ecbb846a0e9e55fd6712d&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisk LiveUpdate-planlegging (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: EasyBits Magic Desktop Services for Windows NT (ezntsvc) - EasyBits Software Corp. - C:\Windows\system32\ezNTSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 8825 bytes
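
An added example, not part of the thread and not HijackThis' own code: a small triage pass over lines copied from the log above. It flags the three things a helper looks for first, a BHO or toolbar whose CLSID is still registered but whose file is gone ("(no file)"), a Run value whose command is a bare name rather than a path (like `[DL32] DL32`; such a name is resolved through the PATH search order at logon, so whichever same-named file is found first is what runs, which is also why the legitimate `RtHDVCpl.exe` entry gets flagged for review), each distinct Winsock LSP DLL that HijackThis could not identify, and O16 ActiveX downloads from hosts outside an allow-list. The allow-list and the last O16 line (null CLSID, reserved example.com host) are constructed for the example; every other sample line is verbatim from the posted log.

```python
import re
from urllib.parse import urlparse

# Hosts from which an O16 (ActiveX download) entry is considered expected on this
# machine. This allow-list is an assumption made for the example, not a fact from
# the thread; tune it per environment.
TRUSTED_DPF_HOSTS = {"sdlc-esd.sun.com", "messenger.zone.msn.com"}

# Lines copied from the HijackThis log in the thread, plus one constructed O16 line
# (null CLSID, reserved example.com domain) so the untrusted-host rule has input.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll",
    r"O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKCU\..\Run: [DL32] DL32",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll",
    r"O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll",
    r"O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab",
    # constructed sample line, not from the posted log:
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Sample) - http://download.example.com/installer.cab",
]

ORPHAN_RE = re.compile(r"^O[23] - (BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]{36}\} \((.*?)\) - (\S+)$")


def program_of(command: str) -> str:
    """Return the executable part of a Run command (quotes and arguments stripped)."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_bare_name(program: str) -> bool:
    # No directory component: Windows resolves the name through the PATH search
    # order, so a same-named file found earlier on PATH is what actually runs.
    return "\\" not in program and "/" not in program


def triage(lines):
    """Return findings as dicts with 'section', 'severity', 'subject' and 'note'."""
    findings = []
    reported_lsp = set()
    for raw in lines:
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            if path.lower() == "(no file)":
                findings.append({"section": "O2" if kind == "BHO" else "O3",
                                 "severity": "leftover", "subject": name,
                                 "note": f"{kind} registered under {{{clsid}}} but its file is gone; remove the registration"})
            continue
        m = RUN_RE.match(line)
        if m:
            hive, value_name, command = m.groups()
            program = program_of(command)
            if is_bare_name(program):
                findings.append({"section": "O4", "severity": "review", "subject": program,
                                 "note": f"{hive} Run value [{value_name}] is a bare name; check which file on PATH actually loads"})
            continue
        m = LSP_RE.match(line)
        if m:
            dll = m.group(1).lower()
            if dll not in reported_lsp:          # the log repeats each LSP once per protocol entry
                reported_lsp.add(dll)
                findings.append({"section": "O10", "severity": "verify", "subject": dll,
                                 "note": "LSP not in HijackThis' known list; map it to an installed product before touching the chain"})
            continue
        m = DPF_RE.match(line)
        if m:
            label, url = m.groups()
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append({"section": "O16", "severity": "untrusted", "subject": host,
                                 "note": f"ActiveX control '{label}' was downloaded from an unlisted host"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"{f['section']:<4}{f['severity']:<10}{f['subject']}  --  {f['note']}")
```

Run against the sample, the orphan and bare-name rules surface exactly the three entries the helper marks as leftovers later in the thread (the NCO BHO, the unnamed toolbar and DL32), plus RtHDVCpl.exe for the PATH reason above; the two iolo LSP DLLs come out once each so they can be matched to the installed firewall and antivirus rather than removed blindly.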

Shaba
2009-05-04, 08:28
Good :)

Do you recognize this file?

C:\Program Files\EA GAMES\The Sims 2 Fritid\TSBin\Sims2EP7.exe

Usman
2009-05-04, 09:18
It is Sims 2; I never play it though.

Shaba
2009-05-04, 17:07
So then we do this:

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using, Jotti or VirusTotal).

C:\Program Files\EA GAMES\The Sims 2 Fritid\TSBin\Sims2EP7.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Usman
2009-05-04, 17:31

File: Sims2EP7.exe
Status: INFECTED/MALWARE
MD5: 57bf18d5a7c8361d59c2909968e6d41c
Packers detected: -

Scanner results
Scan taken on 04 May 2009 15:23:48 (GMT)
A-Squared Found nothing
AntiVir Found BDS/Bifrose.JT
ArcaVir Found nothing
Avast Found Win32:Pakes-APP
AVG Antivirus Found nothing
BitDefender Found MemScan:Trojan.FakeAlert.AJF
ClamAV Found Trojan.Dropper-3074
CPsecure Found Troj.Downloader.W32.Small.uny
Dr.Web Found Trojan.MulDrop.27760
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Dropper.Win32.Agent.xwd
Ikarus Found Virus.Win32.Pakes.APP
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.xwd
NOD32 Found probably a variant of Win32/TrojanDownloader.Small.NZM (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found Mal/EncPk-BU
VirusBuster Found nothing
VBA32 Found Trojan.MulDrop.12389



Like this?
I have no problem deleting the game, if that is what I need to do, because, as I said, I never play it.

Shaba
2009-05-04, 17:39
No need to delete game, just delete this file:

C:\Program Files\EA GAMES\The Sims 2 Fritid\TSBin\Sims2EP7.exe

Delete this folder:

C:\Users\Jakob\AppData\Local\VirtualStore\Program Files\XPPoliceAntivirus

And empty these folders:

C:\Users\Jakob\AppData\LocalLow\Sun\Java\Deployment\cache
C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

Usman
2009-05-04, 17:48
I deleted the Sims thing and the C:\Qoobox\Quarantine, but I couldn't find the AppData folder.

Usman
2009-05-04, 17:49
Never mind, I had to search for it; it was in a hidden folder or something. I think everything is nice now. Thank you very much for the help :bigthumb:

Shaba
2009-05-04, 17:50
Please see this (http://www.bleepingcomputer.com/tutorials/tutorial130.html) and let me know if you now can find it.

Usman
2009-05-04, 17:54
It showed up when I searched for it, so I actually found it :)

Shaba
2009-05-04, 18:01
Good :)

Still some issues?

Usman
2009-05-04, 18:03
I did a search with Spybot, and the Virtumonde was gone, but I found four different tracking cookies. They were called Tradedoubler, Starcounter, CasaleMedia and DoubleClick, if that is any help. Should I post them in another thread than malware removal?

Shaba
2009-05-04, 18:04
This (http://www.spybot.info/en/faq/37.html) should help :)

Usman
2009-05-04, 18:22
Done :D
Thank you very much for the help. :bigthumb:

Shaba
2009-05-04, 18:44
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can fix these; they are leftovers:

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKCU\..\Run: [DL32] DL32

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore - If you are using Windows Vista, then you should disable and re-enable System Restore to make sure there are no infected files left in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)

Re-enable System Restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing and using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
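
The Internet Explorer hardening steps in the post above, as an added example that is not part of the thread and not code from Spybot or Microsoft. The six Custom Level settings the helper lists are stored as DWORD values under the current user's Internet zone key (zone 3), with 0 = Enable, 1 = Prompt and 3 = Disable; the value names used here are the documented Internet Explorer zone settings (Microsoft KB 182569). The script audits a snapshot of those values against the requested levels, renders the same change as a .reg file, and on Windows can read the live values through winreg. `SAMPLE_CURRENT` is a constructed snapshot, not a real machine's state, chosen so that two values are too permissive and one is absent.

```python
import sys

# HKCU subkey holding the "Internet" zone settings (zone 3). The Custom Level dialog
# in the post writes to this key for the current user only.
ZONE_INTERNET_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3   # DWORD meanings used by the Zones values
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# Registry value name -> (label as shown in the Custom Level dialog, hardened level).
# Value names per Microsoft KB 182569; the levels are exactly the six changes the post asks for.
HARDENED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed snapshot standing in for a real HKCU read: two values too permissive
# and one absent (an absent value means the zone's template default applies).
SAMPLE_CURRENT = {"1001": PROMPT, "1004": ENABLE, "1201": DISABLE, "1800": PROMPT, "1607": ENABLE}


def audit(current):
    """Compare a {value_name: dword} snapshot with HARDENED.

    Returns (value_name, label, actual, wanted) for every setting that is missing
    or differs; an empty list means the zone already matches the post.
    """
    deviations = []
    for name, (label, wanted) in HARDENED.items():
        actual = current.get(name)
        if actual != wanted:
            deviations.append((name, label, actual, wanted))
    return deviations


def as_reg_file():
    """Render the hardened settings as a .reg file for HKCU (same effect as the dialog)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_CURRENT_USER\\{ZONE_INTERNET_SUBKEY}]"]
    for name, (_label, wanted) in HARDENED.items():
        lines.append(f'"{name}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


def read_current():
    """Read the live HKCU values (Windows only); values that do not exist are left out."""
    import winreg  # standard library, but only importable on Windows
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET_SUBKEY) as key:
        for name in HARDENED:
            try:
                value, _kind = winreg.QueryValueEx(key, name)
                current[name] = value
            except FileNotFoundError:
                pass
    return current


if __name__ == "__main__":
    current = read_current() if sys.platform == "win32" else SAMPLE_CURRENT
    for name, label, actual, wanted in audit(current):
        print(f"{name} {label}: {LEVEL_NAME.get(actual, actual)} -> {LEVEL_NAME[wanted]}")
```

Because the dialog and the generated .reg file both write under HKEY_CURRENT_USER, the change only covers the account it is applied to; each user profile on the machine has to be hardened separately, and a missing value is reported as a deviation rather than assumed safe, since it means the zone template's default is in effect rather than the explicit setting.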

Usman
2009-05-04, 19:20
I will do, and again thank you for everything! :santa:

Shaba
2009-05-06, 18:42
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.