Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help To Remove Early Stage Of Smitfraud Virus


  • This topic is locked This topic is locked
9 replies to this topic

#1 Auroron

Auroron

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 July 2008 - 01:02 PM

Ok, here's the problem. My dad managed to download a two virsus that appeared in the icon tray and gave me fake balloon tip. By terminating iebtm.exe and iebtmm.exe I could delete the virus, but one of the icons still persists and giving me fake balloon tip. If I click the tip I get redirected to the homepage of AntiSpycheck, which I know is a virus.
Please help, how do I remove this icon?
Here's and example of my problem: (Only that I never downloaded what the link gives me! I just have the icon!)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:04, on 04.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programfiler\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Programfiler\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx
O3 - Toolbar: Internet Service - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Programfiler\Web Technologies\iebr.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [start_forbruksmåler] "C:\Programfiler\Telenor" Plus\Forbruksmåler\Forbruksmåler.exe C:\Programfiler\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Programfiler\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Programfiler\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [BearShare] "C:\Programfiler\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145907190296
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab27571.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8724140E-A8DB-4BC9-9341-C44D9411FB83}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12172 bytes

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 04 July 2008 - 01:50 PM

Hi,

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\WINDOWS\system32\Msdxm6.ocx

Select it and click ok:
Then click the Send File button below.

Then * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Auroron

Auroron
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 July 2008 - 02:57 PM

Everything went smooth, and the icon seems to be gone now, here's the reports:

COMBOFIX

ComboFix 08-07-04.1 - Geir Moe Ellefsen 2008-07-04 21:44:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.446 [GMT 2:00]
Running from: C:\Documents and Settings\Geir Moe Ellefsen\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\igfxhk(3).dll
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\zlib.dll
C:\WINDOWS\WINDOWS
C:\WINDOWS\WINDOWS\system32\drivers\etc\hosts

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-04 19:38 . 2008-07-04 19:38 <DIR> d-------- C:\Deckard
2008-07-01 20:34 . 2008-07-01 20:34 <DIR> d-------- C:\Programfiler\Trend Micro
2008-07-01 20:22 . 2008-07-01 20:22 2,926 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-01 20:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-01 20:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-01 20:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-01 20:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-01 20:21 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-01 20:21 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-01 20:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-01 20:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-01 20:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-01 19:03 . 2008-07-01 19:10 <DIR> d-------- C:\Programfiler\Panda Security
2008-06-30 18:03 . 2008-07-01 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-06-23 20:51 . 2008-07-03 21:34 <DIR> dr-h----- C:\Documents and Settings\Geir Moe Ellefsen\Siste

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 17:27 --------- d-----w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\WTablet
2008-07-03 15:02 --------- d-----w C:\Documents and Settings\LocalService\Programdata\WTablet
2008-07-01 16:50 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-07-01 12:27 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-06-30 16:03 --------- d-----w C:\Programfiler\Lavasoft
2008-06-26 17:20 --------- d-----w C:\Programfiler\Direct WAV MP3 Splitter
2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 19:17 49,824 ----a-w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\GDIPFONTCACHEV1.DAT
2008-05-25 19:10 --------- d-----w C:\Programfiler\MSECache
2008-05-22 17:39 --------- d-----w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\Canon
2008-05-21 08:45 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-17 18:12 --------- d-----w C:\Programfiler\World of Warcraft
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 13:13 --------- d-----w C:\Programfiler\CONEXANT
2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-13 01:43 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2005-04-18 15:09 40,096 -c--a-w C:\Documents and Settings\Lars Moe Ellefsen\Programdata\GDIPFONTCACHEV1.DAT
2007-04-14 16:07 56 -csh--r C:\WINDOWS\system32\ACF8E26F19.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2007-11-17 13:53 171464]
"Google Update"="C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-03-29 12:48 51184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"start_forbruksmåler"="C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe" [2004-03-18 22:52 323584]
"ecc"="C:\Programfiler\Telenor\ecc\ecc.exe" [2004-05-15 11:25 278528]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2003-09-10 11:07 155648]
"WildTangent CDA"="C:\Programfiler\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 03:24 28616]
"BearShare"="C:\Programfiler\BearShare\BearShare.exe" [2006-07-26 14:48 3305472]
"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"SpySweeper"="C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-01 17:17 4806144]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-04-28 15:36 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

C:\Documents and Settings\Geir Moe Ellefsen\Start-meny\Programmer\Oppstart\
YouTube Uploader.lnk - C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\YouTube\Uploader\youtubeuploader.exe [2007-11-09 14:33:08 71152]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpR32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpR64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\BearShare\\BearShare.exe"=
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.7.0-enGB-downloader.exe"=
"C:\\Programfiler\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard downloader

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 21:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 20:30]
S0 twpR64;twpR64 TCP;C:\WINDOWS\system32\twpR64.sys []
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\Programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 []
S3 XDva005;XDva005;C:\WINDOWS\system32\XDva005.sys []
S3 XDva006;XDva006;C:\WINDOWS\system32\XDva006.sys []
S3 XDva042;XDva042;C:\WINDOWS\system32\XDva042.sys []

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

BHO-{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Programfiler\Web Technologies\iebt.dll
Toolbar-{85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Programfiler\Web Technologies\iebr.dll
WebBrowser-{2E110353-7A5F-44E9-B86D-3AD87A2007D0} - (no file)
WebBrowser-{85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Programfiler\Web Technologies\iebr.dll
HKU-Default-Run-ALUAlert - C:\Programfiler\Symantec\LiveUpdate\ALUNotify.exe
Notify-ddsntdll - ddsntdll.d


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 21:50:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-04 21:54:17
ComboFix-quarantined-files.txt 2008-07-04 19:53:11

Pre-Run: 6,337,867,776 byte ledig
Post-Run: 7,243,075,584 byte ledig

137 --- E O F --- 2008-06-21 00:24:14




HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:12, on 04.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programfiler\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Programfiler\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx
O3 - Toolbar: (no name) - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [start_forbruksmåler] "C:\Programfiler\Telenor" Plus\Forbruksmåler\Forbruksmåler.exe C:\Programfiler\Telenor Plus\Forbruksmåler
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Programfiler\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Programfiler\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [BearShare] "C:\Programfiler\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorergate.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145907190296
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab27571.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8724140E-A8DB-4BC9-9341-C44D9411FB83}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11665 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 04 July 2008 - 03:17 PM

Hi,

We're not finished yet..

I see you were dealing with Haxdoor previously. As far as I can see, that infection is gone, but we'll going to run an extra tool afterwards to make sure.
This infection collects your passwords, so make sure you change all your passwords once we are done with this thread.

Also, the first step required before you run Combofix it is to install the Recovery Console as I already posted in my previous post.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Also, I see Bearshare installed. In case you didn't pay for it, I strongly recommend you uninstall it -- because the free version is bundled with spyware.


Then...

Please disable your Spysweeper and leave it disabled while running the tools, because it interferes with them and replaces the entries we deleted back again.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Driver::
XDva042
XDva006
XDva005
twpR64
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpR32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\twpR64.sys]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{85BDD81D-31FD-4A6B-A73C-3955B128D2EC}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WildTangent CDA"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3A7FE611-1994-4EF1-A09F-99456752289D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Edited by miekiemoes, 04 July 2008 - 03:18 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Auroron

Auroron
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 July 2008 - 03:24 PM

ok, small question before I do this. The reasion I didn't install recovery console was that I used a cd, and it said that the cd was san older version, so installing it may cause some problems and such. Can't I boot from cd if something goes wrong?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 04 July 2008 - 03:26 PM

Hi,

Did you read the instructions how to install the Recovery Console on the Combofix page?
That's what it says there...

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:...

Then read from there how to install the Recovery Console with the use of Combofix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Auroron

Auroron
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 July 2008 - 04:40 PM

okay, i'm back again with the results. I had some problems at the start, but it worked after a while. I could not completely turn off Spysweeper, I deactivated ALL the shield and ended from the icon in the tray, but the Spysweeper.exe still remains as a process. I tried to kill it with process explorer, but it said it had no entry. There is no "diable" button anywhere, so I am completely stumped on that part.
And about bearshare, I don't use it, but my father does. A lot. is it really that dangerous?
Anyways, here's the logs:

ComboFix 08-07-04.1 - Geir Moe Ellefsen 2008-07-04 23:15:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.459 [GMT 2:00]
Running from: C:\Documents and Settings\Geir Moe Ellefsen\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Geir Moe Ellefsen\Skrivebord\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TWPR64
-------\Legacy_XDVA005
-------\Legacy_XDVA006
-------\Legacy_XDVA042
-------\Service_twpR64
-------\Service_XDva005
-------\Service_XDva006
-------\Service_XDva042


((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-04 19:38 . 2008-07-04 19:38 <DIR> d-------- C:\Deckard
2008-07-01 20:34 . 2008-07-01 20:34 <DIR> d-------- C:\Programfiler\Trend Micro
2008-07-01 20:22 . 2008-07-01 20:22 2,926 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-01 20:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-01 20:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-01 20:21 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-01 20:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-01 20:21 . 2008-06-23 23:34 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-01 20:21 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-01 20:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-01 20:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-01 20:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-01 19:03 . 2008-07-01 19:10 <DIR> d-------- C:\Programfiler\Panda Security
2008-06-30 18:03 . 2008-07-01 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-06-23 20:51 . 2008-07-04 23:14 <DIR> dr-h----- C:\Documents and Settings\Geir Moe Ellefsen\Siste

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 21:21 --------- d-----w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\WTablet
2008-07-03 15:02 --------- d-----w C:\Documents and Settings\LocalService\Programdata\WTablet
2008-07-01 16:50 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-07-01 12:27 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-06-30 16:03 --------- d-----w C:\Programfiler\Lavasoft
2008-06-26 17:20 --------- d-----w C:\Programfiler\Direct WAV MP3 Splitter
2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 19:17 49,824 ----a-w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\GDIPFONTCACHEV1.DAT
2008-05-25 19:10 --------- d-----w C:\Programfiler\MSECache
2008-05-22 17:39 --------- d-----w C:\Documents and Settings\Geir Moe Ellefsen\Programdata\Canon
2008-05-17 18:12 --------- d-----w C:\Programfiler\World of Warcraft
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 13:13 --------- d-----w C:\Programfiler\CONEXANT
2005-04-18 15:09 40,096 -c--a-w C:\Documents and Settings\Lars Moe Ellefsen\Programdata\GDIPFONTCACHEV1.DAT
2007-04-14 16:07 56 -csh--r C:\WINDOWS\system32\ACF8E26F19.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_21.52.42,26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 17:26:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-04 21:21:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-21 08:45:38 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
+ 2008-07-04 20:02:37 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
- 2008-05-06 17:21:46 89,190 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-04 20:47:48 89,190 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-06 17:21:47 97,766 ----a-w C:\WINDOWS\system32\perfc014.dat
+ 2008-07-04 20:47:48 97,766 ----a-w C:\WINDOWS\system32\perfc014.dat
- 2008-05-06 17:21:47 488,332 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-04 20:47:48 488,332 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-05-06 17:21:47 491,192 ----a-w C:\WINDOWS\system32\perfh014.dat
+ 2008-07-04 20:47:48 491,192 ----a-w C:\WINDOWS\system32\perfh014.dat
+ 2008-07-04 21:21:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1}]
C:\Programfiler\Web Technologies\iebt.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
"DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" [2007-11-17 13:53 171464]
"Google Update"="C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-03-29 12:48 51184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"ecc"="C:\Programfiler\Telenor\ecc\ecc.exe" [2004-05-15 11:25 278528]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2003-09-10 11:07 155648]
"BearShare"="C:\Programfiler\BearShare\BearShare.exe" [2006-07-26 14:48 3305472]
"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"SpySweeper"="C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-01 17:17 4806144]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" [2008-04-28 15:36 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

C:\Documents and Settings\Geir Moe Ellefsen\Start-meny\Programmer\Oppstart\
YouTube Uploader.lnk - C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\YouTube\Uploader\youtubeuploader.exe [2007-11-09 14:33:08 71152]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\BearShare\\BearShare.exe"=
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"C:\\Programfiler\\World of Warcraft\\WoW-1.7.0-enGB-downloader.exe"=
"C:\\Programfiler\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard downloader

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 21:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 20:30]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\Programfiler\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 []

.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{2E110353-7A5F-44E9-B86D-3AD87A2007D0} - (no file)
WebBrowser-{85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - (no file)
HKLM-Run-start_forbruksmåler - C:\Programfiler\Telenor Plus\Forbruksmåler\Forbruksmåler.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 23:22:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-07-04 23:34:22 - machine was rebooted [Geir Moe Ellefsen]
ComboFix-quarantined-files.txt 2008-07-04 21:34:11
ComboFix2.txt 2008-07-04 19:54:19

Pre-Run: 8,259,940,352 byte ledig
Post-Run: 8,485,249,024 byte ledig

159 --- E O F --- 2008-06-21 00:24:14






HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:39:08, on 04.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programfiler\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Programfiler\Web Technologies\iebt.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programfiler\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Geir Moe Ellefsen\Lokale innstillinger\Programdata\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.online.no/
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145907190296
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab27571.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8724140E-A8DB-4BC9-9341-C44D9411FB83}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10218 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 05 July 2008 - 04:52 PM

Hi,

Bearshare is bundled with Spyware if you didn't purchase it. P2P programs are ALWAYS dangerous, because you never know what exactly you download. Most malware is spread via P2P programs such as bearshare, limewire etc etc.. Don't think that your Antivirus may protect you, because a lot of malware being spread there is still undetected.

Anyway..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Programfiler\Web Technologies\iebt.dll (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 11 July 2008 - 02:53 AM

Let me know in your next reply how things are now.

Still with us?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 PM

Posted 16 July 2008 - 02:18 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users