Infected with trojan horse SHeur3.XCC

loophole5 · May 16, 2010

it looks like it ended up in my temporary files as well as the svchosts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11:18, on 2010-05-16
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adblock Pro - {F385C231-605B-4d8f-ACA9-DBFF765BBE17} - C:\Program Files\Adblock Pro\AdblockPro.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\..\Run: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "%ProgramFiles%\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Desktop SMS] "C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe" /auto
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: &Blockera bilden (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: Edit in &Picnik - http://www.picnik.com/extensions/ie-import.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?SW (file missing)
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9029 bytes
------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

DDS log

DDS (Ver_09-09-29.01) - NTFSx86
Run by Niklas at 18:15:48,49 on 2010-05-16
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.2037.733 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Niklas\Pictures\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adblock Pro: {f385c231-605b-4d8f-aca9-dbff765bbe17} - c:\program files\adblock pro\AdblockPro.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\TOSCDSPD.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE"
mRun: [HSON] "%ProgramFiles%\TOSHIBA\TBS\HSON.exe"
mRun: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe"
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [SVPWUTIL] "c:\program files\toshiba\utilities\SVPWUTIL.exe" SVPwUTIL
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Desktop SMS] "c:\program files\idm\desktop sms\DesktopSMS.exe" /auto
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Block This Image (ABP) - c:\program files\adblock pro\blockimg.html
IE: &Blockera bilden (ABP) - c:\program files\adblock pro\blockimg.html
IE: Edit in &Picnik - http://www.picnik.com/extensions/ie-import.html
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?SW
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - {7685B225-8229-4321-BA13-A24485B0A760} - c:\program files\adblock pro\AdblockPro.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-30 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-30 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-30 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-25 21504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2010-05-16 18:10 <DIR> --d----- c:\program files\Trend Micro
2010-05-12 15:27 <DIR> --d----- c:\program files\Vuze
2010-05-12 15:27 <DIR> --d----- c:\program files\Vuze_Remote
2010-05-12 13:47 738,816 a------- c:\windows\system32\inetcomm.dll
2010-04-28 09:59 293,376 a------- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-16 15:43 4,180 a------- c:\users\niklas\appdata\roaming\wklnhst.dat
2010-05-12 14:23 597,836 a------- c:\windows\system32\perfh01D.dat
2010-05-12 14:23 117,416 a------- c:\windows\system32\perfc01D.dat
2010-04-21 10:05 242,896 a------- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 10:52 12,464 a------- c:\windows\system32\avgrsstx.dll
2010-03-09 18:25 78,336 a------- c:\windows\system32\ieencode.dll
2010-03-09 17:42 834,048 a------- c:\windows\system32\wininet.dll
2010-03-04 19:33 430,080 a------- c:\windows\system32\vbscript.dll
2010-02-21 01:06 24,064 a------- c:\windows\system32\nshhttp.dll
2010-02-21 01:05 30,720 a------- c:\windows\system32\httpapi.dll
2010-02-18 16:07 3,600,776 a------- c:\windows\system32\ntkrnlpa.exe
2010-02-18 16:07 3,548,040 a------- c:\windows\system32\ntoskrnl.exe
2010-02-18 15:30 200,704 a------- c:\windows\system32\iphlpsvc.dll
2009-11-17 09:12 51,200 a------- c:\windows\inf\infpub.dat
2009-11-17 09:12 665,600 a------- c:\windows\inf\drvindex.dat
2009-11-17 09:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-11-17 09:12 86,016 a------- c:\windows\inf\infstor.dat
2008-05-25 12:37 174 a--sh--- c:\program files\desktop.ini
2007-05-11 18:48 819,183 a----r-- c:\program files\fmXML_setup.exe
2006-11-21 07:00 290,490 a------- c:\windows\inf\perflib\041d\perfi.dat
2006-11-21 07:00 290,490 a------- c:\windows\inf\perflib\041d\perfh.dat
2006-11-21 07:00 35,978 a------- c:\windows\inf\perflib\041d\perfd.dat
2006-11-21 07:00 35,978 a------- c:\windows\inf\perflib\041d\perfc.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 11:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 11:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-08-03 00:26 80,930,336 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-22 22:52 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2009-10-22 22:52 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-10-22 22:52 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:17:56,10 ===============

and here is the attachment:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2007-09-26 17:12:09
System Uptime: 2010-05-16 17:49:30 (1 hours ago)

Motherboard: TOSHIBA | | ISRAE
Processor: Genuine Intel(R) CPU T2080 @ 1.73GHz | U2E1 | 1733/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 32,031 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 73 GiB total, 72,932 GiB free.
F: is CDROM (UDF)
O: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

==== Installed Programs ======================

Ad-Aware
Adblock Pro 2.6
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.1.0 - Svenska
AdVantage (Powering DAEMON Tools)
Ask Toolbar
Atheros Driver Installation Program
µTorrent
AutoUpdate
AVG Free 9.0
Azureus Vuze
Bluetooth Stack for Windows by Toshiba
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
CDDRV_Installer
Desktop SMS
DivX Converter
DivX Player
DivX Web Player
DVD MovieFactory for TOSHIBA
Far Cry
FM Graphics Guru 1.1
FM Modifier 2.25
fmXML version 0.2
Football Manager 2009
Football Manager 2010
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImageShack Uploader 2.2.0
Intel(R) Graphics Media Accelerator Driver
Jasc Animation Shop 3
Java(TM) SE Runtime Environment 6
Junk Mail filter update
K-Lite Codec Pack 5.0.5 (Full)
KhalInstallWrapper
Logitech SetPoint
Microsoft .NET Framework 3.5 Language Pack SP1 - sve
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft XML Parser
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
myphotobook 3.1
NBA Live '97
NVIDIA Drivers
Pcsx2 0.9.6
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Encoder (KB954156)
SopCast 3.0.3
Språkpaket för Microsoft .NET Framework 3.5 SP 1 - sve
Steam
Svenska Spels Poker
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Administratörslösenord
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
Toshiba Online Product Information
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBAs maskinvaruinstallningar
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Utility Common Driver
VideoAvatar
VideoLAN VLC media player 0.8.6c
Windows Live Communications Platform
Windows Live Essentials
Windows Live inloggningsassistenten
Windows Live Mail
Windows Live Messenger
Windows Live Upload Tool
Windows Media Encoder 9 Series
WinDVD for TOSHIBA
WinPcap 4.0.2
WinRAR
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Vuze_Remote Toolbar

==== End Of File ===========================

ken545 · May 21, 2010

Hello loophole5

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

loophole5 · May 22, 2010

Hi Ken and thanks for your help.

I think i dodged a bullet with the trojan it looks like it only ended up in the tempfiles which atf cleaner emptyed.

Malwarebytes only found some adaware infections here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databasversion: 4131

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

2010-05-22 23:48:39
mbam-log-2010-05-22 (23-48-39).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 117421
Förfluten tid: 6 minut(er), 38 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 6
Infekterade registervärden: 1
Infekterade registerdataposter: 0
Infekterade mappar: 1
Infekterade filer: 7

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
HKEY_CLASSES_ROOT\TypeLib\{dabf362d-d442-4402-9208-ca9ed70dd01e} (Adware.Advantage) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ac3a9ef-c0f8-41d4-b4e2-b7cebb794151} (Adware.Advantage) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{862def42-89aa-49fa-ae1f-8a84b1b08a17} (Adware.Advantage) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f6e4845d-1d13-4bc0-942d-b9191524cc48} (Adware.Advantage) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{602d9049-b4ac-4a25-bf75-a9b54d747cba} (Adware.Advantage) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> No action taken.

Infekterade registervärden:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop sms (Worm.P2P) -> No action taken.

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
C:\Program Files\Advantage (Adware.Advantage) -> No action taken.

Infekterade filer:
C:\Program Files\Advantage\AdVantage.cch (Adware.Advantage) -> No action taken.
C:\Program Files\Advantage\AdVantage.db (Adware.Advantage) -> No action taken.
C:\Program Files\Advantage\AdVantage.htm (Adware.Advantage) -> No action taken.
C:\Program Files\Advantage\AdVUninst.exe (Adware.Advantage) -> No action taken.
C:\Program Files\Advantage\ffext.mod (Adware.Advantage) -> No action taken.
C:\Program Files\Advantage\TR.dll (Adware.Advantage) -> No action taken.
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe (Worm.P2P) -> No action taken.

ken545 · May 23, 2010

Hi,

You had Malwarebytes set to TAKE NO ACTION, which didn't accomplish much, you need to rerun the program and this time select REMOVED SELECTED

Random System Information Tool

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

loophole5 · May 23, 2010

Hi again Ken

I dont know why the log said so. Like you said the computer wanted me to reboot the system and i did with the result that the logfile i saved a totaly different result. Anyway here are the new logs as requested.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databasversion: 4131

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

2010-05-23 10:38:11
mbam-log-2010-05-23 (10-38-11).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 117203
Förfluten tid: 9 minut(er), 23 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)

Logfile of random's system information tool 1.07 (written by random/random)
Run by Niklas at 2010-05-23 10:42:17
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 35 GB (45%) free of 76 GB
Total RAM: 2037 MB (31% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:42:25, on 2010-05-23
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Niklas\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU1ET64K\RSIT[1].exe
C:\Program Files\trend micro\Niklas.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adblock Pro - {F385C231-605B-4d8f-ACA9-DBFF765BBE17} - C:\Program Files\Adblock Pro\AdblockPro.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\..\Run: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "%ProgramFiles%\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: &Blockera bilden (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: Edit in &Picnik - http://www.picnik.com/extensions/ie-import.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?SW (file missing)
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9105 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Daily 1).job
C:\Windows\tasks\Ad-Aware Update (Daily 2).job
C:\Windows\tasks\Ad-Aware Update (Daily 3).job
C:\Windows\tasks\Ad-Aware Update (Daily 4).job
C:\Windows\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-08-06 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-04-21 1615200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-03-27 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live inloggningshjälpen - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F385C231-605B-4d8f-ACA9-DBFF765BBE17}]
Adblock Pro - C:\Program Files\Adblock Pro\AdblockPro.dll [2008-04-07 458752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-08-06 279944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-01-18 4349952]
"TPwrMain"=C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2006-12-20 411768]
"HSON"=C:\Program Files\TOSHIBA\TBS\HSON.exe [2006-12-07 55416]
"SmoothView"=C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2007-02-06 509496]
"HWSetup"=C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [2006-11-01 413696]
"SVPWUTIL"=C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe [2006-03-20 438272]
"NDSTray.exe"=NDSTray.exe []
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-01-13 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-01-13 7766016]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-01-13 81920]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-11-28 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-11-28 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-11-28 81920]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-02-02 835584]
"Camera Assistant Software"=C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [2007-02-13 405504]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2008-02-29 76304]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-04-21 2064736]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"TOSCDSPD"=C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [2006-11-13 413696]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DAEMON Tools"=C:\Program Files\DAEMON Tools\daemon.exe [2007-09-18 171464]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-07-26 3883840]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-11-28 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64598df2-6c42-11dc-9bfa-806e6f6e6963}]
shell\AutoRun\command - F:\autorun.exe

======List of files/folders created in the last 1 months======

2010-05-23 10:42:17 ----D---- C:\rsit
2010-05-22 23:40:23 ----D---- C:\Users\Niklas\AppData\Roaming\Malwarebytes
2010-05-22 23:39:54 ----D---- C:\ProgramData\Malwarebytes
2010-05-22 23:39:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-16 18:10:22 ----D---- C:\Program Files\Trend Micro
2010-05-12 15:27:38 ----D---- C:\Program Files\Vuze
2010-05-12 15:27:32 ----D---- C:\Program Files\Vuze_Remote
2010-05-12 13:47:16 ----A---- C:\Windows\system32\inetcomm.dll
2010-04-28 09:59:07 ----A---- C:\Windows\system32\browserchoice.exe

======List of files/folders modified in the last 1 months======

2010-05-23 10:42:25 ----D---- C:\Windows\Prefetch
2010-05-23 10:42:07 ----D---- C:\Windows\Temp
2010-05-22 23:54:46 ----D---- C:\Windows\Tasks
2010-05-22 23:51:25 ----SHD---- C:\Windows\Installer
2010-05-22 23:51:24 ----D---- C:\Windows\system32\drivers
2010-05-22 23:49:01 ----RD---- C:\Program Files
2010-05-22 23:39:54 ----D---- C:\ProgramData
2010-05-22 15:12:08 ----D---- C:\Windows\system32\Tasks
2010-05-18 14:13:42 ----SHD---- C:\System Volume Information
2010-05-18 06:03:06 ----D---- C:\Users\Niklas\AppData\Roaming\Azureus
2010-05-12 15:27:26 ----D---- C:\Windows\System32
2010-05-12 15:25:44 ----D---- C:\Users\Niklas\AppData\Roaming\uTorrent
2010-05-12 14:25:53 ----D---- C:\Windows\winsxs
2010-05-12 14:23:15 ----D---- C:\Windows\inf
2010-05-12 14:23:15 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-05-12 14:13:13 ----D---- C:\Program Files\Windows Mail
2010-05-12 14:07:46 ----D---- C:\Windows\system32\catroot
2010-05-12 13:42:06 ----D---- C:\Windows\system32\catroot2
2010-04-30 20:51:06 ----A---- C:\Windows\system32\mrt.exe
2010-04-28 10:07:01 ----RSD---- C:\Windows\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2010-03-17 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2010-03-17 29512]
R1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-28 1161888]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-01-23 689664]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-28 1476096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-01-18 1729632]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-04 59392]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-11 89088]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-02-02 182328]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16128]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2006-07-06 168448]
R3 tosrfec;Bluetooth ACPI; C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 9216]
R3 usbvideo;USB-videoenhet (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2006-11-02 132352]
R3 UVCFTR;UVCFTR; C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 17712]
S3 ajkz7qf3;ajkz7qf3; C:\Windows\system32\drivers\ajkz7qf3.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-28 1476096]
S3 MSKSSRV;Tjänstproxy för Microsoft-direktuppspelning; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Klockproxy för Microsoft-direktuppspelning; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Kvalitetshanteringsproxy för Microsoft-direktuppspelning; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Tee/Sink-to-Sink-konverterare för Microsoft-direktuppspelning; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 NPF;NetGroup Packet Filter Driver; C:\Windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-01-13 4452288]
S3 Tosrfcom;Tosrfcom; C:\Windows\system32\drivers\Tosrfcom.sys []
S3 TpChoice;Touch Pad Detection Filter driver; C:\Windows\system32\DRIVERS\TpChoice.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 KR10I;KR10I; C:\Windows\system32\drivers\kr10i.sys [2007-01-18 219392]
S4 KR10N;KR10N; C:\Windows\system32\drivers\kr10n.sys [2007-01-18 211072]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-03-17 916760]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-17 308064]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2006-11-14 40960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-05 1181328]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2006-05-25 114688]
R2 TosCoSrv;TOSHIBA Power Saver; C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe [2006-12-20 428152]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 118784]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2006-08-23 49152]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2008-09-26 87288]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-05-23 10:42:28

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x1d
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x1d
Ad-Aware-->"C:\ProgramData\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\ProgramData\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
Adblock Pro 2.6-->C:\Program Files\Adblock Pro\uninst.exe
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.1.0 - Svenska-->MsiExec.exe /I{AC76BA86-7AD7-1053-7B44-A71000000002}
AdVantage (Powering DAEMON Tools)-->"C:\Program Files\AdVantage\AdVUninst.exe" /r DAEM /d "AdVantage (Powering DAEMON Tools)" /m "AdVantage is safe advertising software that supports DAEMON Tools.\nAdVantage is certified by TRUSTe as a Trusted Download.\n\nAre you sure you want to uninstall AdVantage support for DAEMON Tools?"
Ask Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\Setup.exe" -l0x1d -removeonly
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Azureus Vuze-->C:\Users\Niklas\Documents\Azureus\uninstall.exe
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Camera Assistant Software for Toshiba-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe" -l0x1d
CD/DVD Drive Acoustic Silencer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x1d
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Desktop SMS-->MsiExec.exe /I{5980B928-1C95-4B3E-957B-B02D8147FF9E}
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD MovieFactory for TOSHIBA-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\setup.exe" -l0x1d
Far Cry-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC} /l2057
FM Graphics Guru 1.1-->C:\Program Files\Sports Interactive\FM Graphics Guru 1.1\Uninstal.exe
FM Modifier 2.25-->MsiExec.exe /I{AE86AE81-CD7F-496F-A39F-0210C985E71B}
fmXML version 0.2-->"C:\Program Files\fmXML\unins000.exe"
Football Manager 2009-->"C:\Program Files\Sports Interactive\Football Manager 2009\Uninstall_Football Manager 2009\Avinstallera Football Manager 2009.exe"
Football Manager 2010-->"C:\Program Files\Sports Interactive\Football Manager 2010\Uninstall_Football Manager 2010\Avinstallera Football Manager 2010.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
ImageShack Uploader 2.2.0-->MsiExec.exe /X{8BCD7AE7-F713-4D50-BAB9-7839B9386870}
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Jasc Animation Shop 3-->MsiExec.exe /I{174D5678-D941-433C-BD23-58A5C7B0D36D}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
K-Lite Codec Pack 5.0.5 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x001d -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 Language Pack SP1 - sve-->MsiExec.exe /I{7D7152AF-581B-316F-8CA4-15342C3EFA4B}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Works-->MsiExec.exe /I{8BA42EAE-19AD-4BF2-88C0-0232B1FBFDE2}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 and SOAP Toolkit 3.0-->MsiExec.exe /I{32343DB6-9A52-40C9-87E4-5E7C79791C87}
myphotobook 3.1-->C:\Program Files\myphotobook\uninst.exe
NBA Live '97-->C:\Windows\uninst.exe -f"C:\EA Sports\NBA Live '97\DeIsL1.isu"
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Pcsx2 0.9.6-->MsiExec.exe /I{0E2B767B-EA6A-489B-BF83-8083FE1DB661}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x001d -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Media Encoder (KB954156)-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} MSIPATCHREMOVE={E836F1B7-43FB-46B0-A0D9-E4D2A5951659} /qb
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
Språkpaket för Microsoft .NET Framework 3.5 SP 1 - sve-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - sve\setup.exe
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Svenska Spels Poker-->C:\Casino\SVENSK~1\UNWISE.EXE C:\Casino\SVENSK~1\INSTALL.LOG
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers.-->C:\Program Files\InstallShield Installation Information\{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}\setup.exe -runfromtemp -l0x0409
TOSHIBA Administratörslösenord-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1053
TOSHIBA Assist-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x1d
TOSHIBA ConfigFree-->C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe -runfromtemp -l0x001duninstall -removeonly
TOSHIBA Disc Creator-->MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA Extended Tiles for Windows Mobility Center-->C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x041d
Toshiba Online Product Information-->C:\Program Files\InstallShield Installation Information\{2290A680-4083-410A-ADCC-7092C67FC052}\setup.exe -runfromtemp -l0x001d -removeonly
TOSHIBA SD Memory Utilities-->MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Modem-->Tosmreg -U
TOSHIBA Value Added Package-->C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x041d
TOSHIBAs maskinvaruinstallningar-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1053
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VideoAvatar-->"C:\Program Files\GeoVid\Video Avatar\unins000.exe"
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{5A70922D-9365-43CC-ADA9-CB84E4A54E4E}
Windows Live inloggningsassistenten-->MsiExec.exe /I{6B30FB1E-9F4A-49BA-9D74-174F1ECEB59D}
Windows Live Mail-->MsiExec.exe /I{9BBE7AA1-AFA8-4D76-8FC2-1FDFD9BD3371}
Windows Live Messenger-->MsiExec.exe /X{EC928237-A3BD-4640-ABD0-E49E758F2315}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinDVD for TOSHIBA-->C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\setup.exe -runfromtemp -l0x041d
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR -->C:\Program Files\WinRAR\uninstall.exe
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Vuze_Remote Toolbar-->C:\PROGRA~1\VUZE_R~1\UNWISE.EXE /U C:\PROGRA~1\VUZE_R~1\INSTALL.LOG
Vuze-->C:\Program Files\Vuze\uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: hemdator
Event Code: 1003
Message: Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för nätverkskortet med nätverksadressen 001B9E359097. Följande fel uppstod:
Åtgärden avbröts av användaren.. Datorn kommer att fortsätta försöka erhålla en ny adress själv från DHCP-servern.
Record Number: 145782
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090908083328.000000-000
Event Type: Varning
User:

Computer Name: hemdator
Event Code: 1003
Message: Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för nätverkskortet med nätverksadressen 001B9E359097. Följande fel uppstod:
Åtgärden avbröts av användaren.. Datorn kommer att fortsätta försöka erhålla en ny adress själv från DHCP-servern.
Record Number: 145771
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090908071311.000000-000
Event Type: Varning
User:

Computer Name: hemdator
Event Code: 1003
Message: Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för nätverkskortet med nätverksadressen 001B9E359097. Följande fel uppstod:
Åtgärden avbröts av användaren.. Datorn kommer att fortsätta försöka erhålla en ny adress själv från DHCP-servern.
Record Number: 145770
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090908071310.000000-000
Event Type: Varning
User:

Computer Name: hemdator
Event Code: 1003
Message: Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för nätverkskortet med nätverksadressen 001B9E359097. Följande fel uppstod:
Åtgärden avbröts av användaren.. Datorn kommer att fortsätta försöka erhålla en ny adress själv från DHCP-servern.
Record Number: 145769
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090908071310.000000-000
Event Type: Varning
User:

Computer Name: hemdator
Event Code: 1003
Message: Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för nätverkskortet med nätverksadressen 001B9E359097. Följande fel uppstod:
Åtgärden avbröts av användaren.. Datorn kommer att fortsätta försöka erhålla en ny adress själv från DHCP-servern.
Record Number: 145768
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090908071310.000000-000
Event Type: Varning
User:

=====Application event log=====

Computer Name: hemdator
Event Code: 3026
Message: Det gick inte att köra Advise Status Change. Systemet har troligen för lite resurser. Frigör resurser och starta om tjänsten.

Kontext: program Windows, katalog SystemIndex

Information:
Innehållsindextjänsten har stoppats. (0x80041812)

Record Number: 966
Source Name: Microsoft-Windows-Search
Time Written: 20070926152230.000000-000
Event Type: Fel
User:

Computer Name: hemdator
Event Code: 3026
Message: Det gick inte att köra Advise Status Change. Systemet har troligen för lite resurser. Frigör resurser och starta om tjänsten.

Kontext: program Windows, katalog SystemIndex

Information:
Innehållsindextjänsten har stoppats. (0x80041812)

Record Number: 965
Source Name: Microsoft-Windows-Search
Time Written: 20070926152230.000000-000
Event Type: Fel
User:

Computer Name: hemdator
Event Code: 3026
Message: Det gick inte att köra Advise Status Change. Systemet har troligen för lite resurser. Frigör resurser och starta om tjänsten.

Kontext: program Windows, katalog SystemIndex

Information:
Innehållsindextjänsten har stoppats. (0x80041812)

Record Number: 964
Source Name: Microsoft-Windows-Search
Time Written: 20070926152230.000000-000
Event Type: Fel
User:

Computer Name: hemdator
Event Code: 3026
Message: Det gick inte att köra Advise Status Change. Systemet har troligen för lite resurser. Frigör resurser och starta om tjänsten.

Kontext: program Windows, katalog SystemIndex

Information:
Innehållsindextjänsten har stoppats. (0x80041812)

Record Number: 963
Source Name: Microsoft-Windows-Search
Time Written: 20070926152230.000000-000
Event Type: Fel
User:

Computer Name: hemdator
Event Code: 1008
Message: Det görs ett försök att ta bort den gamla katalogen.

Record Number: 958
Source Name: Microsoft-Windows-Search
Time Written: 20070926152215.000000-000
Event Type: Varning
User:

=====Security event log=====

Computer Name: hemdator
Event Code: 4634
Message: Utloggning har skett på ett konto.

Subjekt:
Säkerhets-ID: S-1-5-21-3954783600-1880665666-2513795363-1000
Kontonamn: Niklas
Kontodomän: hemdator
Inloggnings-ID: 0x3249f80

Inloggningstyp: 7

Händelsen skapas när en inloggningssession förstörs. Det kan vara positivt korrelerat med en inloggningshändelse med värdet för inloggnings-ID-numret. Inloggnings-ID-nummer är endast unika mellan omstarter på samma dator.
Record Number: 59266
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090414171552.284400-000
Event Type: Lyckad granskning
User:

Computer Name: hemdator
Event Code: 4624
Message: En inloggning har skett på ett konto.

Subjekt:
Säkerhets-ID: S-1-5-18
Kontonamn: HEMDATOR$
Kontodomän: WORKGROUP
Inloggnings-ID: 0x3e7

Inloggningstyp: 7

Ny inloggning:
Säkerhets-ID: S-1-5-21-3954783600-1880665666-2513795363-1000
Kontonamn: Niklas
Kontodomän: hemdator
Inloggnings-ID: 0x3249f80
Inloggnings-GUID: {00000000-0000-0000-0000-000000000000}

Processinformation:
Process-ID: 0x338
Processnamn: C:\Windows\System32\winlogon.exe

Nätverksinformation:
Arbetsstationens namn: HEMDATOR
Källnätverksadress: 127.0.0.1
Källport: 0

Detaljerad autentiseringsinformation:
Inloggningsprocess: User32
Autentiseringspaket: Negotiate
Överförda tjänster: -
Paketnamn (endast NTLM): -
Nyckellängd: 0

Händelsen skapas när en inloggningssession skapas. Den skapas på datorn som inloggningen skedde på.

Subjektsfälten anger vilket konto på det lokala systemet som inloggningen begärdes för. Detta är oftast en tjänst, till exempel tjänsten Server, eller en lokal process som exempelvis Winlogon.exe eller Services.exe.

Fältet för inloggningstyp anger vilken typ av inloggning som skedde. De vanligaste typerna är 2 (interaktiv) och 3 (nätverk).

Fälten Ny inloggning anger kontot som den nya inloggningen skapades för, d.v.s. det konto som var inloggat.

Nätverksfälten anger varifrån en begäran om fjärrinloggning skickades. Arbetsstationens namn är inte alltid tillgängligt och fältet kan i vissa fall lämnas tomt.

I fälten med autentiseringsinformation finns detaljerad information om den här specifika inloggningsbegäran.
- Inloggnings-GUID är ett unikt ID som kan användas till att korrelera händelsen med en KDC-händelse.
- Överförda tjänster anger vilka mellanliggande tjänster som har deltagit i inloggningsbegäran.
- Paketets namn anger vilket underprotokoll som användes tillsammans med NTLM-protokollen.
- Nyckellängden anger längden på den skapade sessionsnyckeln. Värdet är 0 om ingen sessionsnyckel begärdes.
Record Number: 59265
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090414171552.284400-000
Event Type: Lyckad granskning
User:

Computer Name: hemdator
Event Code: 4634
Message: Utloggning har skett på ett konto.

Subjekt:
Säkerhets-ID: S-1-5-21-3954783600-1880665666-2513795363-1000
Kontonamn: Niklas
Kontodomän: hemdator
Inloggnings-ID: 0x3249f8d

Inloggningstyp: 7

Händelsen skapas när en inloggningssession förstörs. Det kan vara positivt korrelerat med en inloggningshändelse med värdet för inloggnings-ID-numret. Inloggnings-ID-nummer är endast unika mellan omstarter på samma dator.
Record Number: 59264
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090414171552.284400-000
Event Type: Lyckad granskning
User:

Computer Name: hemdator
Event Code: 4648
Message: Ett inloggningsförsök med uttryckliga autentiseringsuppgifter gjordes.

Subjekt:
Säkerhets-ID: S-1-5-18
Kontonamn: HEMDATOR$
Kontodomän: WORKGROUP
Inloggnings-ID: 0x3e7
Inloggnings-GUID: {00000000-0000-0000-0000-000000000000}

Konto vars autentiseringsuppgifter användes:
Kontonamn: Niklas
Kontodomän: hemdator
Inloggnings-GUID: {00000000-0000-0000-0000-000000000000}

Målserver:
Målservernamn: localhost
Ytterligare information: localhost

Processinformation:
Process-ID: 0x338
Processnamn: C:\Windows\System32\winlogon.exe

Nätverksinformation:
Nätverksadress: 127.0.0.1
Port: 0

Händelsen skapas när en process försöker logga in ett konto genom att uttryckligen ange kontots autentiseringsuppgifter. Detta förekommer oftast i konfigurationer av kommandotyp, som schemalagda aktiviteter, eller när kommandot RUNAS används.
Record Number: 59263
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090414171552.284400-000
Event Type: Lyckad granskning
User:

Computer Name: hemdator
Event Code: 4672
Message: Särskilda privilegier tilldelades till ny inloggning.

Subjekt:
Säkerhets-ID: S-1-5-21-3954783600-1880665666-2513795363-1000
Kontonamn: Niklas
Kontodomän: hemdator
Inloggnings-ID: 0x31cf103

Privilegier: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 59262
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090414165732.459200-000
Event Type: Lyckad granskning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 12, GenuineIntel
"PROCESSOR_REVISION"=0e0c
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------

ken545 · May 23, 2010

Great :bigthumb:

Let me point out a few things.

askBar<-- Not malicious but it does track your surfing, up to you to keep it or not

Vuze <--This alters your browser and your search, again your call to keep it or not

uTorrent <--File sharing is not recommended as they have become the biggest source of infection , your downloading that file from and unknown source and you have no idea what that file will contain.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)

If you uninstall ASK, then remove these also if still present
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

I am looking at a malicious driver on your system, but it may be gone, we need to check

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has already been checked, have them check it again

C:\Windows\system32\drivers\ajkz7qf3.sys

If the site is busy you can try this one

http://virusscan.jotti.org/en

loophole5 · May 23, 2010

I think i might as well remove both vuze and utorrent i rarely use them anymore.

I hope this is the file log your requesting:

File size: 19944 bytes
MD5...: 1f05b78ab91c9075565a9d8a4b880bc4
SHA1..: 218442cd7afecbc8d102c4e31d9ef3528642191b
SHA256: 737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd
ssdeep: 384:zzY0Vgd1RrKzBpWk4UwWFSn8G6FuT+quHpBjbOjBMwzt8:zz/Vgd1gzQUSuB
xkMwzt8

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x49e01eed (Sat Apr 11 04:39:09 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19b0 0x1a00 6.30 4ac8c9f82cf23d85316bd85d3d8e4efb
.rdata 0x3000 0xae 0x200 1.49 3d541e69f96e97a837841ad289adeac7
.data 0x4000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x5000 0x364 0x400 4.51 f238fffd3a9917d72f4888f4276b3b06
.rsrc 0x6000 0x3f8 0x400 3.38 5c8a106a7c9416fb469c83dfab844abd
.reloc 0x7000 0x8a 0x200 1.37 064d7db7c16955d4dc6d3f7afb703e06

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortMoveMemory, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortUshort, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:

ken545 · May 23, 2010

I think the newer version of Malwarebytes removes that stuff without user intervention. But its clean now and thats all that matters

It doesn't look like the entire report for that file, can you try it again and even try it at Jotti.com

loophole5 · May 24, 2010

Your correct there were a few at the top that i didnt got in my first post.

a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.23.00 2010.05.22 -
AntiVir 8.2.1.242 2010.05.23 -
Antiy-AVL 2.0.3.7 2010.05.24 -
Authentium 5.2.0.5 2010.05.23 -
Avast 4.8.1351.0 2010.05.23 -
Avast5 5.0.332.0 2010.05.23 -
AVG 9.0.0.787 2010.05.23 -
BitDefender 7.2 2010.05.24 -
CAT-QuickHeal 10.00 2010.05.24 -
ClamAV 0.96.0.3-git 2010.05.22 -
Comodo 4930 2010.05.24 -
DrWeb 5.0.2.03300 2010.05.24 -
eSafe 7.0.17.0 2010.05.23 -
eTrust-Vet 35.2.7506 2010.05.24 -
F-Prot 4.6.0.103 2010.05.23 -
F-Secure 9.0.15370.0 2010.05.24 -
Fortinet 4.1.133.0 2010.05.23 -
GData 21 2010.05.24 -
Ikarus T3.1.1.84.0 2010.05.24 -
Jiangmin 13.0.900 2010.05.22 -
Kaspersky 7.0.0.125 2010.05.24 -
McAfee 5.400.0.1158 2010.05.24 -
McAfee-GW-Edition 2010.1 2010.05.23 -
Microsoft 1.5802 2010.05.24 -
NOD32 5139 2010.05.23 -
Norman 6.04.12 2010.05.23 -
nProtect 2010-05-23.01 2010.05.23 -
Panda 10.0.2.7 2010.05.23 -
PCTools 7.0.3.5 2010.05.24 -
Prevx 3.0 2010.05.24 -
Rising 22.49.00.03 2010.05.24 -
Sophos 4.53.0 2010.05.24 -
Sunbelt 6346 2010.05.24 -
Symantec 20101.1.0.89 2010.05.24 -
TheHacker 6.5.2.0.286 2010.05.24 -
TrendMicro 9.120.0.1004 2010.05.24 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.24 -
VBA32 3.12.12.5 2010.05.22 -
ViRobot 2010.5.20.2326 2010.05.24 -
VirusBuster 5.0.27.0 2010.05.23 -
Övrig information
File size: 19944 bytes
MD5...: 1f05b78ab91c9075565a9d8a4b880bc4
SHA1..: 218442cd7afecbc8d102c4e31d9ef3528642191b
SHA256: 737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd
ssdeep: 384:zzY0Vgd1RrKzBpWk4UwWFSn8G6FuT+quHpBjbOjBMwzt8:zz/Vgd1gzQUSuB
xkMwzt8

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x49e01eed (Sat Apr 11 04:39:09 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19b0 0x1a00 6.30 4ac8c9f82cf23d85316bd85d3d8e4efb
.rdata 0x3000 0xae 0x200 1.49 3d541e69f96e97a837841ad289adeac7
.data 0x4000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x5000 0x364 0x400 4.51 f238fffd3a9917d72f4888f4276b3b06
.rsrc 0x6000 0x3f8 0x400 3.38 5c8a106a7c9416fb469c83dfab844abd
.reloc 0x7000 0x8a 0x200 1.37 064d7db7c16955d4dc6d3f7afb703e06

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortMoveMemory, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortUshort, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: ATAPI IDE Miniport Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ken545 · May 24, 2010

Thanks for rerunning that scan. Looks OK, how are things running now ?

loophole5 · May 24, 2010

It feels OK slightly faster than normal and no real problem. I have the occasional popup from LiveJasmin but that has nothing to do with the trojan as far as i know. I work a lot with uploading celebpics on a forum community.

So thanks a lot for the help. If i want it go smoother than this i need to make a system restore there are to much crap on my computer right now so its time for it anyway.

ken545 · May 24, 2010

Don't do a system restore or you will just reinfect your self again as all we removed is backed up in that program, we need to flush it all out and create a new restore point.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial <-- If you need it

LiveJasmin <--Bad site, you should not have those popups.

Open Internet Explorer and go to Tools> Internet Options. Advanced Tab> Reset Internet Explorer Setting> Reset....takes a few seconds...ok your way out

Then go to the General Tab > Browsing History > Delete and delete it all. Then close out IE

Go to Start. Run and type in CMD and hit enter
At the command prompt type in ipconfig /flushdns
Hit enter

Let me know if any of this helped ?

loophole5 · May 24, 2010

Well the connection got really rapid straight away but the popup is there like clockwork. It will appear at least once on one of my sources where i find pics. forum.phun.org

And also show up about 2 to 4 times on imagebam when i upload the pics. I have never even clicked on any banner at all so i dont know how or what ive done to makeing it appear all the time.

The system restore went easy eventough i had to read the tutorial.

loophole5 · May 24, 2010

I just need too clarify its only when i visit that site as well as the imagehost above it shows up. If i go to a really crappy site that are swarmed with popups and commercials it doesnt show at all.

ken545 · May 24, 2010

Ok, lets do this

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

loophole5 · May 24, 2010

Hi again Ken thanks for hanging in there.

I thought i´d give you a small update on how things are running. It seems like we are on the right track atleast. The number of popups are not as frequent as earlier but still present they are almost completely gone from the imagehosts. But still there on the homepage i mentioned. It doesnt come every time i go there its more like it is running on some timer that every other 3 to 5 hours it comes up like some hickup or something. Anyway here are the logs.

ComboFix 10-05-24.03 - Niklas 2010-05-24 22:23:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.2037.1263 [GMT 2:00]
Körs från: c:\users\Niklas\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((( Filer Skapade från 2010-04-24 till 2010-05-24 ))))))))))))))))))))))))))))))
.

2010-05-24 20:11 . 2010-05-24 20:11 -------- d-----w- c:\users\Niklas\AppData\Roaming\AVG9
2010-05-24 13:27 . 2010-05-24 13:28 -------- d-----w- c:\users\Niklas\AppData\Local\Adobe
2010-05-23 08:42 . 2010-05-23 08:42 -------- d-----w- C:\rsit
2010-05-22 21:40 . 2010-05-22 21:40 -------- d-----w- c:\users\Niklas\AppData\Roaming\Malwarebytes
2010-05-22 21:39 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 21:39 . 2010-05-22 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 21:39 . 2010-05-22 21:39 -------- d-----w- c:\programdata\Malwarebytes
2010-05-22 21:39 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 16:10 . 2010-05-23 08:42 -------- d-----w- c:\program files\Trend Micro
2010-05-12 13:27 . 2010-05-12 13:27 -------- d-----w- c:\program files\Vuze
2010-05-12 13:27 . 2010-05-12 13:27 -------- d-----w- c:\program files\Vuze_Remote
2010-05-12 11:47 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-28 07:59 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 13:36 . 2007-10-11 19:41 4258 ----a-w- c:\users\Niklas\AppData\Roaming\wklnhst.dat
2010-05-18 04:03 . 2007-09-27 13:05 -------- d-----w- c:\users\Niklas\AppData\Roaming\Azureus
2010-05-12 13:27 . 2010-05-12 13:27 -------- d-----w- c:\program files\Vuze
2010-05-12 13:27 . 2010-05-12 13:27 -------- d-----w- c:\program files\Vuze_Remote
2010-05-12 13:25 . 2007-09-26 16:28 -------- d-----w- c:\users\Niklas\AppData\Roaming\uTorrent
2010-05-12 12:23 . 2006-11-21 05:03 597836 ----a-w- c:\windows\system32\perfh01D.dat
2010-05-12 12:23 . 2006-11-21 05:03 117416 ----a-w- c:\windows\system32\perfc01D.dat
2010-05-12 12:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-21 08:05 . 2009-10-30 06:17 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 08:52 . 2010-03-17 08:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 08:52 . 2009-10-30 06:17 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-17 08:51 . 2009-10-30 06:17 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 16:25 . 2010-03-31 08:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 08:29 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33 . 2010-04-14 08:46 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 07:31 . 2007-09-26 14:34 78912 ----a-w- c:\users\Niklas\AppData\Local\GDIPFONTCACHEV1.DAT
2007-05-11 16:48 . 2007-09-27 10:58 819183 ----a-r- c:\program files\fmXML_setup.exe
2009-08-02 22:26 . 2008-07-29 10:57 80930336 --sha-w- c:\windows\System32\drivers\fidbox.dat
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 14:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 413696]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883840]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-19 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-02-06 509496]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-20 438272]
"NDSTray.exe"="NDSTray.exe" [BU]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-28 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-28 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-28 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-02 835584]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-02-13 405504]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-26 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):d0,90,99,6b,77,52,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-10-04 685816]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-05 1181328]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-09-23 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-17 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-17 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-17 308064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://forums.superiorpics.com/ubbthreads/ubbthreads.php
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?SW
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

AddRemove-AdVantage_DAEM - c:\program files\AdVantage\AdVUninst.exe
AddRemove-Azureus Vuze - c:\users\Niklas\Documents\Azureus\uninstall.exe
AddRemove-NBA Live '97 - c:\ea sports\NBA Live '97\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 22:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\Niklas\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000a5
.
Sluttid: 2010-05-24 22:34:13
ComboFix-quarantined-files.txt 2010-05-24 20:34

Före genomsökningen: 46*736*973*824 byte ledigt
Efter genomsökningen: 46*629*584*896 byte ledigt

- - End Of File - - 7D1B5FC68CDDE5553C82E7DB6C648DF9

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41:19, on 2010-05-24
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.superiorpics.com/ubbthreads/ubbthreads.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adblock Pro - {F385C231-605B-4d8f-ACA9-DBFF765BBE17} - C:\Program Files\Adblock Pro\AdblockPro.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\..\Run: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "%ProgramFiles%\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?SW (file missing)
O9 - Extra button: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O9 - Extra 'Tools' menuitem: Adblock Pro Preferences - {E7FD3540-AB30-40f1-91E7-101F733C1FD5} - C:\Program Files\Adblock Pro\AdblockPro.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6914 bytes

ken545 · May 24, 2010

So what your saying is if you go to a regular site like say msn.com, there are no popups ? Are you being redirected in any of your searches.

c:\windows\system32\browserchoice.exe <-- delete this file, let me know if it would not delete

CF did not remove anything bad and the rest of your logs look fine

loophole5 · May 25, 2010

That is pretty much correct it is limited to the places i have stated earlier. If you say that my computer is clean as far as you can tell from the logs (there are no guarantees) it is probably related to the webpages.

About the file it will not be deleted since i dont have the proper authorization im not entirely sure how i change that on Vista.:red:

ken545 · May 25, 2010

Not all but most programs require you to right click on the .exe file and RUN AS ADMINISTRATOR.

Please download OTM by OldTimer and save it to your desktop.
Double click the

icon on your desktop.

Paste the following code under the

area.
Do not include the word "Code".

Code:

:Processes
explorer.exe

:Files
c:\windows\system32\browserchoice.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Push the large

button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the

line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

loophole5 · May 25, 2010

here is the log.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File move failed. c:\windows\system32\browserchoice.exe scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Niklas
->Temp folder emptied: 119453 bytes
->Temporary Internet Files folder emptied: 55674409 bytes
->Java cache emptied: 5185900 bytes
->Flash cache emptied: 90976 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 58,00 mb

OTM by OldTimer - Version 3.1.12.0 log created on 05252010_220533

Files moved on Reboot...
File move failed. c:\windows\system32\browserchoice.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Infected with trojan horse SHeur3.XCC

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member