SmitFraud, Popup, Vundo? Problem in IE: Cookies


This topic is locked. 3 replies to this topic.

#1 robbfan
Members, 2 posts

Posted 24 June 2008 - 01:00 PM

Hello!

I have a popup problem, with poker sites and the Celldorado ringphone advertiser in IE.
Many antivirus programs have scanned the computer, but the popup won't go away.
During my work with this infected computer I have run across Vundo; VundoFix deleted 4 files. I think I ran across Zlob also, I can't remember anymore. The popup is not very fun, but right now I'm really pissed that I can't log in (with password/login) to any site whatsoever, because my cookies are turned off, although IE7 says it is on the lowest setting on the Privacy tab.

Please help me with my popup and this annoying cookie problem.
I'm running the Opera web browser now just to communicate and open mail, but I want the computer to be nice and clean before I start using something other than IE, like Opera or Firefox. BTW, I just installed SP3 for WinXP also, but the problem is of course still here. Thanks

LOG - MAIN THEN EXTRA:
Deckard's System Scanner v20071014.68
Run by Stig on 2008-06-24 19:43:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-24 17:43:29 UTC - RP1 - System checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-24 19:44:31
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program\Dell\Media Experience\PCMService.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Stig\Skrivbord\SmitfraudFix\Policies.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
C:\Program\Opera\opera.exe
C:\Documents and Settings\Stig\Skrivbord\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EE2D1E8-066B-435D-BF49-5A40254F09CE} - C:\WINDOWS\system32\jkkJbxxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\ssqRjjiJ.dll (file missing)
O2 - BHO: (no name) - {B458F039-4A4C-4273-9501-D0399B063198} - C:\WINDOWS\system32\opnolkkK.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O2 - BHO: {7c664f3a-5bed-85ca-5454-29b4b5d66f4d} - {d4f66d5b-4b92-4545-ac58-deb5a3f466c7} - C:\WINDOWS\SYSTEM32\gusiyvmw.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\khfCtrpO.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211820021953
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program\Delade filer\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program\Delade filer\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program\Delade filer\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: gusiyvmw.dll
O20 - Winlogon Notify: khfCtrpO - C:\WINDOWS\system32\khfCtrpO.dll (file missing)
O20 - Winlogon Notify: ssqRjjiJ - C:\WINDOWS\system32\ssqRjjiJ.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe


--
End of file - 6627 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-24 19:39:48 0 d-------- C:\Documents and Settings\Stig\Application Data\Opera
2008-06-24 19:38:57 0 d-------- C:\Program\Opera
2008-06-24 19:35:57 2110 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 06:07:53 0 d-------- C:\Documents and Settings\Stig\Application Data\HouseCall 6.6
2008-06-24 03:06:54 0 d-------- C:\WINDOWS\Prefetch
2008-06-23 23:54:43 0 d-------- C:\WINDOWS\system32\sv
2008-06-23 23:54:43 0 d-------- C:\WINDOWS\l2schemas
2008-06-23 23:50:39 0 d-------- C:\WINDOWS\network diagnostic
2008-06-23 21:18:02 0 d-------- C:\VundoFix Backups
2008-06-23 18:16:11 105472 --a------ C:\WINDOWS\system32\gusiyvmw.dll
2008-06-23 18:13:25 81408 --a------ C:\WINDOWS\system32\boupneai.dll
2008-06-22 22:15:57 0 d-------- C:\Documents and Settings\Administratör\Application Data\Macromedia
2008-06-22 22:00:46 0 dr-h----- C:\Documents and Settings\Administratör\SendTo
2008-06-22 22:00:46 0 dr-h----- C:\Documents and Settings\Administratör\Recent
2008-06-22 22:00:46 0 d--h----- C:\Documents and Settings\Administratör\Nätverket
2008-06-22 22:00:46 0 dr------- C:\Documents and Settings\Administratör\Mina dokument
2008-06-22 22:00:46 0 d--h----- C:\Documents and Settings\Administratör\Mallar
2008-06-22 22:00:46 0 d--h----- C:\Documents and Settings\Administratör\Lokala inställningar
2008-06-22 22:00:46 0 dr------- C:\Documents and Settings\Administratör\Favoriter
2008-06-22 22:00:46 0 d--hs---- C:\Documents and Settings\Administratör\Cookies
2008-06-22 22:00:46 0 dr-h----- C:\Documents and Settings\Administratör\Application Data
2008-06-22 22:00:46 0 d-------- C:\Documents and Settings\Administratör\Application Data\Symantec
2008-06-22 22:00:46 0 d-------- C:\Documents and Settings\Administratör\Application Data\Sun
2008-06-22 22:00:46 0 d-------- C:\Documents and Settings\Administratör\Application Data\Sonic
2008-06-22 22:00:46 0 d---s---- C:\Documents and Settings\Administratör\Application Data\Microsoft
2008-06-22 22:00:46 0 d-------- C:\Documents and Settings\Administratör\Application Data\Jasc Software Inc
2008-06-22 22:00:46 0 d-------- C:\Documents and Settings\Administratör\Application Data\Identities
2008-06-22 22:00:45 0 dr------- C:\Documents and Settings\Administratör\Start-meny
2008-06-22 22:00:45 0 d-------- C:\Documents and Settings\Administratör\Skrivbord
2008-06-22 22:00:45 0 d--h----- C:\Documents and Settings\Administratör\Skrivare
2008-06-22 22:00:45 786432 --ah----- C:\Documents and Settings\Administratör\NTUSER.DAT
2008-06-22 21:57:33 90624 --a------ C:\WINDOWS\system32\nnwxfyth.dll
2008-05-27 23:46:21 0 d-------- C:\WINDOWS\pss
2008-05-27 18:07:50 0 d-------- C:\Program\Alwil Software
2008-05-26 19:30:24 0 d-------- C:\WINDOWS\system32\sv-se
2008-05-26 19:05:42 0 d-------- C:\Documents and Settings\Stig\Application Data\Help
2008-05-26 12:27:53 310408 --ahs---- C:\WINDOWS\system32\wxxbJkkj.ini2
2008-05-26 11:22:52 0 d-------- C:\WINDOWS\system32\vntiho01
2008-05-25 22:40:50 0 d-------- C:\Documents and Settings\Stig\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2008-06-24 03:10:14 0 d-------- C:\Program\MSN Messenger
2008-06-24 03:09:46 321358 --a------ C:\WINDOWS\system32\perfh01D.dat
2008-06-24 03:09:46 50586 --a------ C:\WINDOWS\system32\perfc01D.dat
2008-06-23 23:55:18 0 d-------- C:\Program\Messenger
2008-06-23 23:54:42 0 d-------- C:\Program\Movie Maker
2008-06-23 23:52:11 0 d-------- C:\Program\Windows NT
2008-06-22 21:59:21 0 d-------- C:\Documents and Settings\Stig\Application Data\uTorrent
2008-05-27 21:33:41 0 d-------- C:\Program\F-Secure


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EE2D1E8-066B-435D-BF49-5A40254F09CE}]
C:\WINDOWS\system32\jkkJbxxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C28EAFB-FF50-4F42-8D39-A006129CC907}]
C:\WINDOWS\system32\ssqRjjiJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B458F039-4A4C-4273-9501-D0399B063198}]
C:\WINDOWS\system32\opnolkkK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4f66d5b-4b92-4545-ac58-deb5a3f466c7}]
2008-06-23 18:16 105472 --a------ C:\WINDOWS\system32\gusiyvmw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}]
C:\WINDOWS\system32\khfCtrpO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"SunJavaUpdateSched"="C:\Program\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"PCMService"="C:\Program\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"UpdateManager"="C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"avast!"="C:\Program\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:05]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55]

C:\Documents and Settings\Stig\Start-meny\Program\Autostart\
DESKTOP.INI [2002-10-01 15:31:46]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
DESKTOP.INI [2002-10-01 15:31:46]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2007-06-14 21:29:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F9DF827A-8FA7-48A3-B268-CA4DB563EA40}"= C:\WINDOWS\system32\khfCtrpO.dll [ ]
"{9C28EAFB-FF50-4F42-8D39-A006129CC907}"= C:\WINDOWS\system32\ssqRjjiJ.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCtrpO]
khfCtrpO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRjjiJ]
ssqRjjiJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=gusiyvmw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnolkkK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c349c99]
rundll32.exe "C:\WINDOWS\system32\boupneai.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f07af05]
Rundll32.exe "C:\WINDOWS\system32\nnwxfyth.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - USNJSVC



-- End of Deckard's System Scanner: finished at 2008-06-24 19:48:44 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: Swedish

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 510 MiB / 223.35 MiB
Pagefile Memory (total/avail): 1248.87 MiB / 910.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.48 MiB

C: is Fixed (NTFS) - 74.44 GiB total, 58.69 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75FJA1 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.44 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Stig\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program\Delade filer
COMPUTERNAME=SKARLUNDA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Stig
LOGONSERVER=\\SKARLUNDA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Stig\LOKALA~1\Temp
TMP=C:\DOCUME~1\Stig\LOKALA~1\Temp
USERDOMAIN=SKARLUNDA
USERNAME=Stig
USERPROFILE=C:\Documents and Settings\Stig
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Stig (admin)
Administratör (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUn041d.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program\Delade filer\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program\Delade filer\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
µTorrent --> "C:\Program\uTorrent\uTorrent.exe" /UNINSTALL
avast! Antivirus --> C:\Program\Alwil Software\Avast4\aswRunDll.exe "C:\Program\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Dell Media Experience --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
ffdshow [rev 1058+] [2007-03-22] --> "C:\Program\ffdshow\unins000.exe"
HouseCall 6.6 --> "C:\Documents and Settings\Stig\Application Data\HouseCall 6.6\uninstaller.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{9113041D-6000-11D3-8CFE-0150048383C9}
MSN Toolbar --> C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\mtbs.exe c
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
Opera 9.50 --> MsiExec.exe /X{7472B5B4-3FB7-446F-BC78-6BBA506EC473}
Personal 4.5.2 --> "C:\Program\Personal\bin\persinst.exe" -u
PowerDVD 5.1 --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Security Update for Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
TPTEST 5.0.2 --> "C:\Program\TPTEST5\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{2E55A582-4FFE-4FF2-8D4D-E7D275FF89BD}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type13744 / Success
Event Submitted/Written: 06/24/2008 07:33:25 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type13731 / Warning
Event Submitted/Written: 06/23/2008 11:55:54 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace Root\WMI to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type13725 / Error
Event Submitted/Written: 06/23/2008 09:54:36 PM
Event ID/Source: 1015 / Winlogon
Event Description:
The critical system process C:\WINDOWS\system32\lsass.exe failed with error code 00000000. The computer must be restarted.

Event Record #/Type13714 / Warning
Event Submitted/Written: 06/23/2008 06:47:38 PM
Event ID/Source: 1524 / Userenv
Event Description:
The class registry file cannot be unloaded from memory because it is still in use by other applications or services. The file will be unloaded from memory when it is no longer in use.

Event Record #/Type13712 / Error
Event Submitted/Written: 06/23/2008 06:16:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x03f81472.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37009 / Error
Event Submitted/Written: 06/24/2008 06:34:06 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error %%1084 attempting to start the service EventSystem with arguments
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type37008 / Error
Event Submitted/Written: 06/24/2008 05:29:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Documents and Settings\Stig\Application Data\HouseCall 6.6\MFC80U.DLL.
Error message: The operation completed successfully.

Event Record #/Type37007 / Error
Event Submitted/Written: 06/24/2008 05:29:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Error message: The referenced assembly is not installed on your system.

Event Record #/Type37006 / Error
Event Submitted/Written: 06/24/2008 05:29:09 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found. Last error: The referenced assembly is not installed on your system.

Event Record #/Type37003 / Error
Event Submitted/Written: 06/24/2008 05:28:15 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
aswSP
Fips
intelppm



-- End of Deckard's System Scanner: finished at 2008-06-24 19:48:44 ------------


#2 robbfan (Topic Starter)
Members, 2 posts

Posted 24 June 2008 - 01:13 PM

I did as you told me in the FAQ, with the DSS, but it seems everyone else is posting HijackThis, so here is mine.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:40, on 2008-06-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program\Dell\Media Experience\PCMService.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Stig\Skrivbord\SmitfraudFix\Policies.exe
C:\Program\Opera\opera.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EE2D1E8-066B-435D-BF49-5A40254F09CE} - C:\WINDOWS\system32\jkkJbxxw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\ssqRjjiJ.dll (file missing)
O2 - BHO: (no name) - {B458F039-4A4C-4273-9501-D0399B063198} - C:\WINDOWS\system32\opnolkkK.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O2 - BHO: {7c664f3a-5bed-85ca-5454-29b4b5d66f4d} - {d4f66d5b-4b92-4545-ac58-deb5a3f466c7} - C:\WINDOWS\system32\gusiyvmw.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\khfCtrpO.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211820021953
O20 - AppInit_DLLs: gusiyvmw.dll
O20 - Winlogon Notify: khfCtrpO - khfCtrpO.dll (file missing)
O20 - Winlogon Notify: ssqRjjiJ - ssqRjjiJ.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 5864 bytes
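Both logs in this thread carry the same Vundo footprint: a non-empty AppInit_DLLs, Winlogon Notify packages whose DLLs are already missing, BHOs with no display name (or a GUID as their name) pointing at eight-letter random DLLs in system32, and, in the DSS registry dump, a second LSA Authentication Package sitting next to msv1_0. The script below is an added example written for this page; it is not part of the thread, of HijackThis, of DSS or of any BleepingComputer tool. It parses HijackThis-format lines and flags those load points. The sample lines are copied from the HijackThis log above; the "random-looking name" test (eight letters with a three-consonant run or stray capitals) is my own heuristic and is only applied to load points Vundo uses, so treat a hit as a triage pointer, not a verdict.

```python
"""Flag Vundo-style persistence in HijackThis output (added example)."""
import re
from typing import Dict, List

# Lines copied from the HijackThis log posted above, including three
# benign entries (Acrobat BHO, MSN toolbar BHO, avast! Run key) that a
# correct filter must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EE2D1E8-066B-435D-BF49-5A40254F09CE} - C:\WINDOWS\system32\jkkJbxxw.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O2 - BHO: {7c664f3a-5bed-85ca-5454-29b4b5d66f4d} - {d4f66d5b-4b92-4545-ac58-deb5a3f466c7} - C:\WINDOWS\system32\gusiyvmw.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: gusiyvmw.dll
O20 - Winlogon Notify: khfCtrpO - khfCtrpO.dll (file missing)
O20 - Winlogon Notify: ssqRjjiJ - ssqRjjiJ.dll (file missing)
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# Heuristic (my assumption, not a signature): the Vundo DLLs on this box are
# eight letters with no word structure (jkkJbxxw, ssqRjjiJ, khfCtrpO, ...).
EIGHT_LETTERS_RE = re.compile(r"^[A-Za-z]{8}$")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{3}", re.I)


def looks_random(stem: str) -> bool:
    """True for an eight-letter stem with a 3-consonant run or odd capitals."""
    if not EIGHT_LETTERS_RE.match(stem):
        return False
    odd_caps = any(c.isupper() for c in stem[1:])
    return odd_caps or bool(CONSONANT_RUN_RE.search(stem))


def dll_stem(text: str) -> str:
    """Return the file name (without extension) of the last *.dll in text."""
    found = re.findall(r"([^\\\s]+)\.dll", text, re.I)
    return found[-1] if found else ""


def analyse_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line looks like Vundo persistence."""
    reasons: List[str] = []
    line = line.strip()
    if not line:
        return reasons
    kind, _, rest = line.partition(" - ")
    stem = dll_stem(rest)
    in_system32 = "\\system32\\" in rest.lower()
    missing = "(file missing)" in rest.lower()

    if kind == "O2" and rest.startswith("BHO: "):
        name = rest[len("BHO: "):].split(" - ")[0]
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO without a display name")
        if in_system32 and looks_random(stem):
            reasons.append("BHO DLL in system32 with random-looking name")
    elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is non-empty (loaded into every GUI process)")
    elif kind == "O20" and rest.startswith("Winlogon Notify:"):
        if looks_random(stem) or missing:
            reasons.append("unknown Winlogon Notify package (runs inside winlogon.exe)")

    if missing and reasons:
        reasons.append("file missing: registry entry survived a partial clean-up")
    return reasons


def scan(log: str) -> Dict[str, List[str]]:
    """Map each suspicious line to its reasons; clean lines are omitted."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons = analyse_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


def check_lsa_packages(value: str, known=("msv1_0",)) -> List[str]:
    """Return LSA Authentication Packages outside the known set.

    Input is the raw value as DSS prints it, e.g. the line copied from the
    registry dump above: 'msv1_0 C:\\WINDOWS\\system32\\opnolkkK'. On a
    stand-alone XP machine only msv1_0 is expected there.
    """
    return [p for p in value.split() if p.lower() not in known]


if __name__ == "__main__":
    for hit, why in scan(SAMPLE_LOG).items():
        print(hit)
        for reason in why:
            print("   ->", reason)
    print("extra LSA packages:",
          check_lsa_packages(r"msv1_0 C:\WINDOWS\system32\opnolkkK"))
```

Run as a script it prints each flagged line with its reasons; the three benign entries produce nothing. `check_lsa_packages` is kept separate because the Authentication Packages value only appears in the DSS registry dump, not in HijackThis output. Anything listed there besides msv1_0 is loaded into lsass.exe at boot, and a broken or hostile package is one of the things that can make lsass.exe fail the way the Application Event Log above records on the evening of 06/23.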

#3 fenzodahl512
Members, 6,738 posts

Posted 28 June 2008 - 11:12 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please visit the webpage below for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 fenzodahl512
Members, 6,738 posts

Posted 06 July 2008 - 04:47 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





