Possible worm found in the system start tool



Sandahl
2011-03-20, 14:33
Hey

When I use System Startup in Spybot it finds a file with no name and no description.

In the description in the panel it's called one of these:
system32.exe
pathex.exe, svchost.exe
MSPF.EXE
dllvirtual.exe
dllvirtual.dll
dllvirtual.js
ajsha5.exe
ne.exe
iexpl0re.exe
gbpm.exe

My computer is running quite slow and crashing sometimes. I'm wondering if this is a worm or something else that slows my system somehow. I have also been thinking about formatting my computer, but I thought that it might be a good idea to check this out first.

I see that you have to supply a DDS or something with your post? How to?

Kind regards and thanks for your patience
Kristian

redcar92
2011-03-20, 17:04
Hello Sandahl and welcome to Safer Networking forum.
I'm RedCar92, my name is Bill, and I'll be glad to help you with your computer problems.

Please observe these rules while we work:
Read the entire procedure. It is important to perform ALL actions in sequence.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with me till you're given the all clear. Malware removal can be stressful, but we will clean it.
Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them,
with Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

Thanks,
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

redcar92
2011-03-20, 21:07
Greetings Sandahl
Your computer appears to have been infected by a key-logger trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:


Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps


Next
Please download DDS from LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.scr) or LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
and save it to your desktop.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them,
with Admin Rights (right click, choose "Run as Administrator").


XP users
Double click dds.scr to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt & Attach.txt

Next
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).


Extract the contents of the zipped file to desktop.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Logs to post:


DDS.txt
Attach.txt
GMER.txt


Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)
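Once DDS.txt is posted, the first thing a helper scans is the "Running Processes" section, looking for exactly the kind of names in the opening post: a core Windows binary (svchost.exe, explorer.exe) running from somewhere other than its normal directory, or a name that only resembles a core binary (iexpl0re.exe with a zero in place of the "o"). The script below is an added example of that triage pass; it is not DDS code and not part of this thread. The EXPECTED_DIRS table is an assumption for a default 32-bit Vista install, and the sample log is constructed: its first five entries mirror a clean machine, the last three are invented suspicious ones.

```python
"""Triage for the 'Running Processes' section of a DDS.txt log.

Hypothetical helper script (not part of DDS or of this thread). It flags
  1. a core Windows binary name running outside its expected directory, and
  2. names that merely resemble a core binary (homoglyphs or one typo away).
"""
import re
from typing import Dict, List, Set, Tuple

# Expected on-disk locations, compared case-insensitively.
# Assumption: a default 32-bit Vista/7 install; extend for x64 (SysWOW64) as needed.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe":  {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "lsm.exe":      {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}

# Digits and symbols commonly substituted to make a name look legitimate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})

SECTION_RE = re.compile(r"^=+ Running Processes =+$")
HEADER_RE = re.compile(r"^=+ .+ =+$")
PROC_RE = re.compile(r"^(?P<path>[a-z]:\\.*?\.(?:exe|com|scr|pif))(?:\s+.*)?$", re.IGNORECASE)


def parse_running_processes(dds_text: str) -> List[str]:
    """Return the image paths listed under 'Running Processes', arguments stripped."""
    paths: List[str] = []
    inside = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            inside = True
        elif inside and HEADER_RE.match(line):
            break                      # reached the next DDS section
        elif inside:
            m = PROC_RE.match(line)    # also skips the "." filler lines DDS emits
            if m:
                paths.append(m.group("path"))
    return paths


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short file names so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each entry that deserves a closer look."""
    findings: List[Tuple[str, str]] = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        if name in EXPECTED_DIRS:
            if directory not in EXPECTED_DIRS[name]:
                findings.append((path, f"{name} running outside its expected directory"))
            continue
        for known in EXPECTED_DIRS:
            if name.translate(HOMOGLYPHS) == known or levenshtein(name, known) == 1:
                findings.append((path, f"lookalike of {known}"))
                break
    return findings


# Constructed sample in DDS format: the first five entries mirror a clean
# Vista machine, the last three are invented suspicious entries.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\User\AppData\Roaming\svchost.exe
C:\Windows\iexpl0re.exe
C:\Windows\system32\svhost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
"""

if __name__ == "__main__":
    for path, reason in triage(parse_running_processes(SAMPLE_DDS)):
        print(f"{reason:45s} {path}")
```

Run it as-is to see the three constructed entries flagged; point it at a real DDS.txt by reading the file into parse_running_processes. A hit is a reason to look closer (file date, signer, what launched it), not a verdict on its own: a vendor may legitimately ship a differently named binary, and the Levenshtein check will occasionally pair two unrelated short names.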

Sandahl
2011-03-21, 14:38
Hey

Thank you for your time! And no worries about all that - I'm just really glad that someone wants to help me with this! And I don't think I can find any other programs than the ones you suggest ;-)

When I run the DDS I can't choose the option "Run as administrator"? I don't know why. I am familiar with this option and have used it many times before, but when I right click the icon the option just isn't there.

Anyhow, here are the things you asked for, if they are usable:
DDS:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Kristian at 23:16:37,01 on 20-03-2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.45.1030.18.2942.1544 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\bgsvcgen.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\GTC\OSD\OSD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kristian\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.iaaf.org/index.html
uDefault_Page_URL = hxxp://www.aldi.com/
mDefault_Page_URL = hxxp://www.aldi.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File
TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [OSD] c:\program files\gtc\osd\OSD.exe
StartupFolder: c:\users\kristian\appdata\roaming\microsoft\windows\start menu\programs\startup\Dropbox.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\WDDMStatus.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&ksporter til Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\soundtaxi\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: danid.dk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kristian\appdata\roaming\mozilla\firefox\profiles\m21pwz0l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.iaaf.org/index.html
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\nokia\nokia pc suite 7\bkmrksync
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 MpKsl1c1b4aa8;MpKsl1c1b4aa8;c:\programdata\microsoft\microsoft antimalware\definition updates\{0bf590be-8b73-4f3a-b85b-1134e658ee75}\MpKsl1c1b4aa8.sys [2011-3-20 28752]
R2 FontCache;Tjenesten Windows-skrifttypecache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-10-13 1153368]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-11-8 237568]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-11-8 1060352]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-11-8 484352]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\mtcBSv32.sys [2008-3-14 33792]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2008-12-11 436224]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-9-8 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-8-22 3768]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [2008-12-11 59264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-9-8 245760]
S3 STSService;STSService;c:\program files\soundtaxi media suite\STSService.exe [2009-8-26 327680]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-20 21:53:01 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{0bf590be-8b73-4f3a-b85b-1134e658ee75}\MpKsl1c1b4aa8.sys
2011-03-20 13:02:04 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{0bf590be-8b73-4f3a-b85b-1134e658ee75}\mpengine.dll
2011-03-08 21:58:39 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-08 21:58:39 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-08 21:58:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-08 21:58:39 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-08 21:58:37 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-08 21:58:36 677888 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 23:17:33,20 ===============


And Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 25-02-2009 20:53:03
System Uptime: 20-03-2011 22:52:21 (1 hours ago)
.
Motherboard: Notebook | | E5411
Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | Socket 479 | 2000/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 279 GiB total, 115,315 GiB free.
D: is FIXED (FAT32) - 20 GiB total, 8,812 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4-netværkskort
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart B110 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2 - Dansk
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Apple Application Support
Apple Software Update
Azurewave Wireless LAN
B110
BufferChm
Corel MediaOne
CorelDRAW Essential Edition 3
CyberLink MakeDisc
CyberLink MediaShow
CyberLink PhotoNow
CyberLink PowerDirector
CyberLink PowerDVD 8
CyberLink PowerProducer
CyberLink YouCam
D3DX10
Destinations
DeviceDiscovery
Digital Signatur
DivX Setup
Driveropdatering til Windows Mobile-enheder
Dropbox
EN
Garmin Training Center
Garmin USB Drivers
GearDrvs
GoGear SA018 Device Manager
GPBaseService2
Histology Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPAppStudio
HPDiagnosticAlert
HPPhotoGadget
HPProductAssistant
HPSSupply
Java(TM) 6 Update 13
Junk Mail filter update
MarketResearch
Microsoft .NET Framework 3.5 Language Pack SP1 - dan
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DAN Language Pack
Microsoft .NET Framework 4 Client Profile DAN sprogpakke
Microsoft Antimalware
Microsoft Antimalware Service DA-DK Language Pack
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Danish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Danish) 2007
Microsoft Office Groove MUI (Danish) 2007
Microsoft Office InfoPath MUI (Danish) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (Danish) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (Danish) 2007
Microsoft Office PowerPoint MUI (Danish) 2007
Microsoft Office Proof (Danish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proofing (Danish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Danish) 2007
Microsoft Office Shared MUI (Danish) 2007
Microsoft Office Word MUI (Danish) 2007
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Client DA-DK Language Pack
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.6.13)
MSN Toolbar
MSN Toolbar Platform
MSVC80_x86_v2
MSVC90_x86
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
Network
Nokia Connectivity Cable Driver
Nokia MTP driver
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Opdatering til Microsoft Office Excel 2007 Help (KB963678)
Opdatering til Microsoft Office Powerpoint 2007 Help (KB963669)
Opdatering til Microsoft Office Word 2007 Help (KB963665)
PC Connectivity Solution
PHOTOfunSTUDIO HD Edition
PS_AIO_07_B110_SW_Min
QuickTime
QuickTransfer
Realtek High Definition Audio Driver
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
SES Driver
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
SoundTaxi 3.8.9
SoundTaxi Media Suite 3.8.9
Spelling Dictionaries Support For Adobe Reader 9
Sprogpakke til Microsoft .NET Framework 3.5 SP1 - dansk
Spybot - Search & Destroy
Status
Synaptics Pointing Device Driver
System Requirements Lab
System Utility 20.01.081006.0
Toolbox
Total Commander (Remove or Repair)
TrayApp
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2508979)
Update Manager
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.1
WD SmartWare
WebReg
Windows-driverpakke - Nokia Modem (06/09/2010 7.01.0.8)
Windows-driverpakke - Nokia Modem (10/07/2010 4.6)
Windows-driverpakke - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Driver Package - Dynastream Innovations (libusb0) LibUsbDevices (07/07/2009 1.12.2)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Mobile-enheder
.
==== End Of File ===========================

GMER.txt:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-21 14:35:40
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005a WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\Users\Kristian\AppData\Local\Temp\fglcrkoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0F340, 0x3EDF57, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!CreateWindowExW 760C1305 5 Bytes JMP 6A4ADB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!DialogBoxParamW 760E10B0 5 Bytes JMP 6A3D5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!DialogBoxIndirectParamW 760E2EF5 5 Bytes JMP 6A5A502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!DialogBoxParamA 760F8152 5 Bytes JMP 6A5A4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!DialogBoxIndirectParamA 760F847D 5 Bytes JMP 6A5A5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!MessageBoxIndirectA 7610D4D9 5 Bytes JMP 6A5A4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!MessageBoxIndirectW 7610D5D3 5 Bytes JMP 6A5A4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!MessageBoxExA 7610D639 5 Bytes JMP 6A5A4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5064] USER32.dll!MessageBoxExW 7610D65D 5 Bytes JMP 6A5A4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateDialogParamW 760B72A2 5 Bytes JMP 6A4ADEF8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!GetAsyncKeyState 760B863C 5 Bytes JMP 6A3C8F37 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!SetWindowsHookExW 760B87AD 5 Bytes JMP 6A4A9B15 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CallNextHookEx 760B8E3B 5 Bytes JMP 6A49D16D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!UnhookWindowsHookEx 760B98DB 5 Bytes JMP 6A414666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!EnableWindow 760BCD8B 5 Bytes JMP 6A4ADD85 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateWindowExW 760C1305 5 Bytes JMP 6A4ADB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!GetKeyState 760C8CB1 5 Bytes JMP 6A4AD333 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!IsDialogMessageW 760D0745 5 Bytes JMP 6A3D5A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateDialogParamA 760D17AA 5 Bytes JMP 6A5A5CB4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!IsDialogMessage 760D1847 5 Bytes JMP 6A5A5550 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateDialogIndirectParamA 760D26F1 5 Bytes JMP 6A5A5CEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateDialogIndirectParamW 760D9A62 5 Bytes JMP 6A5A5D22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!SetKeyboardState 760E0987 5 Bytes JMP 6A5A58BF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!DialogBoxParamW 760E10B0 5 Bytes JMP 6A3D5501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!DialogBoxIndirectParamW 760E2EF5 5 Bytes JMP 6A5A502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!SendInput 760E2F75 5 Bytes JMP 6A5A647B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!EndDialog 760E326E 5 Bytes JMP 6A3D7EBA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!SetCursorPos 760F6FB2 5 Bytes JMP 6A5A64CF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!DialogBoxParamA 760F8152 5 Bytes JMP 6A5A4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!DialogBoxIndirectParamA 760F847D 5 Bytes JMP 6A5A5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!MessageBoxIndirectA 7610D4D9 5 Bytes JMP 6A5A4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!MessageBoxIndirectW 7610D5D3 5 Bytes JMP 6A5A4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!MessageBoxExA 7610D639 5 Bytes JMP 6A5A4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!MessageBoxExW 7610D65D 5 Bytes JMP 6A5A4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!keybd_event 7610D972 5 Bytes JMP 6A5A67FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] SHELL32.dll!SHRestricted + D95 76CD89A8 4 Bytes [4D, 30, F7, 6D] {DEC EBP; XOR BH, DH; INSD }
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] SHELL32.dll!SHRestricted + D9D 76CD89B0 8 Bytes [57, 2F, F7, 6D, 9C, 5B, F6, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ole32.dll!OleLoadFromStream 764C1E80 5 Bytes JMP 6A5A53B0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ole32.dll!CoCreateInstance 764F9F3E 5 Bytes JMP 6A4ADBC8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!closesocket 76C2330C 5 Bytes JMP 5EE341DF C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!recv 76C2343A 5 Bytes JMP 5EE34549 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!socket 76C236D1 5 Bytes JMP 5EE3354C C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!connect 76C240D9 5 Bytes JMP 5EE335DC C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!getaddrinfo 76C2418A 5 Bytes JMP 5EE33704 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!send 76C2659B 5 Bytes JMP 5EE33B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE[6004] kernel32.dll!SetUnhandledExceptionFilter 75FFA84F 4 Bytes JMP 62A954C1 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE[6004] ole32.dll!OleLoadFromStream 764C1E80 5 Bytes JMP 6354D62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a94018d9d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a94018d9d@002403c72a74 0xD5 0xDD 0xC9 0xA6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a94018d9d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a94018d9d@002403c72a74 0xD5 0xDD 0xC9 0xA6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart B110 series@ChangeID 350815

---- EOF - GMER 1.0.15 ----



Thank you for all your help!

Kristian
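
The GMER user-mode hook entries above are the log Bill judged to look good: every JMP lands in IEFRAME.dll, SeaNote.dll or mso.dll, each carrying a Microsoft Corporation vendor string. The following Python triage script is an added example, not code from the thread or from GMER: it parses lines in that format, counts which module patched which process, and flags hooks whose target is not on an assumed vendor allow-list or lives outside the Windows and Program Files directories. The first four sample lines are copied from the posted log; the fifth is constructed to show a flagged case, and the allow-list and directory rule are assumptions.

```python
"""Triage helper for GMER user-mode ".text" hook lines (added example, not from the thread)."""
import re
from collections import Counter

# One GMER hook line looks like:
#   .text <process>[<pid>] <module>!<export>[ + <offset>] <addr> <N> Bytes <detail>
# where <detail> is either "JMP <target> <path> (<description>/<vendor>)" for a
# redirect into another module, or a raw byte patch such as "[4D, 30, F7, 6D] {...}".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<detail>.+)$"
)
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<path>.+?)\s+"
    r"\((?P<desc>[^/()]*)/(?P<vendor>[^)]*)\)$"
)

# Assumed triage policy (not GMER's): a hook is only "benign-looking" when the hooking
# module claims a vendor on this allow-list AND lives under a system directory.
TRUSTED_VENDORS = {"Microsoft Corporation"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

SAMPLE_LOG = [
    # Lines 1-4 are taken from the GMER log posted in this thread.
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5136] USER32.dll!CreateDialogParamW 760B72A2 5 Bytes JMP 6A4ADEF8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5136] SHELL32.dll!SHRestricted + D95 76CD89A8 4 Bytes [4D, 30, F7, 6D] {DEC EBP; XOR BH, DH; INSD }",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!send 76C2659B 5 Bytes JMP 5EE33B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)",
    r".text C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE[6004] ole32.dll!OleLoadFromStream 764C1E80 5 Bytes JMP 6354D62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)",
    # Constructed line (not from the thread): a socket hook whose target sits in a user temp folder.
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5136] ws2_32.dll!send 76C2659B 5 Bytes JMP 00A01000 C:\Users\example\AppData\Local\Temp\unknown.dll (unknown/unknown)",
    "---- Registry - GMER 1.0.15 ----",  # non-hook line, must be ignored by the parser
]


def parse_hook_line(line):
    """Parse one GMER '.text' line into a dict, or return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "process": m.group("process"),
        "pid": int(m.group("pid")),
        "module": m.group("module"),
        "export": m.group("export"),
        "offset": m.group("offset"),  # None unless the line reads "export + offset"
        "addr": m.group("addr"),
        "size": int(m.group("size")),
    }
    j = JMP_RE.match(m.group("detail"))
    if j:
        rec.update(kind="jmp", target=j.group("target"), path=j.group("path"),
                   desc=j.group("desc"), vendor=j.group("vendor"))
    else:
        rec.update(kind="bytes", raw=m.group("detail"))
    return rec


def classify(rec):
    """Heuristic verdict for one parsed hook. The vendor string comes from the file's
    version resource, which GMER reports but does not authenticate, so 'benign-looking'
    is a triage hint, not proof that the hooking module is signed."""
    if rec["kind"] == "bytes":
        return "review"  # inline byte patch with no module attribution at all
    path = rec["path"].lower()
    if rec["vendor"] in TRUSTED_VENDORS and path.startswith(SYSTEM_DIRS):
        return "benign-looking"
    return "review"


def triage(lines):
    """Parse every hook line and attach a verdict to each record."""
    records = [r for r in map(parse_hook_line, lines) if r is not None]
    for rec in records:
        rec["verdict"] = classify(rec)
    return records


def flagged(records):
    """Records a human should look at before calling the log clean."""
    return [r for r in records if r["verdict"] == "review"]


def summarize(records):
    """Count hooks per (hooked process, hooking module) so the reviewer sees who patched whom."""
    counts = Counter()
    for r in records:
        process = r["process"].rsplit("\\", 1)[-1]
        hooker = r["path"].rsplit("\\", 1)[-1] if r["kind"] == "jmp" else "<raw bytes>"
        counts[(process, hooker)] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for (process, hooker), n in sorted(summarize(results).items()):
        print(f"{process:14} <- {hooker:14} {n} hook(s)")
    for r in flagged(results):
        print("REVIEW:", r["module"] + "!" + r["export"], r.get("path", r.get("raw")))
```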

redcar92
2011-03-22, 02:32
Greetings Kristian,
Good news, your logs look good so far.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/mbam/mbam-setup.exe).


Right click mbam-setup.exe click on Run as Administrator to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)


Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.

Logs to post:


mbam.txt
log.txt


Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-22, 21:15
Hey again

That went pretty smooth but I think it found something. Here are the logs

mbam:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6133

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

22-03-2011 18:51:41
mbam-log-2011-03-22 (18-51-41).txt

Skanningstype: Hurtig skanning
Objekter skannet: 155557
Tid gået: 6 minut(ter), 7 sekund(er)

Hukommelses Processorer Inficeret: 0
Hukommelses Moduler Inficeret: 0
Registreringsdatabasenøgler Inficeret: 1
Registreringsdatabaseværdier Inficeret: 0
Registreringsdatabasedata Objekter Inficeret: 0
Inficerede Mapper: 0
Inficerede Filer: 2

Hukommelses Processorer Inficeret:
(Ingen skadelige objekter blev fundet)

Hukommelses Moduler Inficeret:
(Ingen skadelige objekter blev fundet)

Registreringsdatabasenøgler Inficeret:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0140DF95-9128-4053-AE72-F43F0CFCA062} (Trojan.Agent) -> Quarantined and deleted successfully.

Registreringsdatabaseværdier Inficeret:
(Ingen skadelige objekter blev fundet)

Registreringsdatabasedata Objekter Inficeret:
(Ingen skadelige objekter blev fundet)

Inficerede Mapper:
(Ingen skadelige objekter blev fundet)

Inficerede Filer:
c:\Windows\System32\SiKernel.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.


And Eset:
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinKoobface1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinKoobface1.zip Win32/Bagle.gen.zip worm

I hope there's still good news! :) Thanks for all your help so far.

redcar92
2011-03-22, 22:21
Could you post how your pc is behaving now, please?
Thanks,
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-23, 20:05
It hasn't crashed since - so that is a good sign... :)

It did do one weird thing when I started it up this morning - after I put in the password the screen went white and a box popped up which said something about system32 or something - couldn't copy the screen for you since it wouldn't let me do anything until I closed it. But when I closed that box the computer went on to my desktop and has behaved normally since... Also tried to restart the computer and that went fine.

redcar92
2011-03-24, 00:53
Greetings Kristian,
OK things are better and I think the following will improve performance even more.

Next
Your Java appears to be down level.
Navigate to Control Panel then open on Programs and Features.
Highlight each Java, then click on Uninstall in the toolbar.
Visit this site (http://www.java.com/en/) to download and install the latest Java.

Next
Your Adobe is a bit down level also.
Navigate to Control Panel then open on Programs and Features.
Highlight Adobe Reader, then click on Uninstall.
Visit this site (http://www.adobe.com/downloads/), select Adobe Reader to download and install.

Next
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

http://i24.photobucket.com/albums/c30/ken545/Atribune.jpg

The last two entries in the ESET log are bad files that SpyBot has quarantined, where they can do no harm. If you clear/empty the SpyBot Quarantine they will be completely removed from your PC.
Please let me know how things are going, we are almost finished.

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-25, 13:28
This went all fine. I got the two updates and cleaned up with ATF. My computer is faster already! :) Thanks!

But I don't know where to find the quarantine folder. Do I find it using Explorer or is it via the Spybot program? I tried to look it up in the help section but it only says something about uninstalling Spybot...

redcar92
2011-03-25, 22:47
Greetings Kristian, :clap:
To remove quarantined items from Spybot, you should run Spybot S&D. After it opens click on the Recovery icon on the left side. Click on each item with a check box, then click on Purge selected items in the toolbar. This will remove all items that Spybot has isolated/quarantined.

Please let me know how things are going and when you think we are done.
Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-26, 18:01
Hola! :)

Fantastic... that was easy... :) just need to open my eyes... :P

I guess that if the trojan is gone that should be it. :) that was my main concern... :) Thank you very much...

btw your guides are very easy to read and understand! :)

Kristian

redcar92
2011-03-26, 18:37
OK Kristian, you did a good job, thank you for your patience and hard work. I will close this thread in a day or two.
Thanks,
Bill :thanks:
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-27, 23:15
Hey Bill

I was wondering if I could ask you one last question...

I found the registry cleanup in Spybot, but I must admit that I don't know much about that either... Can I just delete a lot of the inconsistencies that Spybot finds?

I got the log for you... I understand if this is too much trouble... :)


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{752A0B7C-BD24-4362-AC86-AB63FEE6F46F}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {752A0B7C-BD24-4362-AC86-AB63FEE6F46F}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{7F207DCA-3399-40CB-A968-6E5991B1421A}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{B23002DD-34EC-4988-B810-A5E2A0BF04F1}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B23002DD-34EC-4988-B810-A5E2A0BF04F1}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{B91E2AEC-7F93-4E33-ACF6-EC90640CBE4F}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B91E2AEC-7F93-4E33-ACF6-EC90640CBE4F}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{CD769337-C8AC-46DB-A7DC-643E50089263}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {CD769337-C8AC-46DB-A7DC-643E50089263}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{D2137BBA-250B-4548-BC1C-19E5009893D7}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {D2137BBA-250B-4548-BC1C-19E5009893D7}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Filename: msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help\NRTHelp.chm
Filename: NRTHelp.chm
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwind9.cnt
Filename: nwind9.cnt
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwind9.hlp
Filename: nwind9.hlp
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwindcs9.cnt
Filename: nwindcs9.cnt
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwindcs9.hlp
Filename: nwindcs9.hlp
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe
Filename: setup.exe
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\table30.exe
Filename: table30.exe
Data:

redcar92
2011-03-28, 01:27
Hi Kristian,
It's not that I am too busy but I don't know enough about that log to give you an accurate reply. :red: In order to get a good answer you should post your request HERE (http://forums.spybot.info/forumdisplay.php?f=4). These people have much more experience and expertise than I.
Thanks,
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)

Sandahl
2011-03-28, 16:28
ok thanks! :) Thank you very much for all your help!

Kristian

redcar92
2011-03-31, 20:33
Greetings Kristian,
By all indications your system looks clean now.

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Next
Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

1. Create a new Restore Point

Click on the Start button to open your Start Menu.
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.
To create the manual restore point, click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.
Type in a title for the manual restore point and press the Create button.
Close the System window after you have been advised that the procedure has been successfully completed.
2. Clear your existing system restore points except for the new clean restore point you just created:

Go to Start > Run and type in cleanmgr
Click on Clean up system files
Select the More options tab
Next to System Restore click Clean up
This will remove all restore points except the new one you just created.
Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Use and Update an Anti-Virus Software - I can not overemphasize the need for you to use and update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).

Do not install more than one firewall program because they will conflict with each other.

4. Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

5. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm).
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

6. Download and install the free version of WinPatrol (http://www.winpatrol.com/). This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial (http://www.winpatrol.com/features.html) to help you get started with the program.

7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://forum.malwareremoval.com/viewtopic.php?t=13)

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Thanks
Bill
In Training at WTT Classroom (http://forums.whatthetech.com/forums.html)
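As an added example (not part of Bill's post and not code from any tool named in this thread), here is a PowerShell audit that checks the Internet Explorer "Internet" zone (zone 3 under HKCU) against the six settings recommended in tip 1 above and, when run from an elevated prompt, creates the fresh restore point described before the tips. The value names 1001, 1004, 1201, 1800, 1804 and 1607 are Microsoft's documented URL-action identifiers for those six settings, and the numeric meanings 0 = Enable, 1 = Prompt, 3 = Disable are likewise documented; the function and variable names are my own.

```powershell
# Added example: audit the IE "Internet" zone against the settings recommended in the
# post above, then create a new restore point after cleanup. Not from the thread.
# Assumption: the value names below are Microsoft's documented IE URL-action IDs
# (0 = Enable, 1 = Prompt, 3 = Disable). Function/variable names are mine.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the registry value name of each action.
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneLabel([object]$Value) {
    # Translate a raw DWORD into the name shown in the Custom Level dialog.
    if ($null -eq $Value) { return 'not set (zone default)' }
    $n = [int]$Value
    if ($labels.ContainsKey($n)) { return $labels[$n] }
    return "unknown ($n)"
}

function Test-IeInternetZone {
    # Read-only: reports each recommended action, its current value and whether it complies.
    param([string]$Path = $zonePath)
    if (-not (Test-Path $Path)) { throw "Zone key not found: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($id in $recommended.Keys) {
        $current = $props.$id
        $want    = $recommended[$id].Value
        [pscustomobject]@{
            Action      = $recommended[$id].Name
            ValueName   = $id
            Current     = Get-ZoneLabel $current
            Recommended = $labels[$want]
            Compliant   = ($null -ne $current -and [int]$current -eq $want)
        }
    }
}

Test-IeInternetZone | Format-Table -AutoSize

# Create the post-cleanup restore point (needs elevation and System Restore enabled
# on the system drive). Checkpoint-Computer / Get-ComputerRestorePoint are built-in
# Windows PowerShell cmdlets.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
} else {
    Write-Warning 'Run from an elevated Windows PowerShell to create the restore point.'
}
```

The audit only reads the registry and prints a compliance table, so the settings themselves are still applied through the Internet Options dialog exactly as the post describes. Two caveats: the restore-point cmdlets exist in Windows PowerShell 5.1 but not in PowerShell 7, and a zone setting enforced by Group Policy lives under HKLM and takes precedence over the per-user value this script reads.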

oldman960
2011-04-09, 00:14
Since this issue appears to be resolved ... this Topic has been closed.