run in with braviax



RobertB
2009-08-14, 20:18
I have had a run-in with braviax today. All I did was follow a link to a website. I noticed it was bad and tried to go back, but not in time. msword98 tried to start a process, but using ZoneAlarm I stopped it.

Did a scan of my computer with up-to-date Avast Pro and Spybot, but both said I was OK! Restarted the computer, but then both programs said I had problems. One of them identified it as braviax. I tried resetting the computer to an earlier date (a bad thing, I gather now), which didn't work. I then followed instructions from an article and searched for, and shredded, braviax and delself, plus removed one registry entry each (using regedit) for braviax, delself, cru629 and burito.

Restarted the computer without getting the warnings, but now ZoneAlarm was telling me programs were trying to start. Using msconfig I removed msword98.exe, ikowin32.exe and svchost.exe from the start-up list, plus shredded the programs.

Now the computer restarts OK. But obviously I'm worried. I hope it's OK if I post my log and ask for help. It should be noted that my Windows XP is bought and registered, but since re-installing it 2 years ago I can no longer install all updates, just some of them. I have tried several fixes for this, but I'll live with it.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:03, on 2009-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\Mixer.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\Program\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\Rainmeter\Rainmeter.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.162.2.137:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F3 - REG:win.ini: run=
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\Program\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R360 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236795793015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236795781484
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6742 bytes

Shaba
2009-08-17, 07:25
Hi RobertB

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) ... by sUBs.
Save it to your desktop. Alternate download link: here (http://www.forospyware.com/sUBs/dds).
Double click the tool to run it.
A black Screen will open... read the contents but do nothing.
When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere; if you close Notepad before copying / pasting them, you will need to run DDS again.
Copy/paste both DDS.txt and Attach.txt reports in your next reply.
Once the reports have been posted, you can delete DDS from your desktop.

RobertB
2009-08-17, 07:37
Good morning Shaba. :) Here are the logs. But then I should get ready for work.


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Ägaren at 7:34:45,18 on 2009-08-17
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.2046.1343 [GMT 2:00]

AV: avast! antivirus 4.8.1335 [VPS 090816-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\Mixer.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\Program\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Rainmeter\Rainmeter.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Ägaren\Skrivbord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 203.162.2.137:80
mSearchAssistant = hxxp://www.google.com
mWinlogon: UIHost=c:\program\tgtsoft\stylexp\logon\CurrentLogon.EXE
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [STYLEXP] c:\program\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program\delade filer\ahead\lib\NMBgMonitor.exe"
uRun: [EPSON Stylus Photo R360 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiboe.exe /fu "c:\windows\temp\E_S87.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [ATIPTA] c:\program\ati technologies\ati control panel\atiptaxx.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [avast!] c:\program\alwil software\avast4\ashDisp.exe
mRun: [POINTER] point32.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\adobeg~1.lnk - c:\program\delade filer\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\rainme~1.lnk - c:\program\rainmeter\Rainmeter.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\program\micros~3\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236795793015
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236795781484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_gar~1\applic~1\mozilla\firefox\profiles\z3gfs696.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-3 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-11-11 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program\alwil software\avast4\ashServ.exe [2006-1-15 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program\alwil software\avast4\ashMaiSv.exe [2006-1-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program\alwil software\avast4\ashWebSv.exe [2006-1-15 352920]

=============== Created Last 30 ================

2009-08-14 20:03 <DIR> --d----- c:\program\Trend Micro
2009-08-14 13:34 27,004 -------- c:\windows\system32\hcyahrxj.ngm

==================== Find3M ====================

2009-08-17 07:29 14,155,776 a------- c:\documents and settings\hp_ägaren\ntuser.dat
2009-08-14 15:11 4,212 ac--h--- c:\windows\system32\zllictbl.dat
2009-08-14 15:10 619,072 ac------ c:\windows\system32\drivers\ntfs.sys
2009-03-21 16:28 129,256 ac------ c:\docume~1\hp_gar~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-13 15:31 187,904 a------- c:\program\A-Patch143b2_WLM9.exe
2008-01-22 21:40 0 ac------ c:\docume~1\hp_gar~1\applic~1\wklnhst.dat
2007-01-30 02:06 280,116 ac------ c:\program\messpatch-g5-81178.exe
2006-11-01 14:07 3,623,736 ac------ c:\program\procexp.exe
2006-01-29 10:14 22 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 7:35:33,50 ===============
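
The helper Shaba used here was to read the DDS "Created Last 30" section and pick out a freshly written file in system32 with an odd name and extension (hcyahrxj.ngm). Both logs above also carry a user-level ProxyServer setting, which the thread does not discuss. The script below is an added example, not part of the thread or of the DDS tool: it parses a few lines copied from the report above (embedded as a constructed sample), lists new system32 files whose extension is not one normally found there, and surfaces any proxy setting together with whether its host lies outside private address space. The extension allowlist is this example's own assumption, and a flagged item is something to review, not a verdict.

```python
import ipaddress
import ntpath
import re

# Constructed sample: lines copied from the DDS report above (proxy setting,
# "Created Last 30" and a Find3M line), embedded so the script runs offline.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = 203.162.2.137:80
mSearchAssistant = hxxp://www.google.com

=============== Created Last 30 ================

2009-08-14 20:03 <DIR> --d----- c:\program\Trend Micro
2009-08-14 13:34 27,004 -------- c:\windows\system32\hcyahrxj.ngm

==================== Find3M ====================

2009-08-14 15:11 4,212 ac--h--- c:\windows\system32\zllictbl.dat
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")

# Extensions Windows and common drivers normally place under system32.
# This allowlist is an assumption of this example, not a rule from the thread.
EXPECTED_SYS32_EXT = {".exe", ".dll", ".sys", ".dat", ".ocx", ".cpl", ".drv",
                      ".ax", ".log", ".ini", ".txt", ".mui", ".tlb", ".nls",
                      ".scr", ".cat", ".inf", ".acm", ".ime", ".msc"}


def created_entries(text):
    """Return file entries (directories excluded) listed under 'Created Last 30'."""
    section, entries = None, []
    for line in text.splitlines():
        head = SECTION_RE.match(line.strip())
        if head:
            section = head.group(1)
            continue
        if section != "Created Last 30":
            continue
        m = ENTRY_RE.match(line.strip())
        if m and m.group(2) != "<DIR>":
            entries.append({"when": m.group(1), "size": int(m.group(2).replace(",", "")),
                            "attrs": m.group(3), "path": m.group(4)})
    return entries


def suspicious_created(entries):
    """Flag new files in system32 whose extension is not one normally found there."""
    flagged = []
    for e in entries:
        path = e["path"].lower()
        ext = ntpath.splitext(path)[1]
        if "\\windows\\system32\\" in path and ext not in EXPECTED_SYS32_EXT:
            flagged.append(e)
    return flagged


def proxy_settings(text):
    """Surface ProxyServer values and whether the host is outside private address space."""
    found = []
    for value in PROXY_RE.findall(text):
        host = value.rsplit(":", 1)[0]
        try:
            ip = ipaddress.ip_address(host)
            external = not (ip.is_private or ip.is_loopback)
        except ValueError:  # a hostname rather than a literal IP: cannot tell offline
            external = None
        found.append({"value": value, "host": host, "external": external})
    return found


def triage(text):
    return {"proxies": proxy_settings(text),
            "suspicious_files": suspicious_created(created_entries(text))}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for p in result["proxies"]:
        print("proxy set:", p["value"], "(external host)" if p["external"] else "")
    for f in result["suspicious_files"]:
        print("review:", f["path"], f["size"], "bytes, created", f["when"])
```

Run against the sample, it reports the proxy at 203.162.2.137:80 as an external host and the 27,004-byte hcyahrxj.ngm as a new system32 file to review, which is exactly the file Shaba asked to have scanned. Directory entries and the Find3M section are ignored on purpose; the Created Last 30 list is the part of a DDS report that reflects what changed around the time of the incident.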

RobertB
2009-08-17, 07:38
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2006-11-11 18:26:17
System Uptime: 2009-08-17 07:30:33 (0 hours ago)

Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon(tm) 64 Processor 3400+ | Socket 939 | 1772/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 227 GiB total, 37,167 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 2,519 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP608: 2009-05-20 09:52:24 - Systemkontrollpunkt
RP609: 2009-05-21 10:55:06 - Systemkontrollpunkt
RP610: 2009-05-22 20:21:37 - Systemkontrollpunkt
RP611: 2009-05-24 20:20:42 - Systemkontrollpunkt
RP612: 2009-05-25 22:21:12 - Systemkontrollpunkt
RP613: 2009-05-28 20:41:58 - Systemkontrollpunkt
RP614: 2009-05-29 21:49:46 - Systemkontrollpunkt
RP615: 2009-05-31 01:39:53 - Systemkontrollpunkt
RP616: 2009-06-01 19:28:08 - Systemkontrollpunkt
RP617: 2009-06-02 23:23:00 - Systemkontrollpunkt
RP618: 2009-06-03 23:27:25 - Systemkontrollpunkt
RP619: 2009-06-05 04:25:27 - Systemkontrollpunkt
RP620: 2009-06-06 13:28:49 - Systemkontrollpunkt
RP621: 2009-06-07 13:55:15 - Systemkontrollpunkt
RP622: 2009-06-08 19:58:47 - Systemkontrollpunkt
RP623: 2009-06-09 21:26:00 - Systemkontrollpunkt
RP624: 2009-06-14 20:51:33 - Systemkontrollpunkt
RP625: 2009-06-15 22:30:30 - Systemkontrollpunkt
RP626: 2009-06-16 22:49:27 - Systemkontrollpunkt
RP627: 2009-06-18 19:10:47 - Systemkontrollpunkt
RP628: 2009-06-19 23:03:30 - Systemkontrollpunkt
RP629: 2009-06-21 16:25:40 - Systemkontrollpunkt
RP630: 2009-06-23 02:07:24 - Systemkontrollpunkt
RP631: 2009-06-24 02:37:58 - Systemkontrollpunkt
RP632: 2009-06-25 19:20:59 - Systemkontrollpunkt
RP633: 2009-06-27 17:48:51 - Systemkontrollpunkt
RP634: 2009-06-28 20:16:10 - Systemkontrollpunkt
RP635: 2009-06-29 23:00:15 - Systemkontrollpunkt
RP636: 2009-07-01 23:24:32 - Systemkontrollpunkt
RP637: 2009-07-03 22:16:44 - Systemkontrollpunkt
RP638: 2009-07-08 23:21:46 - Systemkontrollpunkt
RP639: 2009-07-10 22:47:29 - Systemkontrollpunkt
RP640: 2009-07-12 17:03:10 - Systemkontrollpunkt
RP641: 2009-07-13 23:03:32 - Systemkontrollpunkt
RP642: 2009-08-02 01:17:27 - Systemkontrollpunkt
RP643: 2009-08-03 08:01:48 - Systemkontrollpunkt
RP644: 2009-08-04 21:41:20 - Systemkontrollpunkt
RP645: 2009-08-05 22:08:23 - Systemkontrollpunkt
RP646: 2009-08-07 00:21:24 - Systemkontrollpunkt
RP647: 2009-08-08 10:44:18 - Systemkontrollpunkt
RP648: 2009-08-11 18:17:03 - Systemkontrollpunkt
RP649: 2009-08-12 19:53:41 - Systemkontrollpunkt
RP650: 2009-08-13 20:05:32 - Systemkontrollpunkt
RP651: 2009-08-14 17:01:44 - Återställningsåtgärd
RP652: 2009-08-14 17:14:55 - Återställningsåtgärd
RP653: 2009-08-14 18:22:34 - Återställningsåtgärd
RP654: 2009-08-15 18:41:37 - Systemkontrollpunkt
RP655: 2009-08-16 18:50:05 - Systemkontrollpunkt

==== Installed Programs ======================

ABC-View Manager version 1.42
ABC (remove only)
ACDSee
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 7.0.9 - Svenska
Adobe Reader Japanese Fonts
Advanced WindowsCare Personal
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Alien Skin Eye Candy 5 Nature
Alien Skin Xenofex 2.0
AllToAVI v4 r5394
Apple Software Update
ATI Control Panel
ATI Display Driver
AudibleManager
Auto Gordian Knot 2.45
avast! Antivirus
AviSynth 2.5
BeatportDownloader
BufferChm
Camera RAW Plug-In for EPSON Creativity Suite
CameraDrivers
CamStudio
Choice Guard
Combined Community Codec Pack 2007-07-22
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.1
Cool Ruler
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
CueTour
Destinations
DeviceManagementQFolder
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
DSS DJ 5.01
DVD Decrypter (Remove Only)
eMule
Enhanced Multimedia Keyboard Solution
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Print CD
EPSON PRINT Image Framer Tool
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ERUNT 1.1j
ESPR360_390 User's Guide
Eye Candy 4000
Fax
Google Talk (remove only)
High Definition Audio - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet Printer Preload
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart-kameror 5.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
InstantShareDevices
InterVideo WinDVD Player
J2SE Runtime Environment 5.0
JASP Ver 1.6
Java(TM) 6 Update 13
LightScribe System Software 1.14.17.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - SVE
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - SVE
Microsoft .NET Framework 3.0 Swedish Language Pack
Microsoft .NET Framework 3.5 Language Pack SP1 - sve
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 4.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.13)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Premium
neroxml
NetOp Guest
NewCopy
NVIDIA Drivers
OmniPage Pro 9.0
PanoStandAlone
PCI Audio Driver
PhotoGallery
PS2
PSPrinters08
PSTAPlugin
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QuickTime
RandMap
Readme
Scan
Scan Manager 5.2
ScannerCopy
Security Update for CAPICOM (KB931906)
Segoe UI
SkinsHP1
Snabbkorrigering för Windows Media Player 10 - KB895316
Snabbkorrigering för Windows Media Player 11 (KB939683)
Snabbkorrigering för Windows XP (KB914440)
Snabbkorrigering för Windows XP (KB928388)
Snabbkorrigering för Windows XP (KB952287)
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458)
Säkerhetsuppdatering för Step by Step Interactive Training (KB923723)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB939653)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB961260)
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player (KB952069)
Säkerhetsuppdatering för Windows Media Player 10 (KB917734)
Säkerhetsuppdatering för Windows Media Player 11 (KB936782)
Säkerhetsuppdatering för Windows Media Player 11 (KB954154)
Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
Säkerhetsuppdatering för Windows XP (KB883939)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB893756)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896423)
Säkerhetsuppdatering för Windows XP (KB896424)
Säkerhetsuppdatering för Windows XP (KB896428)
Säkerhetsuppdatering för Windows XP (KB899587)
Säkerhetsuppdatering för Windows XP (KB899591)
Säkerhetsuppdatering för Windows XP (KB900725)
Säkerhetsuppdatering för Windows XP (KB901017)
Säkerhetsuppdatering för Windows XP (KB901190)
Säkerhetsuppdatering för Windows XP (KB901214)
Säkerhetsuppdatering för Windows XP (KB902400)
Säkerhetsuppdatering för Windows XP (KB904706)
Säkerhetsuppdatering för Windows XP (KB905414)
Säkerhetsuppdatering för Windows XP (KB905749)
Säkerhetsuppdatering för Windows XP (KB908519)
Säkerhetsuppdatering för Windows XP (KB911562)
Säkerhetsuppdatering för Windows XP (KB911567)
Säkerhetsuppdatering för Windows XP (KB911927)
Säkerhetsuppdatering för Windows XP (KB912919)
Säkerhetsuppdatering för Windows XP (KB913580)
Säkerhetsuppdatering för Windows XP (KB914388)
Säkerhetsuppdatering för Windows XP (KB914389)
Säkerhetsuppdatering för Windows XP (KB917344)
Säkerhetsuppdatering för Windows XP (KB917422)
Säkerhetsuppdatering för Windows XP (KB917953)
Säkerhetsuppdatering för Windows XP (KB918118)
Säkerhetsuppdatering för Windows XP (KB918439)
Säkerhetsuppdatering för Windows XP (KB918899)
Säkerhetsuppdatering för Windows XP (KB919007)
Säkerhetsuppdatering för Windows XP (KB920213)
Säkerhetsuppdatering för Windows XP (KB920214)
Säkerhetsuppdatering för Windows XP (KB920670)
Säkerhetsuppdatering för Windows XP (KB920683)
Säkerhetsuppdatering för Windows XP (KB920685)
Säkerhetsuppdatering för Windows XP (KB921398)
Säkerhetsuppdatering för Windows XP (KB921503)
Säkerhetsuppdatering för Windows XP (KB921883)
Säkerhetsuppdatering för Windows XP (KB922616)
Säkerhetsuppdatering för Windows XP (KB922819)
Säkerhetsuppdatering för Windows XP (KB923191)
Säkerhetsuppdatering för Windows XP (KB923414)
Säkerhetsuppdatering för Windows XP (KB923689)
Säkerhetsuppdatering för Windows XP (KB923694)
Säkerhetsuppdatering för Windows XP (KB923980)
Säkerhetsuppdatering för Windows XP (KB924191)
Säkerhetsuppdatering för Windows XP (KB924270)
Säkerhetsuppdatering för Windows XP (KB924496)
Säkerhetsuppdatering för Windows XP (KB924667)
Säkerhetsuppdatering för Windows XP (KB925454)
Säkerhetsuppdatering för Windows XP (KB925486)
Säkerhetsuppdatering för Windows XP (KB925902)
Säkerhetsuppdatering för Windows XP (KB926255)
Säkerhetsuppdatering för Windows XP (KB926436)
Säkerhetsuppdatering för Windows XP (KB927779)
Säkerhetsuppdatering för Windows XP (KB927802)
Säkerhetsuppdatering för Windows XP (KB928255)
Säkerhetsuppdatering för Windows XP (KB928843)
Säkerhetsuppdatering för Windows XP (KB929123)
Säkerhetsuppdatering för Windows XP (KB929969)
Säkerhetsuppdatering för Windows XP (KB930178)
Säkerhetsuppdatering för Windows XP (KB931261)
Säkerhetsuppdatering för Windows XP (KB931768)
Säkerhetsuppdatering för Windows XP (KB931784)
Säkerhetsuppdatering för Windows XP (KB932168)
Säkerhetsuppdatering för Windows XP (KB933729)
Säkerhetsuppdatering för Windows XP (KB935839)
Säkerhetsuppdatering för Windows XP (KB935840)
Säkerhetsuppdatering för Windows XP (KB936021)
Säkerhetsuppdatering för Windows XP (KB938464-v2)
Säkerhetsuppdatering för Windows XP (KB938829)
Säkerhetsuppdatering för Windows XP (KB941202)
Säkerhetsuppdatering för Windows XP (KB941568)
Säkerhetsuppdatering för Windows XP (KB941569)
Säkerhetsuppdatering för Windows XP (KB941644)
Säkerhetsuppdatering för Windows XP (KB943055)
Säkerhetsuppdatering för Windows XP (KB943460)
Säkerhetsuppdatering för Windows XP (KB944653)
Säkerhetsuppdatering för Windows XP (KB945553)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950760)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB951066)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB954600)
Säkerhetsuppdatering för Windows XP (KB955069)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956841)
Säkerhetsuppdatering för Windows XP (KB957097)
Säkerhetsuppdatering för Windows XP (KB958644)
Säkerhetsuppdatering för Windows XP (KB958687)
Säkerhetsuppdatering för Windows XP (KB960715)
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Språkpaket för Microsoft .NET Framework 3.5 SP 1 - sve
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Status
StyleXP (remove only)
t@b ZS4 Video Editor v0.958-686
TrayApp
TrueCrypt
Tweakui Powertoy for Windows XP
Unload
Update for Windows XP (KB953356)
Uppdatering för Windows XP (KB894391)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB900485)
Uppdatering för Windows XP (KB904942)
Uppdatering för Windows XP (KB908531)
Uppdatering för Windows XP (KB910437)
Uppdatering för Windows XP (KB911280)
Uppdatering för Windows XP (KB916595)
Uppdatering för Windows XP (KB920342)
Uppdatering för Windows XP (KB920872)
Uppdatering för Windows XP (KB922582)
Uppdatering för Windows XP (KB925720)
Uppdatering för Windows XP (KB927891)
Uppdatering för Windows XP (KB930916)
Uppdatering för Windows XP (KB931836)
Uppdatering för Windows XP (KB933360)
Uppdatering för Windows XP (KB938828)
UUDeview for Windows
VC 9.0 Runtime
WebFldrs XP
WebReg
VideoLAN VLC media player 0.8.6d
Viktig uppdatering för Windows Media Player 11 (KB959772)
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (SVE)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
WinRAR archiver
VobSub v2.23 (Remove Only)
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0
XviD MPEG4 Video Codec (remove only)
yEnc32 (remove only)
ZENcast Organizer
ZoneAlarm Pro

==== End Of File ===========================

Shaba
2009-08-17, 07:53
Please upload this file - c:\windows\system32\hcyahrxj.ngm to http://virusscan.jotti.org and post back results.

RobertB
2009-08-17, 08:13
There it is :mad:

msword98.exe
Status:
Scan finished. 6 out of 21 scanners reported malware.
Scan taken on: Fri 14 Aug 2009 19:03:24 (CET)

File size: 27004 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: d2d72d9bd11e2c5fc66dc35bbdc486a7
SHA1: de83e366838157489c5e64828d447e602771fb00


Thank you for helping me!

Shaba
2009-08-17, 08:24
Did you upload this file?

c:\windows\system32\hcyahrxj.ngm

I ask because it says msword98.exe in scan results.

RobertB
2009-08-17, 08:27
Yes, I did.

RobertB
2009-08-17, 08:33
Going to work now, so I won't reply until this evening. Looks like I'm still infected? :mad:

Shaba
2009-08-17, 10:43
Yes I think so.

Please post detailed results from scan when you have time.

RobertB
2009-08-17, 11:38
OK. I will do a scan when I get home again this evening. I'm in the office now. Which program do you want a scan from, Avast or Spybot? Neither picked up anything on Friday. Avast takes more than an hour at the intermediate scan level. A thorough scan will take many hours.

I installed all updates for Spybot, but could the program itself be an old version?

Shaba
2009-08-17, 12:58
No, I mean detailed report from jotti :)

RobertB
2009-08-17, 18:08
Don't know how you get a detailed report. :confused: Is this what you mean? I did a new scan and now I get a different result. I've left the computer on during the day so as not to change anything.

hcyahrxj.ngm
Status:
Scan finished. 6 out of 21 scanners reported malware.
Scan taken on: Mon 17 Aug 2009 08:28:54 (CET)

File size: 27004 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: d2d72d9bd11e2c5fc66dc35bbdc486a7
SHA1: de83e366838157489c5e64828d447e602771fb00

[ArcaVir]
2009-08-15 Downloader.Mutant.Efi
[G DATA]
2009-08-17 Found nothing
[A-Squared]
2009-08-17 Found nothing
[Ikarus]
2009-08-17 Found nothing
[Avast! antivirus]
2009-08-17 Found nothing
[Kaspersky Anti-Virus]
2009-08-17 Trojan-Downloader.Win32.Mutant.efi
[Grisoft AVG Anti-Virus]
2009-08-16 Win32/Heur
[ESET NOD32]
2009-08-16 Win32/Wigon.LW
[Avira AntiVir]
2009-08-14 Found nothing
[Norman Virus Control]
2009-08-14 Found nothing
[Softwin BitDefender]
2009-08-16 Found nothing
[Panda Antivirus]
2009-08-16 Found nothing
[ClamAV]
2009-08-17 Found nothing
[Quick Heal]
2009-08-16 Found nothing
[CPsecure]
2009-08-17 Found nothing
[Sophos]
2009-08-17 Found nothing
[Dr.Web]
2009-08-17 Trojan.DownLoad.41506
[VirusBlokAda VBA32]
2009-08-16 Found nothing
[Frisk F-Prot Antivirus]
2009-08-16 Found nothing
[VirusBuster]
2009-08-16 Found nothing
[F-Secure Anti-Virus]
2009-08-17 Trojan-Downloader.Win32.Mutant.efi
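The Jotti report above gives the two values that matter more than the file name: msword98.exe and hcyahrxj.ngm carry the same MD5 and SHA1, so one payload is sitting on disk under more than one name. Below is an added example (not a tool used in this thread or by either poster) that pulls size, MD5 and SHA1 out of a Jotti-style report and sweeps a directory tree for any file matching them regardless of what it is called. The directory layout and the byte string it writes are constructed for the demonstration; the real sample is not reproduced.

```python
"""Turn a Jotti report into hash indicators and sweep a directory tree for copies.

Added example for this thread, not a tool used in it.  The payload was seen under
several unrelated names (msword98.exe, hcyahrxj.ngm) with one MD5/SHA1, so the sweep
ignores file names and matches on size plus both digests."""
import hashlib
import os
import re
import tempfile

# Excerpt of the Jotti report posted in the thread: header plus four of the 21 engines.
JOTTI_EXCERPT = """\
hcyahrxj.ngm
Status:
Scan finished. 6 out of 21 scanners reported malware.
File size: 27004 bytes
MD5: d2d72d9bd11e2c5fc66dc35bbdc486a7
SHA1: de83e366838157489c5e64828d447e602771fb00

[ArcaVir]
2009-08-15 Downloader.Mutant.Efi
[G DATA]
2009-08-17 Found nothing
[Kaspersky Anti-Virus]
2009-08-17 Trojan-Downloader.Win32.Mutant.efi
[ClamAV]
2009-08-17 Found nothing
"""

ENGINE_RE = re.compile(r"^\[(?P<engine>[^\]]+)\]\n\d{4}-\d{2}-\d{2} (?P<verdict>.+)$", re.M)


def parse_jotti(text):
    """Return size, MD5, SHA1 and the engines that reported something."""
    size = int(re.search(r"File size: (\d+) bytes", text).group(1))
    md5 = re.search(r"MD5: ([0-9a-f]{32})", text).group(1)
    sha1 = re.search(r"SHA1: ([0-9a-f]{40})", text).group(1)
    detections = {m["engine"]: m["verdict"] for m in ENGINE_RE.finditer(text)
                  if m["verdict"] != "Found nothing"}
    return {"size": size, "md5": md5, "sha1": sha1, "detections": detections}


def file_hashes(path):
    """MD5 and SHA1 of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, iocs):
    """Walk root and return (path, md5) for every file whose size matches an IOC and
    whose MD5 and SHA1 both match it.  The size check is only a pre-filter so that
    most files are never hashed; the file name is never trusted."""
    by_size = {}
    for ioc in iocs:
        by_size.setdefault(ioc["size"], []).append(ioc)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the sweep
            for ioc in by_size.get(size, ()):
                md5, sha1 = file_hashes(path)
                if md5 == ioc["md5"] and sha1 == ioc["sha1"]:
                    hits.append((path, md5))
    return hits


def demo():
    """Constructed demonstration: a harmless byte string stands in for the sample,
    written under two of the names from the thread next to a same-sized clean file."""
    payload = b"CONSTRUCTED-SAMPLE-NOT-MALWARE-" * 10
    constructed_ioc = {"size": len(payload), "md5": hashlib.md5(payload).hexdigest(),
                       "sha1": hashlib.sha1(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name in ("msword98.exe", "hcyahrxj.ngm"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(payload)
        with open(os.path.join(root, "clean.txt"), "wb") as f:
            f.write(b"x" * len(payload))  # same size, so it is hashed but does not match
        hits = sweep(root, [parse_jotti(JOTTI_EXCERPT), constructed_ioc])
    return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    print(parse_jotti(JOTTI_EXCERPT)["detections"])
    print(demo())
```

Point sweep() at a real root (for example C:\ on the affected machine) with the dictionary parse_jotti() returns, and every copy of that 27004-byte file turns up whatever it has been renamed to; the same-size clean file in the demo shows why the size filter alone is not enough.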

Shaba
2009-08-17, 18:52
Yes it is.

Please delete that file.

After that:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

RobertB
2009-08-17, 22:11
OK Kaspersky result first.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 17, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 17, 2009 18:33:58
Records in database: 2641886
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 100059
Threats found: 3
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 02:34:42


File name / Threat / Threats count
C:\Documents and Settings\HP_Ägaren\hgoescxl.fsy Infected: Trojan-Downloader.Win32.Mutant.efi 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN4.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN5.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN6.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN7.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN8.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN9.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNA.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNB.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNC.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\RECYCLER\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm Infected: Trojan-Downloader.Win32.Mutant.efi 1
C:\WINDOWS\system32\dllcache\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINDOWS\system32\drivers\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINDOWS\Temp\wpv891250109698.exe Infected: Trojan-Downloader.Win32.Mutant.efi 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:55, on 2009-08-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\Mixer.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\Program\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
C:\Program\Rainmeter\Rainmeter.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.162.2.137:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F3 - REG:win.ini: run=
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\Program\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R360 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOE.EXE /FU "C:\WINDOWS\TEMP\E_S87.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236795793015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236795781484
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6776 bytes
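A log like the one above is normally read by eye, but the rules a helper applies can be written down. The following added example (not part of HijackThis or of this thread) runs a few such rules over lines copied from the log: an R1 ProxyServer value that points at a public address, O4 autoruns given as a bare file name (so Windows resolves them through the search path) or living under a user-writable folder, and O23 services with no publisher. The one O4 line marked "constructed" was added to exercise the user-writable rule. A flagged entry is a question to answer, not a verdict; whether it is actually bad has to be decided by whoever knows the machine.

```python
"""Triage rules for HijackThis-style log lines.

Added example for this thread, not part of HijackThis.  It does not decide that an
entry is malicious; it lists the entries a reviewer should look at first and why."""
import ipaddress
import re

# Lines copied from the HijackThis log posted above, plus one constructed O4 line
# (labelled 'constructed') that points into a Temp folder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.162.2.137:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
"""

O4_RE = re.compile(r"^O4 - .*?\]\s*(?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
EXE_RE = re.compile(r"(?P<exe>.*?\.(?:exe|dll|tmp|scr|com|bat|cmd))(?:[\s,]|$)", re.I)
# Folders an ordinary user can write to; an autorun there deserves a look.
USER_WRITABLE = re.compile(r"\\(?:Documents and Settings|Users|Temp|RECYCLER)\\", re.I)


def target_executable(target):
    """Return the program part of an O4 value: the quoted path if quoted, otherwise
    the text up to the first recognised extension (arguments are dropped)."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    m = EXE_RE.match(target)
    return m.group("exe") if m else target.split()[0]


def triage(log_text):
    """Return (severity, section, reason, line) for each entry worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("R1 - ") and "ProxyServer" in line:
            host = PROXY_RE.search(line)["host"]
            try:
                public = ipaddress.ip_address(host).is_global
            except ValueError:
                public = None  # a hostname, not an address: cannot tell offline
            sev = "high" if public else "medium"
            findings.append((sev, "R1", f"proxy configured ({host}); confirm the user set it", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup entries have no [name] and are not handled here
            exe = target_executable(m["target"])
            if "\\" not in exe:
                findings.append(("medium", "O4", "bare file name, resolved through the search path", line))
            elif USER_WRITABLE.search(exe) or exe.lower().endswith(".tmp"):
                findings.append(("high", "O4", "autorun from a user-writable location", line))
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m and m["owner"].strip().lower() == "unknown owner":
                findings.append(("low", "O23", "service with no publisher; verify the vendor", line))
    return findings


if __name__ == "__main__":
    for sev, section, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {section}: {reason}\n    {line}")
```

The Epson, NVIDIA and Avast entries in the real log pass these rules untouched, which is the point: the rules narrow the list to what needs a human answer, such as who configured that proxy.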

RobertB
2009-08-17, 22:12
I will turn on the Avast scanner now. Hope that is OK. Kaspersky told me to turn off virus scanners, but running with both Avast and TeaTimer turned off makes me nervous. I feel naked. :red:

Shaba
2009-08-18, 05:58
That is ok.

Please scan these in jotti as well:

C:\WINDOWS\system32\drivers\ntfs.sys
C:\WINDOWS\system32\dllcache\ntfs.sys

RobertB
2009-08-18, 07:46
Good morning.

When I tried uploading windows\system32\drivers\ntfs.sys, Avast complained and said it was infected. I chose "no action", but Jotti says it's empty. It's still there though: 604 KB, created 2004-08-04, but with no more info showing when I hover over it with my mouse. The ones next to it have the same date but say created by Microsoft.

I can't even find the folder windows\system32\dllcache :confused: Strange. I think I can see hidden files; drivers looks like it's hidden.

RobertB
2009-08-18, 07:50
As avast is now picking it up, should I scan the sys32 folder with avast? And let it move infected files to chest?

Shaba
2009-08-18, 08:25
If it is infected, we will continue with this:

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a fresh hijackthis log.

RobertB
2009-08-18, 16:54
Hello Shaba. I did one thing wrong :oops: I stopped the Avast scans but forgot to close ZoneAlarm, so I had to manually allow a dozen processes. I hope this didn't interfere with the fix.

ComboFix 09-08-10.06 - HP_Ägaren 2009-08-18 16:36.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.2046.1416 [GMT 2:00]
Running from: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090817-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Ägaren\Application Data\Microsoft\Internet Explorer\Quick Launch\avast! Antivirus.lnk
c:\recycler\S-1-5-21-1597953560-603657994-931953664-1008
c:\windows\Blissly2 .jpg
c:\windows\Installer\108f718.msi
c:\windows\Installer\1b9451.msi
c:\windows\Installer\2c474.msi
c:\windows\Installer\35dfa3.msi
c:\windows\Installer\402df.msi
c:\windows\Installer\44ee6f.msi
c:\windows\Installer\6a233.msi
c:\windows\Installer\84f6c4.msi
c:\windows\Installer\ec5a4.msp
c:\windows\Installer\fbb30c.msi
c:\windows\system32\drivers\downld

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-14 18:03 . 2009-08-14 18:03 -------- d-----w- c:\program\Trend Micro
2009-08-14 17:52 . 2009-08-14 17:52 -------- d-----w- c:\program\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 15:12 . 2007-11-04 12:01 -------- d-----w- c:\program\Accessdiver
2009-08-14 13:13 . 2006-01-15 10:41 -------- d-----w- c:\program\Spybot - Search & Destroy
2009-08-14 13:11 . 2006-11-11 19:13 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-07-05 16:54 . 2009-07-05 17:15 4552192 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2009-07-05 16:54 . 2009-07-05 17:15 5445120 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2009-02-13 13:31 . 2009-04-30 17:23 187904 ----a-w- c:\program\A-Patch143b2_WLM9.exe
2007-01-30 00:06 . 2007-07-28 07:04 280116 -c--a-w- c:\program\messpatch-g5-81178.exe
2006-11-01 12:07 . 2006-12-19 13:49 3623736 -c--a-w- c:\program\procexp.exe
2006-01-29 08:14 . 2006-01-29 00:14 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"avast!"="c:\program\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ZoneAlarm Client"="c:\program\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-15 113664]
Rainmeter.lnk - c:\program\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Ägaren^Start-meny^Program^Autostart^ikowin32.exe]
path=c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\ikowin32.exe
backup=c:\windows\pss\ikowin32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program\Delade filer\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 203.162.2.137:80
IE: E&xport to Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\z3gfs696.default\
FF - plugin: c:\program\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 16:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSSV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program\TGTSoft\StyleXP\StyleXPService.exe
c:\program\Alwil Software\Avast4\aswUpdSv.exe
c:\program\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program\Java\jre6\bin\jqs.exe
c:\program\Delade filer\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program\Microsoft Hardware\Mouse\point32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program\Alwil Software\Avast4\ashMaiSv.exe
c:\program\Alwil Software\Avast4\ashWebSv.exe
c:\program\Delade filer\Ahead\Lib\NMIndexingService.exe
c:\program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-08-18 16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 14:50

Pre-Run: 39*043*575*808 byte ledigt
Post-Run: 42*865*586*176 byte ledigt

161

RobertB
2009-08-18, 16:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:31, on 2009-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\Mixer.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\Program\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Rainmeter\Rainmeter.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.162.2.137:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\Program\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236795793015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236795781484
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6557 bytes

Shaba
2009-08-18, 19:53
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
C:\Documents and Settings\HP_Ägaren\hgoescxl.fsy
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN4.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN5.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN6.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN7.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN8.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN9.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNA.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNB.tmp
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNC.tmp
C:\RECYCLER\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm I
C:\WINDOWS\Temp\wpv891250109698.exe


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
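The File:: list above is the Kaspersky report's infected paths copied by hand, minus the two ntfs.sys entries. As an added example (not ComboFix's own code or anything posted in this thread), the script below generates that section from the report text instead: it keeps each path verbatim, drops duplicates, refuses to emit the NTFS driver (Windows does not boot without it, and ComboFix's earlier log shows it restored a clean copy rather than deleting the file), and checks the finished script for a stray token after a file extension, which is easy to introduce when paths are retyped. The PROTECTED set and the checks are this example's own choices, not ComboFix rules, and the report excerpt embedded in it is shortened to six of the fifteen lines.

```python
"""Build a ComboFix CFScript 'File::' section from a Kaspersky Online Scanner report.

Added example for this thread; not part of ComboFix.  PROTECTED and check_script()
are this example's own safeguards."""
import re

# Six of the fifteen infected-object lines from the Kaspersky report posted above.
KASPERSKY_EXCERPT = r"""
File name / Threat / Threats count
C:\Documents and Settings\HP_Ägaren\hgoescxl.fsy Infected: Trojan-Downloader.Win32.Mutant.efi 1
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp Infected: Trojan-Downloader.Win32.FraudLoad.fge 1
C:\RECYCLER\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm Infected: Trojan-Downloader.Win32.Mutant.efi 1
C:\WINDOWS\system32\dllcache\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINDOWS\system32\drivers\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINDOWS\Temp\wpv891250109698.exe Infected: Trojan-Downloader.Win32.Mutant.efi 1

Selected area has been scanned.
"""

ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Files the script must never list for deletion: Windows cannot boot without the NTFS
# driver, and ComboFix's own log shows it replaces an infected copy from the hotfix
# cache instead.  Compared case-insensitively.
PROTECTED = {
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\dllcache\ntfs.sys",
}


def parse_report(text):
    """Yield (path, threat) for each infected-object line in the report."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["path"], m["threat"]


def build_cfscript(text):
    """Return (script, skipped): the File:: section with one verbatim path per line,
    duplicates collapsed in report order, and the protected entries that were left out."""
    seen, lines, skipped = set(), ["File::"], []
    for path, threat in parse_report(text):
        key = path.lower()
        if key in PROTECTED:
            skipped.append((path, threat))
            continue
        if key not in seen:
            seen.add(key)
            lines.append(path)
    return "\n".join(lines) + "\n", skipped


def check_script(script):
    """Return File:: lines that look mistyped: trailing whitespace, or whitespace after
    the file name's last dot (a stray token appended to the path)."""
    bad = []
    for line in script.splitlines()[1:]:
        name = line.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if line != line.rstrip() or " " in ext:
            bad.append(line)
    return bad


if __name__ == "__main__":
    script, skipped = build_cfscript(KASPERSKY_EXCERPT)
    print(script)
    for path, threat in skipped:
        print("left to ComboFix's driver repair:", path, threat)
    print("problems:", check_script(script))
```

Save the returned script as CFScript.txt exactly as the post describes; the skipped list is there so the infected driver is not forgotten, only handled by a different step.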

RobertB
2009-08-18, 20:27
ComboFix 09-08-10.06 - HP_Ägaren 2009-08-18 20:12.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.2046.1479 [GMT 2:00]
Running from: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Ägaren\Skrivbord\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090817-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\HP_Ägaren\hgoescxl.fsy"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN4.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN5.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN6.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN7.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN8.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN9.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNA.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNB.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNC.tmp"
"c:\recycler\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm I"
"c:\windows\Temp\wpv891250109698.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Ägaren\hgoescxl.fsy


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-14 18:03 . 2009-08-14 18:03 -------- d-----w- c:\program\Trend Micro
2009-08-14 17:52 . 2009-08-14 17:52 -------- d-----w- c:\program\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 15:12 . 2007-11-04 12:01 -------- d-----w- c:\program\Accessdiver
2009-08-14 13:13 . 2006-01-15 10:41 -------- d-----w- c:\program\Spybot - Search & Destroy
2009-08-14 13:11 . 2006-11-11 19:13 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-07-05 16:54 . 2009-07-05 17:15 4552192 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2009-07-05 16:54 . 2009-07-05 17:15 5445120 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2009-02-13 13:31 . 2009-04-30 17:23 187904 ----a-w- c:\program\A-Patch143b2_WLM9.exe
2007-01-30 00:06 . 2007-07-28 07:04 280116 -c--a-w- c:\program\messpatch-g5-81178.exe
2006-11-01 12:07 . 2006-12-19 13:49 3623736 -c--a-w- c:\program\procexp.exe
2006-01-29 08:14 . 2006-01-29 00:14 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"avast!"="c:\program\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ZoneAlarm Client"="c:\program\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-15 113664]
Rainmeter.lnk - c:\program\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Ägaren^Start-meny^Program^Autostart^ikowin32.exe]
path=c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\ikowin32.exe
backup=c:\windows\pss\ikowin32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program\Delade filer\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 203.162.2.137:80
IE: E&xport to Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\z3gfs696.default\
FF - plugin: c:\program\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 20:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-18 20:17
ComboFix-quarantined-files.txt 2009-08-18 18:16
ComboFix2.txt 2009-08-18 14:50

Pre-Run: 42*521*108*480 bytes free
Post-Run: 42*505*687*040 bytes free

134

Shaba
2009-08-18, 20:29
That looks good :)

Still problems?

RobertB
2009-08-18, 20:31
I don't have avast, firefox or tea-timer running? :red:

Can I restart computer, turn them on, and check that things work fine?

RobertB
2009-08-18, 20:31
I mean ZoneAlarm, not Firefox

Shaba
2009-08-18, 20:32
Sure, that is fine :)

RobertB
2009-08-18, 20:44
Looks fine. It has moved the mouse buttons back to default. I will change that. :) Two old problems that I don't think are malware related, but just checking. Some scripts won't load for me in Firefox, like the world map at http://www.speedtest.net/ Not a real problem, I use Explorer for those and it might be fixed by uninstalling and re-installing Firefox.
As I said in my first post, some Windows updates can't be installed. I will try again when we have finished, but when I investigated a year ago it was a known problem according to the Microsoft website. So I just have to stay safer until I buy a new computer :)

Shaba
2009-08-18, 20:55
Yes I suggest reinstalling Firefox.

Some other issues or are you ready for final instructions?

RobertB
2009-08-18, 21:00
I'm ready. After this I can hopefully use my credit card on the internet safely and donate some money to spybot :)

Shaba
2009-08-18, 21:09
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

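The Internet Explorer zone changes in the post above are given as GUI clicks. The script below is an added example, not part of the thread, that checks the same six settings in the registry for the current user and, with -Apply, sets them to the values the post asks for. It assumes PowerShell (2.0 or later) is installed on the machine, and that the numeric value names under the Internet zone (1001, 1004, 1201, 1800, 1804, 1607, with 0/1/3 meaning Enable/Prompt/Disable) follow Microsoft's documented zone-setting numbering; neither fact is stated on this page.

```powershell
# Added example (not from the thread): audit or apply the Internet-zone settings
# recommended above. Assumption: value names follow Microsoft's zone numbering,
# and 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

# Zone 3 is the "Internet" zone; settings are per-user (HKCU).
$zone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Setting name as shown in the IE dialog -> registry value name and wanted value
$wanted = @(
    @{ Name = 'Download signed ActiveX controls';                          Key = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Key = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Key = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Key = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Key = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Key = '1607'; Want = 1 }
)

$props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
foreach ($s in $wanted) {
    # A missing value means IE is using its built-in default for the zone.
    $cur = $null
    if ($props -and $props.PSObject.Properties[$s.Key]) { $cur = [int]$props.($s.Key) }
    $curLabel = if ($null -eq $cur) { '(not set, IE default)' } else { $labels[$cur] }

    "{0,-62} current: {1,-22} wanted: {2}" -f $s.Name, $curLabel, $labels[$s.Want]

    if ($Apply -and $cur -ne $s.Want) {
        Set-ItemProperty -Path $zone -Name $s.Key -Value $s.Want -Type DWord
        "    -> set to $($labels[$s.Want])"
    }
}
```

Save it as a .ps1 and run it once without -Apply to see the current state; run it again with -Apply to make the changes. A value that shows "(not set, IE default)" is not necessarily wrong, it just means IE has never written that setting for this user, so the script only reports it unless -Apply is given.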
RobertB
2009-08-18, 21:40
Got as far as Explorer settings. Left to do are Anti-Malware and SpywareBlaster. They will not be in conflict with Avast and ZoneAlarm?

The clean-up did not remove the tools. I have ERUNT, erunt-setup, HijackThis, HJITInstall.exe, and NTREGOPT on my desktop. What should I do with them?

Thank you for your time and your help!! :laugh:

Shaba
2009-08-18, 21:51
No they won't.

It is up to you if you like to keep erunt-setup, HijackThis, HJITInstall.exe.

I would definitely keep ERUNT and don't recommend using NTREGOPT.

RobertB
2009-08-18, 21:57
OK. Thank you. I will have a late dinner now, and then rest. I'll do what's left tomorrow, and try the windows updates. You can close this thread. Thank you again! :)

RobertB
2009-08-18, 22:40
Or so I thought.. Running avast now and it's picking up the trojan. I'll report back when it's finished. :(

RobertB
2009-08-18, 22:48
One file was left. c:\windows\system32\dllcache\ntfs.sys Infection Win32:Cutwail-W (Trj). Moved successfully to chest.

This was after a quick scan. Am I clear now? Any new instruction?

RobertB
2009-08-18, 23:18
Spybot also found a problem. :sad: I allowed it to fix it.


--- Search result list ---
Hupigon13: [SBI $D5A7DCB6] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe


Full report is too long to post.

RobertB
2009-08-19, 07:02
No more instructions? Shall I scan on Kaspersky again and see if it finds more?

Shaba
2009-08-19, 07:06
Please rescan with spybot and let me know if it finds something.

RobertB
2009-08-19, 07:20
Nothing. Not even a cookie. But when I close Spybot I get two errors. 0x085c40c2 memory referring to 0x886df10 - memory could not be read. And runtime error 216 at 085C40C2.

Shaba
2009-08-19, 07:43
As those seem to be spybot related issues, I think that it is worth posting here (http://forums.spybot.info/forumdisplay.php?f=4)

RobertB
2009-08-19, 07:46
OK. The item avast picked up and the registry entry Spybot picked up, are they anything? Or just junk left from the trojan? I still have the infected file in avast chest. Throw away and redo the restore points action? Scan on Kaspersky to make sure?

Shaba
2009-08-19, 07:47
They were leftovers.

Yes I suggest to flush avast! quarantine.

Sure you can rescan with kaspersky if you like to :)

RobertB
2009-08-19, 07:58
LOL Now Kaspersky is in Russian. I think this has been mentioned in some other threads as well. Can't see any link for an English version. Any other online scanner to suggest? Or maybe I shall have it web-translated. I think I know what to do on the site now.

Started a thread about the Spybot errors. I'm guessing a new installation will help. Anyway it's only after the scan. :P

Shaba
2009-08-19, 19:00
This is one:

Please go to ESET Online Scanner (http://www.eset.eu/online-scanner) to run an online scan.
Note: You - will - need to use Internet Explorer for this scan!
Check the box next to "YES, I accept the Terms of Use."
Click "Start"
Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
Once installed, the scanner will be initialized.
Click "Start". Make sure that the options: Remove found threats is UNCHECKED
Scan unwanted applications is CHECKED
Click "Scan"
Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste the contents of log.txt in your next reply.

RobertB
2009-08-19, 22:08
Didn't see the latest instruction before going to work, so I did a thorough scan with avast, and only found an infected file in restore. No worries. Now I have installed Malwarebytes' Anti-Malware, and it finds lots more! :sad: Report follows

Malwarebytes' Anti-Malware 1.40
Database version: 2658
Windows 5.1.2600 Service Pack 2

2009-08-19 22:00:22
mbam-log-2009-08-19 (22-00-22).txt

Scan type: Quick Scan
Objects scanned: 93888
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\meta4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Ägaren\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Ägaren\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

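The Malwarebytes findings above (Image File Execution Options entries for cscript, ctfmon, rstrui, rundll32 and wscript, plus the Security Center notification switches), the Spybot hit on the IFEO key for regedit.exe earlier in the thread, and the user-level ProxyServer line in the ComboFix log are all registry settings that can be re-checked after the tools have run. The script below is an added example, not part of the thread or of any of those tools, that reads those locations and reports what it finds without deleting anything. It assumes PowerShell (2.0 or later) is available on the machine and uses the registry paths exactly as they appear in the logs; it makes no claim that any particular value it prints is malicious, only that it is a setting the logs flagged and that a practitioner would want to look at.

```powershell
# Added example (not from the thread): re-check the hijack and persistence points
# that the ComboFix, Spybot and Malwarebytes logs above reported. Report only.
# Assumption: the registry paths are those shown in the logs; whether a given
# value is malicious still needs a human look.

function Get-HijackFindings {
    $findings = @()

    # 1. IFEO "Debugger": Windows starts the named program instead of the one
    #    the user launched. That is how cscript/wscript/rundll32/regedit/rstrui/
    #    ctfmon were hijacked above. Real debuggers use this too, so inspect, don't delete.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += New-Object PSObject -Property @{ Check = 'IFEO Debugger'; Item = $k.PSChildName; Value = $dbg }
        }
    }

    # 2. Security Center "*DisableNotify" = 1 silences the AV / firewall / update
    #    warnings (MBAM: Disabled.SecurityCenter). Checked in both hives, as MBAM did.
    foreach ($hive in 'HKLM', 'HKCU') {
        $sc = "${hive}:\SOFTWARE\Microsoft\Security Center"
        $p  = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
        foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
            if ($p -and $p.$n -eq 1) {
                $findings += New-Object PSObject -Property @{ Check = 'SecurityCenter'; Item = "$hive $n"; Value = 1 }
            }
        }
    }

    # 3. Per-user IE proxy (ComboFix: "uInternet Settings,ProxyServer"). Anything
    #    set here carries this user's browser traffic through that host, so it is
    #    worth confirming the user actually configured it.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ip   = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($ip -and $ip.ProxyServer) {
        $findings += New-Object PSObject -Property @{ Check = 'IE Proxy'; Item = "ProxyEnable=$($ip.ProxyEnable)"; Value = $ip.ProxyServer }
    }

    # 4. Windows Firewall standard profile switched off. Expected when a third-party
    #    firewall such as ZoneAlarm has taken over (the ComboFix log shows exactly
    #    that), so this is reported for confirmation, not treated as a fault.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $f  = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
    if ($f -and $f.EnableFirewall -eq 0) {
        $findings += New-Object PSObject -Property @{ Check = 'Windows Firewall'; Item = 'StandardProfile EnableFirewall'; Value = 0 }
    }

    return $findings
}

$hits = @(Get-HijackFindings)
if ($hits.Count -eq 0) {
    'No IFEO debuggers, Security Center notification overrides, user proxy or disabled firewall profile found.'
} else {
    $hits | Format-Table Check, Item, Value -AutoSize
}
```

Run it after the cleanup tools and again after a reboot: an IFEO Debugger value or a DisableNotify flag that comes back on its own is a sign something is still running that re-creates it, which a file scan alone will not tell you. The IFEO and proxy checks are the ones worth keeping in a routine audit; the firewall check is only meaningful on a machine where no third-party firewall is supposed to be in charge.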
RobertB
2009-08-19, 23:15
I apologize for being worried and being a control freak. But I just noticed I have a new quick-launch icon that I don't recognise at all. C:\Program\A-Patch143b2_WLM9.exe

What is this?

Spywareblaster and new safer firefox installed. I'm waiting with windows update in case more clean-up is to be done first.

RobertB
2009-08-19, 23:56
Sorry, ignore last post. Now I know what A-Patch is :P And it's clean, says Jotti :) So it's the items on the malware report that are left to decide whether they mean there are more things going on in my comp.

Shaba
2009-08-20, 06:05
Most of mbam findings were leftovers.

Still something? :)

RobertB
2009-08-20, 07:29
No :) Now I won't take more of your time. Thank you again!

Shaba
2009-08-22, 11:14
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.