Hit by trojan JS:FakeAV*
KaffeKlavs
2009-08-30, 18:29
Dear Sirs,
Thank you very much for a nice forum.
My computer suddenly got infected after clicking on one of my friend's videos on Facebook. Now I cannot remove the trojans again. Internet Explorer is blocked from downloading malware removal programs, and pop-ups are randomly starting, e.g.:
http:61.235.11.83/redirctsodt/popup
Firefox is not working, I cannot download Spybot S&D, and most tools are blocked for download. The Safari browser is the only one I can use.
My Avast antivirus programme has detected/deleted/removed the following viruses/trojans:
27-08-2009 18:00:50 SYSTEM 1628 Sign of "Win32:LdPinch-CYW [Trj]" has been found in "C:\Windows\srpira1251388849.eXE" file.
27-08-2009 18:17:03 SYSTEM 1628 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY10EAER\ticedu_info[1].htm" file.
27-08-2009 18:17:09 SYSTEM 1628 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVIYM277\script_en[1].js" file.
27-08-2009 18:17:16 SYSTEM 1628 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVIYM277\script_en[1].js" file.
27-08-2009 18:17:20 SYSTEM 1628 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HRX6FIG5\26[1].htm" file.
27-08-2009 18:17:26 SYSTEM 1628 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY10EAER\text_constants_en[1].js" file.
27-08-2009 18:17:26 SYSTEM 1628 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LVIYM277\destrub[1].js" file.
27-08-2009 18:17:32 SYSTEM 1628 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEO2HXOJ\unic_scripts[1].js" file.
27-08-2009 18:31:23 Ditte 5392 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY10EAER\ticedu_info[1].htm" file.
27-08-2009 18:36:56 SYSTEM 1584 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRBCV8DE\ticedu_info[1].htm" file.
27-08-2009 18:37:16 SYSTEM 1584 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRBCV8DE\script_en[1].js" file.
27-08-2009 18:37:19 SYSTEM 1584 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRBCV8DE\script_en[1].js" file.
27-08-2009 18:37:24 SYSTEM 1584 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LNMR7I01\26[1].htm" file.
27-08-2009 18:37:43 SYSTEM 1584 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRBCV8DE\text_constants_en[1].js" file.
27-08-2009 18:37:43 SYSTEM 1584 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRBCV8DE\destrub[1].js" file.
27-08-2009 18:38:07 SYSTEM 1584 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LNMR7I01\unic_scripts[1].js" file.
27-08-2009 18:39:42 SYSTEM 1584 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\330N50ID\26[1].htm" file.
27-08-2009 18:39:42 SYSTEM 1584 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4BL247CM\destrub[1].js" file.
27-08-2009 18:40:00 SYSTEM 1584 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\TPI6T4NL\text_constants_en[1].js" file.
27-08-2009 18:40:00 SYSTEM 1584 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\TPI6T4NL\destrub[1].js" file.
27-08-2009 18:44:02 SYSTEM 1584 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\DYDKZAIY\unic_scripts[1].js" file.
27-08-2009 18:45:59 SYSTEM 1584 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LWS2J3KI\26[1].htm" file.
27-08-2009 18:46:00 SYSTEM 1584 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L8EULX2U\destrub[1].js" file.
27-08-2009 18:46:09 SYSTEM 1584 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4BL247CM\destrub[1].js" file.
27-08-2009 18:46:09 SYSTEM 1584 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4BL247CM\text_constants_en[1].js" file.
27-08-2009 18:46:15 SYSTEM 1584 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LWS2J3KI\unic_scripts[1].js" file.
27-08-2009 18:51:35 SYSTEM 1584 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\L8EULX2U\index[1].htm" file.
27-08-2009 18:52:11 SYSTEM 1584 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EB8GL42\index[1].htm" file.
27-08-2009 19:09:51 Ditte 4432 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EB8GL42\index[1].htm" file.
27-08-2009 19:16:03 SYSTEM 1608 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6YTDTP4P\ticedu_info[1].htm" file.
27-08-2009 19:16:17 SYSTEM 1608 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LIRX3AU7\script_en[1].js" file.
27-08-2009 19:16:21 SYSTEM 1608 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LIRX3AU7\script_en[1].js" file.
27-08-2009 19:16:26 SYSTEM 1608 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XEG63NS7\26[1].htm" file.
27-08-2009 19:16:30 SYSTEM 1608 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6YTDTP4P\text_constants_en[1].js" file.
27-08-2009 19:16:31 SYSTEM 1608 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6YTDTP4P\destrub[1].js" file.
27-08-2009 19:30:50 SYSTEM 1608 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VPPF76FQ\index[1].htm" file.
27-08-2009 19:32:21 SYSTEM 1608 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LIRX3AU7\index[1].htm" file.
27-08-2009 19:47:17 Ditte 752 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LIRX3AU7\index[1].htm" file.
30-08-2009 13:29:57 Ditte 480 Function setifaceUpdatePackages() has failed. Return code is 0x2000000A, dwRes is 2000000A.
30-08-2009 13:30:20 Ditte 2980 Function setifaceUpdatePackages() has failed. Return code is 0x2000000A, dwRes is 2000000A.
30-08-2009 13:31:15 Ditte 4248 Function setifaceUpdatePackages() has failed. Return code is 0x2000000A, dwRes is 2000000A.
30-08-2009 13:44:11 SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99JGY5CT\hownet_info[1].htm" file.
30-08-2009 13:44:55 SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJ24P0CR\script_en[1].js" file.
30-08-2009 13:45:07 SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJ24P0CR\script_en[1].js" file.
30-08-2009 13:45:15 SYSTEM 1636 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\26[1].htm" file.
30-08-2009 13:45:23 SYSTEM 1636 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99JGY5CT\text_constants_en[1].js" file.
30-08-2009 13:45:24 SYSTEM 1636 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DH6QMX5E\destrub[1].js" file.
30-08-2009 13:45:38 SYSTEM 1636 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\unic_scripts[1].js" file.
30-08-2009 13:46:16 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\DDnsFilter.dll" file.
30-08-2009 13:48:54 SYSTEM 1636 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJ24P0CR\26[1].htm" file.
30-08-2009 13:49:10 SYSTEM 1636 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\text_constants_en[1].js" file.
30-08-2009 13:49:10 SYSTEM 1636 Sign of "JS:FakeAV-Z [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\destrub[1].js" file.
30-08-2009 13:49:11 SYSTEM 1636 Sign of "JS:FakeAV-Y [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\unic_scripts[1].js" file.
30-08-2009 13:56:07 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\DDnsFilter.dll" file.
30-08-2009 13:58:37 SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DH6QMX5E\index[1].htm" file.
30-08-2009 14:03:04 SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99JGY5CT\index[1].htm" file.
30-08-2009 14:04:36 SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DH6QMX5E\index[1].htm" file.
30-08-2009 14:07:01 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\trzD28A.tmp" file.
30-08-2009 14:24:01 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY10EAER\prx90[1].exe\[Embedded_I#0b110]" file.
30-08-2009 14:24:41 Ditte 4248 Sign of "JS:ScriptIP-inf [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4BL247CM\popup[1].htm" file.
30-08-2009 14:25:19 Ditte 4248 Sign of "JS:ScriptIP-inf [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LIRX3AU7\popup[1].htm" file.
30-08-2009 14:25:28 Ditte 4248 Sign of "VBS:Malware-gen" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1POVD47\text_constants_en[1].js" file.
30-08-2009 14:49:31 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\trzEC24.tmp" file.
30-08-2009 15:36:49 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\trzEC24.tmp" file.
HERE IS MY HIJACK LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55:25, on 30-08-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Software\LG Magnifier\MagnifyingGlass.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\pp11.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\windows sidebar\gadgets\LGSmartI.Gadget\plugins\LGSmartI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\LG Software\LG Magnifier\Maglev.exe
C:\Users\Ditte\AppData\Local\Temp\9b1lanxj.tmp\HiJackThis.exe
C:\Users\Ditte\AppData\Local\Temp\rfn58kvz.tmp\spybotsd162.exe
C:\Users\Ditte\AppData\Local\Temp\is-JE75S.tmp\spybotsd162.tmp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psy.ku.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lge.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LG Magnifier] %ProgramFiles%\LG Software\LG Magnifier\MagnifyingGlass.exe
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld14.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp11.exe
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Blog det - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog det i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
--
End of file - 8802 bytes
Please help.
Kind regards,
Klavs
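As an added triage example (not code from the poster or from any of the tools named in this thread): a small Python script that parses the Avast 4 log format and a few of the HijackThis entry types quoted above. It separates detections in the browser cache and temp folders (evidence of exposure to the fake-AV pages, usually cleared by emptying the cache) from files in persistent locations, and flags the autostart, Winsock LSP and service entries a helper would look at first. The sample lines are copied from the logs above; the heuristics (bare executable launched directly from C:\Windows, unrecognised LSP module, service with no known publisher) are review cues, not verdicts, since legitimate software such as the Canon survey service also shows "Unknown owner".

```python
"""Triage helpers for the Avast 4 and HijackThis log formats quoted in the post (added example)."""
import re
from collections import Counter

# Avast 4 log line layout: date time user pid Sign of "<sig>" has been found in "<path>" file.
AVAST_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# HijackThis O4 autostart entry; the [name] part is optional because some entries lack it.
HJT_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')

# Constructed sample input: a few lines copied from the logs in the post.
SAMPLE_AVAST = r"""
27-08-2009 18:00:50 SYSTEM 1628 Sign of "Win32:LdPinch-CYW [Trj]" has been found in "C:\Windows\srpira1251388849.eXE" file.
27-08-2009 18:17:03 SYSTEM 1628 Sign of "JS:FakeAV-W [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY10EAER\ticedu_info[1].htm" file.
27-08-2009 18:39:42 SYSTEM 1584 Sign of "JS:FakeAV-X [Trj]" has been found in "C:\Users\Ditte\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\330N50ID\26[1].htm" file.
30-08-2009 13:29:57 Ditte 480 Function setifaceUpdatePackages() has failed. Return code is 0x2000000A, dwRes is 2000000A.
30-08-2009 13:46:16 Ditte 4248 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\DDnsFilter\DDnsFilter.dll" file.
"""

SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld14.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp11.exe
O4 - HKLM\..\Run: C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
"""


def parse_avast(text):
    """Return one dict per detection line; other lines (e.g. update failures) are skipped."""
    hits = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["family"] = d["sig"].split(" ")[0]  # "JS:FakeAV-W [Trj]" -> "JS:FakeAV-W"
            hits.append(d)
    return hits


def is_transient(path):
    """Browser cache and temp hits show exposure, not necessarily a persistent infection."""
    p = path.lower()
    return "temporary internet files" in p or "\\appdata\\local\\temp\\" in p


def summarize(hits):
    """Count cache/temp detections per family and list the persistent on-disk paths."""
    transient = Counter(h["family"] for h in hits if is_transient(h["path"]))
    persistent = sorted({h["path"] for h in hits if not is_transient(h["path"])})
    return {"transient_by_family": dict(transient), "persistent_paths": persistent}


def triage_hijackthis(text):
    """Return (entry code, reason, line) for HijackThis entries that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"').lower()
            # Legitimate software normally installs under Program Files; a bare executable
            # started directly from %SystemRoot% by a Run entry is worth checking.
            if re.match(r'^c:\\windows\\[a-z0-9]+\.exe', cmd):
                findings.append(("O4", "executable launched directly from C:\\Windows", line))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("O10", "unrecognised LSP module sits in the path of all socket traffic", line))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            findings.append(("O23", "service with no recognised publisher (review, not a verdict)", line))
    return findings


if __name__ == "__main__":
    summary = summarize(parse_avast(SAMPLE_AVAST))
    print("cache/temp detections by family:", summary["transient_by_family"])
    print("persistent paths:", *summary["persistent_paths"], sep="\n  ")
    for code, reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"[{code}] {reason}\n    {line}")
```

Run it on a saved Avast log and a HijackThis log and the persistent-path list plus the flagged O4/O10/O23 entries give the short list to send to a helper; the cache hits only show which fake-AV pages the browser loaded.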
Hi KaffeKlavs
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here (http://www.bleepingcomputer.com/forums/topic114351.html).
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
KaffeKlavs
2009-09-02, 15:17
Thanks!
ComboFix succeeded.
Here is my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:20, on 02-09-2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LG Software\LG Magnifier\MagnifyingGlass.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\lg_swupdate\GiljabiStart.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\LG Software\LG Magnifier\Maglev.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\windows sidebar\gadgets\LGSmartI.Gadget\plugins\LGSmartI.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psy.ku.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LG Magnifier] %ProgramFiles%\LG Software\LG Magnifier\MagnifyingGlass.exe
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Blog det - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog det i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5726/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 8446 bytes
COMBO FIX logfile:
ComboFix 09-09-01.04 - Ditte 02-09-2009 10:37.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.45.1030.18.1789.937 [GMT 2:00]
Kører fra: c:\users\Ditte\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3938201625-3565709897-1874259408-500
c:\$recycle.bin\S-1-5-21-964531593-2803657163-574968662-500
c:\windows\010112010146101105.te
.
((((((((((((((((((((((((((((((((((((((( Drivers/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SfX
((((((((((((((((((((((((((((( Filer skabt fra 2009-08-02 til 2009-09-02 )))))))))))))))))))))))))))))))))))
.
2009-09-02 08:50 . 2009-09-02 08:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-02 08:50 . 2009-09-02 08:50 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\users\Ditte\AppData\Roaming\Malwarebytes
2009-08-31 20:57 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\programdata\Malwarebytes
2009-08-31 20:57 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 20:57 . 2009-08-31 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 17:15 . 2009-08-31 17:15 -------- d-----w- c:\windows\McAfee.com
2009-08-31 13:49 . 2009-08-31 14:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-31 13:49 . 2009-08-31 13:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 09:26 . 2009-08-31 09:26 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2009-08-31 09:25 . 2009-08-31 09:25 -------- d-----w- c:\users\Admin\AppData\Roaming\Skinux
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Local\Apple Computer
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Roaming\ATI
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Local\ATI
2009-08-31 09:23 . 2009-08-31 09:23 52776 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\ca-ES
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\eu-ES
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\vi-VN
2009-08-30 14:13 . 2009-09-01 00:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-30 14:09 . 2009-08-30 14:09 -------- d-----w- c:\program files\Microsoft
2009-08-30 14:08 . 2009-08-30 14:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 14:06 . 2009-08-30 14:12 -------- d-----w- c:\program files\Windows Live
2009-08-30 14:06 . 2009-08-30 14:06 -------- d-----w- c:\windows\PCHEALTH
2009-08-30 14:05 . 2006-11-29 11:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-30 14:02 . 2009-08-30 14:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-30 13:42 . 2009-08-30 13:42 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-30 13:36 . 2005-08-25 16:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-08-30 13:36 . 2009-08-30 13:46 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 13:17 . 2009-09-02 08:51 5324064 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-30 12:58 . 2009-09-02 08:16 -------- d-----w- c:\programdata\ParetoLogic
2009-08-30 12:58 . 2009-09-02 08:16 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-30 12:58 . 2009-08-30 12:58 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-08-30 12:56 . 2009-08-30 12:56 -------- d-----w- c:\users\Ditte\AppData\Local\Downloaded Installations
2009-08-30 11:33 . 2009-08-30 11:33 -------- d-----w- c:\windows\system32\EventProviders
2009-08-26 21:37 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 18:07 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-08-26 18:07 . 2009-06-05 09:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-26 18:07 . 2009-06-05 09:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-19 17:47 . 2009-04-11 06:28 758784 ----a-w- c:\windows\system32\qmgr.dll
2009-08-19 17:46 . 2009-04-11 06:28 343040 ----a-w- c:\windows\system32\wmicmiplugin.dll
2009-08-19 17:45 . 2009-04-11 06:28 20992 ----a-w- c:\windows\system32\wsdchngr.dll
2009-08-19 17:44 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-08-19 17:44 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-08-19 17:44 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-08-12 08:44 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 08:44 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 08:44 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 08:44 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 08:44 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 08:44 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 08:43 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 08:43 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-12 08:43 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-08-12 08:43 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-03 20:14 . 2009-08-03 20:14 -------- d-----w- c:\program files\iPod
2009-08-03 20:14 . 2009-08-03 20:14 -------- d-----w- c:\program files\iTunes
2009-08-03 20:08 . 2009-08-03 20:08 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 11:27 . 2008-07-31 15:53 -------- d-----w- c:\users\Ditte\AppData\Roaming\OpenOffice.org2
2009-09-02 08:51 . 2009-08-30 13:17 72380 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-02 08:51 . 2007-08-30 15:35 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-01 09:21 . 2008-07-31 15:54 1 ----a-w- c:\users\Ditte\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-08-31 16:44 . 2009-06-16 13:37 -------- d-----w- c:\program files\Canon
2009-08-31 13:41 . 2007-08-29 23:18 463344 ----a-w- c:\windows\system32\perfh006.dat
2009-08-31 13:41 . 2007-08-29 23:18 77202 ----a-w- c:\windows\system32\perfc006.dat
2009-08-31 10:25 . 2008-07-12 13:22 -------- d-----w- c:\program files\Java
2009-08-31 09:25 . 2009-06-16 13:54 -------- d-----w- c:\programdata\CanonIJPLM
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-30 15:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-30 15:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-30 12:46 . 2008-07-12 19:14 -------- d-----w- c:\users\Ditte\AppData\Roaming\Apple Computer
2009-08-30 11:40 . 2007-08-30 19:57 -------- d-----w- c:\program files\lg_swupdate
2009-08-30 11:38 . 2007-08-30 19:57 42288 ----a-w- c:\windows\system32\giljabiunis.exe
2009-08-30 11:38 . 2007-08-30 19:57 1140016 ----a-w- c:\windows\system32\CS.dll
2009-08-17 19:20 . 2008-08-10 12:28 -------- d-----w- c:\program files\Safari
2009-08-17 16:10 . 2009-07-13 13:11 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2009-07-13 13:12 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-07-13 13:12 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2009-07-13 13:11 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2009-07-13 13:12 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-07-13 13:12 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2009-07-13 13:12 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-13 12:17 . 2008-09-15 20:06 -------- d-----w- c:\users\Ditte\AppData\Roaming\XnView
2009-08-03 20:14 . 2008-07-12 19:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-26 14:54 . 2009-07-26 14:54 -------- d-----w- c:\programdata\Hewlett-Packard
2009-07-25 03:23 . 2008-12-18 18:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-29 14:14 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 14:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 14:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 14:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-13 13:11 . 2009-07-13 13:11 -------- d-----w- c:\program files\Alwil Software
2009-07-13 13:00 . 2008-07-12 11:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-13 12:58 . 2008-07-12 11:15 -------- d-----w- c:\programdata\Symantec
2009-07-10 11:16 . 2009-07-10 11:16 307048 ----a-w- c:\windows\WLXPGSS.SCR
2009-06-15 14:53 . 2009-07-25 12:36 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-25 12:36 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-25 12:36 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-25 12:36 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-25 12:36 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-13 05:57 . 2009-06-13 05:57 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb2DFB.tmp.exe
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-04-04 2475568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-29 894248]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2007-05-09 140856]
"KeybdUtility"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2007-07-24 2868528]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-06-21 341296]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2009-08-30 251184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-29 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-08-03 1826816]
c:\users\Ditte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-5-30 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2006-12-11 114688]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9d,85,3f,da,15,2a,ca,01
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF83BDD3-904D-4EAF-A95A-1077CBF8FC48}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4C26A139-0BCD-4EB9-AD71-546C1B12AE7F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EABF21D9-6149-4D26-84D5-A61E09D5E213}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A18C1D98-B74F-4036-AFBB-DBAD18845FA5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4741C6C1-3D89-45CB-9306-43B82956DADE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{21D76B0C-FE2B-4D53-A0D0-974C7B7B31D9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{53246324-C97D-4424-A078-1A6D5CA6A917}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{EEEFCF7F-DB55-4A96-B6D8-317F796D7A7E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3204C62C-5129-4ABD-9C78-2C411636FE59}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{233040FC-053F-4CE1-A069-7333680B3B84}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [13-07-2009 15:12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [13-07-2009 15:12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [13-07-2009 15:11 53328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [31-08-2009 15:49 1153368]
S3 MRV6X32U;Vista 32-bits Native WiFi Driver - USB;c:\windows\System32\drivers\MRVW23B.sys [04-08-2008 17:06 231040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Indhold af mappen 'Planlagte Opgaver'
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.psy.ku.dk/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: landbobanken.dk
FF - ProfilePath - c:\users\Ditte\AppData\Roaming\Mozilla\Firefox\Profiles\8igihh5o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 13:25
Windows 6.0.6002 Service Pack 2 NTFS
scanner skjulte processer ...
scanner skjulte autostarter ...
scanner skjulte filer ...
scanning gennemført med succes
skjulte filer: 0
**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------
- - - - - - - > 'Explorer.exe'(1388)
c:\program files\LG Software\BatteryMiser\McIdle.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\LG Software\LG Magnifier\Maglev.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\Windows Sidebar\Gadgets\LGSmartI.Gadget\plugins\LGSmartI.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Gennemført tid: 2009-09-02 13:34 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2009-09-02 11:34
Pre-Kørsel: 116.712.529.920 byte ledig
Post-Kørsel: 116.560.912.384 byte ledig
251 --- E O F --- 2009-09-01 07:41
KaffeKlavs
2009-09-02, 15:59
Malwarebytes still finds 18 viruses which cannot be removed - even after reboot!
See log here:
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6002 Service Pack 2
02-09-2009 14:56:06
mbam-log-2009-09-02 (14-56-06).txt
Skan type: Hurtig skanning
Objekter skannet: 88749
Tid tilbagelagt: 5 minute(s), 57 second(s)
Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 18
Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)
Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)
Inficerede Mapper:
(Ingen mistænkelige filer fundet)
Inficerede Filer:
C:\Users\All Users\lsass32.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\All Users\Documents\gosub._sy (Malware.Trace) -> Delete on reboot.
C:\Users\All Users\Documents\qyrupelin.sys (Malware.Trace) -> Delete on reboot.
C:\Users\Public\Documents\My Music\foronandand.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\inout.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.
So let's see what combofix can do.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\Users\All Users\lsass32.exe
C:\Users\All Users\Documents\gosub._sy
C:\Users\All Users\Documents\qyrupelin.sys
C:\Users\Public\Documents\My Music\foronandand.exe
C:\Users\Public\Documents\My Music\inout.exe
C:\Users\Public\Documents\My Music\My Music.exe
C:\Users\Public\Documents\My Music\My Music.url
C:\Users\Public\Documents\My Music\New Song.lagu
C:\Users\Public\Documents\My Music\Video.vidz
C:\Users\Public\Documents\My Pictures\aweks.pikz
C:\Users\Public\Documents\My Pictures\My Pictures.exe
C:\Users\Public\Documents\My Pictures\My Pictures.url
C:\Users\Public\Documents\My Pictures\Sample Pictures\Blue hills.exe
C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe
C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe
C:\Users\Public\Documents\My Pictures\seram.pikz
C:\Users\Public\Documents\My Videos\My Video.url
c:\programdata\Google\Google Toolbar\Update\gtb2DFB.tmp.exe
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
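The step above takes the file paths from the Malwarebytes "Inficerede Filer" section and turns them into a ComboFix File:: directive by hand. As an added example (not code from the helper, from ComboFix or from Malwarebytes), the script below does the same mechanically: it parses a constructed sample in the layout of the MBAM 1.40 log quoted in this thread, emits the File:: block in the format shown in the post, and additionally flags the "folder-lure" pattern visible in that log (an executable named after the folder that contains it, such as My Music\My Music.exe, which is how autorun worms trick users into double-clicking). The lure heuristic and the sample log are my own assumptions, not something either tool reports.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the Malwarebytes 1.40 log quoted in the
# thread (Danish section headings). It is a hand-made excerpt, not the real log.
SAMPLE_LOG = """\
Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\\Users\\All Users\\lsass32.exe (Trojan.Agent) -> Delete on reboot.
C:\\Users\\Public\\Documents\\My Music\\My Music.exe (Worm.AutoRun) -> Delete on reboot.
C:\\Users\\Public\\Documents\\My Music\\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\\Users\\Public\\Documents\\My Pictures\\Sample Pictures\\Sunset.exe (Trojan.Xanib) -> Delete on reboot.
"""

# One MBAM file line: "<drive>:\<path> (<detection name>) -> <action>."
# Paths containing " (" would confuse this pattern; the logs here have none.
FILE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$"
)


def parse_infected_files(log_text):
    """Return (path, detection, action) tuples from the infected-files section.

    Section headings end with a colon; the file section is "Inficerede Filer:"
    in the Danish log on this page and "Infected Files:" in English logs.
    """
    results = []
    in_files = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.endswith(":"):
            in_files = line.startswith(("Inficerede Filer", "Infected Files"))
            continue
        # Skip blank lines and the "(Ingen mistænkelige filer fundet)" marker.
        if not in_files or not line or line.startswith("("):
            continue
        m = FILE_LINE.match(line)
        if m:
            results.append((m.group("path"), m.group("name"), m.group("action")))
    return results


def looks_like_folder_lure(path):
    """Heuristic (my assumption, not an MBAM classification): an executable whose
    base name equals the name of its parent folder, e.g. 'My Music\\My Music.exe'.
    Autorun worms drop such files with a folder icon so a double-click runs them."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in (".exe", ".scr", ".com") and \
        p.stem.lower() == p.parent.name.lower()


def build_cfscript(entries):
    """Render the ComboFix 'File::' block in the format shown in the post above."""
    lines = ["File::"] + [path for path, _, _ in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_infected_files(SAMPLE_LOG)
    print(build_cfscript(found))
    for path, name, _ in found:
        if looks_like_folder_lure(path):
            print(f"folder lure: {path} ({name})")
```

Save the output as CFScript.txt exactly as the helper describes; the script only prepares the text, it does not touch any file on disk. The lure check is a triage aid for reading logs like the one above, where four of the eighteen entries follow that naming pattern.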
KaffeKlavs
2009-09-04, 01:22
ComboFix cannot complete its tasks... the programme stops in the middle of the analysis!
- I have retried 3 times following your guidelines! What can be the problem?
Here is the log from a normal run of ComboFix without dragging the txt file:
ComboFix 09-09-03.02 - Ditte 04-09-2009 0:05.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.45.1030.18.1789.883 [GMT 2:00]
Kører fra: c:\users\Ditte\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((( Filer skabt fra 2009-08-03 til 2009-09-03 )))))))))))))))))))))))))))))))))))
.
2009-09-03 22:13 . 2009-09-03 22:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-03 22:13 . 2009-09-03 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-03 22:13 . 2009-09-03 22:13 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-09-02 12:08 . 2009-09-02 12:08 -------- d-----w- c:\program files\Trend Micro
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\users\Ditte\AppData\Roaming\Malwarebytes
2009-08-31 20:57 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\programdata\Malwarebytes
2009-08-31 20:57 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 20:57 . 2009-09-02 12:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 17:15 . 2009-08-31 17:15 -------- d-----w- c:\windows\McAfee.com
2009-08-31 13:49 . 2009-08-31 14:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-31 13:49 . 2009-08-31 13:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-31 09:26 . 2009-08-31 09:26 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2009-08-31 09:25 . 2009-08-31 09:25 -------- d-----w- c:\users\Admin\AppData\Roaming\Skinux
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Local\Apple Computer
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Roaming\ATI
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\users\Admin\AppData\Local\ATI
2009-08-31 09:23 . 2009-08-31 09:23 52776 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\ca-ES
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\eu-ES
2009-08-30 15:44 . 2009-08-30 15:44 -------- d-----w- c:\windows\system32\vi-VN
2009-08-30 14:13 . 2009-09-01 00:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-30 14:09 . 2009-08-30 14:09 -------- d-----w- c:\program files\Microsoft
2009-08-30 14:08 . 2009-08-30 14:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 14:06 . 2009-08-30 14:12 -------- d-----w- c:\program files\Windows Live
2009-08-30 14:06 . 2009-08-30 14:06 -------- d-----w- c:\windows\PCHEALTH
2009-08-30 14:05 . 2006-11-29 11:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-30 14:02 . 2009-08-30 14:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-30 13:42 . 2009-08-30 13:42 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-30 13:36 . 2005-08-25 16:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-08-30 13:36 . 2009-08-30 13:46 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 13:17 . 2009-09-02 08:51 5324064 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-30 12:58 . 2009-09-02 08:16 -------- d-----w- c:\programdata\ParetoLogic
2009-08-30 12:58 . 2009-09-02 08:16 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-30 12:58 . 2009-08-30 12:58 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-08-30 12:56 . 2009-08-30 12:56 -------- d-----w- c:\users\Ditte\AppData\Local\Downloaded Installations
2009-08-30 11:33 . 2009-08-30 11:33 -------- d-----w- c:\windows\system32\EventProviders
2009-08-26 21:37 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 18:07 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-08-26 18:07 . 2009-06-05 09:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-26 18:07 . 2009-06-05 09:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-19 17:47 . 2009-04-11 06:28 758784 ----a-w- c:\windows\system32\qmgr.dll
2009-08-19 17:46 . 2009-04-11 06:28 343040 ----a-w- c:\windows\system32\wmicmiplugin.dll
2009-08-19 17:45 . 2009-04-11 06:28 20992 ----a-w- c:\windows\system32\wsdchngr.dll
2009-08-19 17:44 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-08-19 17:44 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-08-19 17:44 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-08-12 08:44 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 08:44 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 08:44 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 08:44 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 08:44 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 08:44 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 08:43 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 08:43 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-12 08:43 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-08-12 08:43 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 12:39 . 2008-07-31 15:53 -------- d-----w- c:\users\Ditte\AppData\Roaming\OpenOffice.org2
2009-09-02 13:53 . 2007-08-30 15:35 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-02 08:51 . 2009-08-30 13:17 72380 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-31 16:44 . 2009-06-16 13:37 -------- d-----w- c:\program files\Canon
2009-08-31 13:41 . 2007-08-29 23:18 463344 ----a-w- c:\windows\system32\perfh006.dat
2009-08-31 13:41 . 2007-08-29 23:18 77202 ----a-w- c:\windows\system32\perfc006.dat
2009-08-31 10:25 . 2008-07-12 13:22 -------- d-----w- c:\program files\Java
2009-08-31 09:25 . 2009-06-16 13:54 -------- d-----w- c:\programdata\CanonIJPLM
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-30 15:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-30 15:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-30 12:46 . 2008-07-12 19:14 -------- d-----w- c:\users\Ditte\AppData\Roaming\Apple Computer
2009-08-30 11:40 . 2007-08-30 19:57 -------- d-----w- c:\program files\lg_swupdate
2009-08-30 11:38 . 2007-08-30 19:57 42288 ----a-w- c:\windows\system32\giljabiunis.exe
2009-08-30 11:38 . 2007-08-30 19:57 1140016 ----a-w- c:\windows\system32\CS.dll
2009-08-17 19:20 . 2008-08-10 12:28 -------- d-----w- c:\program files\Safari
2009-08-17 16:10 . 2009-07-13 13:11 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2009-07-13 13:12 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-07-13 13:12 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2009-07-13 13:11 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2009-07-13 13:12 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-07-13 13:12 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2009-07-13 13:12 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-13 12:17 . 2008-09-15 20:06 -------- d-----w- c:\users\Ditte\AppData\Roaming\XnView
2009-08-03 20:14 . 2009-08-03 20:14 -------- d-----w- c:\program files\iTunes
2009-08-03 20:14 . 2009-08-03 20:14 -------- d-----w- c:\program files\iPod
2009-08-03 20:14 . 2008-07-12 19:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-26 14:54 . 2009-07-26 14:54 -------- d-----w- c:\programdata\Hewlett-Packard
2009-07-25 03:23 . 2008-12-18 18:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-29 14:14 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 14:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 14:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 14:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-13 13:11 . 2009-07-13 13:11 -------- d-----w- c:\program files\Alwil Software
2009-07-13 13:00 . 2008-07-12 11:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-13 12:58 . 2008-07-12 11:15 -------- d-----w- c:\programdata\Symantec
2009-07-10 11:16 . 2009-07-10 11:16 307048 ----a-w- c:\windows\WLXPGSS.SCR
2009-06-15 14:53 . 2009-07-25 12:36 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-25 12:36 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-25 12:36 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-25 12:36 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-25 12:36 289792 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-02_11.26.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-30 15:58 . 2009-09-03 12:40 61006 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-03 12:40 85884 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-12 11:07 . 2009-09-03 12:41 13210 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3938201625-3565709897-1874259408-1000_UserData.bin
- 2008-07-13 02:56 . 2009-09-02 08:53 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-13 02:56 . 2009-09-03 21:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-13 02:56 . 2009-09-02 08:53 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-13 02:56 . 2009-09-03 21:14 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-13 02:56 . 2009-09-02 08:53 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-13 02:56 . 2009-09-03 21:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 07:11 . 2006-11-02 07:11 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18101_none_0e09b1f3ef71cee4\AcRes.dll
+ 2008-07-15 11:05 . 2008-07-15 11:05 2560 c:\windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18320_none_0c0c9e03f25c9b24\AcRes.dll
- 2009-09-02 08:52 . 2009-09-02 08:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-03 12:33 . 2009-09-03 12:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-03 12:33 . 2009-09-03 12:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-09-02 08:52 . 2009-09-02 08:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-08-19 17:46 . 2009-04-11 06:28 1696768 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18101_none_43e7c8d8be626492\gameux.dll
+ 2008-07-15 11:05 . 2008-07-15 11:05 1695744 c:\windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18320_none_41eab4e8c14d30d2\gameux.dll
+ 2006-11-02 10:22 . 2009-09-03 12:38 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-09-01 00:02 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-09-03 12:47 . 2009-09-03 22:04 6365184 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-06-05 12:54 . 2009-09-03 12:38 191889259 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-04-04 2475568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-29 894248]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2007-05-09 140856]
"KeybdUtility"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2007-07-24 2868528]
"BatteryMiser 5"="c:\program files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-06-21 341296]
"LG Intelligent Update"="c:\program files\lg_swupdate\giljabistart.exe" [2009-08-30 251184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-29 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-08-03 1826816]
c:\users\Ditte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-5-30 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= "c:\windows\system32\bmpsap.dll" [2006-12-11 114688]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9d,85,3f,da,15,2a,ca,01
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BF83BDD3-904D-4EAF-A95A-1077CBF8FC48}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4C26A139-0BCD-4EB9-AD71-546C1B12AE7F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EABF21D9-6149-4D26-84D5-A61E09D5E213}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A18C1D98-B74F-4036-AFBB-DBAD18845FA5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4741C6C1-3D89-45CB-9306-43B82956DADE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{21D76B0C-FE2B-4D53-A0D0-974C7B7B31D9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{53246324-C97D-4424-A078-1A6D5CA6A917}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{EEEFCF7F-DB55-4A96-B6D8-317F796D7A7E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3204C62C-5129-4ABD-9C78-2C411636FE59}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{233040FC-053F-4CE1-A069-7333680B3B84}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [13-07-2009 15:12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [13-07-2009 15:12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [13-07-2009 15:11 53328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [31-08-2009 15:49 1153368]
S3 MRV6X32U;Vista 32-bits Native WiFi Driver - USB;c:\windows\System32\drivers\MRVW23B.sys [04-08-2008 17:06 231040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.psy.ku.dk/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: landbobanken.dk
FF - ProfilePath - c:\users\Ditte\AppData\Roaming\Mozilla\Firefox\Profiles\8igihh5o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 00:13
Windows 6.0.6002 Service Pack 2 NTFS
scanner skjulte processer ...
scanner skjulte autostarter ...
scanner skjulte filer ...
scanning gennemført med succes
skjulte filer: 0
**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------
- - - - - - - > 'Explorer.exe'(1144)
c:\program files\LG Software\BatteryMiser\McIdle.dll
.
Gennemført tid: 2009-09-03 0:20
ComboFix-quarantined-files.txt 2009-09-03 22:20
ComboFix2.txt 2009-09-02 11:34
Pre-Kørsel: 115.668.766.720 byte ledig
Post-Kørsel: 115.221.966.848 byte ledig
240 --- E O F --- 2009-09-01 07:41
Please try that again in safe mode :)
KaffeKlavs
2009-09-06, 02:08
In 'Safe mode' the programme Combo Fix says:
failed to get data for 'EnableLUA'
It does not finish the analysis and never starts on stage 1, 2, 3, etc.
Download Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog and unzip it to your Desktop.
Note: This program must be run from an account with Administrator privileges.
Open the Avenger folder and double click Avenger.exe to launch the program.
Copy the text in the code box below and Paste it into the Input script here: box.
Files to delete:
C:\Users\All Users\lsass32.exe
C:\Users\All Users\Documents\gosub._sy
C:\Users\All Users\Documents\qyrupelin.sys
C:\Users\Public\Documents\My Music\foronandand.exe
C:\Users\Public\Documents\My Music\inout.exe
C:\Users\Public\Documents\My Music\My Music.exe
C:\Users\Public\Documents\My Music\My Music.url
C:\Users\Public\Documents\My Music\New Song.lagu
C:\Users\Public\Documents\My Music\Video.vidz
C:\Users\Public\Documents\My Pictures\aweks.pikz
C:\Users\Public\Documents\My Pictures\My Pictures.exe
C:\Users\Public\Documents\My Pictures\My Pictures.url
C:\Users\Public\Documents\My Pictures\Sample Pictures
C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe
C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe
C:\Users\Public\Documents\My Pictures\seram.pikz
C:\Users\Public\Documents\My Videos\My Video.url
c:\programdata\Google\Google Toolbar\Update\gtb2DFB.tmp.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Ensure the following:
Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.
Press the Execute key.
Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished, it will produce a log file.
Post the log back here please. (it can also be found at C:\avenger.txt)
KaffeKlavs
2009-09-06, 15:17
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "C:\Users\All Users\lsass32.exe"
Deletion of file "C:\Users\All Users\lsass32.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\All Users\Documents\gosub._sy"
Deletion of file "C:\Users\All Users\Documents\gosub._sy" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\All Users\Documents\qyrupelin.sys"
Deletion of file "C:\Users\All Users\Documents\qyrupelin.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\foronandand.exe"
Deletion of file "C:\Users\Public\Documents\My Music\foronandand.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\inout.exe"
Deletion of file "C:\Users\Public\Documents\My Music\inout.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\My Music.exe"
Deletion of file "C:\Users\Public\Documents\My Music\My Music.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\My Music.url"
Deletion of file "C:\Users\Public\Documents\My Music\My Music.url" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\New Song.lagu"
Deletion of file "C:\Users\Public\Documents\My Music\New Song.lagu" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Music\Video.vidz"
Deletion of file "C:\Users\Public\Documents\My Music\Video.vidz" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\aweks.pikz"
Deletion of file "C:\Users\Public\Documents\My Pictures\aweks.pikz" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\My Pictures.exe"
Deletion of file "C:\Users\Public\Documents\My Pictures\My Pictures.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\My Pictures.url"
Deletion of file "C:\Users\Public\Documents\My Pictures\My Pictures.url" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\Sample Pictures"
Deletion of file "C:\Users\Public\Documents\My Pictures\Sample Pictures" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe"
Deletion of file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe"
Deletion of file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe"
Deletion of file "C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Pictures\seram.pikz"
Deletion of file "C:\Users\Public\Documents\My Pictures\seram.pikz" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: could not open file "C:\Users\Public\Documents\My Videos\My Video.url"
Deletion of file "C:\Users\Public\Documents\My Videos\My Video.url" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
File "c:\programdata\Google\Google Toolbar\Update\gtb2DFB.tmp.exe" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
KaffeKlavs
2009-09-06, 15:25
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6002 Service Pack 2
06-09-2009 14:24:30
mbam-log-2009-09-06 (14-24-30).txt
Skan type: Hurtig skanning
Objekter skannet: 87314
Tid tilbagelagt: 6 minute(s), 30 second(s)
Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 18
Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)
Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)
Inficerede Mapper:
(Ingen mistænkelige filer fundet)
Inficerede Filer:
C:\Users\All Users\lsass32.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\All Users\Documents\gosub._sy (Malware.Trace) -> Delete on reboot.
C:\Users\All Users\Documents\qyrupelin.sys (Malware.Trace) -> Delete on reboot.
C:\Users\Public\Documents\My Music\foronandand.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\inout.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.
Are you able to find those files?
I ask because Avenger wasn't and it usually means that they don't exist.
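One way to settle the question above is to check each path the Malwarebytes log reports directly from PowerShell; this script is an added example and not part of the thread or of either tool. It uses a constructed excerpt of the log posted above as input and walks every ancestor with -Force, because on Vista C:\Users\All Users and C:\Users\Public\Documents\My Music are hidden compatibility junctions that an Explorer search does not list, so "cannot find it in Explorer" does not by itself prove the file is absent.

```powershell
# Added check, not from the thread: does each path in an MBAM "Inficerede Filer:"
# section exist on disk, and if not, where does the path stop resolving?
# $LogText is a constructed excerpt of the log posted above.
$LogText = @"
Inficerede Filer:
C:\Users\All Users\lsass32.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> Delete on reboot.
"@

function Get-ReportedPaths {
    param([string]$Text)
    # A finding line has the shape: <path> (<detection>) -> <action>
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^([A-Za-z]:\\.+?) \(([^)]+)\) -> (.+)$') {
            New-Object PSObject -Property @{
                Path = $Matches[1]; Detection = $Matches[2]; Action = $Matches[3]
            }
        }
    }
}

function Test-ReportedPath {
    param([string]$Path)
    # Walk the ancestors with -Force so hidden and system items count, recording
    # the deepest component that exists and the first junction (reparse point)
    # crossed, which is what hides these folders from a normal Explorer search.
    $parts    = $Path -split '\\'
    $current  = $parts[0] + '\'
    $deepest  = $current
    $junction = $null
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $current = Join-Path $current $parts[$i]
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if (-not $item) { break }
        $deepest = $current
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -and -not $junction) {
            $junction = $current
        }
    }
    New-Object PSObject -Property @{
        Path            = $Path
        Exists          = (Test-Path -LiteralPath $Path)
        DeepestExisting = $deepest
        JunctionCrossed = $junction
    }
}

# -LiteralPath is used throughout so brackets or other wildcard characters in a
# reported file name are not interpreted as patterns.
Get-ReportedPaths $LogText | ForEach-Object { Test-ReportedPath $_.Path } |
    Format-Table Path, Exists, DeepestExisting, JunctionCrossed -AutoSize
```

A row with Exists = False whose DeepestExisting stops at a junction points to a stale or wrong detection path rather than a hidden file; a row with Exists = True means the file is really there and the scanner's "Delete on reboot" simply has not taken effect yet.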
KaffeKlavs
2009-09-06, 17:41
I have tried to make random searches for the files Malwarebytes has found, but the directory it is referring to does not exist, nor do the files!!!
I'll send you the first log Malwarebytes produced September 1 when the computer actually did strange pop-ups etc. Now the comp is acting normally again, but you never know what's hiding? Do you know why Malwarebytes produces a log with infected files when they don't exist?
OLD log (before our conversation started):
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6002 Service Pack 2
01-09-2009 01:27:22
mbam-log-2009-09-01 (01-27-22).txt
Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 241458
Tid tilbagelagt: 2 hour(s), 24 minute(s), 31 second(s)
Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 1
Inficerede Registeringsdatabase Værdier: 1
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 2
Inficerede Filer: 22
Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)
Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)
Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsFilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)
Inficerede Mapper:
C:\Program Files\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Inficerede Filer:
C:\Program Files\DDnsFilter\ddnsfilter.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\All Users\lsass32.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\All Users\Documents\gosub._sy (Malware.Trace) -> Delete on reboot.
C:\Users\All Users\Documents\qyrupelin.sys (Malware.Trace) -> Delete on reboot.
C:\Users\Public\Documents\My Music\foronandand.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\inout.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> Delete on reboot.
C:\Users\Public\Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Public\Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.
C:\Windows\0101120101464857.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\01011201014650120.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
Well then it might be an error in Malwarebytes' definitions.
If we find out that it is, you will need to post to their forums (http://www.malwarebytes.org/forums/index.php?act=idx).
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
KaffeKlavs
2009-09-06, 22:35
It took me over 30 minutes to access the Kaspersky online scanner from the Firefox browser. Explorer could not access it at all.
Even in Safe mode it has now taken more than 1 hour to download the database files and it is still only half way. When I access my wireless internet connection with other computers the connection works fine!
Can this be true? (still waiting for Kaspersky to download the 67.000 kb in total - now downloading approx. 10 kb per sec). Even when I write this message to you the computer can't catch up with the typing.
Hard to say.
Let's check this:
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.
KaffeKlavs
2009-09-10, 00:44
Hi there,
The owner of this computer could not wait any longer for me and you to finish the job of cleaning the computer because she is writing her master thesis, so she sent the computer to a repair shop. Now after two days the computer is back from the shop and it seems to still have malware/trojans inside. Therefore I will resume the process with you the following days. Right now I'm doing the Kaspersky scan, which is now possible, and after that I will send you the log and continue with the steps you gave me about gmer.exe.
Thanks until now
Klavs
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.