Malware Infection, keep coming back


MrBugger

New member
Hi,

One of my computers is showing a lot of malware; I need removal help.

Br

DDS (Ver_10-03-17.01) - NTFSx86
Run by Olsson at 18:33:41,39 on 2010-07-19
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1086 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\Windows Live\Family Safety\fsssvc.exe
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\F-Secure\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\Windows Live\Family Safety\fsui.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\Skype\Phone\Skype.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program\Java\jre6\bin\java.exe
C:\Program\Spotify\spotify.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Olsson\Skrivbord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bilddagboken.se/p/frontpage.html#0
uWindow Title = Pappa Johan äger!!!
uInternet Settings,ProxyOverride = *.local
mWinlogon: Taskman=c:\recycler\s-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe,explorer.exe,c:\documents and settings\olsson\application data\ebzbg.exe
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program\windows live\family safety\fssbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program\skype\phone\Skype.exe" /nosplash /minimized
uRun: [xtoe8] c:\windows\system32\hii6e1v2.exe
uRun: [zaawwh2] c:\windows\system32\k95iyzaqq9.exe
uRun: [tje6a] c:\windows\system32\dze8a1hr.exe
uRun: [fbcnt] c:\windows\system32\c8ijeflbc.exe
uRun: [toe9a] c:\windows\system32\2lbcdyu.exe
uRun: [msooz8] c:\windows\system32\hs6t15va.exe
uRun: [djagl] c:\windows\system32\xss70e1a3.exe
uRun: [jaglw] c:\windows\system32\xss70e1a3cn.exe
uRun: [wxdyua] c:\windows\system32\izplr2siej.exe
uRun: [aammi1e] c:\windows\system32\xnejkaw3.exe
uRun: [qwbm9] c:\windows\system32\ukal2xc3e1.exe
uRun: [ghityfq] c:\windows\system32\lgbss9euavg.exe
uRun: [euvlm] c:\windows\system32\p9r0ii9jall.exe
uRun: [ezqlmcx] c:\windows\system32\kvr0ii9ja.exe
uRun: [dopkq] c:\windows\system32\c1yefk9g.exe
uRun: [qrcinj] c:\windows\system32\r4xoepq73s9.exe
uRun: [sxtoo6] c:\windows\system32\d6avrrnd6.exe
uRun: [pvvmmxd] c:\windows\system32\0jeuglw.exe
uRun: [uqwrst] c:\windows\system32\yjffbrsi.exe
uRun: [qbmxt] c:\windows\system32\ntef2rm9sy.exe
uRun: [vbmxtoj] c:\windows\system32\nyjffbrsit.exe
uRun: [pggbs] c:\windows\system32\nytpk1gc71d.exe
uRun: [aqrmm6] c:\windows\system32\0eezqbw.exe
uRun: [vbxtjp] c:\windows\system32\e7plq6sxi.exe
uRun: [pabbxnn] c:\windows\system32\vrm674pqgg.exe
uRun: [mrinjea] c:\windows\system32\zugmhddz.exe
uRun: [wsnjjaq] c:\windows\system32\zugmhddza.exe
uRun: [zplghc] c:\windows\system32\rhd3eu1q.exe
uRun: [ghc3o] c:\windows\system32\2u1q3x7.exe
uRun: [xdtjzq] c:\windows\system32\aagmcs9u.exe
uRun: [ppqb8n] c:\windows\system32\rrd27p0l.exe
uRun: [cnjj7] c:\windows\system32\0mrs9jp.exe
uRun: [stez0v] c:\windows\system32\0riy0uu.exe
uRun: [yezaqg] c:\windows\system32\0iy0uup.exe
uRun: [rnno3] c:\windows\system32\9msnokk.exe
uRun: [whty3a] c:\windows\system32\pfqb60c4o0.exe
uRun: [neezq] c:\windows\system32\xoojaavm.exe
uRun: [qqlcc] c:\windows\system32\zuu6gg6ss.exe
uRun: [kabrsd] c:\windows\system32\tzpgmrnt.exe
uRun: [wmcctup] c:\windows\system32\cs1uzalrhso.exe
uRun: [wsndo9v] c:\windows\system32\78x5oj6.exe
uRun: [ekvqmh] c:\windows\system32\dj625b66.exe
uRun: [mdi3u] c:\windows\system32\5hsdzkf.exe
uRun: [bmcxio] c:\windows\system32\fqwrc870.exe
uRun: [mccy1o] c:\windows\system32\c1sty86k.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DAEMON Tools-1033] "c:\program\d-tools\daemon.exe" -lang 1033
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [F-Secure Manager] "c:\program\f-secure\common\FSM32.EXE" /splash
mRun: [fssui] "c:\program\windows live\family safety\fsui.exe" -autorun
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\olsson\start-meny\program\autostart\0ofalhn.exe
StartupFolder: c:\documents and settings\olsson\start-meny\program\autostart\3ggbsst.exe
StartupFolder: c:\documents and settings\olsson\start-meny\program\autostart\vvmc6n0t.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\micros~1.lnk - c:\program\microsoft office\office\OSA9.EXE
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\jenny\start-meny\program\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194543042140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-11-25 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-11-25 5248]
R2 BackWeb Client - 7681197;F-Secure BackWeb;c:\program\f-secure\backweb\7681197\program\SERVIC~1.EXE [2009-9-13 16384]
R2 F-Secure Filter;F-Secure File System Filter;c:\program\f-secure\anti-virus\win2k\FSfilter.sys [2009-9-13 47280]
R2 F-Secure Gatekeeper Handler Starter;F-Secure Gatekeeper Handler Starter;c:\program\f-secure\anti-virus\fsgk32st.exe [2009-9-13 45056]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program\f-secure\anti-virus\win2k\fsgk.sys [2009-9-13 37456]
R2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program\f-secure\anti-virus\win2k\FSrec.sys [2009-9-13 15984]
R2 FSpm;F-Secure Policy Manager;c:\program\f-secure\common\FSpm.sys [2009-9-13 65328]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-20 54752]
R2 fsssvc;Tjänsten Windows Live Family Safety;c:\program\windows live\family safety\fsssvc.exe [2009-8-5 704864]
R3 F-Secure Network Request Broker;F-Secure Network Request Broker;c:\program\f-secure\common\FNRB32.exe [2009-9-13 110668]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-1-27 17792]
S2 gupdate;Google Update Service (gupdate);c:\program\google\update\GoogleUpdate.exe [2010-5-13 136176]
S3 F-Secure BackWeb LAN Access;F-Secure BackWeb LAN Access;c:\program\f-secure\backweb\7681197\program\fsbwlan.exe [2009-9-13 39936]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 XDva317;XDva317;\??\c:\windows\system32\xdva317.sys --> c:\windows\system32\XDva317.sys [?]
S3 XDva321;XDva321;\??\c:\windows\system32\xdva321.sys --> c:\windows\system32\XDva321.sys [?]
S3 XDva323;XDva323;\??\c:\windows\system32\xdva323.sys --> c:\windows\system32\XDva323.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\xdva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva327;XDva327;\??\c:\windows\system32\xdva327.sys --> c:\windows\system32\XDva327.sys [?]
S3 XDva336;XDva336;\??\c:\windows\system32\xdva336.sys --> c:\windows\system32\XDva336.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\xdva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva342;XDva342;\??\c:\windows\system32\xdva342.sys --> c:\windows\system32\XDva342.sys [?]
S3 XDva345;XDva345;\??\c:\windows\system32\xdva345.sys --> c:\windows\system32\XDva345.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\xdva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva348;XDva348;\??\c:\windows\system32\xdva348.sys --> c:\windows\system32\XDva348.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]

=============== Created Last 30 ================

2010-07-14 15:14:33 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-07-14 13:52:53 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-26 17:45:36 14720 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-26 15:05:09 0 d-----w- c:\program\iPod
2010-06-26 14:51:28 0 d-----w- c:\program\Bonjour
2010-06-19 17:14:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard

==================== Find3M ====================

2010-06-22 19:15:04 87766 ----a-w- c:\windows\system32\perfc01D.dat
2010-06-22 19:15:04 454926 ----a-w- c:\windows\system32\perfh01D.dat
2010-05-18 14:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-13 11:43:23 321328 ----a-w- c:\program\utorrent.exe
2010-05-13 11:36:24 562864 ----a-w- c:\program\GoogleEarthPluginSetup.exe
2010-05-13 11:18:48 97547048 ----a-w- c:\program\iTunesSetup.exe
2010-05-06 10:36:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:10:15 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-12-28 19:48:53 1971 ----a-w- c:\program\Harry Potter(TM) och Fången från Azkaban.lnk
2008-05-16 18:03:20 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 18:34:28,87 ===============

http://forums.spybot.info/showthread.php?p=378016#post378016
 
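The DDS "Pseudo HJT Report" above can be triaged mechanically before any tool is run. What follows is an added example written for this page; it is not a tool from the thread, from Safer Networking, or from the DDS author. It takes a handful of lines copied from the report above (plus benign entries of the same shape, constructed for contrast) and flags the patterns that the later Malwarebytes log confirms: Winlogon Shell and Taskman values that are not plain explorer.exe, an autorun living under RECYCLER or Temp, machine-generated file names in system32 or the user profile, and a Hosts entry that pins a security site to loopback. The rule names, the `looks_random` heuristic and its thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input (constructed for this example): lines copied from the DDS
# "Pseudo HJT Report" above, plus benign entries of the same shape
# (ctfmon, Skype, NvCpl, jusched) included for contrast.
SAMPLE_HJT = r"""
uStart Page = hxxp://bilddagboken.se/p/frontpage.html#0
mWinlogon: Taskman=c:\recycler\s-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe,explorer.exe,c:\documents and settings\olsson\application data\ebzbg.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program\skype\phone\Skype.exe" /nosplash /minimized
uRun: [xtoe8] c:\windows\system32\hii6e1v2.exe
uRun: [zaawwh2] c:\windows\system32\k95iyzaqq9.exe
uRun: [kabrsd] c:\windows\system32\tzpgmrnt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
StartupFolder: c:\documents and settings\olsson\start-meny\program\autostart\0ofalhn.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Line shapes as they appear in the DDS report (assumption: this example only
# handles the Winlogon, Run/StartupFolder and Hosts lines shown above).
WINLOGON = re.compile(r"^[umd]Winlogon:\s*(Shell|Taskman)=(.*)$", re.IGNORECASE)
AUTORUN = re.compile(r"^([umd]Run|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(?P<cmd>.*)$")
HOSTS = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
EXE_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    rule: str   # rule names are this example's own, not DDS or Malwarebytes terms
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names such as hii6e1v2 or 0ofalhn:
    a leading digit, two or more letter/digit alternations, or a long name
    with no vowels. Deliberately conservative, so it misses purely
    alphabetic random names; those still surface via the location rules."""
    s = stem.lower()
    if not s.isalnum():
        return False
    if s[0].isdigit():
        return True
    runs = re.findall(r"[a-z]+|[0-9]+", s)
    if len(runs) - 1 >= 2:
        return True
    return len(s) >= 8 and not any(c in "aeiouy" for c in s)


def triage_hjt(text: str) -> List[Finding]:
    """Walk a DDS Pseudo HJT report and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = WINLOGON.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            # Shell must be exactly explorer.exe; Taskman is normally absent.
            if key == "shell" and value.lower() != "explorer.exe":
                findings.append(Finding("winlogon-shell", line))
            elif key == "taskman" and value:
                findings.append(Finding("winlogon-taskman", line))
            continue
        m = HOSTS.match(line)
        if m:
            ip, host = m.groups()
            # A non-localhost name pinned to loopback blocks that site (here a security forum).
            if ip in LOOPBACK and host.lower() != "localhost":
                findings.append(Finding("hosts-loopback", line))
            continue
        m = AUTORUN.match(line)
        if not m:
            continue
        p = EXE_PATH.search(m.group("cmd"))
        if not p:
            continue  # rundll32/nwiz style entries carry no full .exe path; not assessed here
        path = p.group(1).lower()
        directory, _, filename = path.rpartition("\\")
        stem = filename[:-4]  # drop ".exe"
        if "\\recycler\\" in path or "\\temp\\" in path:
            findings.append(Finding("suspicious-location", line))
        elif ("\\system32" in directory or "\\documents and settings" in directory) and looks_random(stem):
            findings.append(Finding("random-name", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a one-line overview of a long report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Run as a script it prints seven findings for the sample: the Taskman and Shell lines, four random-name autoruns, and the Hosts entry; the benign ctfmon, Skype, NvCpl and jusched lines produce nothing. The Winlogon check is exact (anything other than explorer.exe is wrong, which is also what Malwarebytes later reports as "Bad" versus "Good"), while the name-shape rule is only a heuristic and should be read as a prioritisation aid, not a verdict.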


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Yep, you have a lot going on.


Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    [screenshot: MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
Hi Ken!

Thanks for helping me, you guys do a great job

Just to be sure, I have made 2 posts because 2 of my computers are infected, and now you want me to run Malwarebytes on the first one?

Br
 
MB,

Run Malwarebytes on the computer that you posted in this forum for, the one that you posted the DDS log for.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Olsson at 18:33:41,39 on 2010-07-19
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2046.1086 [GMT 2:00]

DO NOT RUN ANY SCANS OR POST ANY LOGS FROM ANY OTHER COMPUTERS, WHEN WE'RE DONE WITH THIS ONE THIS THREAD WILL BE CLOSED AND YOU CAN START A NEW THREAD AND POST FOR THE OTHER ONE.
 
Hi Ken!

Just wanted to be 100% sure. Anyway, here is the report from Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Databasversion: 4340

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-07-23 16:09:08
mbam-log-2010-07-23 (16-09-08).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 137975
Förfluten tid: 12 minut(er), 8 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 2
Infekterade registerdataposter: 1
Infekterade mappar: 0
Infekterade filer: 67

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.AutoRun) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Infekterade registerdataposter:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe,explorer.exe,C:\Documents and Settings\Olsson\Application Data\ebzbg.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\RECYCLER\S-1-5-21-9735241404-2918741587-970478018-9969\yv8g67.exe (Trojan.Proxy) -> Delete on reboot.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\0ofalhn.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\3ggbsst.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\6ioo69a.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\hi3y3aa9gm.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\nio5u1lhxi.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\vvmc6n0t.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Start-meny\Program\Autostart\xteo75lg.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\461.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\463.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\488.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\529.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\583.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\595.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\608.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\613.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\628.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\646.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\667.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\687.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\708.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\727.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\748.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\789.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\797.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\820.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\821.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\822.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\837.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\853.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\884.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\912.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\926.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\948.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\954.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\963.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\977.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\458.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\010.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\054.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\064.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\088.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\094.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\102.exe (Trojan.Renos) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\104.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\106.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\119.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\141.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\148.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\151.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\166.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\184.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\191.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\251.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\258.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\259.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\264.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\280.exe (BackDoor.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\289.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\292.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\339.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\356.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\375.exe (Trojan.DDox) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\401.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\404.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\447.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temp\452.exe (Trojan.DDox) -> Quarantined and deleted successfully.
 
Good,

The reason we only do one computer at a time: believe me, I have tried in the past with a user posting logs from other computers while I was trying to clean the one they originally posted for, and it can get very confusing. Just keep the other one offline until we get this one fixed; then I will close this thread and you can start a new topic for the other one.


I am sure there is more to do.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.






Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.
 
Hi Ken!

I've been waiting 7 hours now for ComboFix to finish. There have been no changes since the screen that says "scanning for infected files".
Should I restart ComboFix and try once more, or wait?

Br
 
Still the same screen. Have you experienced this kind of long search? Is it possible to see if the program is working? For me it seems like low activity on the hard drive lamp for a search (it has been the same "pulsing" since the start).

After we're done, I think you have to help me set up better protection for my daughter's PC.

Br
 
ComboFix doesn't usually take more than 20 min or so. Go ahead and stop it, reboot, and see if it left a report at C:\ComboFix.txt.
 
Strange, I was not able to stop ComboFix without using the power button. Due to that I didn't find any report. Should I try ComboFix once more?

Br
 
First run this; let's see how much of this garbage we can remove before we give CF another run.



  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
 
OTL.txt:

OTL logfile created on: 2010-07-24 12:22:02 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Olsson\Skrivbord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program
Drive C: | 74,52 Gb Total Space | 9,97 Gb Free Space | 13,37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEOH1
Current User Name: Olsson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Olsson\Skrivbord\OTL.exe (OldTimer Tools)
PRC - C:\Program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe ()
PRC - C:\Program\F-Secure\BackWeb\7681197\Program\backWeb-7681197.exe ()
PRC - C:\Program\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
PRC - C:\Program\Windows Live\Family Safety\fsui.exe (Microsoft Corporation)
PRC - C:\Program\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)
PRC - C:\Program\D-Tools\daemon.exe (DAEMON'S HOME)
PRC - C:\WINDOWS\vsnpstd.exe ()
PRC - C:\Program\F-Secure\Common\FSMB32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\FNRB32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\FSM32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\FSMA32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\FIH32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\FAMEH32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Common\fch32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Anti-Virus\fssm32.exe (F-Secure Corp.)
PRC - C:\Program\F-Secure\Anti-Virus\fsgk32.exe (F-Secure Corp.)
PRC - C:\Program\F-Secure\Anti-Virus\fsav32.exe (F-Secure Corporation)
PRC - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corp.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Olsson\Skrivbord\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\Temp\IadHide3.dll (BackWeb)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (getPlus(R) Helper) getPlus(R) -- C:\Program\NOS\bin\getPlus_HelperSvc.exe File not found
SRV - (Apple Mobile Device) -- C:\Program\Delade filer\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (F-Secure BackWeb LAN Access) -- C:\Program\F-Secure\BackWeb\7681197\Program\fsbwlan.exe ()
SRV - (BackWeb Client - 7681197) -- C:\Program\F-Secure\BackWeb\7681197\Program\ServiceWrapper-7681197.exe ()
SRV - (fsssvc) -- C:\Program\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (Adobe LM Service) -- C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (ATKKeyboardService) -- C:\WINDOWS\ATKKBService.exe (ASUSTeK COMPUTER INC.)
SRV - (FSAA) -- C:\Program\F-Secure\Common\FSAA.EXE (F-Secure Corporation. All Rights Reserved.)
SRV - (F-Secure Network Request Broker) -- C:\Program\F-Secure\Common\FNRB32.EXE (F-Secure Corporation)
SRV - (FSMA) -- C:\Program\F-Secure\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program\F-Secure\Anti-Virus\fsgk32st.exe (F-Secure Corp.)


========== Driver Services (SafeList) ==========

DRV - (XDva349) -- C:\WINDOWS\System32\XDva349.sys File not found
DRV - (XDva348) -- C:\WINDOWS\System32\XDva348.sys File not found
DRV - (XDva347) -- C:\WINDOWS\System32\XDva347.sys File not found
DRV - (XDva346) -- C:\WINDOWS\System32\XDva346.sys File not found
DRV - (XDva345) -- C:\WINDOWS\System32\XDva345.sys File not found
DRV - (XDva342) -- C:\WINDOWS\System32\XDva342.sys File not found
DRV - (XDva341) -- C:\WINDOWS\System32\XDva341.sys File not found
DRV - (XDva337) -- C:\WINDOWS\System32\XDva337.sys File not found
DRV - (XDva336) -- C:\WINDOWS\System32\XDva336.sys File not found
DRV - (XDva327) -- C:\WINDOWS\System32\XDva327.sys File not found
DRV - (XDva326) -- C:\WINDOWS\System32\XDva326.sys File not found
DRV - (XDva323) -- C:\WINDOWS\System32\XDva323.sys File not found
DRV - (XDva321) -- C:\WINDOWS\System32\XDva321.sys File not found
DRV - (XDva317) -- C:\WINDOWS\System32\XDva317.sys File not found
DRV - (npkcrypt) -- C:\Nexon\v55 Maplestory\npkcrypt.sys File not found
DRV - (GMSIPCI) -- D:\INSTALL\GMSIPCI.SYS File not found
DRV - (catchme) -- C:\DOCUME~1\Olsson\LOKALA~1\Temp\catchme.sys File not found
DRV - (SCREAMINGBDRIVER) -- C:\WINDOWS\system32\drivers\ScreamingBAudio.sys (Screaming Bee LLC)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (VCSVADHWSer) Avnex Virtual Audio Device (WDM) -- C:\WINDOWS\system32\drivers\vcsvad.sys (Avnex)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (EIO) -- C:\WINDOWS\system32\drivers\EIO.sys (ASUSTeK Computer Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (asuskbnt) -- C:\WINDOWS\system32\drivers\atkkbnt.sys (ASUSTeK COMPUTER INC.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (d347prt) -- C:\WINDOWS\System32\Drivers\d347prt.sys ( )
DRV - (d347bus) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys ( )
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (snpstd) USB PC Camera (SN9C102) -- C:\WINDOWS\system32\drivers\snpstd.sys ()
DRV - (FSpm) -- C:\Program\F-Secure\Common\FSpm.sys (F-Secure Corporation)
DRV - (F-Secure Gatekeeper) -- C:\Program\F-Secure\Anti-Virus\win2k\fsgk.sys ()
DRV - (F-Secure Filter) -- C:\Program\F-Secure\Anti-Virus\win2k\FSfilter.sys ()
DRV - (F-Secure Recognizer) -- C:\Program\F-Secure\Anti-Virus\win2k\FSrec.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/index.php
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2010-03-10 21:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Mozilla\Extensions
[2010-03-10 21:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010-02-27 20:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Mozilla\Firefox\extensions
[2010-02-27 20:11:38 | 000,000,000 | ---D | M] (XfireXO Toolbar) -- C:\Documents and Settings\Olsson\Application Data\Mozilla\Firefox\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}

O1 HOSTS File: ([2010-07-13 11:46:57 | 000,413,362 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 14285 more lines...
O2 - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live inloggningshjälpen) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [DAEMON Tools-1033] C:\Program\D-Tools\daemon.exe (DAEMON'S HOME)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program\F-Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [fssui] C:\Program\Windows Live\Family Safety\fsui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe ()
O4 - HKCU..\Run: [aammi1e] C:\WINDOWS\System32\xnejkaw3.exe File not found
O4 - HKCU..\Run: [aqrmm6] C:\WINDOWS\System32\0eezqbw.exe File not found
O4 - HKCU..\Run: [bmcxio] C:\WINDOWS\System32\fqwrc870.exe File not found
O4 - HKCU..\Run: [cnjj7] C:\WINDOWS\System32\0mrs9jp.exe File not found
O4 - HKCU..\Run: [djagl] C:\WINDOWS\System32\xss70e1a3.exe File not found
O4 - HKCU..\Run: [dopkq] C:\WINDOWS\System32\c1yefk9g.exe File not found
O4 - HKCU..\Run: [ekvqmh] C:\WINDOWS\System32\dj625b66.exe File not found
O4 - HKCU..\Run: [euvlm] C:\WINDOWS\System32\p9r0ii9jall.exe File not found
O4 - HKCU..\Run: [ezqlmcx] C:\WINDOWS\System32\kvr0ii9ja.exe File not found
O4 - HKCU..\Run: [fbcnt] C:\WINDOWS\System32\c8ijeflbc.exe File not found
O4 - HKCU..\Run: [ghc3o] C:\WINDOWS\System32\2u1q3x7.exe File not found
O4 - HKCU..\Run: [ghityfq] C:\WINDOWS\System32\lgbss9euavg.exe File not found
O4 - HKCU..\Run: [jaglw] C:\WINDOWS\System32\xss70e1a3cn.exe File not found
O4 - HKCU..\Run: [kabrsd] C:\WINDOWS\System32\tzpgmrnt.exe File not found
O4 - HKCU..\Run: [mccy1o] C:\WINDOWS\System32\c1sty86k.exe File not found
O4 - HKCU..\Run: [mdi3u] C:\WINDOWS\System32\5hsdzkf.exe File not found
O4 - HKCU..\Run: [mrinjea] C:\WINDOWS\System32\zugmhddz.exe File not found
O4 - HKCU..\Run: [msooz8] C:\WINDOWS\System32\hs6t15va.exe File not found
O4 - HKCU..\Run: [neezq] C:\WINDOWS\System32\xoojaavm.exe File not found
O4 - HKCU..\Run: [pabbxnn] C:\WINDOWS\System32\vrm674pqgg.exe File not found
O4 - HKCU..\Run: [pggbs] C:\WINDOWS\System32\nytpk1gc71d.exe File not found
O4 - HKCU..\Run: [ppqb8n] C:\WINDOWS\System32\rrd27p0l.exe File not found
O4 - HKCU..\Run: [pvvmmxd] C:\WINDOWS\System32\0jeuglw.exe File not found
O4 - HKCU..\Run: [qbmxt] C:\WINDOWS\System32\ntef2rm9sy.exe File not found
O4 - HKCU..\Run: [qqlcc] C:\WINDOWS\System32\zuu6gg6ss.exe File not found
O4 - HKCU..\Run: [qrcinj] C:\WINDOWS\System32\r4xoepq73s9.exe File not found
O4 - HKCU..\Run: [qwbm9] C:\WINDOWS\System32\ukal2xc3e1.exe File not found
O4 - HKCU..\Run: [rnno3] C:\WINDOWS\System32\9msnokk.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [stez0v] C:\WINDOWS\System32\0riy0uu.exe File not found
O4 - HKCU..\Run: [sxtoo6] C:\WINDOWS\System32\d6avrrnd6.exe File not found
O4 - HKCU..\Run: [tje6a] C:\WINDOWS\System32\dze8a1hr.exe File not found
O4 - HKCU..\Run: [toe9a] C:\WINDOWS\System32\2lbcdyu.exe File not found
O4 - HKCU..\Run: [uqwrst] C:\WINDOWS\System32\yjffbrsi.exe File not found
O4 - HKCU..\Run: [vbmxtoj] C:\WINDOWS\System32\nyjffbrsit.exe File not found
O4 - HKCU..\Run: [vbxtjp] C:\WINDOWS\System32\e7plq6sxi.exe File not found
O4 - HKCU..\Run: [whty3a] C:\WINDOWS\System32\pfqb60c4o0.exe File not found
O4 - HKCU..\Run: [wmcctup] C:\WINDOWS\System32\cs1uzalrhso.exe File not found
O4 - HKCU..\Run: [wsndo9v] C:\WINDOWS\System32\78x5oj6.exe File not found
O4 - HKCU..\Run: [wsnjjaq] C:\WINDOWS\System32\zugmhddza.exe File not found
O4 - HKCU..\Run: [wxdyua] C:\WINDOWS\System32\izplr2siej.exe File not found
O4 - HKCU..\Run: [xdtjzq] C:\WINDOWS\System32\aagmcs9u.exe File not found
O4 - HKCU..\Run: [xtoe8] C:\WINDOWS\System32\hii6e1v2.exe File not found
O4 - HKCU..\Run: [yezaqg] C:\WINDOWS\System32\0iy0uup.exe File not found
O4 - HKCU..\Run: [zaawwh2] C:\WINDOWS\System32\k95iyzaqq9.exe File not found
O4 - HKCU..\Run: [zplghc] C:\WINDOWS\System32\rhd3eu1q.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start-meny\Program\IMVU\Run IMVU.lnk ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab (CKAVWebScan Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194543042140 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program\Delade filer\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\Delade filer\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Min aktuella startsida) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Olsson\Lokala inställningar\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Olsson\Lokala inställningar\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007-11-07 11:20:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\explore\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\open\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\explore\command - "" = G:\autorun.exe -- File not found
O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\open\command - "" = G:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010-07-24 12:19:49 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Olsson\Skrivbord\OTL.exe
[2010-07-24 11:18:54 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010-07-23 17:16:39 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010-07-23 17:11:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010-07-23 17:11:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010-07-23 17:11:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010-07-23 17:11:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010-07-23 17:11:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010-07-23 17:10:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-07-23 16:54:10 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Olsson\Skrivbord\TFC.exe
[2010-07-23 15:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Olsson\Application Data\Malwarebytes
[2010-07-23 15:54:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-07-23 15:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010-07-23 15:54:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-07-23 15:54:02 | 000,000,000 | ---D | C] -- C:\Program\Malwarebytes' Anti-Malware
[2010-07-23 15:45:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Olsson\Skrivbord\DDS
[2010-07-14 17:14:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010-07-14 15:52:53 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010-07-13 13:35:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Olsson\Mina dokument\blandat
[2010-06-28 14:55:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Olsson\Application Data\U3
[2010-06-26 17:05:09 | 000,000,000 | ---D | C] -- C:\Program\iPod
[2010-06-26 16:51:28 | 000,000,000 | ---D | C] -- C:\Program\Bonjour
[2010-06-26 16:48:43 | 000,000,000 | ---D | C] -- C:\Program\Safari
[2008-08-26 20:08:09 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd.dll
[2008-08-26 20:08:09 | 000,040,960 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd.dll
[2008-08-26 20:08:09 | 000,036,864 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd.dll
[2007-11-25 11:38:46 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2007-11-25 11:38:46 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys

========== Files - Modified Within 30 Days ==========

[2010-07-24 12:25:00 | 000,000,410 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2C8DC5CE-1445-4847-B385-34C3AC51553E}.job
[2010-07-24 12:19:51 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Olsson\Skrivbord\OTL.exe
[2010-07-24 12:14:39 | 000,191,924 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010-07-24 12:14:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-07-24 12:14:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-24 12:12:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-07-24 12:12:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-07-24 11:18:17 | 003,742,848 | R--- | M] () -- C:\Documents and Settings\Olsson\Skrivbord\ComboFix.exe
[2010-07-24 11:16:48 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Olsson\NTUSER.DAT
[2010-07-24 11:14:01 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C4030E41-5E64-40C0-B6D9-D952AC516761}.job
[2010-07-24 10:58:52 | 000,002,149 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\Safari.lnk
[2010-07-23 17:16:48 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010-07-23 16:54:12 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Olsson\Skrivbord\TFC.exe
[2010-07-23 16:47:03 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-07-23 16:41:17 | 000,000,137 | ---- | M] () -- C:\Documents and Settings\Olsson\Skrivbord\Teen got My Security Engine installed - Safer-Networking Forums.url
[2010-07-23 15:54:08 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\Malwarebytes' Anti-Malware.lnk
[2010-07-19 18:28:58 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Olsson\Skrivbord\dds.scr
[2010-07-19 18:14:16 | 000,002,111 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\iTunes.lnk
[2010-07-19 15:35:55 | 000,000,192 | -HS- | M] () -- C:\Documents and Settings\Olsson\ntuser.ini
[2010-07-14 19:00:00 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy.job
[2010-07-14 17:05:06 | 000,000,135 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\F-Secure Online Scanner.url
[2010-07-14 16:57:09 | 000,000,153 | ---- | M] () -- C:\Documents and Settings\All Users\Skrivbord\par...avwebscan.html.url
[2010-07-13 11:46:57 | 000,413,362 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010-06-26 19:45:36 | 000,014,720 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010-06-26 16:49:26 | 000,001,842 | ---- | M] () -- C:\Documents and Settings\Olsson\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk

========== Files Created - No Company Name ==========

[2010-07-23 17:16:48 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010-07-23 17:16:44 | 000,260,784 | ---- | C] () -- C:\cmldr
[2010-07-23 17:11:09 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-07-23 17:11:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-07-23 17:11:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-07-23 17:11:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-07-23 17:11:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010-07-23 17:08:09 | 003,742,848 | R--- | C] () -- C:\Documents and Settings\Olsson\Skrivbord\ComboFix.exe
[2010-07-23 16:41:17 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Olsson\Skrivbord\Teen got My Security Engine installed - Safer-Networking Forums.url
[2010-07-23 15:54:08 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\Malwarebytes' Anti-Malware.lnk
[2010-07-19 18:28:57 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Olsson\Skrivbord\dds.scr
[2010-07-14 17:05:06 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\F-Secure Online Scanner.url
[2010-07-14 16:57:09 | 000,000,153 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\par...avwebscan.html.url
[2010-06-26 19:45:36 | 000,014,720 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010-06-26 17:07:53 | 000,002,111 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\iTunes.lnk
[2010-06-26 16:49:26 | 000,002,149 | ---- | C] () -- C:\Documents and Settings\All Users\Skrivbord\Safari.lnk
[2010-06-26 16:49:26 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\Olsson\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2009-12-28 15:49:49 | 000,132,096 | ---- | C] () -- C:\WINDOWS\System32\RashIcon.dll
[2009-12-28 15:49:49 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\RashProp.dll
[2009-11-21 13:50:55 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2009-11-21 13:50:55 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2009-10-29 19:27:45 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2009-09-15 14:22:32 | 002,332,160 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009-09-13 18:03:10 | 000,000,256 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009-07-31 15:14:38 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\AVERM.dll
[2009-07-31 15:14:38 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\AVEQT.dll
[2008-08-26 20:21:52 | 000,043,729 | ---- | C] () -- C:\WINDOWS\unvpeye.ini
[2008-08-26 20:08:14 | 000,015,541 | ---- | C] () -- C:\WINDOWS\snpstd.ini
[2008-08-26 20:08:13 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\dsnpstd.dll
[2008-08-26 20:08:11 | 000,301,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\snpstd.sys
[2008-07-21 21:27:51 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008-07-21 21:27:50 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008-05-27 00:10:02 | 000,014,772 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008-05-27 00:10:00 | 000,022,298 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008-05-27 00:09:58 | 000,014,614 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008-01-18 16:23:27 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
[2007-11-08 20:07:36 | 000,000,383 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007-11-07 12:04:33 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2007-11-07 12:04:33 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2007-11-07 12:04:33 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2007-11-07 12:04:33 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2007-11-07 12:04:33 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2007-11-07 12:04:33 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2007-11-07 12:04:33 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2007-11-07 12:04:33 | 000,010,496 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
[2007-11-07 12:04:33 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2007-11-07 12:04:32 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2007-11-07 11:57:40 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006-06-01 11:22:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006-06-01 11:22:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006-06-01 11:22:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006-06-01 11:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006-06-01 11:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006-06-01 11:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004-08-22 18:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2002-05-28 03:52:36 | 000,106,496 | ---- | C] () -- C:\WINDOWS\japi.dll
[2001-06-24 11:32:44 | 000,172,032 | ---- | C] () -- C:\WINDOWS\japi2.dll
[1999-01-22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010-07-14 17:14:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010-01-17 19:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogSys
[2008-07-21 21:19:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\River Past G5
[2010-05-13 13:34:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010-01-17 20:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Blueberry
[2010-01-17 19:48:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\LogSys
[2009-11-21 20:37:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Nexon
[2008-07-21 21:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\River Past G5
[2010-02-16 20:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Screaming Bee
[2010-07-19 23:12:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Spotify
[2010-01-02 13:48:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\TweakNow PowerPack 2009
[2009-12-27 19:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Windows Desktop Search
[2009-12-31 17:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Olsson\Application Data\Windows Search
[2010-02-07 11:00:00 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2010-02-06 11:00:00 | 000,000,310 | ---- | M] () -- C:\WINDOWS\Tasks\Genomsök alla lokala hårddiskar.job
[2010-07-24 12:25:00 | 000,000,410 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2C8DC5CE-1445-4847-B385-34C3AC51553E}.job
[2010-07-24 11:14:01 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C4030E41-5E64-40C0-B6D9-D952AC516761}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004-08-04 14:00:00 | 018,778,343 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008-05-16 19:40:48 | 023,884,604 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008-05-16 19:40:48 | 023,884,604 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008-04-13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004-08-04 14:00:00 | 018,778,343 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008-05-16 19:40:48 | 023,884,604 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008-05-16 19:40:48 | 023,884,604 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004-08-04 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-14 18:04:38 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=0A6DF967AE8E836D053DB46398F603E5 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-14 18:04:38 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=0A6DF967AE8E836D053DB46398F603E5 -- C:\WINDOWS\system32\eventlog.dll
[2004-08-04 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=264DBC116901E89565B830B0CC20F922 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008-04-14 18:04:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=4F4A16EAEB932AE413E48923E6A400E0 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-14 18:04:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=4F4A16EAEB932AE413E48923E6A400E0 -- C:\WINDOWS\system32\netlogon.dll
[2004-08-04 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=A6FD3341EC1A98A31B044C6E0DAF8F26 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004-08-04 14:00:00 | 000,183,808 | ---- | M] (Microsoft Corporation) MD5=24BADA1C3795CB877C67E0F2F8BBAD1F -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008-04-14 18:04:47 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=3B50B494647E60CE6AC516E3F5C82B25 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-14 18:04:47 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=3B50B494647E60CE6AC516E3F5C82B25 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2005-11-23 04:12:24 | 000,092,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=FBF18F9F5FB852C2976723587B44F346 -- C:\Qoobox\32788R22FWJFW\viamraid.sys
[2005-11-23 04:12:24 | 000,092,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=FBF18F9F5FB852C2976723587B44F346 -- C:\WINDOWS\system32\drivers\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007-11-07 12:00:26 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007-11-07 12:00:26 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007-11-07 12:00:26 | 000,442,368 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

Extras.txt:

OTL Extras logfile created on: 2010-07-24 12:22:02 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Olsson\Skrivbord
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program
Drive C: | 74,52 Gb Total Space | 9,97 Gb Free Space | 13,37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEOH1
Current User Name: Olsson
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program\Safari\Safari.exe (Apple Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program\MSN Messenger\livecall.exe" = C:\Program\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program\Winamp Remote\bin\Orb.exe" = C:\Program\Winamp Remote\bin\Orb.exe:*:Enabled:Orb -- File not found
"C:\Program\Winamp Remote\bin\OrbTray.exe" = C:\Program\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray -- File not found
"C:\Program\Winamp Remote\bin\OrbStreamerClient.exe" = C:\Program\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client -- File not found
"C:\Program\SpacialAudio\SAMBC\SAMBC.exe" = C:\Program\SpacialAudio\SAMBC\SAMBC.exe:*:Enabled:SAMBC -- File not found
"C:\EA Games\Command & Conquer The First Decade\Command & Conquer Red Alert(tm) II\RA2\mph.exe" = C:\EA Games\Command & Conquer The First Decade\Command & Conquer Red Alert(tm) II\RA2\mph.exe:*:Enabled:mph -- ()
"C:\EA Games\Command & Conquer The First Decade\Command & Conquer Red Alert(tm) II\RA2\game.exe" = C:\EA Games\Command & Conquer The First Decade\Command & Conquer Red Alert(tm) II\RA2\game.exe:*:Enabled:game -- (Westwood Studios)
"C:\Program\MSN Messenger\livecall.exe" = C:\Program\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program\River Past\Screen Recorder Pro\ScreenRecorderPro.exe" = C:\Program\River Past\Screen Recorder Pro\ScreenRecorderPro.exe:*:Enabled:River Past Screen Recorder Pro -- File not found
"C:\Spel\Hasbro Interactive\RollerCoaster Tycoon\rct.exe" = C:\Spel\Hasbro Interactive\RollerCoaster Tycoon\rct.exe:*:Enabled:rct -- File not found
"C:\Documents and Settings\Olsson\Skrivbord\rctrec1.exe" = C:\Documents and Settings\Olsson\Skrivbord\rctrec1.exe:*:Enabled:rctrec1 -- File not found
"C:\Mohaa\Mohaa\MOHAA.exe" = C:\Mohaa\Mohaa\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault -- (Electronic Arts Inc.)
"C:\Program\Ventrilo\Ventrilo.exe" = C:\Program\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Team17\Worms Armageddon\WA.exe" = C:\Team17\Worms Armageddon\WA.exe:*:Enabled:Worms Armageddon -- (Team17 Software Ltd)
"C:\Program\Spotify\spotify.exe" = C:\Program\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe" = C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe:*:Enabled:Fjärrhjälp - Windows Messenger och tal -- (Microsoft Corporation)
"C:\Program\Xfire\Xfire.exe" = C:\Program\Xfire\Xfire.exe:*:Enabled:Xfire -- File not found
"C:\Program\LimeWire\LimeWire.exe" = C:\Program\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program\iTunes\iTunes.exe" = C:\Program\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program\Java\jre6\bin\java.exe" = C:\Program\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001041D-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01521746-02A6-4A72-00BD-A285DF6B80C6}" = The Sims 2 Studentliv
"{08A247F5-E34F-4D17-8731-0906DF56947E}" = Windows Live Sync
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0EE11800-A1BD-11D3-BFEB-005004AF2D32}" = Risk II
"{14FB2C18-CFC1-4DF4-A9CF-BAD3CCB5AAFD}" = Windows Live Toolbar
"{1A8BAA46-1179-4743-B00E-51B794A018B0}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{236BB7C4-4419-42FD-041D-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 15
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}" = ASUS Enhanced Display Driver
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C941d-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims™ 2 Djurliv
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57383270-6F61-4DC8-A9B8-C1745FC29F38}" = USB PC Camera (SN9C102)
"{5A70922D-9365-43CC-ADA9-CB84E4A54E4E}" = Windows Live Essentials
"{5C648FDB-0138-4619-B66E-230EF53E8E2C}" = The Sims™ 2 Tonårsprylar Prylpaket
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{65F6D25C-2B2B-4673-A81D-E7D7D72B29E4}" = Windows Live Family Safety
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{6B30FB1E-9F4A-49BA-9D74-174F1ECEB59D}" = Windows Live inloggningsassistenten
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1437-443D-B06E-79A00FE45110}" = Adobe Stock Photos 1.0
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Arbetsliv
"{84DDE556-43EF-43ed-B2DF-37AF9E5DDD75}" = The Sims™ 2 H&M® Fashion Prylpaket
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{961034C0-58DF-11DF-97FD-005056806466}" = Google Earth Plug-in
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BBE7AA1-AFA8-4D76-8FC2-1FDFD9BD3371}" = Windows Live Mail
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-6884-0000-0000-000000000101}" = Adobe Bridge 1.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3FE3DD5-92E1-4EC3-BD6B-822DD99E8991}" = Windows Live Photo Gallery
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D7D50E0C-27DD-4999-BC05-E026B580F93A}" = Electronic Arts Product Registration
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims™ 2 Året runt
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E9787678-551D-4478-9682-DBB587257110}" = Adobe Help Center 1.0
"{EC928237-A3BD-4640-ABD0-E49E758F2315}" = Windows Live Messenger
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-041D-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Cross Fire_is1" = Cross Fire En
"F-Secure Anti-Virus" = F-Secure Anti-Virus
"F-Secure BackWeb" = F-Secure BackWeb
"F-Secure Management Agent" = F-Secure Management Agent
"Hospital" = Theme Hospital
"HospitalTycoon" = Hospital Tycoon
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{D7D50E0C-27DD-4999-BC05-E026B580F93A}" = Electronic Arts Product Registration
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RoadRash" = RoadRash
"Spotify" = Spotify
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SystemRequirementsLab" = System Requirements Lab
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TweakNow PowerPack 2009_is1" = TweakNow PowerPack 2009
"Ultra MP4 Video Converter_is1" = Ultra MP4 Video Converter 5.2.0603
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Virtual Villagers_is1" = Virtual Villagers
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Worms Armageddon" = Worms Armageddon
"Worms Pinball" = Worms Pinball
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XCC Game Spy" = XCC Game Spy 1.0.8
"Xvid_is1" = Xvid 1.1.2 final uninstall
"Zoo Tycoon 1.0" = Microsoft Zoo Tycoon

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"World of Warcraft Trial" = World of Warcraft Trial

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 45 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 46 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 47 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 48 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 49 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 50 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 51 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 52 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 53 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

Error - 2010-07-24 06:34:50 | Computer Name = JEOH1 | Source = F-Secure Anti-Virus | ID = 103
Description = 54 2010-07-24 12:34:50+02:00 jeoh1 JEOH1\Olsson F-Secure Anti-Virus

An error occurred while scanning C:\WINDOWS\SYSTEM32\WOW32.DLL.

[ System Events ]
Error - 2010-07-23 11:01:48 | Computer Name = JEOH1 | Source = Dhcp | ID = 1002
Description = IP-adresslånet 192.168.0.25 för det nätverkskort som har nätverksadressen
001617B20FE8 har nekats av DHCP-servern 192.168.0.1 (DHCP-servern skickade ett DHCPNACK-meddelande).

Error - 2010-07-23 11:02:28 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7000
Description = Tjänsten npkcrypt kunde inte startas på grund av följande fel: %%3

Error - 2010-07-23 11:18:22 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7034
Description = Tjänsten F-Secure BackWeb avslutades oväntat. Detta har skett 1 gånger.

Error - 2010-07-23 23:01:54 | Computer Name = JEOH1 | Source = Dhcp | ID = 1002
Description = IP-adresslånet 192.168.0.25 för det nätverkskort som har nätverksadressen
001617B20FE8 har nekats av DHCP-servern 192.168.0.1 (DHCP-servern skickade ett DHCPNACK-meddelande).

Error - 2010-07-24 05:12:22 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7023
Description = Tjänsten HID Input Service avbröts med följande fel: %%126

Error - 2010-07-24 05:12:22 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7000
Description = Tjänsten npkcrypt kunde inte startas på grund av följande fel: %%3

Error - 2010-07-24 05:23:03 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7034
Description = Tjänsten F-Secure BackWeb avslutades oväntat. Detta har skett 1 gånger.

Error - 2010-07-24 06:13:12 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7023
Description = Tjänsten HID Input Service avbröts med följande fel: %%126

Error - 2010-07-24 06:13:12 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7000
Description = Tjänsten npkcrypt kunde inte startas på grund av följande fel: %%3

Error - 2010-07-24 06:13:56 | Computer Name = JEOH1 | Source = Service Control Manager | ID = 7011
Description = En timeout (30000 ms) inträffade vid väntan på transaktionssvar från
tjänsten NVSvc.


< End of report >
 
Looks like CF may have removed the bad files.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
    DRV - (XDva349) -- C:\WINDOWS\System32\XDva349.sys File not found
    DRV - (XDva348) -- C:\WINDOWS\System32\XDva348.sys File not found
    DRV - (XDva347) -- C:\WINDOWS\System32\XDva347.sys File not found
    DRV - (XDva346) -- C:\WINDOWS\System32\XDva346.sys File not found
    DRV - (XDva345) -- C:\WINDOWS\System32\XDva345.sys File not found
    DRV - (XDva342) -- C:\WINDOWS\System32\XDva342.sys File not found
    DRV - (XDva341) -- C:\WINDOWS\System32\XDva341.sys File not found
    DRV - (XDva337) -- C:\WINDOWS\System32\XDva337.sys File not found
    DRV - (XDva336) -- C:\WINDOWS\System32\XDva336.sys File not found
    DRV - (XDva327) -- C:\WINDOWS\System32\XDva327.sys File not found
    DRV - (XDva326) -- C:\WINDOWS\System32\XDva326.sys File not found
    DRV - (XDva323) -- C:\WINDOWS\System32\XDva323.sys File not found
    DRV - (XDva321) -- C:\WINDOWS\System32\XDva321.sys File not found
    DRV - (XDva317) -- C:\WINDOWS\System32\XDva317.sys File not found
    O4 - HKCU..\Run: [aammi1e] C:\WINDOWS\System32\xnejkaw3.exe File not found
    O4 - HKCU..\Run: [aqrmm6] C:\WINDOWS\System32\0eezqbw.exe File not found
    O4 - HKCU..\Run: [bmcxio] C:\WINDOWS\System32\fqwrc870.exe File not found
    O4 - HKCU..\Run: [cnjj7] C:\WINDOWS\System32\0mrs9jp.exe File not found
    O4 - HKCU..\Run: [djagl] C:\WINDOWS\System32\xss70e1a3.exe File not found
    O4 - HKCU..\Run: [dopkq] C:\WINDOWS\System32\c1yefk9g.exe File not found
    O4 - HKCU..\Run: [ekvqmh] C:\WINDOWS\System32\dj625b66.exe File not found
    O4 - HKCU..\Run: [euvlm] C:\WINDOWS\System32\p9r0ii9jall.exe File not found
    O4 - HKCU..\Run: [ezqlmcx] C:\WINDOWS\System32\kvr0ii9ja.exe File not found
    O4 - HKCU..\Run: [fbcnt] C:\WINDOWS\System32\c8ijeflbc.exe File not found
    O4 - HKCU..\Run: [ghc3o] C:\WINDOWS\System32\2u1q3x7.exe File not found
    O4 - HKCU..\Run: [ghityfq] C:\WINDOWS\System32\lgbss9euavg.exe File not found
    O4 - HKCU..\Run: [jaglw] C:\WINDOWS\System32\xss70e1a3cn.exe File not found
    O4 - HKCU..\Run: [kabrsd] C:\WINDOWS\System32\tzpgmrnt.exe File not found
    O4 - HKCU..\Run: [mccy1o] C:\WINDOWS\System32\c1sty86k.exe File not found
    O4 - HKCU..\Run: [mdi3u] C:\WINDOWS\System32\5hsdzkf.exe File not found
    O4 - HKCU..\Run: [mrinjea] C:\WINDOWS\System32\zugmhddz.exe File not found
    O4 - HKCU..\Run: [msooz8] C:\WINDOWS\System32\hs6t15va.exe File not found
    O4 - HKCU..\Run: [neezq] C:\WINDOWS\System32\xoojaavm.exe File not found
    O4 - HKCU..\Run: [pabbxnn] C:\WINDOWS\System32\vrm674pqgg.exe File not found
    O4 - HKCU..\Run: [pggbs] C:\WINDOWS\System32\nytpk1gc71d.exe File not found
    O4 - HKCU..\Run: [ppqb8n] C:\WINDOWS\System32\rrd27p0l.exe File not found
    O4 - HKCU..\Run: [pvvmmxd] C:\WINDOWS\System32\0jeuglw.exe File not found
    O4 - HKCU..\Run: [qbmxt] C:\WINDOWS\System32\ntef2rm9sy.exe File not found
    O4 - HKCU..\Run: [qqlcc] C:\WINDOWS\System32\zuu6gg6ss.exe File not found
    O4 - HKCU..\Run: [qrcinj] C:\WINDOWS\System32\r4xoepq73s9.exe File not found
    O4 - HKCU..\Run: [qwbm9] C:\WINDOWS\System32\ukal2xc3e1.exe File not found
    O4 - HKCU..\Run: [rnno3] C:\WINDOWS\System32\9msnokk.exe File not found
    O4 - HKCU..\Run: [stez0v] C:\WINDOWS\System32\0riy0uu.exe File not found
    O4 - HKCU..\Run: [sxtoo6] C:\WINDOWS\System32\d6avrrnd6.exe File not found
    O4 - HKCU..\Run: [tje6a] C:\WINDOWS\System32\dze8a1hr.exe File not found
    O4 - HKCU..\Run: [toe9a] C:\WINDOWS\System32\2lbcdyu.exe File not found
    O4 - HKCU..\Run: [uqwrst] C:\WINDOWS\System32\yjffbrsi.exe File not found
    O4 - HKCU..\Run: [vbmxtoj] C:\WINDOWS\System32\nyjffbrsit.exe File not found
    O4 - HKCU..\Run: [vbxtjp] C:\WINDOWS\System32\e7plq6sxi.exe File not found
    O4 - HKCU..\Run: [whty3a] C:\WINDOWS\System32\pfqb60c4o0.exe File not found
    O4 - HKCU..\Run: [wmcctup] C:\WINDOWS\System32\cs1uzalrhso.exe File not found
    O4 - HKCU..\Run: [wsndo9v] C:\WINDOWS\System32\78x5oj6.exe File not found
    O4 - HKCU..\Run: [wsnjjaq] C:\WINDOWS\System32\zugmhddza.exe File not found
    O4 - HKCU..\Run: [wxdyua] C:\WINDOWS\System32\izplr2siej.exe File not found
    O4 - HKCU..\Run: [xdtjzq] C:\WINDOWS\System32\aagmcs9u.exe File not found
    O4 - HKCU..\Run: [xtoe8] C:\WINDOWS\System32\hii6e1v2.exe File not found
    O4 - HKCU..\Run: [yezaqg] C:\WINDOWS\System32\0iy0uup.exe File not found
    O4 - HKCU..\Run: [zaawwh2] C:\WINDOWS\System32\k95iyzaqq9.exe File not found
    O4 - HKCU..\Run: [zplghc] C:\WINDOWS\System32\rhd3eu1q.exe File not found
    O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
    O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\explore\command - "" = F:\autorun.exe -- File not found
    O33 - MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\Shell\open\command - "" = F:\autorun.exe -- File not found
    O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
    O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\explore\command - "" = G:\autorun.exe -- File not found
    O33 - MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\Shell\open\command - "" = G:\autorun.exe -- File not found
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done, and post the log it created
 
All processes killed
========== OTL ==========
No active process named Explorer.EXE was found!
Service XDva349 stopped successfully!
Service XDva349 deleted successfully!
File C:\WINDOWS\System32\XDva349.sys File not found not found.
Service XDva348 stopped successfully!
Service XDva348 deleted successfully!
File C:\WINDOWS\System32\XDva348.sys File not found not found.
Service XDva347 stopped successfully!
Service XDva347 deleted successfully!
File C:\WINDOWS\System32\XDva347.sys File not found not found.
Service XDva346 stopped successfully!
Service XDva346 deleted successfully!
File C:\WINDOWS\System32\XDva346.sys File not found not found.
Service XDva345 stopped successfully!
Service XDva345 deleted successfully!
File C:\WINDOWS\System32\XDva345.sys File not found not found.
Service XDva342 stopped successfully!
Service XDva342 deleted successfully!
File C:\WINDOWS\System32\XDva342.sys File not found not found.
Service XDva341 stopped successfully!
Service XDva341 deleted successfully!
File C:\WINDOWS\System32\XDva341.sys File not found not found.
Service XDva337 stopped successfully!
Service XDva337 deleted successfully!
File C:\WINDOWS\System32\XDva337.sys File not found not found.
Service XDva336 stopped successfully!
Service XDva336 deleted successfully!
File C:\WINDOWS\System32\XDva336.sys File not found not found.
Service XDva327 stopped successfully!
Service XDva327 deleted successfully!
File C:\WINDOWS\System32\XDva327.sys File not found not found.
Service XDva326 stopped successfully!
Service XDva326 deleted successfully!
File C:\WINDOWS\System32\XDva326.sys File not found not found.
Service XDva323 stopped successfully!
Service XDva323 deleted successfully!
File C:\WINDOWS\System32\XDva323.sys File not found not found.
Service XDva321 stopped successfully!
Service XDva321 deleted successfully!
File C:\WINDOWS\System32\XDva321.sys File not found not found.
Service XDva317 stopped successfully!
Service XDva317 deleted successfully!
File C:\WINDOWS\System32\XDva317.sys File not found not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\aammi1e deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\aqrmm6 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\bmcxio deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cnjj7 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\djagl deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\dopkq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ekvqmh deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\euvlm deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ezqlmcx deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\fbcnt deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ghc3o deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ghityfq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\jaglw deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\kabrsd deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\mccy1o deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\mdi3u deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\mrinjea deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\msooz8 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\neezq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\pabbxnn deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\pggbs deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ppqb8n deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\pvvmmxd deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qbmxt deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qqlcc deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qrcinj deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\qwbm9 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\rnno3 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\stez0v deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\sxtoo6 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tje6a deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\toe9a deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\uqwrst deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vbmxtoj deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vbxtjp deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\whty3a deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wmcctup deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wsndo9v deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wsnjjaq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wxdyua deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\xdtjzq deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\xtoe8 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\yezaqg deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\zaawwh2 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\zplghc deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ not found.
File F:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ not found.
File F:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ not found.
File F:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cac0fb4d-8299-11df-851b-001617b20fe8}\ not found.
File G:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cac0fb4d-8299-11df-851b-001617b20fe8}\ not found.
File G:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cac0fb4d-8299-11df-851b-001617b20fe8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cac0fb4d-8299-11df-851b-001617b20fe8}\ not found.
File G:\autorun.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jenny
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Olsson
->Temp folder emptied: 46453 bytes
->Temporary Internet Files folder emptied: 9807550 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 1863680 bytes
->Flash cache emptied: 689 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57827 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11,00 mb
So things look a little bit brighter now :)

OTL by OldTimer - Version 3.2.9.1 log created on 07242010_145554

Files\Folders moved on Reboot...
C:\Documents and Settings\Olsson\Lokala inställningar\Temporary Internet Files\Content.IE5\DHOBWFPC\showthread[1].htm moved successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Olsson\Lokala inställningar\Temporary Internet Files\SuggestedSites.dat moved successfully.
C:\WINDOWS\temp\IadHide3.dll moved successfully.

Registry entries deleted on Reboot...
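A small triage helper for an OTL fix log like the one above, added here as an example and not part of the thread or of OTL itself. It groups the "deleted", "moved" and "not found" lines by action and flags deleted services whose driver file OTL had already reported missing; the sample log is constructed from a few lines in the same shape as the posted one.

```python
"""Triage an OTL fix log: tally what the fix removed. Added example, not
part of the forum thread or of OTL; regexes match the posted log's line shapes."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines in the same shape as the posted log.
SAMPLE_LOG = r"""
Service XDva349 stopped successfully!
Service XDva349 deleted successfully!
File C:\WINDOWS\System32\XDva349.sys File not found not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\aammi1e deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\zplghc deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e7c23de-e8e7-11de-843d-001617b20fe8}\ deleted successfully.
File F:\autorun.exe not found.
C:\WINDOWS\temp\IadHide3.dll moved successfully.
"""

# OTL separates a registry key path from a value name with a doubled backslash.
SERVICE_RE = re.compile(r"^Service (\S+) deleted successfully!$")
RUN_VALUE_RE = re.compile(r"^Registry value (.+?)\\\\([^\\]+) deleted successfully\.$")
KEY_RE = re.compile(r"^Registry key (.+?)\\ deleted successfully\.$")
MOVED_RE = re.compile(r"^(.+?) moved successfully\.$")
MISSING_RE = re.compile(r"^File (.+?)(?: File not found)? not found\.$")

def triage_otl_log(text: str) -> dict:
    """Group the log's deleted / moved / not-found lines by the action taken."""
    out = {"services_deleted": [], "run_values_deleted": [],
           "keys_deleted": [], "files_moved": [], "files_missing": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            out["services_deleted"].append(m.group(1))
        elif m := RUN_VALUE_RE.match(line):
            out["run_values_deleted"].append(m.group(2))   # value name only
        elif m := KEY_RE.match(line):
            out["keys_deleted"].append(m.group(1))
        elif m := MOVED_RE.match(line):
            out["files_moved"].append(m.group(1))
        elif m := MISSING_RE.match(line):
            out["files_missing"].append(m.group(1))
    return out

def orphaned_driver_services(summary: dict) -> list:
    """Deleted services whose backing .sys file OTL had reported as missing."""
    missing = {PureWindowsPath(p).stem.lower() for p in summary["files_missing"]}
    return [s for s in summary["services_deleted"] if s.lower() in missing]
```

Run it over a full OTL log and the counts per action give a quick picture of how much persistence the fix touched; a non-empty orphaned-services list is worth a second look, since a clean uninstall removes the service and its driver together.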
 
I think there was so much bad stuff clogging up your system that it bogged down Combofix. Drag Combofix to the trash, download a fresh copy, run it please, and post the report.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished, restart your computer to restore the connection.
 
Hi Ken!

Am I doing something wrong? It's been 2 hours now with CF and I still get "scanning for infected files" and minimal HD activity.

I have stopped F-Secure and Spybot. The infected computer is connected to the internet; is that the wrong thing to have?

Br
 
OK, go ahead and shut it down. Let's run this scan to see if there is any rootkit activity preventing CF from running.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    [screenshot: gmer_zip.gif]
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
 
Hi Ken!

Something is stopping GMER from running after about 5 seconds. I get "gmer.exe har stött på ett problem och måste avslutas." Like "gmer.exe has encountered an error and has to be ended. Send a report to Microsoft?"

I've tried this twice with a reboot and get the same message.

I ended Spybot and F-Secure before starting gmer.exe

Br
 
Start Combofix and, if it stalls, bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running; kill the process if they are:

findstr
sed
grep
nircmd.exe
nircmd.cfexe
swsc.cfexe
* ... or any other process that has the .cfexe extension, except for CFxxx.cfexe

If ComboFix is still 'hung', then kill the CFxxx.cfexe process.
 