
Thread: A case of Virtumundo.

  1. #1
    Junior Member
    Join Date
    May 2007
    Location
    Sweden, Stockholm
    Posts
    9

    A case of Virtumundo.

    Another case of Virtumundo here.
    It cut off my internet completely and slowed down the computer. I'm running Windows XP SP2 on the infected machine, and it uses Norton AntiVirus 2002.
    Also, I CAN'T get into safe mode or boot from the Norton CD. When I get to the boot menu, or to the point where the computer seems to want a response about which file on the CD to boot from, the keyboard shuts down. Norton didn't even detect Virtumundo; Spybot detects it but can't remove it. I do a search and remove the Virtumundo and Virtumundo.dll entries, reboot and search again, and then it looks like a few entries are gone, but there is still at least one of each left. Oh, and I can't post a Kaspersky log since the computer can't get out on the internet, sorry.

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:13:51, on 2008-05-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\NORTON~1\navapw32.exe
    C:\Program\Windows Defender\MSASCui.exe
    C:\Program\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\INTERNAT.EXE
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://distans.kunskapsskolan.se/Ci...e/default.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: (192.168.0.101) (wishwow.dnsalias.net)
    O1 - Hosts: (80.216.85.33) (wishwow.dnsalias.net)
    O1 - Hosts: Internal IP = 192.168.0.101
    O2 - BHO: (no name) - {14397ACC-B4E5-4433-B856-375E3683892C} - C:\WINDOWS\system32\hgGvwurr.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\awtuvVNF.dll
    O2 - BHO: (no name) - {5BFD3F74-3B04-4B3C-812F-CC96992EFE2B} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B787A692-F7F6-43DC-8557-345DCDA4601F} - (no file)
    O2 - BHO: {9319d53b-19aa-5399-4914-078fccb6b2de} - {ed2b6bcc-f870-4194-9935-aa91b35d9139} - C:\WINDOWS\system32\setskgws.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program\FlashGet\getflash.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BM77c04df3] Rundll32.exe "C:\WINDOWS\system32\xaowumks.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MI1933~1\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: awtuvVNF - C:\WINDOWS\SYSTEM32\awtuvVNF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

    --
    End of file - 10142 bytes


    PS: Shaba, sorry I didn't turn up again, and thank you; I forgot about it. However, SmitFraud was completely gone, thanks!
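The log above shows the layout that makes Vundo hard to clean from a normal session: three unnamed or GUID-named BHOs backed by eight-letter DLLs in system32 (hgGvwurr.dll, awtuvVNF.dll, setskgws.dll), one of those DLLs (awtuvVNF.dll) also registered as a Winlogon Notify package, so it is loaded into winlogon.exe at logon and stays locked while the session is up, and a `[BM77c04df3]` Run entry that loads a fourth DLL through rundll32 with a one-letter export. That is consistent with Spybot finding the entries but failing to remove them. The script below is an added example written for this page; it is not part of the original thread and not code from HijackThis, Spybot or ComboFix. It triages HijackThis lines with those heuristics and pairs DLL names with the reversed-stem .ini files that Vundo variants dropped beside them (hgGvwurr.dll and rruwvGgh.ini, both visible in the ComboFix deletions further down this thread). The sample lines are copied from the logs in this thread; the eight-letter-stem test, the small allowlist and the category names are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Sample HijackThis lines copied from the log posted above (abbreviated to the
# entries relevant for triage, with a few legitimate entries kept for contrast).
HJT_SAMPLE = r"""
O1 - Hosts: (192.168.0.101) (wishwow.dnsalias.net)
O2 - BHO: (no name) - {14397ACC-B4E5-4433-B856-375E3683892C} - C:\WINDOWS\system32\hgGvwurr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\awtuvVNF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {9319d53b-19aa-5399-4914-078fccb6b2de} - {ed2b6bcc-f870-4194-9935-aa91b35d9139} - C:\WINDOWS\system32\setskgws.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM77c04df3] Rundll32.exe "C:\WINDOWS\system32\xaowumks.dll",s
O20 - Winlogon Notify: awtuvVNF - C:\WINDOWS\SYSTEM32\awtuvVNF.dll
"""

# File names copied from the ComboFix "Other Deletions" list posted later in the thread.
COMBOFIX_DELETED = ["awtuvVNF.dll", "rruwvGgh.ini", "rruwvGgh.ini2", "bIhNnnmp.ini",
                    "sDNmlnnn.ini", "setskgws.dll", "xaowumks.dll", "xxyyaXoM.dll"]

# Assumed allowlist: legitimate eight-letter DLLs that would otherwise trip the heuristic
# (WgaLogon.dll is the Windows Genuine Advantage notification package).
KNOWN_GOOD = {"wgalogon"}

SYSTEM32_DLL = re.compile(r'\\system32\\([^\\\s"]+\.dll)', re.IGNORECASE)
GUID = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)
RUNDLL_ARG = re.compile(r'"?([^"\s]+\.dll)"?,(\w*)')  # <path>.dll,<export>


def random_stem(filename: str) -> bool:
    """Crude heuristic for Vundo's generated names: an eight-letter stem such as
    awtuvVNF or hgGvwurr. Treat a hit as a lead to verify, not a verdict."""
    stem = filename.rsplit(".", 1)[0]
    return stem.lower() not in KNOWN_GOOD and re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def triage(log: str) -> Dict[str, List[str]]:
    """Flag HijackThis entries that fit the Vundo pattern, keyed by indicator."""
    hits: Dict[str, List[str]] = {
        "orphan_bho": [],       # unnamed/GUID-named BHO backed by a random system32 DLL
        "winlogon_notify": [],  # the same kind of DLL hooked into winlogon.exe
        "rundll32_run": [],     # Run key loading such a DLL via rundll32 with a 1-letter export
        "hosts": [],            # every hosts-file override, listed for manual review
        "multi_hook": [],       # DLLs present in more than one of the categories above
    }
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            # Format: O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
            parts = [p.strip() for p in line[len("O2 - BHO:"):].split(" - ", 2)]
            if len(parts) != 3:
                continue
            name, _clsid, path = parts
            m = SYSTEM32_DLL.search(path)
            if m and (name == "(no name)" or GUID.match(name)) and random_stem(m.group(1)):
                hits["orphan_bho"].append(m.group(1))
        elif line.startswith("O20 - Winlogon Notify:"):
            m = SYSTEM32_DLL.search(line)
            if m and random_stem(m.group(1)):
                hits["winlogon_notify"].append(m.group(1))
        elif line.startswith("O4 - ") and "rundll32" in line.lower():
            m = RUNDLL_ARG.search(line)
            if m:
                dll = m.group(1).rsplit("\\", 1)[-1]
                if random_stem(dll) and len(m.group(2)) <= 1:
                    hits["rundll32_run"].append(dll)
        elif line.startswith("O1 - Hosts:"):
            hits["hosts"].append(line[len("O1 - Hosts:"):].strip())
    # A DLL that is both a BHO and a Winlogon Notify package is the strongest single signal.
    first_seen: Dict[str, str] = {}
    where: Dict[str, set] = {}
    for cat in ("orphan_bho", "winlogon_notify", "rundll32_run"):
        for dll in hits[cat]:
            first_seen.setdefault(dll.lower(), dll)
            where.setdefault(dll.lower(), set()).add(cat)
    hits["multi_hook"] = sorted(first_seen[k] for k, c in where.items() if len(c) > 1)
    return hits


def reversed_name_pairs(names: List[str]) -> List[Tuple[List[str], List[str]]]:
    """Vundo kept its settings in .ini files whose stem is the DLL stem spelled
    backwards (hgGvwurr.dll <-> rruwvGgh.ini). Return groups whose stems are mutual reverses."""
    by_stem: Dict[str, List[str]] = {}
    for n in dict.fromkeys(names):  # de-duplicate, keep order
        by_stem.setdefault(n.split(".", 1)[0].lower(), []).append(n)
    pairs = []
    for stem, files in by_stem.items():
        rev = stem[::-1]
        if rev in by_stem and rev > stem:  # report each pair once; palindromes excluded
            pairs.append((sorted(files), sorted(by_stem[rev])))
    return pairs


if __name__ == "__main__":
    for category, items in triage(HJT_SAMPLE).items():
        print(f"{category:16} {items}")
    print("reversed-name pairs:", reversed_name_pairs(["hgGvwurr.dll"] + COMBOFIX_DELETED))
```

Run against the sample, the script lists the three orphan BHO DLLs, awtuvVNF.dll under both `winlogon_notify` and `multi_hook`, xaowumks.dll for the `[BM77c04df3]` entry, and leaves NvCpl.dll alone because its stem and export (`NvStartup`) do not fit the pattern. The reversed-name check only becomes useful once the ComboFix deletion list is available, which is why the helper's next step in this thread is to ask for that log.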

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi Serebii

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more than 20 minutes, including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also which process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    May 2007
    Location
    Sweden, Stockholm
    Posts
    9


    Thanks for the reply. I will be away for a few days, until Sunday, but here are the reports. Oh, by the way, HJT had some weird problem, I don't know what, and opened an IE7 window. Will give better info later.

    ComboFix log:
    ComboFix 08-06-04.5 - Lukas 2008-06-05 17:40:36.1 - NTFSx86
    Running from: C:\Documents and Settings\Lukas\Skrivbord\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM77c04df3.xml
    C:\WINDOWS\fnts~1
    C:\WINDOWS\fnts~1\F?nts\
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\aphklopg.ini
    C:\WINDOWS\system32\awtuvVNF.dll
    C:\WINDOWS\system32\bIhNnnmp.ini
    C:\WINDOWS\system32\bIhNnnmp.ini2
    C:\WINDOWS\system32\hokaesln.dll
    C:\WINDOWS\system32\kceypbgv.dll
    C:\WINDOWS\system32\kwsagxpc.dll
    C:\WINDOWS\system32\ljiuabpc.ini
    C:\WINDOWS\system32\lwpwgtfs.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ppfxoemc.dll
    C:\WINDOWS\system32\rruwvGgh.ini
    C:\WINDOWS\system32\rruwvGgh.ini2
    C:\WINDOWS\system32\sDNmlnnn.ini
    C:\WINDOWS\system32\sDNmlnnn.ini2
    C:\WINDOWS\system32\setskgws.dll
    C:\WINDOWS\system32\sftgwpwl.ini
    C:\WINDOWS\system32\tcehfuvu.ini
    C:\WINDOWS\system32\uhysdgud.dll
    C:\WINDOWS\system32\vgbpyeck.ini
    C:\WINDOWS\system32\wgpljpuf.dll
    C:\WINDOWS\system32\xaowumks.dll
    C:\WINDOWS\system32\xxyyaXoM.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
    .

    2008-05-31 20:12 . 2008-05-31 20:12 <KAT> d-------- C:\Program\Trend Micro
    2008-05-31 18:01 . 2008-05-31 18:02 <KAT> d-------- C:\Documents and Settings\Lukas\Application Data\Juce VST Host
    2008-05-31 15:25 . 2008-05-31 16:40 <KAT> d-------- C:\Documents and Settings\Lukas\Application Data\Cakewalk
    2008-05-31 15:22 . 2008-05-31 15:22 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
    2008-05-31 14:48 . 2006-02-24 10:00 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-05-31 14:48 . 2006-02-24 10:00 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
    2008-05-31 14:48 . 2006-02-24 10:00 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
    2008-05-31 14:48 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
    2008-05-31 14:45 . 2008-05-31 15:16 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
    2008-05-29 17:28 . 2008-05-31 18:39 327 --a------ C:\WINDOWS\wininit.ini
    2008-05-27 21:42 . 2008-05-28 15:58 <KAT> d-------- C:\Program\Stardock
    2008-05-27 21:42 . 2008-05-27 21:42 <KAT> d-------- C:\Program\Delade filer\Stardock
    2008-05-25 19:43 . 2008-05-25 19:43 <KAT> d-------- C:\Program\JAIME
    2008-05-25 18:59 . 2008-05-30 16:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-05-25 18:59 . 2008-05-25 18:59 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-05-25 17:24 . 2008-05-25 17:24 <KAT> d-------- C:\WINDOWS\profiles
    2008-05-25 17:24 . 2008-05-25 17:24 2,557 --a------ C:\WINDOWS\identitydb.obj
    2008-05-20 20:33 . 2008-05-20 20:33 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-05-20 20:01 . 2008-05-20 20:01 <KAT> d-------- C:\Program\Bonjour
    2008-05-20 19:50 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
    2008-05-20 15:58 . 2008-05-20 15:58 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-05-19 21:08 . 2008-05-19 21:08 <KAT> d-------- C:\Program\Delade filer\Bcgsoft
    2008-05-18 17:11 . 2008-05-18 17:11 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software
    2008-05-17 13:59 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
    2008-05-17 13:59 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
    2008-05-17 13:58 . 2008-05-17 13:58 <KAT> d-------- C:\Program\Outsim
    2008-05-17 13:58 . 2008-05-17 14:00 <KAT> d-------- C:\Program\Image-Line
    2008-05-14 14:36 . 2008-05-14 14:52 23 --a------ C:\WINDOWS\BlendSettings.ini
    2008-05-14 13:25 . 2008-05-14 13:25 <KAT> d-------- C:\Program\PowerISO
    2008-05-14 03:29 . 2008-05-14 03:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-05-11 17:48 . 2008-05-11 17:48 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-05-11 17:43 . 2008-05-11 17:43 <KAT> d-------- C:\Program\Messenger Plus! Live
    2008-05-07 15:51 . 2001-09-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-05-07 15:50 . 2004-08-03 22:31 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
    2008-05-06 16:58 . 1997-08-13 05:08 248,080 --------- C:\WINDOWS\system32\voxrt24.dll
    2008-05-06 16:58 . 1997-08-13 05:08 17,680 --------- C:\WINDOWS\system32\msrt24.acm
    2008-05-06 14:20 . 2008-05-06 14:22 <KAT> d-------- C:\Program\Macromedia

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 12:51 --------- d-----w C:\Program\Mozilla Thunderbird
    2008-05-31 12:42 --------- d-----w C:\Program\Paint Shop Pro 5
    2008-05-31 11:15 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Symantec
    2008-05-28 13:58 --------- d-----w C:\Documents and Settings\Lukas\Application Data\uTorrent
    2008-05-28 13:54 --------- d-----w C:\Program\uTorrent
    2008-05-26 16:03 --------- d-----w C:\Program\SystemRequirementsLab
    2008-05-26 16:03 --------- d-----w C:\Documents and Settings\Lukas\Application Data\SystemRequirementsLab
    2008-05-26 14:20 --------- d-s---w C:\Program\Xfire
    2008-05-26 06:34 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Xfire
    2008-05-25 15:58 --------- d-----w C:\Program\Java
    2008-05-21 18:16 --------- d-----w C:\Program\Windows Live Safety Center
    2008-05-20 18:01 --------- d-----w C:\Program\Delade filer\Adobe
    2008-05-19 16:54 --------- d--h--w C:\Program\InstallShield Installation Information
    2008-05-17 16:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-14 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-04-28 17:49 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Lucasarts
    2008-04-25 14:59 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2008-04-20 16:23 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Hamachi
    2008-04-20 11:47 65,536 ----a-w C:\WINDOWS\IFinst27.exe
    2008-04-07 16:41 --------- d-----w C:\Program\Microsoft Works
    2008-04-07 16:40 --------- d-----w C:\Program\MSBuild
    2008-04-07 16:35 --------- d-----w C:\Program\Microsoft.NET
    2008-04-07 16:29 --------- d-----w C:\Program\Microsoft Visual Studio 8
    2008-04-07 15:30 --------- d-----w C:\Program\fragMOTION 0.9.1a
    2008-04-06 16:17 --------- d-----w C:\Documents and Settings\Lukas\Application Data\OpenOffice.org2
    2008-04-05 14:08 --------- d-----w C:\Documents and Settings\Lukas\Application Data\fretsonfire
    2008-04-02 16:23 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
    2008-03-28 17:28 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-03-28 17:28 286,720 ------w C:\WINDOWS\Setup1.exe
    2008-03-27 10:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2008-03-27 10:35 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
    2008-03-23 10:12 691,545 ----a-w C:\WINDOWS\unins000.exe
    2008-03-19 16:39 17,408 ----a-w C:\psapi.dll
    2007-02-18 18:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14397ACC-B4E5-4433-B856-375E3683892C}]
    C:\WINDOWS\system32\hgGvwurr.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NAV Agent"="C:\Program\NORTON~1\navapw32.exe" [2001-09-10 12:24 74832]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "IntelliPoint"="C:\Program\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 03:09 842584]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]
    "CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-09-28 14:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:34 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "MSACM.msrt24"= msrt24.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2004-06-16 06:03 81920 C:\Program\Delade filer\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\rtcshare.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\Team17\\Worms World Party\\wwp.exe"=
    "C:\\Team17\\Worms2\\Frontend.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program\\Xfire\\xfire.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program\\Winamp Remote\\bin\\Orb.exe"=
    "C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"=
    "C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
    "C:\\Program\\NetMeeting\\conf.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\YoYoGames\\yoyo70.exe"=
    "G:\\Program\\Miro\\Miro_Downloader.exe"=
    "C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
    "G:\\Program\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
    "G:\\Program\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
    "C:\\Program\\FlashGet\\flashget.exe"=
    "C:\\Program\\Mozilla Firefox\\firefox.exe"=
    "G:\\Program\\Warsow\\warsow_x86.exe"=
    "G:\\Program\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
    "G:\\PacSteamT\\SteamApps\\rubbah__lezer_dock\\day of defeat\\hl.exe"=
    "G:\\PacSteamT\\SteamApps\\rubbah__lezer_dock\\counter-strike\\hl.exe"=
    "G:\\Program\\Podbot\\hl.exe"=
    "E:\\Program\\Red Storm\\RavenShield\\system\\ravenshield.exe"=
    "E:\\Program\\Red Storm\\RavenShield\\system\\UCC.exe"=
    "E:\\Program\\NCsoft\\Exteel\\System\\Exteel.exe"=
    "C:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "E:\\Quake III Arena\\quake3.exe"=
    "E:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "E:\\Program\\Strategy First\\Making History 2.0\\bin\\makehist.exe"=
    "E:\\Program\\The Game Creators\\FPS Creator Demo\\FPSC-Game.exe"=
    "E:\\Program\\Tom Clancy's Splinter Cell Chaos Theory\\Chaos Theory\\System\\SPLINTERCELL3.EXE"=
    "C:\\Program\\Bonjour\\mDNSResponder.exe"=
    "E:\\Program\\Dreamweaver\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4001:TCP"= 4001:TCP:EclipseEvolution-ServerPort
    "5121:TCP"= 5121:TCP:map-server.exe
    "6121:TCP"= 6121:TCP:char-server.exe
    "6900:TCP"= 6900:TCP:login-server.exe
    "4444:TCP"= 4444:TCP:map-server

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 21:22]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 18:39]
    R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 12:58]
    S1 lusbaudio;Logitech USB-mikrofon;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 23:05]
    S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Lukas\Skrivbord\MoonLight\IlvMoney1129.sys []
    S3 npkycryp;npkycryp;C:\Program\Gravity\RO\npkycryp.sys []
    S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 23:05]
    S3 Revolution1;Revolution1;C:\Documents and Settings\Lukas\Skrivbord\Revolution_Engine_6.2_By_SHAK3\SHAK3.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{405319ba-fa41-11db-9379-00e04c3928c8}]
    \Shell\AutoRun\command - G:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bd2ab0-f8a6-11db-9376-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bd2ab1-f8a6-11db-9376-00e04c3928c8}]
    \Shell\AutoRun\command - F:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-05 15:55:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program\Windows Defender\MpCmdRun.exe
    "2008-05-23 17:51:36 C:\WINDOWS\Tasks\Norton AntiVirus - Sök igenom datorn.job"



    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:23, on 2008-06-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\NORTON~1\navapw32.exe
    C:\Program\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://distans.kunskapsskolan.se/Ci...e/default.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {14397ACC-B4E5-4433-B856-375E3683892C} - C:\WINDOWS\system32\hgGvwurr.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program\FlashGet\getflash.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MI1933~1\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

    --
    End of file - 9312 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\dsdxirmv.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14397ACC-B4E5-4433-B856-375E3683892C}]
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
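
As an added illustration of the CFScript mechanics in the post above (example code written for this page, not ComboFix's own code and not anything posted in the thread), the Python script below parses HijackThis O2 (BHO) and O4 (Run key) lines from a constructed sample log, flags entries whose file names fit the Vundo/Virtumundo pattern seen in this thread (random eight-letter names living in system32), and renders the flagged items into the same File::/Registry:: layout the helper used. The sample lines, the CLSID, the file names, the allowlist and the eight-letter heuristic are all assumptions made for the example; a candidate list from such a heuristic is input for a human reviewer, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample lines in HijackThis v2 format. They are NOT copied from the
# thread's logs; the first BHO and the last Run entry are made up to resemble a
# Vundo/Virtumundo hit (random 8-letter DLL in system32).
SAMPLE_HJT = """\
O2 - BHO: (no name) - {A1B2C3D4-0000-4000-8000-0000DEADBEEF} - C:\\WINDOWS\\system32\\qwzrtyui.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program\\Java\\jre1.6.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [NAV Agent] C:\\Program\\NORTON~1\\navapw32.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [zxcvbnmq] RUNDLL32.EXE C:\\WINDOWS\\system32\\zxcvbnmq.dll,Init
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First drive-letter path ending in .exe/.dll inside a Run command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)

# Benign system32 binaries whose names happen to be exactly 8 letters
# (constructed allowlist; extend for your own environment).
KNOWN_GOOD = {"explorer.exe", "winlogon.exe", "services.exe", "userinit.exe"}

# Abbreviated BHO key form, written the same way the helper's script above does.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def parse_hjt(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split a HijackThis log into O2 (BHO) and O4 (Run key) entries."""
    bhos, runs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            p = PATH_RE.search(entry["cmd"])
            entry["path"] = p.group(0) if p else ""
            runs.append(entry)
    return {"bhos": bhos, "runs": runs}


def looks_random(path: str) -> bool:
    """Crude Vundo-style heuristic: a digit-free, 8-letter file name in system32
    that is not allowlisted. It marks candidates for review, nothing more."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rpartition(".")[0]
    if "\\system32\\" not in path.lower() or name.lower() in KNOWN_GOOD:
        return False
    return len(stem) == 8 and stem.isalpha()


def triage(text: str) -> Dict[str, List[str]]:
    """Collect suspect file paths and the CLSIDs of suspect BHOs."""
    parsed = parse_hjt(text)
    files, clsids = [], []
    for bho in parsed["bhos"]:
        if looks_random(bho["path"]):
            files.append(bho["path"])
            clsids.append(bho["clsid"])
    for run in parsed["runs"]:
        if run["path"] and looks_random(run["path"]) and run["path"] not in files:
            files.append(run["path"])
    return {"files": files, "clsids": clsids}


def build_cfscript(files: List[str], clsids: List[str]) -> str:
    """Render File:: and Registry:: sections; a leading '-' on a key means
    'delete this key', as in the helper's script."""
    lines: List[str] = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    if clsids:
        lines.append("Registry::")
        lines.extend(f"[-{BHO_KEY}\\{c}]" for c in clsids)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hit = triage(SAMPLE_HJT)
    print(build_cfscript(hit["files"], hit["clsids"]))
```

Running the block prints a two-file, one-key CFScript for the constructed sample; the allowlist exists because otherwise ordinary eight-letter system binaries such as winlogon.exe would be flagged by the same rule.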

  5. #5
    Junior Member
    Join Date
    May 2007
    Location
    Sweden, Stockholm
    Posts
    9

    Default

    Okay, here is a ComboFix log and a fresh HJT. Not sure if you need this, but better safe than sorry?

    Combofix:

    ComboFix 08-06-04.5 - Lukas 2008-06-09 10:59:34.2 - NTFSx86
    Running from: C:\Documents and Settings\Lukas\Skrivbord\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lukas\Skrivbord\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\dsdxirmv.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dsdxirmv.exe
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\BM77c04df3.xml
    C:\WINDOWS\fnts~1
    C:\WINDOWS\fnts~1\F?nts\
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\aphklopg.ini
    C:\WINDOWS\system32\awtuvVNF.dll
    C:\WINDOWS\system32\bIhNnnmp.ini
    C:\WINDOWS\system32\bIhNnnmp.ini2
    C:\WINDOWS\system32\hokaesln.dll
    C:\WINDOWS\system32\kceypbgv.dll
    C:\WINDOWS\system32\kwsagxpc.dll
    C:\WINDOWS\system32\ljiuabpc.ini
    C:\WINDOWS\system32\lwpwgtfs.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ppfxoemc.dll
    C:\WINDOWS\system32\rruwvGgh.ini
    C:\WINDOWS\system32\rruwvGgh.ini2
    C:\WINDOWS\system32\sDNmlnnn.ini
    C:\WINDOWS\system32\sDNmlnnn.ini2
    C:\WINDOWS\system32\setskgws.dll
    C:\WINDOWS\system32\sftgwpwl.ini
    C:\WINDOWS\system32\tcehfuvu.ini
    C:\WINDOWS\system32\uhysdgud.dll
    C:\WINDOWS\system32\vgbpyeck.ini
    C:\WINDOWS\system32\wgpljpuf.dll
    C:\WINDOWS\system32\xaowumks.dll
    C:\WINDOWS\system32\xxyyaXoM.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-05-31 20:12 . 2008-05-31 20:12 <KAT> d-------- C:\Program\Trend Micro
    2008-05-31 18:01 . 2008-05-31 18:02 <KAT> d-------- C:\Documents and Settings\Lukas\Application Data\Juce VST Host
    2008-05-31 15:25 . 2008-05-31 16:40 <KAT> d-------- C:\Documents and Settings\Lukas\Application Data\Cakewalk
    2008-05-31 14:48 . 2006-02-24 10:00 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-05-31 14:48 . 2006-02-24 10:00 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
    2008-05-31 14:48 . 2006-02-24 10:00 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
    2008-05-31 14:48 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
    2008-05-31 14:45 . 2008-05-31 15:16 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
    2008-05-29 17:28 . 2008-05-31 18:39 327 --a------ C:\WINDOWS\wininit.ini
    2008-05-27 21:42 . 2008-05-28 15:58 <KAT> d-------- C:\Program\Stardock
    2008-05-27 21:42 . 2008-05-27 21:42 <KAT> d-------- C:\Program\Delade filer\Stardock
    2008-05-25 19:43 . 2008-05-25 19:43 <KAT> d-------- C:\Program\JAIME
    2008-05-25 18:59 . 2008-05-30 16:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-05-25 18:59 . 2008-05-25 18:59 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-05-25 17:24 . 2008-05-25 17:24 <KAT> d-------- C:\WINDOWS\profiles
    2008-05-25 17:24 . 2008-05-25 17:24 2,557 --a------ C:\WINDOWS\identitydb.obj
    2008-05-20 20:33 . 2008-05-20 20:33 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-05-20 20:01 . 2008-05-20 20:01 <KAT> d-------- C:\Program\Bonjour
    2008-05-20 19:50 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
    2008-05-20 15:58 . 2008-05-20 15:58 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-05-19 21:08 . 2008-05-19 21:08 <KAT> d-------- C:\Program\Delade filer\Bcgsoft
    2008-05-18 17:11 . 2008-05-18 17:11 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software
    2008-05-17 13:59 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
    2008-05-17 13:59 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
    2008-05-17 13:58 . 2008-05-17 13:58 <KAT> d-------- C:\Program\Outsim
    2008-05-17 13:58 . 2008-05-17 14:00 <KAT> d-------- C:\Program\Image-Line
    2008-05-14 14:36 . 2008-05-14 14:52 23 --a------ C:\WINDOWS\BlendSettings.ini
    2008-05-14 13:25 . 2008-05-14 13:25 <KAT> d-------- C:\Program\PowerISO
    2008-05-14 03:29 . 2008-05-14 03:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-05-11 17:48 . 2008-05-11 17:48 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-05-11 17:43 . 2008-05-11 17:43 <KAT> d-------- C:\Program\Messenger Plus! Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-31 12:51 --------- d-----w C:\Program\Mozilla Thunderbird
    2008-05-31 12:42 --------- d-----w C:\Program\Paint Shop Pro 5
    2008-05-31 11:15 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Symantec
    2008-05-28 13:58 --------- d-----w C:\Documents and Settings\Lukas\Application Data\uTorrent
    2008-05-28 13:54 --------- d-----w C:\Program\uTorrent
    2008-05-26 16:03 --------- d-----w C:\Program\SystemRequirementsLab
    2008-05-26 16:03 --------- d-----w C:\Documents and Settings\Lukas\Application Data\SystemRequirementsLab
    2008-05-26 14:20 --------- d-s---w C:\Program\Xfire
    2008-05-26 06:34 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Xfire
    2008-05-25 15:58 --------- d-----w C:\Program\Java
    2008-05-21 18:16 --------- d-----w C:\Program\Windows Live Safety Center
    2008-05-20 18:01 --------- d-----w C:\Program\Delade filer\Adobe
    2008-05-19 16:54 --------- d--h--w C:\Program\InstallShield Installation Information
    2008-05-17 16:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-14 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-05-06 12:22 --------- d-----w C:\Program\Macromedia
    2008-04-28 17:49 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Lucasarts
    2008-04-25 14:59 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2008-04-20 16:23 --------- d-----w C:\Documents and Settings\Lukas\Application Data\Hamachi
    2008-04-20 11:47 65,536 ----a-w C:\WINDOWS\IFinst27.exe
    2008-04-02 16:23 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
    2008-03-28 17:28 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-03-28 17:28 286,720 ------w C:\WINDOWS\Setup1.exe
    2008-03-28 16:06 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-03-27 12:16 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
    2008-03-27 12:16 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
    2008-03-27 12:16 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
    2008-03-27 10:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2008-03-27 10:35 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
    2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
    2008-03-25 04:52 162,592 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-23 10:12 691,545 ----a-w C:\WINDOWS\unins000.exe
    2008-03-20 16:52 81,920 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-03-20 16:52 233,472 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-03-20 08:10 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 16:39 17,408 ----a-w C:\psapi.dll
    2007-02-18 18:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-05_18.16.09.59 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-02-26 11:50:00 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
    + 2007-03-06 03:38:50 15,072 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
    + 2007-03-06 03:38:55 214,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
    + 2007-03-06 03:38:48 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
    + 2007-03-06 03:39:14 719,584 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
    + 2007-03-06 03:40:05 381,152 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
    - 2008-06-05 15:52:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-09 08:54:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-02-26 12:01:27 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
    - 2004-08-03 23:33:46 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
    + 2008-02-26 12:01:27 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NAV Agent"="C:\Program\NORTON~1\navapw32.exe" [2001-09-10 12:24 74832]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
    "SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "IntelliPoint"="C:\Program\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 03:09 842584]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]
    "CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-09-28 14:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:34 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll
    "MSACM.msrt24"= msrt24.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2004-06-16 06:03 81920 C:\Program\Delade filer\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program\\Messenger\\msmsgs.exe"=
    "C:\\WINDOWS\\system32\\rtcshare.exe"=
    "C:\\WINDOWS\\system32\\dplaysvr.exe"=
    "C:\\Team17\\Worms World Party\\wwp.exe"=
    "C:\\Team17\\Worms2\\Frontend.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program\\Xfire\\xfire.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program\\Winamp Remote\\bin\\Orb.exe"=
    "C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"=
    "C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
    "C:\\Program\\NetMeeting\\conf.exe"=
    "C:\\Documents and Settings\\All Users\\Application Data\\YoYoGames\\yoyo70.exe"=
    "G:\\Program\\Miro\\Miro_Downloader.exe"=
    "C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
    "G:\\Program\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
    "G:\\Program\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
    "C:\\Program\\FlashGet\\flashget.exe"=
    "C:\\Program\\Mozilla Firefox\\firefox.exe"=
    "G:\\Program\\Warsow\\warsow_x86.exe"=
    "G:\\Program\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
    "G:\\PacSteamT\\SteamApps\\rubbah__lezer_dock\\day of defeat\\hl.exe"=
    "G:\\PacSteamT\\SteamApps\\rubbah__lezer_dock\\counter-strike\\hl.exe"=
    "G:\\Program\\Podbot\\hl.exe"=
    "E:\\Program\\Red Storm\\RavenShield\\system\\ravenshield.exe"=
    "E:\\Program\\Red Storm\\RavenShield\\system\\UCC.exe"=
    "E:\\Program\\NCsoft\\Exteel\\System\\Exteel.exe"=
    "C:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "E:\\Quake III Arena\\quake3.exe"=
    "E:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "E:\\Program\\Strategy First\\Making History 2.0\\bin\\makehist.exe"=
    "E:\\Program\\The Game Creators\\FPS Creator Demo\\FPSC-Game.exe"=
    "E:\\Program\\Tom Clancy's Splinter Cell Chaos Theory\\Chaos Theory\\System\\SPLINTERCELL3.EXE"=
    "C:\\Program\\Bonjour\\mDNSResponder.exe"=
    "E:\\Program\\Dreamweaver\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4001:TCP"= 4001:TCP:EclipseEvolution-ServerPort
    "5121:TCP"= 5121:TCP:map-server.exe
    "6121:TCP"= 6121:TCP:char-server.exe
    "6900:TCP"= 6900:TCP:login-server.exe
    "4444:TCP"= 4444:TCP:map-server

    R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 21:22]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 18:39]
    R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 12:58]
    S1 lusbaudio;Logitech USB-mikrofon;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 23:05]
    S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Lukas\Skrivbord\MoonLight\IlvMoney1129.sys []
    S3 npkycryp;npkycryp;C:\Program\Gravity\RO\npkycryp.sys []
    S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 23:05]
    S3 Revolution1;Revolution1;C:\Documents and Settings\Lukas\Skrivbord\Revolution_Engine_6.2_By_SHAK3\SHAK3.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{405319ba-fa41-11db-9379-00e04c3928c8}]
    \Shell\AutoRun\command - G:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bd2ab0-f8a6-11db-9376-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45bd2ab1-f8a6-11db-9376-00e04c3928c8}]
    \Shell\AutoRun\command - F:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-09 08:57:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program\Windows Defender\MpCmdRun.exe
    "2008-05-23 17:51:36 C:\WINDOWS\Tasks\Norton AntiVirus - Sök igenom datorn.job"
    - C:\Program\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 11:06:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-06-09 11:10:00
    ComboFix-quarantined-files.txt 2008-06-09 09:08:52

    Pre-Run: 832,122,880 byte ledigt
    Post-Run: 821,719,040 byte ledigt

    240 --- E O F --- 2008-06-05 16:16:16



    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:30:02, on 2008-06-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\NORTON~1\navapw32.exe
    C:\Program\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://distans.kunskapsskolan.se/Ci...e/default.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program\FlashGet\getflash.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MI1933~1\Office12\GR99D3~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

    --
    End of file - 9137 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file KasScan-ddmmyy (or similar)
    • In the Save as type prompt, select Text file (see below)
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Post:

    - a fresh HijackThis log
    - kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Due to the lack of feedback this Topic is closed.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
