run in with braviax

Hello Shaba. I did one thing wrong :oops: I stopped the avast scans, but forgot to close zonelarm. So I had to manually allow a dozen prosesses. I hope this didn't interfere with the fix.

ComboFix 09-08-10.06 - HP_Ägaren 2009-08-18 16:36.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.2046.1416 [GMT 2:00]
Running from: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090817-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Ägaren\Application Data\Microsoft\Internet Explorer\Quick Launch\avast! Antivirus.lnk
c:\recycler\S-1-5-21-1597953560-603657994-931953664-1008
c:\windows\Blissly2 .jpg
c:\windows\Installer\108f718.msi
c:\windows\Installer\1b9451.msi
c:\windows\Installer\2c474.msi
c:\windows\Installer\35dfa3.msi
c:\windows\Installer\402df.msi
c:\windows\Installer\44ee6f.msi
c:\windows\Installer\6a233.msi
c:\windows\Installer\84f6c4.msi
c:\windows\Installer\ec5a4.msp
c:\windows\Installer\fbb30c.msi
c:\windows\system32\drivers\downld

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-14 18:03 . 2009-08-14 18:03 -------- d-----w- c:\program\Trend Micro
2009-08-14 17:52 . 2009-08-14 17:52 -------- d-----w- c:\program\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 15:12 . 2007-11-04 12:01 -------- d-----w- c:\program\Accessdiver
2009-08-14 13:13 . 2006-01-15 10:41 -------- d-----w- c:\program\Spybot - Search & Destroy
2009-08-14 13:11 . 2006-11-11 19:13 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-07-05 16:54 . 2009-07-05 17:15 4552192 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2009-07-05 16:54 . 2009-07-05 17:15 5445120 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2009-02-13 13:31 . 2009-04-30 17:23 187904 ----a-w- c:\program\A-Patch143b2_WLM9.exe
2007-01-30 00:06 . 2007-07-28 07:04 280116 -c--a-w- c:\program\messpatch-g5-81178.exe
2006-11-01 12:07 . 2006-12-19 13:49 3623736 -c--a-w- c:\program\procexp.exe
2006-01-29 08:14 . 2006-01-29 00:14 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"avast!"="c:\program\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ZoneAlarm Client"="c:\program\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-15 113664]
Rainmeter.lnk - c:\program\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Ägaren^Start-meny^Program^Autostart^ikowin32.exe]
path=c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\ikowin32.exe
backup=c:\windows\pss\ikowin32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program\Delade filer\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 203.162.2.137:80
IE: E&xport to Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\z3gfs696.default\
FF - plugin: c:\program\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 16:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSSV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program\TGTSoft\StyleXP\StyleXPService.exe
c:\program\Alwil Software\Avast4\aswUpdSv.exe
c:\program\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program\Java\jre6\bin\jqs.exe
c:\program\Delade filer\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program\Microsoft Hardware\Mouse\point32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program\Alwil Software\Avast4\ashMaiSv.exe
c:\program\Alwil Software\Avast4\ashWebSv.exe
c:\program\Delade filer\Ahead\Lib\NMIndexingService.exe
c:\program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-08-18 16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 14:50

Pre-Run: 39*043*575*808 byte ledigt
Post-Run: 42*865*586*176 byte ledigt

161
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:31, on 2009-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\Mixer.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\Program\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Rainmeter\Rainmeter.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.162.2.137:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\Program\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\program\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236795793015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236795781484
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6557 bytes
 
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    File::
C:\Documents and Settings\HP_Ägaren\hgoescxl.fsy
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN4.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN5.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN6.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN7.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN8.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BN9.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNA.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNB.tmp 
C:\Documents and Settings\HP_Ägaren\Lokala inställningar\Temp\BNC.tmp 
C:\RECYCLER\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm I
C:\WINDOWS\Temp\wpv891250109698.exe
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
ComboFix 09-08-10.06 - HP_Ägaren 2009-08-18 20:12.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.2046.1479 [GMT 2:00]
Running from: c:\documents and settings\HP_Ägaren\Skrivbord\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Ägaren\Skrivbord\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090817-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\HP_Ägaren\hgoescxl.fsy"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN1.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN4.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN5.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN6.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN7.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN8.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BN9.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNA.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNB.tmp"
"c:\documents and settings\HP_Ägaren\Lokala inställningar\Temp\BNC.tmp"
"c:\recycler\S-1-5-21-2482541705-948042526-3326623907-1008\Dc2.ngm I"
"c:\windows\Temp\wpv891250109698.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Ägaren\hgoescxl.fsy


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-14 18:03 . 2009-08-14 18:03 -------- d-----w- c:\program\Trend Micro
2009-08-14 17:52 . 2009-08-14 17:52 -------- d-----w- c:\program\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 15:12 . 2007-11-04 12:01 -------- d-----w- c:\program\Accessdiver
2009-08-14 13:13 . 2006-01-15 10:41 -------- d-----w- c:\program\Spybot - Search & Destroy
2009-08-14 13:11 . 2006-11-11 19:13 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-07-05 16:54 . 2009-07-05 17:15 4552192 ----a-w- c:\windows\Internet Logs\xDB9D.tmp
2009-07-05 16:54 . 2009-07-05 17:15 5445120 ----a-w- c:\windows\Internet Logs\xDB9E.tmp
2009-02-13 13:31 . 2009-04-30 17:23 187904 ----a-w- c:\program\A-Patch143b2_WLM9.exe
2007-01-30 00:06 . 2007-07-28 07:04 280116 -c--a-w- c:\program\messpatch-g5-81178.exe
2006-11-01 12:07 . 2006-12-19 13:49 3623736 -c--a-w- c:\program\procexp.exe
2006-01-29 08:14 . 2006-01-29 00:14 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program\Delade filer\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"avast!"="c:\program\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"ZoneAlarm Client"="c:\program\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - c:\program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-15 113664]
Rainmeter.lnk - c:\program\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Ägaren^Start-meny^Program^Autostart^ikowin32.exe]
path=c:\documents and settings\HP_Ägaren\Start-meny\Program\Autostart\ikowin32.exe
backup=c:\windows\pss\ikowin32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-03 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program\Delade filer\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 203.162.2.137:80
IE: E&xport to Microsoft Excel - c:\program\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\z3gfs696.default\
FF - plugin: c:\program\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 20:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-18 20:17
ComboFix-quarantined-files.txt 2009-08-18 18:16
ComboFix2.txt 2009-08-18 14:50

Pre-Run: 42*521*108*480 byte ledigt
Post-Run: 42*505*687*040 byte ledigt

134
 
I don't have avast, firefox or tea-timer running? :red:

Can I restart computer, turn them on, and check that things work fine?
 
Looks fine. It has moved the mouse buttons back to default. I will change that. :) Two old problems that I dont think are malware related, but just checking. Some scripts won't load for me on firefox. Like the world map at http://www.speedtest.net/ Not a real problem, I use explorer for those and it might be fixed by uninstalling and re-installing firefox.
As I said in my first post some windows updates cant be installed. I will try again when we have finished, but when I investigated a year ago it was a known problem according to microsoft website. So I just have to stay safer until I buy a new computer :)
 
Yes I suggest reinstalling Firefox.

Some other issues or are you ready for final instructions?
 
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Got as far as explorer settings. Left to do are Anti-Maleware and SpywareBlaster. They will not be in conflict with Avast and ZoneAlarm?

The clean-up did not remove the tools. I have ERUNT, erunt-setup, HijackThis, HJITInstall.exe, and NTREGOPT on my desktop. What should I do with them?

Thank you for your time and your help!! :laugh:
 
No they won't.

It is up to you if you like to keep erunt-setup, HijackThis, HJITInstall.exe.

I would definitely keep ERUNT and don't recommend to use NTREGOPT.
 
OK. Thank you. I will have a late dinner now, and then rest. I'll do what's left tomorrow, and try the windows updates. You can close this thread. Thank you again! :)
 
One file was left. c:\windows\system 32\dllcache\ntfs.sys Infection Win32:Cutwail-W (Trj). Moved succesfully to chest.

This was after a quick scan. Am I clear now? Any new instruction?
 
Spybot also found a problem. :sad: I allowed it to fit it.


--- Search result list ---
Hupigon13: [SBI $D5A7DCB6] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe


Full report is too long to post.
 
You must log in or register to reply here.
Back
Top