Vundo.bb Infection - Impossible One?!?


  • This topic is locked
10 replies to this topic

#1 Snickarius
  • Members
  • 5 posts

Posted 17 February 2008 - 04:08 PM

Dear bleeping computer team!

I got infected by the Vundo.BB trojan once I foolishly tried to install a key generator... having said that, I'm stuck with this Vundo.BB thingy! My Antivirus & Security Suite tells me continuously that c:\windows\system32\efebb.dll is a trojan called Vundo.BB. I tried Ad-aware, Spybot S & D, Spywarefighter, Norman malware remover, CCleaner, Registry Mechanics, Vundofix and probably some other things I have already forgotten to remove it... but when I reboot, it always comes back. I scan the computer with all these programs BOTH in secure mode and normal mode, but it's always the same story. My Windows has the latest updates. I'm clueless! So now I want your help!

Here is my Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05:41, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program\Norman\Npm\bin\ELOGSVC.EXE
C:\Program\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\Bin\Zanda.exe
C:\Program\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\bin\NVCSCHED.EXE
C:\Program\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Norman\Npm\bin\ZLH.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Microsoft ActiveSync\wcescomm.exe
C:\Program\MICROS~4\rapimgr.exe
C:\Program\Norman\npf\bin\npfuser.exe
C:\Program\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Skype\Plugin Manager\SkypePM.exe
C:\Program\Norman\Nvc\BIN\NIP.EXE
C:\Program\Norman\Nvc\bin\nvcoas.exe
C:\Program\Norman\Nvc\bin\cclaw.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marius\Skrivbord\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/041D/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...rch&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/2Q00CPT/041D/bF7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {00EC4B17-7C5A-472F-A57E-C4E3D799ABC3} - C:\WINDOWS\system32\efebb.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {5c8fac9f-45a1-cf79-81e4-174c441754b1} - {1b457144-c471-4e18-97fc-1a54f9caf8c5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - (no file)
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} (Detect Class) - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119895922501
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAC0FA4C-1D9B-4CCB-9E66-3CB9A75EA271}: NameServer = 130.244.127.161 130.244.127.169
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnklii - pmnklii.dll (file missing)
O20 - Winlogon Notify: winzbr32 - winzbr32.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program\Canon\DIAS\CnxDIAS.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program\Delade filer\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Marius/LOKALA~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8972 bytes
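Three lines in the log above are the ones a responder keys on: the unnamed O2 BHO loading efebb.dll straight out of system32, the two O20 Winlogon Notify entries whose DLLs are already gone (leftovers of an earlier instance that still need their registry keys removed), and the O24 Active Desktop component. Note also that in the second log posted further down the same efebb.dll is registered under a different CLSID, so the GUID is not a stable indicator; the file name and its reversed-name companion (efebb.dll next to bbefe.ini / bbefe.ini2 in the ComboFix deletions) are. The script below is an added example for this page, not code from the thread, from HijackThis or from ComboFix: it parses those HijackThis line types and flags the pattern. The sample lines are copied from the logs in this thread; the 4-8 letter name threshold, the reversed-name heuristic and the stand-in system32 listing are this example's own assumptions.

```python
"""Triage a HijackThis 2.0 log for the persistence seen in this thread.

Added example for this page; it is not code from the thread, from
HijackThis or from ComboFix. The sample lines are copied from the logs
posted in the thread; the name-length threshold and the reversed-name
heuristic are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the HijackThis log in post #1 (Adobe line kept as a clean control).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00EC4B17-7C5A-472F-A57E-C4E3D799ABC3} - C:\WINDOWS\system32\efebb.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: pmnklii - pmnklii.dll (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Marius/LOKALA~1/Temp/msohtml1/01/clip_image002.jpg
"""

# Stand-in for a directory listing of system32: the file names ComboFix
# reported deleting in post #5 (constructed list, not a real listing).
SYSTEM32_LISTING = ["efebb.dll", "bbefe.ini", "bbefe.ini2", "drvpimr.dll", "HDBHO.dll"]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O24_RE = re.compile(r"^O24 - Desktop Component")
# Assumption: a 4-8 letter, all-alphabetic DLL name dropped directly into
# system32 is what this family's droppers produced (efebb.dll above).
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([a-z]{4,8})\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code (O2, O20, O24)
    reason: str    # why a responder should look at it
    line: str      # the log line itself


def reversed_ini_present(dll_path: str, listing: list[str]) -> bool:
    """True if the DLL has a companion .ini whose name is the DLL stem reversed
    (efebb.dll <-> bbefe.ini), the pairing visible in the ComboFix deletions."""
    m = SYSTEM32_DLL_RE.search(dll_path)
    if not m:
        return False
    stem = m.group(1).lower()[::-1]
    present = {name.lower() for name in listing}
    return f"{stem}.ini" in present or f"{stem}.ini2" in present


def triage(log_text: str, listing: list[str]) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(Finding("O2", "orphaned BHO registration, DLL already gone", line))
            elif name == "(no name)" and SYSTEM32_DLL_RE.search(path):
                reason = "unnamed BHO loading a random-looking DLL straight from system32"
                if reversed_ini_present(path, listing):
                    reason += "; reversed-name .ini companion present"
                findings.append(Finding("O2", reason, line))
            continue
        m = O20_RE.match(line)
        if m:
            reason = ("Winlogon Notify entry for a DLL that no longer exists"
                      if m.group("missing") else "non-default Winlogon Notify DLL")
            findings.append(Finding("O20", reason, line))
            continue
        if O24_RE.match(line):
            findings.append(Finding("O24", "Active Desktop web component pointing at local content", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SYSTEM32_LISTING):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The output is a review list, not a verdict: HDBHO.dll trips the same name heuristic as efebb.dll but has no reversed-name companion, so it is flagged for a look rather than asserted malicious. In a live case the listing argument would come from the actual system32 directory, and the "(file missing)" O20 entries are the ones that are safe to delete outright.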


#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 February 2008 - 04:34 PM

Hello Snickarius,

Welcome to Bleeping Computer :thumbsup:

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Snickarius
  • Topic Starter
  • Members
  • 5 posts

Posted 18 February 2008 - 04:50 AM

Hmm... I followed your instructions. Combofix ran twice on my computer without producing a log! At the startup there seem to be some errors related to combofix... there was a pop-up window telling something about some error to fail to write or something. Then my Norman security suite gladly notified me about the Vundo.BB infection again...
Should I run combofix in secure mode or something?

Anyway here is my fresh Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program\Norman\Npm\bin\ELOGSVC.EXE
C:\Program\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\Bin\Zanda.exe
C:\Program\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\bin\NVCSCHED.EXE
C:\Program\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Norman\Npm\bin\ZLH.EXE
C:\Program\Norman\Nvc\BIN\NIP.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program\Norman\Nvc\bin\cclaw.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Microsoft ActiveSync\wcescomm.exe
C:\Program\MICROS~4\rapimgr.exe
C:\Program\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Documents and Settings\Marius\Skrivbord\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...rch&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/2Q00CPT/041D/bF7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {5c8fac9f-45a1-cf79-81e4-174c441754b1} - {1b457144-c471-4e18-97fc-1a54f9caf8c5} - (no file)
O2 - BHO: (no name) - {4824FA21-156F-41BA-BBF3-538C64C59467} - C:\WINDOWS\system32\efebb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} (Detect Class) - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119895922501
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnklii - pmnklii.dll (file missing)
O20 - Winlogon Notify: winzbr32 - winzbr32.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program\Canon\DIAS\CnxDIAS.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program\Delade filer\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 8532 bytes

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 February 2008 - 12:11 AM

Hello,

Okay, let's do it this way. A lot of protection programs scream about ComboFix. They don't understand that ComboFix is trying to help you! So... I want you to go completely offline, then disable ALL of your protection programs and try to run ComboFix. PLEASE be sure, when it's done running, to re-enable everything before you come back online. I guess I'll know how you came out if I see a ComboFix log or not. :thumbsup:

Thanks,
tea

#5 Snickarius
  • Topic Starter
  • Members
  • 5 posts

Posted 19 February 2008 - 07:05 AM

Thanks! Now we're talking! I followed your instructions, and during the combofix fixing suddenly a hidden zip folder named "catchme" appeared on my desktop. It's history now! So far everything looks good... I have to wait some time before I start to celebrate... anyway, here are the logs from combofix and hijack:

ComboFix 08-02-18.1 - Marius 2008-02-19 11:37:34.4 - NTFSx86
Running from: C:\Documents and Settings\Marius\Skrivbord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efebb.dll
C:\WINDOWS\system32\bbefe.ini
C:\WINDOWS\system32\bbefe.ini2
C:\WINDOWS\system32\efebb.dll
.
---- Previous Run -------
.
C:\Program\Helper
C:\WINDOWS\system32\bbefe.ini
C:\WINDOWS\system32\bbefe.ini2
C:\WINDOWS\system32\drvpimr.dll
C:\WINDOWS\system32\efebb.dll
C:\WINDOWS\system32\einvleup.ini
C:\WINDOWS\system32\hadmygrd.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\teltuqle.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\npf
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 08:52 . 2008-02-18 09:29 <KAT> d-------- C:\ComboFix(2)
2008-02-15 00:22 . 2008-01-24 11:23 79,752 --a------ C:\WINDOWS\system32\drivers\ndis_rd.sys
2008-02-15 00:22 . 2007-05-14 10:51 72,320 --a------ C:\WINDOWS\system32\drivers\tdi_rd.sys
2008-02-15 00:22 . 2008-01-23 15:01 42,552 --a------ C:\WINDOWS\system32\drivers\ale_nf.sys
2008-02-15 00:05 . 2007-09-17 15:24 212,024 --a------ C:\WINDOWS\system32\nscrnsav.scr
2008-02-08 22:57 . 2008-02-08 22:57 34 --a------ C:\WINDOWS\system32\6fdd4894
2008-02-03 00:00 . 2008-02-03 00:00 <KAT> d-------- C:\Documents and Settings\Marius\Application Data\TrojanHunter
2008-02-02 23:44 . 2008-02-04 22:23 <KAT> d-------- C:\Program\TrojanHunter 5.0
2008-02-02 23:18 . 2008-02-02 23:18 <KAT> d-------- C:\Program\Safer Networking
2008-01-30 23:06 . 2008-01-30 23:08 <KAT> d-------- C:\Documents and Settings\Marius\Application Data\AdwareAlert
2008-01-30 23:04 . 2008-02-01 10:08 <KAT> d-------- C:\Program\AdwareAlert
2008-01-24 22:23 . 2008-01-24 22:24 48,640 --a------ C:\Documents and Settings\Marius\timeseal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 10:45 --------- d-----w C:\Program\Norman
2008-02-19 10:12 --------- d-----w C:\Documents and Settings\Marius\Application Data\Skype
2008-02-19 09:54 --------- d-----w C:\Documents and Settings\Marius\Application Data\skypePM
2008-02-18 09:04 --------- d-----w C:\Program\Spybot
2008-02-17 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 20:27 --------- d-----w C:\Program\AdAware
2008-02-17 20:27 --------- d-----w C:\Documents and Settings\Marius\Application Data\Lavasoft
2008-02-12 16:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 20:50 --------- d-----w C:\Program\e-Sword
2008-02-01 09:09 --------- d-----w C:\Program\Microsoft ActiveSync
2008-01-11 20:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-11 20:47 --------- d-----w C:\Program\Skype
2008-01-11 20:47 --------- d-----w C:\Program\Delade filer\Skype
2008-01-11 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-11 19:16 --------- d-----w C:\Program\Delade filer\InstallShield Shared
2008-01-08 17:43 --------- d-----w C:\Program\Windows Live Safety Center
2008-01-01 22:38 --------- d-----w C:\Program\Microsoft.NET
2007-12-26 11:49 --------- d-----w C:\Program\Pocket e-Sword
2007-12-23 21:39 --------- d-----w C:\Program\Enigma Software Group
2007-12-22 21:23 --------- d-----w C:\Program\Skype for Pocket PC
2007-12-20 17:13 --------- d-----w C:\Program\CCleaner
2007-02-26 06:44 37,016 ----a-w C:\Documents and Settings\Brothers\Application Data\GDIPFONTCACHEV1.DAT
2006-11-28 10:46 37,016 -c--a-w C:\Documents and Settings\Marius\Application Data\GDIPFONTCACHEV1.DAT
2005-06-12 20:41 1,531,149 -c--a-w C:\Program\winscp230setup.exe
2005-06-12 20:40 3,751,021 -c--a-w C:\Program\vlc-0.6.0-win32.exe
2005-06-12 20:38 8,479,928 -c--a-w C:\Program\RealOnePlayerV2GOLD.exe
2005-06-12 20:36 21,654,229 -c--a-w C:\Program\nero60015.exe
2005-06-12 20:35 1,216,000 -c--a-w C:\Program\mirc603.exe
2005-06-12 20:34 1,054,616 -c--a-w C:\Program\dos622.exe
2005-06-12 20:33 3,328,641 -c--a-w C:\Program\DivX505Bundle.exe
2005-06-12 20:32 2,424,692 -c--a-w C:\Program\audacity-win-1.2.2.exe
2005-06-12 20:19 746,982 -c--a-w C:\Program\DivX-Ac3-Codec.rar
2004-03-12 13:33 212,992 -c--a-w C:\WINDOWS\inf\MA521\CopyWHQLDriver.exe
2003-07-30 13:18 172,416 -c--a-w C:\WINDOWS\inf\MA521\MA521nd5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34 15360]
"H/PC Connection Agent"="C:\Program\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QT4HPOT"="C:\Program\HPQ\ONE-TO~1\OneTouch.EXE" [2002-10-14 18:57 98304]
"Norman ZANDA"="C:\Program\Norman\Npm\bin\ZLH.exe" [2007-12-17 14:37 273520]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2006-01-27 18:22 155648]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2006-11-13 21:33 185896]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:34 15360]
"DWQueuedReporting"="C:\Program\DELADE~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnklii]
pmnklii.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzbr32]
winzbr32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^MA521 Configuration Utility.lnk]
backup=C:\WINDOWS\pss\MA521 Configuration Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-08-15 23:18 28672 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2002-08-14 17:29 290816 C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6cee6986]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-05-21 14:35 4608 C:\WINDOWS\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2002-10-23 13:19 176197 C:\Program\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:34 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
--a------ 2002-08-15 06:26 45056 C:\Program\HPQ\Notebook Utilities\hptasks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EstEID AIP switch]
C:\Program\IT Arendus\ID-kaart\\aipswitch 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norman ZANDA]
--a------ 2007-12-17 14:37 273520 C:\Program\Norman\Npm\bin\ZLH.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
--a------ 2001-12-12 07:05 36864 c:\hp\drivers\printers\photosmart\hphprld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-27 18:22 155648 C:\Program\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 22:34 36864 C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 02:00 132496 C:\Program\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2002-09-09 23:41 557056 C:\Program\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2002-09-09 23:42 126976 C:\Program\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-13 21:33 185896 C:\Program\Delade filer\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program\Windows Defender\MSASCui.exe

Paused2 NPFSvc32;Norman Personal Firewall Service;"C:\Program\Norman\npf\bin\npfsvc32.exe" [2008-01-28 10:21]
R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-01-24 11:23]
R1 NPROSEC;Norman Security driver;C:\Program\Norman\Ngs\bin\nprosec.sys [2007-09-06 08:37]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\TDI_RD.SYS [2007-05-14 10:51]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2007-08-06 09:53]
R2 Ndiskio;Ndiskio;C:\Program\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 NPROSECSVC;Norman Security service;"C:\Program\Norman\Ngs\bin\NPROSEC.EXE" [2007-11-27 15:13]
R2 NVOY;Norman's Very Own supplY of resources;"C:\Program\Norman\npm\bin\nvoy.exe" [2008-01-22 15:04]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 14:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 16:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2002-08-29 01:00]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-09-06 09:45]
R3 nvcoas;Norman Virus Control on-access component;"C:\Program\Norman\Nvc\bin\nvcoas.exe" [2007-12-10 14:36]
R3 NVCScheduler;Norman Virus Control Scheduler;"C:\Program\Norman\Npm\bin\NVCSCHED.EXE" [2007-09-18 11:41]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-17 12:54]
S3 cxbu0wdm;CardMan 1021;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2007-02-28 06:38]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\system32\DRIVERS\Express.sys [2002-10-17 02:00]
S3 ntportio;ntportio;C:\DOCUME~1\Marius\LOKALA~1\Temp\u\1186400086\ntportio.sys []
S3 nvcfsr;nvcfsr;C:\Program\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 15:25]
S3 nvcoafl51;nvcoafl51;C:\Program\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 15:25]
S3 nvcoaft51;nvcoaft51;C:\Program\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 15:25]
S3 nvcoarc51;nvcoarc51;C:\Program\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 15:25]
S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;C:\WINDOWS\system32\DRIVERS\MA521nd5.SYS [2003-07-30 15:18]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2003-12-16 19:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4bfbc0-3111-11db-9035-000bcd5556b7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
\Shell\é_†™\command - NETSVCS.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7b5583-9f35-11dc-9165-000bcd5556b7}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program\AdwareAlert\AdwareAlert.ex
- C:\Program\AdwareAlert.MariusWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
"2008-02-19 10:48:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 12:36:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program\Norman\Npm\bin\ELOGSVC.EXE
C:\Program\Windows Defender\MsMpEng.exe
C:\Program\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Norman\npf\bin\npfuser.exe
C:\Program\Norman\Nvc\BIN\NIP.EXE
C:\Program\Norman\Nvc\bin\cclaw.exe
C:\Program\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-19 12:45:59 - machine was rebooted [Marius]
ComboFix-quarantined-files.txt 2008-02-19 11:45:47
.
2008-02-17 18:44:27 --- E O F ---


Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:00, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program\Norman\Npm\bin\ELOGSVC.EXE
C:\Program\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\Bin\Zanda.exe
C:\Program\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\bin\NVCSCHED.EXE
C:\Program\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Norman\Npm\bin\ZLH.EXE
C:\Program\Norman\Nvc\BIN\NIP.EXE
C:\Program\Norman\Nvc\bin\cclaw.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Huawei technologies\Mobile Connect\Mobile Connect.exe
C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Microsoft ActiveSync\wcescomm.exe
C:\Program\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marius\Skrivbord\HiJackThis.exe
C:\Program\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...rch&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/2Q00CPT/041D/bF7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} (Detect Class) - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119895922501
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAC0FA4C-1D9B-4CCB-9E66-3CB9A75EA271}: NameServer = 130.244.127.161 130.244.127.169
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnklii - pmnklii.dll (file missing)
O20 - Winlogon Notify: winzbr32 - winzbr32.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program\Canon\DIAS\CnxDIAS.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program\Delade filer\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 8453 bytes

#6 teacup61
  • Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 February 2008 - 09:14 AM

Yay!! :wacko: Looks better too! Still some to do though.

suddenly a hidden zipfolder named "catchme" appeared on my desktop.

Heh, that's part of ComboFix. :thumbsup: If you look down at the last part of the ComboFix log you'll see the output for catchme. No biggie though, we'll be deleting all that when we're done anyway.

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\6fdd4894

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnklii]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzbr32]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. Still running all right? :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
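The procedure above builds a CFScript by hand from what the HijackThis log shows: a File:: section listing paths to delete and a Registry:: section of [-HKEY_...] lines, each of which removes that key. The following is an added Python example, not code from this thread or from the HijackThis/ComboFix authors. It parses the O2/O20/O23 lines of a HijackThis 2.0 log, flags unnamed BHOs, Winlogon Notify entries and services whose binary is missing, and drafts the same Registry:: deletions teacup61 wrote out for the two orphaned Notify keys. The sample log is a constructed subset of the lines posted in this thread; the regexes, function names and the assumption that only File:: and Registry:: directives are needed are this example's own.

```python
"""Triage a HijackThis 2.0 log and draft a ComboFix CFScript.

Added example, not code from this thread or from the HijackThis/ComboFix
authors. Only the CFScript directive syntax used in the thread is assumed:
a `File::` header followed by full paths, and a `Registry::` header followed
by `[-HKEY_...]` lines, each of which deletes that key. The sample log is a
constructed subset of the posted HijackThis log.
"""
import re

# Constructed sample: a subset of the HijackThis lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: pmnklii - pmnklii.dll (file missing)
O20 - Winlogon Notify: winzbr32 - winzbr32.dll (file missing)
O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

# Registry key under which Winlogon Notify packages are registered on XP;
# each subkey names a DLL that winlogon.exe loads at logon.
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text):
    """Return (section, reason, detail) tuples for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O20.match(line):
            # Every Winlogon Notify entry deserves review; an orphaned one
            # (DLL not found) is the usual leftover after AV deletes the DLL.
            reason = "orphaned Winlogon Notify entry" if m.group("missing") else "Winlogon Notify entry"
            findings.append(("O20", reason, m.group("key")))
        elif (m := _O2.match(line)) and m.group("name") == "(no name)":
            # Legitimate BHOs almost always register a display name.
            findings.append(("O2", "unnamed BHO", m.group("path")))
        elif (m := _O23.match(line)) and m.group("path").endswith("(file missing)"):
            findings.append(("O23", "service binary missing", m.group("name")))
    return findings


def orphaned_notify_keys(log_text):
    """Names of Winlogon Notify subkeys whose DLL HijackThis could not find."""
    return [d for s, r, d in triage(log_text) if s == "O20" and r.startswith("orphaned")]


def cfscript_for(log_text, files=()):
    """Draft a CFScript: delete the given files and any orphaned Notify keys."""
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    keys = orphaned_notify_keys(log_text)
    if keys:
        sections.append("Registry::\n" + "\n".join(f"[-{WINLOGON_NOTIFY}\\{k}]" for k in keys))
    return "\n\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-4s %-32s %s" % finding)
    print(cfscript_for(SAMPLE_LOG, files=[r"C:\WINDOWS\system32\6fdd4894"]))
```

Two caveats a reader should keep in mind. "(file missing)" only means HijackThis could not find the DLL at the path it resolved; on a machine like this one it can also mean the file is hidden by a rootkit, which is why the thread runs catchme before treating a Notify key as a dead remnant. And the script only drafts: which keys and files go into the CFScript is still a judgement call made by the person reading the log, as teacup61 does here, because ComboFix will delete whatever the script names.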

#7 Snickarius
  • Topic Starter
  • Members
  • 5 posts

Posted 19 February 2008 - 01:05 PM

Hmm... I thought we were done?! Anyway, I followed your instructions again. Strangely, I always have to try ComboFix twice before it starts running. It kind of runs the first time, but then nothing happens, and then I dragged the script to it again and it started working. Anyway, here are fresh HijackThis and ComboFix logs (I can't believe you actually have the patience to go through it every time :thumbsup:)

Combofix:

ComboFix 08-02-18.1 - Marius 2008-02-19 18:34:41.5 - NTFSx86
Running from: C:\Documents and Settings\Marius\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marius\Skrivbord\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\6fdd4894
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\6fdd4894

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-19 17:52 . 2008-02-19 17:52 <KAT> d-------- C:\Program\omnikey_cardreader
2008-02-19 17:48 . 2008-02-19 17:48 <KAT> d-------- C:\WINDOWS\LastGood
2008-02-19 12:46 . 2008-02-19 12:46 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala inställningar
2008-02-19 12:46 . 2008-02-19 12:46 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala inställningar
2008-02-19 12:46 . 2008-02-19 12:46 <KAT> d-------- C:\Documents and Settings\Marius\Lokala inställningar
2008-02-19 12:46 . 2008-02-19 12:46 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala inställningar
2008-02-19 12:46 . 2008-02-19 12:46 <KAT> d-------- C:\Documents and Settings\Brothers\Lokala inställningar
2008-02-18 08:52 . 2008-02-18 09:29 <KAT> d-------- C:\ComboFix(2)
2008-02-15 00:22 . 2008-01-24 11:23 79,752 --a------ C:\WINDOWS\system32\drivers\ndis_rd.sys
2008-02-15 00:22 . 2007-05-14 10:51 72,320 --a------ C:\WINDOWS\system32\drivers\tdi_rd.sys
2008-02-15 00:22 . 2008-01-23 15:01 42,552 --a------ C:\WINDOWS\system32\drivers\ale_nf.sys
2008-02-15 00:05 . 2007-09-17 15:24 212,024 --a------ C:\WINDOWS\system32\nscrnsav.scr
2008-02-03 00:00 . 2008-02-03 00:00 <KAT> d-------- C:\Documents and Settings\Marius\Application Data\TrojanHunter
2008-02-02 23:44 . 2008-02-04 22:23 <KAT> d-------- C:\Program\TrojanHunter 5.0
2008-02-02 23:18 . 2008-02-02 23:18 <KAT> d-------- C:\Program\Safer Networking
2008-01-30 23:06 . 2008-01-30 23:08 <KAT> d-------- C:\Documents and Settings\Marius\Application Data\AdwareAlert
2008-01-30 23:04 . 2008-02-01 10:08 <KAT> d-------- C:\Program\AdwareAlert
2008-01-24 22:23 . 2008-01-24 22:24 48,640 --a------ C:\Documents and Settings\Marius\timeseal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 17:29 --------- d-----w C:\Documents and Settings\Marius\Application Data\Skype
2008-02-19 16:46 --------- d-----w C:\Documents and Settings\Marius\Application Data\skypePM
2008-02-19 16:36 --------- d-----w C:\Program\Norman
2008-02-18 09:04 --------- d-----w C:\Program\Spybot
2008-02-17 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 20:27 --------- d-----w C:\Program\AdAware
2008-02-17 20:27 --------- d-----w C:\Documents and Settings\Marius\Application Data\Lavasoft
2008-02-12 16:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 20:50 --------- d-----w C:\Program\e-Sword
2008-02-01 09:09 --------- d-----w C:\Program\Microsoft ActiveSync
2008-01-15 11:39 97,792 ----a-w C:\WINDOWS\system32\drivers\cxbu0wdm.sys
2008-01-11 20:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-11 20:47 --------- d-----w C:\Program\Skype
2008-01-11 20:47 --------- d-----w C:\Program\Delade filer\Skype
2008-01-11 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-11 19:16 --------- d-----w C:\Program\Delade filer\InstallShield Shared
2008-01-11 05:52 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-08 17:43 --------- d-----w C:\Program\Windows Live Safety Center
2008-01-01 22:38 --------- d-----w C:\Program\Microsoft.NET
2007-12-26 11:49 --------- d-----w C:\Program\Pocket e-Sword
2007-12-23 21:39 --------- d-----w C:\Program\Enigma Software Group
2007-12-22 21:23 --------- d-----w C:\Program\Skype for Pocket PC
2007-12-20 17:13 --------- d-----w C:\Program\CCleaner
2007-12-19 22:57 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:14 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:07 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:07 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:42 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-02-26 06:44 37,016 ----a-w C:\Documents and Settings\Brothers\Application Data\GDIPFONTCACHEV1.DAT
2006-11-28 10:46 37,016 -c--a-w C:\Documents and Settings\Marius\Application Data\GDIPFONTCACHEV1.DAT
2005-10-30 21:25 1,126,912 -c--a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2005-10-30 19:43 31,232 -c--a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2005-10-04 17:56 179,712 -c--a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2005-09-26 16:11 1,124,864 -c--a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2005-08-02 16:17 96,768 -c--a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2005-08-02 16:17 1,116,160 -c--a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2005-08-01 16:02 14,371,170 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_08_01_17_59_40.dmp.zip
2005-08-01 07:00 14,336 -c--a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2005-08-01 06:58 1,072,128 -c--a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2005-08-01 06:54 16,384 -c--a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2005-08-01 06:54 1,072,128 -c--a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2005-07-30 17:06 14,398,857 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_07_30_19_02_29.dmp.zip
2005-07-30 07:17 16,384 -c--a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2005-07-30 07:17 1,072,128 -c--a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2005-07-29 05:49 32,768 -c--a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2005-07-29 05:49 1,072,128 -c--a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2005-07-20 12:38 14,848 -c--a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2005-07-20 12:38 1,010,688 -c--a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2005-07-05 21:34 13,312 -c--a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2005-07-05 21:32 1,010,688 -c--a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2005-07-05 19:13 61,440 -c--a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2005-07-05 19:13 1,013,760 -c--a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2005-07-03 12:10 98,816 -c--a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2005-07-03 12:10 973,824 -c--a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2005-06-12 20:41 1,531,149 -c--a-w C:\Program\winscp230setup.exe
2005-06-12 20:40 3,751,021 -c--a-w C:\Program\vlc-0.6.0-win32.exe
2005-06-12 20:38 8,479,928 -c--a-w C:\Program\RealOnePlayerV2GOLD.exe
2005-06-12 20:36 21,654,229 -c--a-w C:\Program\nero60015.exe
2005-06-12 20:35 1,216,000 -c--a-w C:\Program\mirc603.exe
2005-06-12 20:34 1,054,616 -c--a-w C:\Program\dos622.exe
2005-06-12 20:33 3,328,641 -c--a-w C:\Program\DivX505Bundle.exe
2005-06-12 20:32 2,424,692 -c--a-w C:\Program\audacity-win-1.2.2.exe
2005-06-12 20:19 746,982 -c--a-w C:\Program\DivX-Ac3-Codec.rar
2004-03-12 13:33 212,992 -c--a-w C:\WINDOWS\inf\MA521\CopyWHQLDriver.exe
2003-07-30 13:18 172,416 -c--a-w C:\WINDOWS\inf\MA521\MA521nd5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34 15360]
"H/PC Connection Agent"="C:\Program\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QT4HPOT"="C:\Program\HPQ\ONE-TO~1\OneTouch.EXE" [2002-10-14 18:57 98304]
"Norman ZANDA"="C:\Program\Norman\Npm\bin\ZLH.exe" [2007-12-17 14:37 273520]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2006-01-27 18:22 155648]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2006-11-13 21:33 185896]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:34 15360]
"DWQueuedReporting"="C:\Program\DELADE~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^MA521 Configuration Utility.lnk]
backup=C:\WINDOWS\pss\MA521 Configuration Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-08-15 23:18 28672 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2002-08-14 17:29 290816 C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-09-13 11:12 139264 C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6cee6986]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-05-21 14:35 4608 C:\WINDOWS\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2002-10-23 13:19 176197 C:\Program\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 09:34 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
--a------ 2002-08-15 06:26 45056 C:\Program\HPQ\Notebook Utilities\hptasks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EstEID AIP switch]
C:\Program\IT Arendus\ID-kaart\\aipswitch 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norman ZANDA]
--a------ 2007-12-17 14:37 273520 C:\Program\Norman\Npm\bin\ZLH.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
--a------ 2001-12-12 07:05 36864 c:\hp\drivers\printers\photosmart\hphprld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-27 18:22 155648 C:\Program\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 22:34 36864 C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 02:00 132496 C:\Program\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2002-09-09 23:41 557056 C:\Program\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2002-09-09 23:42 126976 C:\Program\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-13 21:33 185896 C:\Program\Delade filer\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program\Windows Defender\MSASCui.exe

Paused2 NPFSvc32;Norman Personal Firewall Service;"C:\Program\Norman\npf\bin\npfsvc32.exe" [2008-01-28 10:21]
R0 NDIS_RD;Norman Firewall NDIS driver;C:\WINDOWS\system32\drivers\NDIS_RD.sys [2008-01-24 11:23]
R1 NPROSEC;Norman Security driver;C:\Program\Norman\Ngs\bin\nprosec.sys [2007-09-06 08:37]
R1 TDI_RD;Norman Firewall TDI driver;C:\WINDOWS\system32\drivers\TDI_RD.SYS [2007-05-14 10:51]
R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2007-08-06 09:53]
R2 Ndiskio;Ndiskio;C:\Program\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 NPROSECSVC;Norman Security service;"C:\Program\Norman\Ngs\bin\NPROSEC.EXE" [2007-11-27 15:13]
R2 NVOY;Norman's Very Own supplY of resources;"C:\Program\Norman\npm\bin\nvoy.exe" [2008-01-22 15:04]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 14:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 16:04]
R3 cxbu0wdm;CardMan 1021;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2008-01-15 12:39]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2002-08-29 01:00]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-09-06 09:45]
R3 nvcoas;Norman Virus Control on-access component;"C:\Program\Norman\Nvc\bin\nvcoas.exe" [2007-12-10 14:36]
R3 NVCScheduler;Norman Virus Control Scheduler;"C:\Program\Norman\Npm\bin\NVCSCHED.EXE" [2007-09-18 11:41]
R3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;C:\WINDOWS\system32\DRIVERS\MA521nd5.SYS [2003-07-30 15:18]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-17 12:54]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\system32\DRIVERS\Express.sys [2002-10-17 02:00]
S3 ntportio;ntportio;C:\DOCUME~1\Marius\LOKALA~1\Temp\u\1186400086\ntportio.sys []
S3 nvcfsr;nvcfsr;C:\Program\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 15:25]
S3 nvcoafl51;nvcoafl51;C:\Program\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 15:25]
S3 nvcoaft51;nvcoaft51;C:\Program\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 15:25]
S3 nvcoarc51;nvcoarc51;C:\Program\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 15:25]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2003-12-16 19:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b4bfbc0-3111-11db-9035-000bcd5556b7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
\Shell\é_†™\command - NETSVCS.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c7b5583-9f35-11dc-9165-000bcd5556b7}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 02:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program\AdwareAlert\AdwareAlert.exe
- C:\Program\AdwareAlert
"2008-02-19 16:41:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 18:41:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-19 18:47:00
ComboFix-quarantined-files.txt 2008-02-19 17:46:50
ComboFix2.txt 2008-02-19 11:46:01
.
2008-02-17 18:44:27 --- E O F ---


Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:20, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program\Norman\Npm\bin\ELOGSVC.EXE
C:\Program\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\Bin\Zanda.exe
C:\Program\Norman\npm\bin\nvoy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Norman\Npm\bin\NVCSCHED.EXE
C:\Program\Norman\Npm\bin\NJEEVES.EXE
C:\Program\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Norman\Npm\bin\ZLH.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Microsoft ActiveSync\wcescomm.exe
C:\Program\MICROS~4\rapimgr.exe
C:\Program\Norman\Nvc\BIN\NIP.EXE
C:\Program\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marius\Skrivbord\HiJackThis.exe
C:\Program\Huawei technologies\Mobile Connect\Mobile Connect.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...rch&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/2Q00CPT/041D/bF7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {096DCF31-53FA-4BA6-A729-D85D29FC0D70} (Detect Class) - https://installer.id.ee/IDInstaller.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119895922501
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program\Canon\DIAS\CnxDIAS.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program\Delade filer\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Program\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Program\Norman\npm\bin\nvoy.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 8085 bytes

What's next? Thanks for everything so far... the infection notification has not reappeared yet - looks good to me!


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 February 2008 - 07:41 PM

Hello,

And looks good to me too. :thumbsup: One thing I have to ask though: Did you uninstall your ZA Firewall?

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 Snickarius

Snickarius
  • Topic Starter

  • Members
  • 5 posts

Posted 20 February 2008 - 06:08 PM

Hi Teacup... I deleted what needed to be deleted and rebooted the computer. Everything looks nice and stable and there are no alert messages from Norman Security Suite. I pretty much follow all the other instructions which you also reminded me of; it's just that it was my own fault to try to install a key gen from an underground site that turned out to be a trojan (from now on I'll pay for my software). I also run Firefox instead of IE. You asked me whether I uninstalled ZA, which I did not. I had a folder from before containing the ZA installation files... from what I have understood, the firewall (ZA?) is today integrated into Windows, hence it is no longer installed separately... am I wrong? Anyways, I just went offline and disabled the firewall to get ComboFix running.

What can I say, thank you very much. I'm really happy :blink:

THANK YOU!

PS. I'll get back to you with a reward soon :thumbsup:

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 February 2008 - 06:24 PM

Hello,

Windows Firewall is much different than ZA. Windows Firewall only watches what comes IN to your computer, not what goes out, so it isn't as efficient. If you like ZA, then keep using it. If you'd like some alternatives, then I have those as well. :blink: Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

I'm glad you're happy, and you're most welcome. :thumbsup:

Regards,
tea

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 February 2008 - 07:37 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.