Problems with Virtumonde & trojan-dropper.win32.agent.dgo

habe81 · Jan 11, 2008

S&D says that i have virtumonde om my computer and f-secure informs me about trojan-dropper.win32.agent.dgo.
Can U help me please!

habe81 · Jan 11, 2008

habe81 said:
S&D says that i have virtumonde om my computer and f-secure informs me about trojan-dropper.win32.agent.dgo.
Can U help me please!

Info from HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:48:02, on 2008-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\SMART Board Software\SMARTBoardService.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeHotKey.exe
C:\Program\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program\The_Pirate_Bay\tbThe_.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklm.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38CF2AB0-5342-4E53-B998-C2A502A24B53} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7A082521-DFCC-487C-A9E9-C184E88C090F} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\cbxuvvw.dll (file missing)
O2 - BHO: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program\The_Pirate_Bay\tbThe_.dll
O2 - BHO: (no name) - {A7CFDAF0-5987-4DFD-AFC7-0FCB959FE444} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program\The_Pirate_Bay\tbThe_.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program\Delade filer\InstallShield\UpdateService\isuspm .exe" -scheduler
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\RunOnce: [SpybotDeletingA2776] command /c del "C:\WINDOWS\system32\jkklm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9686] cmd /c del "C:\WINDOWS\system32\jkklm.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-507921405-299502267-682003330-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Master')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NE sökverktyg 2.0.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sök i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeSearch.html
O8 - Extra context menu item: Översätt i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeTranslate.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 20) - http://fronter.com/lund/links/Fronter_oes_prj.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168555682343
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O20 - Winlogon Notify: cbxuvvw - cbxuvvw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SMART Board-tjänsten (SMART Board Service) - SMART Technologies Inc. - C:\Program\SMART Board Software\SMARTBoardService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 12509 bytes

habe81 · Jan 11, 2008

Kaspersky Online Scanner Report part 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 4:15:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507502
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\

Scan Statistics:
Total number of scanned objects: 210095
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 05:16:43

Infected Object Name / Virus Name / Last Action
C:\ATI-CPanel\ATIPTAXX.0XE Object is locked skipped
C:\Documents and Settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Application Data\Sun\Java\Deployment\cache\6.0\21\4a05ca95-253e6527/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\Hannes & Petra\Application Data\Sun\Java\Deployment\cache\6.0\21\4a05ca95-253e6527/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\Hannes & Petra\Application Data\Sun\Java\Deployment\cache\6.0\21\4a05ca95-253e6527/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\Hannes & Petra\Application Data\Sun\Java\Deployment\cache\6.0\21\4a05ca95-253e6527 ZIP: infected - 3 skipped
C:\Documents and Settings\Hannes & Petra\Application Data\Sun\Java\Deployment\cache\6.0\44\6310f1ec-43dbd8f4.0 Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\Perflib_Perfdata_cf4.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\RCX18.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\RCX1B.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\RCX1E.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\RCX23.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\RCX27.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\TMP4F.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\TMP59.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\TMP9.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\TMPC.0mp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temp\~DF3FBE.tmp Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Temporary Internet Files\Content.IE5\RB4NETI6\hctp[1] Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\Lokala inställningar\Tidigare\History.IE5\MSHist012008011120080112\index.dat Object is locked skipped
C:\Documents and Settings\Hannes & Petra\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hannes & Petra\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Master\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Master\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Master\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Master\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Master\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-01-11.07-45-02.log Object is locked skipped
C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM .0XE Object is locked skipped
C:\Program\F-Secure Internet Security\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program\F-Secure Internet Security\Anti-Virus\deleteme_msg.log Object is locked skipped
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe.Qrt.log Object is locked skipped
C:\Program\F-Secure Internet Security\Anti-Virus\perf.dat Object is locked skipped
C:\Program\F-Secure Internet Security\Anti-Virus\power.dat Object is locked skipped
C:\Program\F-Secure Internet Security\Common\FSM32.0XE Object is locked skipped
C:\Program\F-Secure Internet Security\Common\FSM32.1XE Object is locked skipped
C:\Program\F-Secure Internet Security\Common\FSM32.2XE Object is locked skipped
C:\Program\F-Secure Internet Security\Common\policy.bpf Object is locked skipped
C:\Program\F-Secure Internet Security\Common\policy.ipf Object is locked skipped
C:\Program\F-Secure Internet Security\FSAUA\content\SCDB31\2008010701\lib\Mail\SpamAssassin\Plugin.pm Object is locked skipped
C:\Program\F-Secure Internet Security\FSAUA\fsbwupst.log Object is locked skipped
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.dbg Object is locked skipped
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.log Object is locked skipped
C:\Program\F-Secure Internet Security\FSGUI\FSSW.0XE Object is locked skipped
C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.0xe Object is locked skipped
C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.1xe Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\Stlst\StatListDb.dat Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\Stlst\StatListDb.idx Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\urlcache\domainNames.dat Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\urlcache\domainNames.idx Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\urlcache\urlCacheDb.dat Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\csdk\urlcache\urlCacheDb.idx Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\logs\fspcwld.dat Object is locked skipped
C:\Program\F-Secure Internet Security\FSPC\logs\fspcwli.dat Object is locked skipped
C:\Program\F-Secure Internet Security\Spam Control\log\fs_sa_log.txt Object is locked skipped
C:\Program\F-Secure Internet Security\TNB\TNBUTIL.0XE Object is locked skipped
C:\Program\iTunes\ITUNESHELPER.0XE Object is locked skipped
C:\Program\MSN Messenger\MSNMSGR.0XE Object is locked skipped
C:\Program\PowerISO\PWRISOVM.0XE Object is locked skipped
C:\Program\QuickTime\QTTASK .0XE Object is locked skipped
C:\Program\SMART Board Software\SMARTBoardService.log Object is locked skipped
C:\RECYCLER\S-1-5-21-507921405-299502267-682003330-1006\Dc3\search.dll Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BE7C63FB-2A17-4DC2-8A20-E82FC2408429}\RP379\A0114211.0xe Object is locked skipped
C:\System Volume Information\_restore{BE7C63FB-2A17-4DC2-8A20-E82FC2408429}\RP383\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cbxuvvw.0ll Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\CTFMON.0XE Object is locked skipped
C:\WINDOWS\system32\ctfmon.1xe Object is locked skipped
C:\WINDOWS\system32\ctfmon.exe.0mp Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkklm.0xe Object is locked skipped
C:\WINDOWS\system32\mllji.0xe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\AVPB287.tmp Object is locked skipped
C:\WINDOWS\Temp\AVPB288.tmp Object is locked skipped
C:\WINDOWS\Temp\AVPB28B.tmp Object is locked skipped
C:\WINDOWS\Temp\AVPB28C.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_27c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

habe81 · Jan 11, 2008

KASPERSKY ONLINE SCANNER REPORT part 2

F:\Documents and Settings\Admin2\Application Data\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\F-Secure\System Control\flhist.bin Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\Quick Launch\Starta webbläsaren Internet Explorer.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Internet Explorer\Quick Launch\Visa skrivbordet.scf Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1682526488-682003330-1006\b786a3b8-ce7e-4789-924d-3777436ebc7b Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Protect\S-1-5-21-1202660629-1682526488-682003330-1006\Preferred Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Sun\Java\Deployment\deployment.properties Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\DM\DEVREP\devrep.xml Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\DM\DEVREP\devrepSchema.xdr Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\Application logs\applauncher_all_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\Application logs\capman_all_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificMPM_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\teleca_common_log.txt Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\tlib.info Object is locked skipped
F:\Documents and Settings\Admin2\Application Data\Teleca\Telecalib\Logging\tlib.init Object is locked skipped
F:\Documents and Settings\Admin2\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Admin2\dotNetFx.log Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Länkar\Anpassa länkar.url Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Länkar\Gratis Hotmail.url Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Länkar\Windows Media.url Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Länkar\Windows.url Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\MSN.url Object is locked skipped
F:\Documents and Settings\Admin2\Favoriter\Radiostationsguiden.url Object is locked skipped
F:\Documents and Settings\Admin2\langpackSetup.log Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\IconCache.db Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142050}\1053.MST Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142050}\Java 2 Runtime Environment, SE v1.4.2_05.msi Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temp\jusched.log Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temp\~bwtemp.bpf Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\BW3YDSSS\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\BW3YDSSS\stngs_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\BW3YDSSS\switch3_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\BW3YDSSS\UAHelp_Metrics[1].css Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\E9432F41\cstmz_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\E9432F41\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\E9432F41\lgn_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\E9432F41\popup[1].js Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\E9432F41\switch1_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\KNINI1WB\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\KNINI1WB\fvrts_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\KNINI1WB\switch2_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\KNINI1WB\UAHelp_Classic[1].css Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\W4PAJZRL\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\W4PAJZRL\HelpLA_lib[1].js Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\W4PAJZRL\mydcs_ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\Content.IE5\W4PAJZRL\ua[1].gif Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Temporary Internet Files\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Tidigare\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Tidigare\History.IE5\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Tidigare\History.IE5\MSHist012005032820050404\index.dat Object is locked skipped
F:\Documents and Settings\Admin2\Lokala inställningar\Tidigare\History.IE5\MSHist012005040420050405\index.dat Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\amipro.sam Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\excel.xls Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\excel4.xls Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\lotus.wk4 Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\powerpnt.ppt Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\presenta.shw Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\quattro.wb2 Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\sndrec.wav Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\winword.doc Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\winword2.doc Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\wordpfct.wpd Object is locked skipped
F:\Documents and Settings\Admin2\Mallar\wordpfct.wpg Object is locked skipped
F:\Documents and Settings\Admin2\Mina dokument\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Mina dokument\Min musik\Desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Mina dokument\Min musik\Exempelmusik.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Mina dokument\Mina bilder\Desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Mina dokument\Mina bilder\Exempelbilder.lnk Object is locked skipped
F:\Documents and Settings\Admin2\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Admin2\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Admin2\ntuser.ini Object is locked skipped
F:\Documents and Settings\Admin2\Recent\AddOn.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Recent\Desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Recent\install.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Recent\Need For Speed - Porsche 2000.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Recent\readme.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Recent\Recovery-Info.lnk Object is locked skipped
F:\Documents and Settings\Admin2\SendTo\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\SendTo\E-postmottagare.MAPIMail Object is locked skipped
F:\Documents and Settings\Admin2\SendTo\Komprimerad mapp.ZFSendToTarget Object is locked skipped
F:\Documents and Settings\Admin2\SendTo\Mina dokument.mydocs Object is locked skipped
F:\Documents and Settings\Admin2\SendTo\Skrivbord (skapa genväg).DeskLink Object is locked skipped
F:\Documents and Settings\Admin2\Skrivbord\Recovery-Info.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Autostart\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Fjärrhjälp.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Internet Explorer.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Outlook Express.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Adressbok.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Anteckningar.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Guiden Programkompatibilitet.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Hjälpmedel\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Hjälpmedel\Hjälpmedelshanteraren.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Hjälpmedel\Skärmförstoraren.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Hjälpmedel\Skärmtangentbordet.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Kommandotolken.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Synkronisera.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Underhållning\desktop.ini Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Underhållning\Windows Media Player.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Upptäck Windows XP.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Tillbehör\Utforskaren.lnk Object is locked skipped
F:\Documents and Settings\Admin2\Start-meny\Program\Windows Media Player.lnk Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{BE7C63FB-2A17-4DC2-8A20-E82FC2408429}\RP383\change.log Object is locked skipped

Scan process completed.

Shaba · Jan 16, 2008

Hi habe81

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

habe81 · Jan 17, 2008

Thank you for helping me

My friend tried to help me and I think she succeded, but to be 100% shure, here are the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17:06, on 2008-01-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\SMART Board Software\SMARTBoardService.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7A082521-DFCC-487C-A9E9-C184E88C090F} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A7CFDAF0-5987-4DFD-AFC7-0FCB959FE444} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NE sökverktyg 2.0.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sök i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeSearch.html
O8 - Extra context menu item: Översätt i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeTranslate.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 20) - http://fronter.com/lund/links/Fronter_oes_prj.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168555682343
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O20 - Winlogon Notify: cbxuvvw - cbxuvvw.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SMART Board-tjänsten (SMART Board Service) - SMART Technologies Inc. - C:\Program\SMART Board Software\SMARTBoardService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10453 bytes

habe81 · Jan 17, 2008

part 2

ComboFix 08-01-18.1 - Hannes & Petra 2008-01-17 22:05:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.378 [GMT 1:00]
Running from: C:\Documents and Settings\Hannes & Petra\Skrivbord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hhqxpurj.dll
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 22:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 15:21 . 2008-01-17 15:21 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\Share-to-Web Upload Folder
2008-01-16 17:16 . 2008-01-16 17:16 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\F-Secure
2008-01-16 17:13 . 2008-01-16 17:13 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\Grisoft
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Barnen\Start-meny
2008-01-16 16:40 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Barnen\Skrivbord
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Barnen\Skrivare
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Barnen\Nätverket
2008-01-16 16:40 . 2008-01-16 16:42 <KAT> dr------- C:\Documents and Settings\Barnen\Mina dokument
2008-01-16 16:40 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Barnen\Mallar
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Barnen\Lokala inställningar
2008-01-16 16:40 . 2008-01-17 16:10 <KAT> dr------- C:\Documents and Settings\Barnen\Favoriter
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-01-15 22:44 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-01-15 22:44 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Mina dokument
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Mina dokument
2008-01-15 22:44 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-01-15 22:44 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Favoriter
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Favoriter
2008-01-15 22:22 . 2008-01-15 22:33 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-15 19:02 . 2008-01-15 19:02 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Grisoft
2008-01-14 00:00 . 2008-01-14 00:00 <KAT> d-------- C:\Documents and Settings\Hannes & Petra\Application Data\Grisoft
2008-01-14 00:00 . 2008-01-14 00:00 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 00:00 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 10:32 . 2008-01-11 10:32 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 10:32 . 2008-01-11 10:32 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 09:47 . 2008-01-11 09:47 <KAT> d-------- C:\Program\Trend Micro
2008-01-10 22:37 . 2007-05-25 14:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-10 22:37 . 2007-05-25 14:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-10 16:23 . 2008-01-11 10:30 367 --a------ C:\WINDOWS\wininit.ini
2008-01-10 15:43 . 2008-01-11 12:00 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 11:51 . 2008-01-10 22:48 268 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-01-10 11:31 . 2008-01-15 23:06 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-01-10 09:37 . 2008-01-10 09:37 212,992 --a------ C:\Updater .exe
2008-01-09 21:52 . 2008-01-09 21:55 <KAT> d-------- C:\Documents and Settings\Hannes & Petra\Dolly Parton - The Very Best Of Vol.2 (2007) - Country
2008-01-06 10:54 . 2008-01-06 10:54 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Teleca
2008-01-06 10:50 . 2008-01-06 10:50 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Sony Ericsson
2007-12-30 14:19 . 2007-12-30 14:19 <KAT> d-------- C:\Program\Lavasoft
2007-12-24 18:47 . 2001-07-03 16:36 241,664 --a------ C:\WINDOWS\system32\DartSnmp2.dll
2007-12-24 18:47 . 2000-12-03 23:22 163,840 --a------ C:\WINDOWS\system32\DartSnmp.dll
2007-12-24 18:47 . 2000-10-03 23:54 159,744 --a------ C:\WINDOWS\system32\DartSock.dll
2007-12-24 18:47 . 2001-07-03 16:31 77,824 --a------ C:\WINDOWS\system32\DartService.dll
2007-12-24 18:47 . 2000-10-03 23:54 49,152 --a------ C:\WINDOWS\system32\DartObjects.dll
2007-12-24 18:47 . 2001-01-08 09:37 27,640 --a------ C:\WINDOWS\system32\drivers\Me102man.sys
2007-12-24 18:47 . 2002-08-02 16:32 15,360 --a------ C:\WINDOWS\system32\drivers\Me102rb.sys
2007-12-24 18:47 . 2000-11-08 21:26 39 --a------ C:\WINDOWS\SNMPmanager.ini
2007-12-24 18:27 . 2007-12-24 18:27 <KAT> d-------- C:\Program\NETGEAR
2007-12-24 18:27 . 1998-06-24 00:00 166,200 --a------ C:\WINDOWS\system32\MSMASK32.OCX
2007-12-24 18:22 . 2007-12-24 18:44 <KAT> d-------- C:\Netgear trådlöst
2007-12-19 23:50 . 2008-01-10 09:50 <KAT> d-------- C:\Program\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 23:54 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\ZipGenius
2008-01-15 22:12 --------- d-----w C:\Program\F-Secure Internet Security
2008-01-15 20:11 --------- d-----w C:\Program\The_Pirate_Bay
2008-01-15 19:59 --------- d-----w C:\Program\GameShadow
2008-01-10 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-10 18:29 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-01-10 17:24 --------- d-----w C:\Program\ZipGenius 6
2008-01-10 17:24 --------- d-----w C:\Program\XviD
2008-01-10 17:24 --------- d-----w C:\Program\Windows Media Connect 2
2008-01-10 09:04 --------- d-----w C:\Program\MSN Messenger
2008-01-10 09:03 --------- d-----w C:\Program\QuickTime
2008-01-10 09:03 --------- d-----w C:\Program\iTunes
2008-01-10 08:34 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\uTorrent
2008-01-08 18:45 --------- d-----w C:\Program\Windows Live Toolbar
2008-01-08 18:45 --------- d-----w C:\Program\TPlayer
2008-01-08 18:45 --------- d-----w C:\Program\Reasonable NoClone 2007 Enterprise
2008-01-08 18:45 --------- d-----w C:\Program\Real Alternative
2008-01-08 18:45 --------- d-----w C:\Program\MagicISO
2008-01-08 18:45 --------- d-----w C:\Program\Halvan
2007-12-24 17:47 --------- d--h--w C:\Program\InstallShield Installation Information
2007-12-22 15:34 --------- d-----w C:\Program\sixteen tons entertainment
2007-12-18 18:27 --------- d-----w C:\Program\Pettson2
2007-12-14 22:20 --------- d-----w C:\Program\uTorrent
2007-12-14 16:12 --------- d-----w C:\Program\Azureus
2007-12-14 16:11 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Azureus
2007-12-14 16:00 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\.BitTornado
2007-12-12 06:13 --------- d-----w C:\Program\Sony
2007-12-12 06:12 --------- d-----w C:\Program\Sony Setup
2007-12-11 21:29 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Viewpoint
2007-12-11 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-10 20:40 --------- d-----w C:\Program\Ubisoft
2007-12-10 20:35 --------- d-----w C:\Program\Winamp
2007-12-09 16:05 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\InstallShield
2007-12-09 10:37 --------- d-----w C:\Program\Fox
2007-12-06 20:50 --------- d-----w C:\Program\PAN Vision
2007-11-26 19:20 --------- d-----w C:\Program\MSECache
2007-11-21 22:58 --------- d-----w C:\Program\MSXML 4.0
2007-11-20 20:59 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Teleca
2007-11-20 20:55 --------- d-----w C:\Program\Delade filer\Teleca Shared
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Sony Ericsson
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-11-20 20:53 --------- d-----w C:\Program\Sony Ericsson
2007-11-20 20:53 --------- d-----w C:\Program\Delade filer\Sony Ericsson Shared
2007-11-18 14:30 --------- d-----w C:\Program\Activision
2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-08-04 12:00 94,816 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:30 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

Code:

<pre>
----a-w           212,992 2008-01-10 08:37:10  C:\Updater .exe
----a-w            63,712 2008-01-10 08:37:12  C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            39,792 2008-01-10 08:37:14  C:\Program\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           183,208 2008-01-10 21:41:49  C:\Program\F-Secure Internet Security\Common\FSM32 .EXE
----a-w           740,208 2008-01-10 21:41:53  C:\Program\F-Secure Internet Security\FSGUI\TNBUtil .exe
----a-w           700,416 2008-01-10 08:37:09  C:\Program\F-Secure Internet Security\TNB\TNBUtil .exe
----a-w            68,856 2008-01-10 08:37:24  C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-10 08:37:06  C:\Program\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2008-01-10 08:37:30  C:\Program\MSN Messenger\MsnMsgr .Exe
----a-w           528,384 2008-01-10 08:37:19  C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A082521-DFCC-487C-A9E9-C184E88C090F}]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7CFDAF0-5987-4DFD-AFC7-0FCB959FE444}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{ACECC8E8-45A5-41EC-A82A-B3363103E293}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

[HKEY_CLASSES_ROOT\clsid\{acecc8e8-45a5-41ec-a82a-b3363103e293}]
[HKEY_CLASSES_ROOT\NE.NeToolBar]
[HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 14:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program\QuickTime\QTTask .exe" [ ]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"F-Secure Manager"="C:\Program\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 14:12 183208]
"F-Secure TNB"="C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 14:11 740208]
"!AVG Anti-Spyware"="C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk.disabled [2007-01-19 17:03:26]
HPAiODevice(hp psc 900 series) - 1.lnk - C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-07-23 09:49:32]
Microsoft Office.lnk.disabled [2007-01-03 09:08:59]
NE s”kverktyg 2.0.lnk.disabled [2007-02-07 16:34:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvvw]
cbxuvvw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" /background
"swg"=C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Uniblue Registry Booster2"=C:\Program\Uniblue\RegistryBooster2\RegistryBooster.exe /S
"updateMgr"=C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iRiver Updater"=\Updater.exe
"ISUSPM"="C:\Program\Delade filer\InstallShield\UpdateService\isuspm .exe" -scheduler
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 14:09]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program\F-Secure Internet Security\HIPS\fshs.sys [2007-05-25 14:12]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 14:08]
S2 ME102MAN;NETGEAR ME102 Access Point;C:\WINDOWS\system32\Drivers\ME102MAN.sys [2001-01-08 09:37]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);C:\WINDOWS\system32\DRIVERS\s716bus.sys [2007-04-04 12:43]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s716mdfl.sys [2007-04-04 12:43]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s716mdm.sys [2007-04-04 12:43]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s716mgmt.sys [2007-04-04 12:43]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);C:\WINDOWS\system32\DRIVERS\s716nd5.sys [2007-04-04 12:43]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s716obex.sys [2007-04-04 12:43]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);C:\WINDOWS\system32\DRIVERS\s716unic.sys [2007-04-04 12:43]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-02-17 20:26]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 14:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 14:09]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 09:58:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 20:25:40 C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job"
- C:\Program\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-18 21:08:29 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\Program\F-SECU~1\ANTI-V~1\fsav.exeP /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\Program\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 22:13:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 22:15:14
ComboFix-quarantined-files.txt 2008-01-18 21:14:25
.
2008-01-08 21:06:06 --- E O F ---

Shaba · Jan 18, 2008

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:

RenV::
----a-w           212,992 2008-01-10 08:37:10  C:\Updater .exe
----a-w            63,712 2008-01-10 08:37:12  C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            39,792 2008-01-10 08:37:14  C:\Program\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           183,208 2008-01-10 21:41:49  C:\Program\F-Secure Internet Security\Common\FSM32 .EXE
----a-w           740,208 2008-01-10 21:41:53  C:\Program\F-Secure Internet Security\FSGUI\TNBUtil .exe
----a-w           700,416 2008-01-10 08:37:09  C:\Program\F-Secure Internet Security\TNB\TNBUtil .exe
----a-w            68,856 2008-01-10 08:37:24  C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-10 08:37:06  C:\Program\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2008-01-10 08:37:30  C:\Program\MSN Messenger\MsnMsgr .Exe
----a-w           528,384 2008-01-10 08:37:19  C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A082521-DFCC-487C-A9E9-C184E88C090F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7CFDAF0-5987-4DFD-AFC7-0FCB959FE444}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvvw]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

habe81 · Jan 19, 2008

ComboFix 08-01-18.1 - Hannes & Petra 2008-01-20 13:48:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.241 [GMT 1:00]
Running from: C:\Documents and Settings\Hannes & Petra\Skrivbord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-17 22:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 15:21 . 2008-01-17 15:21 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\Share-to-Web Upload Folder
2008-01-16 17:16 . 2008-01-16 17:16 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\F-Secure
2008-01-16 17:13 . 2008-01-16 17:13 <KAT> d-------- C:\Documents and Settings\Barnen\Application Data\Grisoft
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Barnen\Start-meny
2008-01-16 16:40 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Barnen\Skrivbord
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Barnen\Skrivare
2008-01-16 16:40 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Barnen\Nätverket
2008-01-16 16:40 . 2008-01-16 16:42 <KAT> dr------- C:\Documents and Settings\Barnen\Mina dokument
2008-01-16 16:40 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Barnen\Mallar
2008-01-16 16:40 . 2008-01-18 22:15 <KAT> d--h----- C:\Documents and Settings\Barnen\Lokala inställningar
2008-01-16 16:40 . 2008-01-17 16:10 <KAT> dr------- C:\Documents and Settings\Barnen\Favoriter
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> dr------- C:\Documents and Settings\Administratör\Start-meny
2008-01-15 22:44 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-01-15 22:44 . 2006-12-27 19:09 <KAT> d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Mina dokument
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Mina dokument
2008-01-15 22:44 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-01-15 22:44 . 2006-12-27 19:04 <KAT> d--h----- C:\Documents and Settings\Administratör\Mallar
2008-01-15 22:44 . 2008-01-18 22:15 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-01-15 22:44 . 2008-01-18 22:15 <KAT> d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Favoriter
2008-01-15 22:44 . 2006-12-27 19:57 <KAT> d-------- C:\Documents and Settings\Administratör\Favoriter
2008-01-15 22:22 . 2008-01-15 22:33 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-15 19:02 . 2008-01-15 19:02 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Grisoft
2008-01-14 00:00 . 2008-01-14 00:00 <KAT> d-------- C:\Documents and Settings\Hannes & Petra\Application Data\Grisoft
2008-01-14 00:00 . 2008-01-14 00:00 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 00:00 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 10:32 . 2008-01-11 10:32 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 10:32 . 2008-01-11 10:32 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 09:47 . 2008-01-11 09:47 <KAT> d-------- C:\Program\Trend Micro
2008-01-10 22:37 . 2007-05-25 14:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-10 22:37 . 2007-05-25 14:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-10 16:23 . 2008-01-11 10:30 367 --a------ C:\WINDOWS\wininit.ini
2008-01-10 15:43 . 2008-01-11 12:00 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 11:51 . 2008-01-10 22:48 268 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-01-10 11:31 . 2008-01-15 23:06 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-01-10 09:37 . 2008-01-10 09:37 212,992 --a------ C:\Updater .exe
2008-01-09 21:52 . 2008-01-09 21:55 <KAT> d-------- C:\Documents and Settings\Hannes & Petra\Dolly Parton - The Very Best Of Vol.2 (2007) - Country
2008-01-06 10:54 . 2008-01-06 10:54 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Teleca
2008-01-06 10:50 . 2008-01-06 10:50 <KAT> d-------- C:\Documents and Settings\Master\Application Data\Sony Ericsson
2007-12-30 14:19 . 2007-12-30 14:19 <KAT> d-------- C:\Program\Lavasoft
2007-12-24 18:47 . 2001-07-03 16:36 241,664 --a------ C:\WINDOWS\system32\DartSnmp2.dll
2007-12-24 18:47 . 2000-12-03 23:22 163,840 --a------ C:\WINDOWS\system32\DartSnmp.dll
2007-12-24 18:47 . 2000-10-03 23:54 159,744 --a------ C:\WINDOWS\system32\DartSock.dll
2007-12-24 18:47 . 2001-07-03 16:31 77,824 --a------ C:\WINDOWS\system32\DartService.dll
2007-12-24 18:47 . 2000-10-03 23:54 49,152 --a------ C:\WINDOWS\system32\DartObjects.dll
2007-12-24 18:47 . 2001-01-08 09:37 27,640 --a------ C:\WINDOWS\system32\drivers\Me102man.sys
2007-12-24 18:47 . 2002-08-02 16:32 15,360 --a------ C:\WINDOWS\system32\drivers\Me102rb.sys
2007-12-24 18:47 . 2000-11-08 21:26 39 --a------ C:\WINDOWS\SNMPmanager.ini
2007-12-24 18:27 . 2007-12-24 18:27 <KAT> d-------- C:\Program\NETGEAR
2007-12-24 18:27 . 1998-06-24 00:00 166,200 --a------ C:\WINDOWS\system32\MSMASK32.OCX
2007-12-24 18:22 . 2007-12-24 18:44 <KAT> d-------- C:\Netgear trådlöst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 19:39 --------- d-----w C:\Program\Pettson2
2008-01-16 23:54 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\ZipGenius
2008-01-15 22:12 --------- d-----w C:\Program\F-Secure Internet Security
2008-01-15 20:11 --------- d-----w C:\Program\The_Pirate_Bay
2008-01-15 19:59 --------- d-----w C:\Program\GameShadow
2008-01-10 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-10 18:29 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-01-10 17:24 --------- d-----w C:\Program\ZipGenius 6
2008-01-10 17:24 --------- d-----w C:\Program\XviD
2008-01-10 17:24 --------- d-----w C:\Program\Windows Media Connect 2
2008-01-10 09:04 --------- d-----w C:\Program\MSN Messenger
2008-01-10 09:03 --------- d-----w C:\Program\QuickTime
2008-01-10 09:03 --------- d-----w C:\Program\iTunes
2008-01-10 08:50 --------- d-----w C:\Program\PowerISO
2008-01-10 08:34 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\uTorrent
2008-01-08 18:45 --------- d-----w C:\Program\Windows Live Toolbar
2008-01-08 18:45 --------- d-----w C:\Program\TPlayer
2008-01-08 18:45 --------- d-----w C:\Program\Reasonable NoClone 2007 Enterprise
2008-01-08 18:45 --------- d-----w C:\Program\Real Alternative
2008-01-08 18:45 --------- d-----w C:\Program\MagicISO
2008-01-08 18:45 --------- d-----w C:\Program\Halvan
2007-12-24 17:47 --------- d--h--w C:\Program\InstallShield Installation Information
2007-12-22 15:34 --------- d-----w C:\Program\sixteen tons entertainment
2007-12-14 22:20 --------- d-----w C:\Program\uTorrent
2007-12-14 16:12 --------- d-----w C:\Program\Azureus
2007-12-14 16:11 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Azureus
2007-12-14 16:00 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\.BitTornado
2007-12-12 06:13 --------- d-----w C:\Program\Sony
2007-12-12 06:12 --------- d-----w C:\Program\Sony Setup
2007-12-11 21:29 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Viewpoint
2007-12-11 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-10 20:40 --------- d-----w C:\Program\Ubisoft
2007-12-10 20:35 --------- d-----w C:\Program\Winamp
2007-12-09 16:05 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\InstallShield
2007-12-09 10:37 --------- d-----w C:\Program\Fox
2007-12-06 20:50 --------- d-----w C:\Program\PAN Vision
2007-11-26 19:20 --------- d-----w C:\Program\MSECache
2007-11-21 22:58 --------- d-----w C:\Program\MSXML 4.0
2007-11-20 20:59 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Teleca
2007-11-20 20:55 --------- d-----w C:\Program\Delade filer\Teleca Shared
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\Hannes & Petra\Application Data\Sony Ericsson
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-11-20 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-11-20 20:53 --------- d-----w C:\Program\Sony Ericsson
2007-11-20 20:53 --------- d-----w C:\Program\Delade filer\Sony Ericsson Shared
2007-11-07 09:29 722,432 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-08-04 12:00 94,816 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:30 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

Code:

<pre>
----a-w           212,992 2008-01-10 08:37:10  C:\Updater .exe
----a-w            63,712 2008-01-10 08:37:12  C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            39,792 2008-01-10 08:37:14  C:\Program\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           183,208 2008-01-10 21:41:49  C:\Program\F-Secure Internet Security\Common\FSM32 .EXE
----a-w           740,208 2008-01-10 21:41:53  C:\Program\F-Secure Internet Security\FSGUI\TNBUtil .exe
----a-w           700,416 2008-01-10 08:37:09  C:\Program\F-Secure Internet Security\TNB\TNBUtil .exe
----a-w            68,856 2008-01-10 08:37:24  C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-10 08:37:06  C:\Program\Java\jre1.6.0_03\bin\jusched .exe
----a-w         5,674,352 2008-01-10 08:37:30  C:\Program\MSN Messenger\MsnMsgr .Exe
----a-w           528,384 2008-01-10 08:37:19  C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-18_22.13.55,65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 21:04:31 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 12:46:48 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 21:04:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 12:46:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 21:04:31 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 12:46:48 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 21:04:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 12:46:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 21:04:32 11,120,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 12:46:48 1,028,096 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-17 21:04:32 442,368 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 12:46:48 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 12:46:48 11,120,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\NTUSER.DAT
+ 2008-01-20 12:46:48 442,368 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
+ 2008-01-20 08:16:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_380.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38CF2AB0-5342-4E53-B998-C2A502A24B53}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{ACECC8E8-45A5-41EC-A82A-B3363103E293}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

[HKEY_CLASSES_ROOT\clsid\{acecc8e8-45a5-41ec-a82a-b3363103e293}]
[HKEY_CLASSES_ROOT\NE.NeToolBar]
[HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 14:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\ATI-CPanel\atiptaxx.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program\QuickTime\QTTask .exe" [ ]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"F-Secure Manager"="C:\Program\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 14:12 183208]
"F-Secure TNB"="C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 14:11 740208]
"!AVG Anti-Spyware"="C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk.disabled [2007-01-19 17:03:26]
HPAiODevice(hp psc 900 series) - 1.lnk - C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-07-23 09:49:32]
Microsoft Office.lnk.disabled [2007-01-03 09:08:59]
NE s”kverktyg 2.0.lnk.disabled [2007-02-07 16:34:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.Exe" /background
"swg"=C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Uniblue Registry Booster2"=C:\Program\Uniblue\RegistryBooster2\RegistryBooster.exe /S
"updateMgr"=C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iRiver Updater"=\Updater.exe
"ISUSPM"="C:\Program\Delade filer\InstallShield\UpdateService\isuspm .exe" -scheduler
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 14:09]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program\F-Secure Internet Security\HIPS\fshs.sys [2007-05-25 14:12]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2007-05-25 14:08]
S2 ME102MAN;NETGEAR ME102 Access Point;C:\WINDOWS\system32\Drivers\ME102MAN.sys [2001-01-08 09:37]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);C:\WINDOWS\system32\DRIVERS\s716bus.sys [2007-04-04 12:43]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s716mdfl.sys [2007-04-04 12:43]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s716mdm.sys [2007-04-04 12:43]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s716mgmt.sys [2007-04-04 12:43]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);C:\WINDOWS\system32\DRIVERS\s716nd5.sys [2007-04-04 12:43]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s716obex.sys [2007-04-04 12:43]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);C:\WINDOWS\system32\DRIVERS\s716unic.sys [2007-04-04 12:43]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-02-17 20:26]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 14:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2007-05-25 14:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 09:58:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-01-20 12:25:00 C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job"
- C:\Program\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-20 08:18:28 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\Program\F-SECU~1\ANTI-V~1\fsav.exeP /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\Program\F-SECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 13:55:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 13:57:21
ComboFix-quarantined-files.txt 2008-01-20 12:57:10
ComboFix2.txt 2008-01-18 21:15:16
.
2008-01-08 21:06:06 --- E O F ---

habe81 · Jan 19, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:03, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\SMART Board Software\SMARTBoardService.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38CF2AB0-5342-4E53-B998-C2A502A24B53} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program\SMART Board Software\NotebookPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7A082521-DFCC-487C-A9E9-C184E88C090F} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - (no file)
O2 - BHO: (no name) - {A7CFDAF0-5987-4DFD-AFC7-0FCB959FE444} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Sök i NE - {ACECC8E8-45A5-41ec-A82A-B3363103E293} - C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: NE sökverktyg 2.0.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sök i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeSearch.html
O8 - Extra context menu item: Översätt i NE - res://C:\Program\Nationalencyklopedin\NE_sokverktyg_20\NeToolbar.dll/NeTranslate.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 20) - http://fronter.com/lund/links/Fronter_oes_prj.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168555682343
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.ne.se/sokverktyg/installation/setup.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O20 - Winlogon Notify: cbxuvvw - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SMART Board-tjänsten (SMART Board Service) - SMART Technologies Inc. - C:\Program\SMART Board Software\SMARTBoardService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10545 bytes

Shaba · Jan 19, 2008

Hi

Did you create CFScript file and dragged & dropped it into ComboFix as I instructed?

Just doubleclicking ComboFix.exe in order to start it is not enough.

Shaba · Jan 24, 2008

Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

Problems with Virtumonde & trojan-dropper.win32.agent.dgo

habe81

New member

habe81

New member

habe81

New member

habe81

New member

Shaba

Security Expert: Emeritus

habe81

New member

habe81

New member

Shaba

Security Expert: Emeritus

habe81

New member

habe81

New member

Shaba

Security Expert: Emeritus

Shaba

Security Expert: Emeritus