
Remaining problems after an Olmarik Trojan


  • This topic is locked
9 replies to this topic

#1 Doxbox

Doxbox

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 13 January 2010 - 12:38 PM

As the title says, I was infected with an Olmarik Trojan. I removed it with MBAM, but now Symantec says that I have 100~ infected files with random names ending in .tmp. Symantec also says that those files are "Packed.Generic.277".
It's my dad's computer and he pays his bills with it, so he really wants it to be clean. Can you guys help me?


DDS (Ver_09-12-01.01) - NTFSx86
Run by Roger Persson at 16:50:10,10 on 2010-01-13
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2032 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program\HP\HP Software Update\HPWuSchd.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program\ekort\ekort.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Office Backup Service\bin\SystemTray.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\OBroker.exe
C:\Documents and Settings\Roger Persson\Application Data\Dropbox\bin\Dropbox.exe
svchost.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Office Backup Service\aua\bin\AuaObm.exe
C:\Program\Office Backup Service\aua\jvm\bin\AuaObmJW.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program\Office Backup Service\bin\Scheduler.exe
C:\Program\Office Backup Service\jvm\bin\SchedulerOBM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program\Tibia\tibia2.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Microsoft IntelliType Pro\itype.exe
C:\Documents and Settings\Roger Persson\Mina dokument\Hämtade filer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.leta.se/
uInternet Settings,ProxyOverride = *.local
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program\java\jre1.5.0_06\bin\ssv.dll
BHO: e-kort Helper Class: {9065e913-4f23-4b47-9b5d-b055d32db1f3} - c:\program\ekort\EKortHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\google toolbar\GoogleToolbar.dll
TB: e-kort Toolbar: {8db2b2e8-579f-48a8-a496-18fefcf8f4df} - c:\program\ekort\EKortToolbar.dll
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SetRefresh] c:\program\compaq\setrefresh\SetRefresh.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] "c:\program\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Genväg till egenskapssida för High Definition Audio] HDAShCut.exe
mRun: [egui] "c:\program\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [e-kort] c:\program\ekort\ekort.exe /dontopenmycards /Autostart
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [ccApp] "c:\program\delade filer\symantec shared\ccApp.exe"
mRun: [AhsayBackupManager] c:\program\office backup service\bin\SystemTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program\tibia\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\rogerp~1\start-~1\program\autost~1\dropbox.lnk - c:\documents and settings\roger persson\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe
IE: &Google-sökning - c:\program\google\GoogleToolbar1.dll/cmsearch.html
IE: &Översätt engelskt ord - c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Bakåtlänkar - c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
IE: E&xportera till Microsoft Excel - c:\program\micros~2\office12\EXCEL.EXE/3000
IE: Lagrad bild på sida - c:\program\google\GoogleToolbar1.dll/cmcache.html
IE: Liknande sidor - c:\program\google\GoogleToolbar1.dll/cmsimilar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL
DPF: {1E81B1B9-0245-4E6F-AAA7-0BCA975F7B4C} - hxxp://service.hyundai-motor.com/Namo/NamoWec.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://scmotors.se/vdesk/terminal/InstallerControl.cab#version=6020,2008,0514,2345
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169641755750
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://scmotors.se/vdesk/terminal/urTermProxy.cab#version=6020,2008,0514,2337
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169641739281
DPF: {77AB1CE3-41B3-49B5-8836-1FBC07FE452D} - hxxp://service.hyundai-motor.com/ocx/mlreport.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} - hxxp://service.hyundai-motor.com/OCX/Knowledge.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - hxxps://scmotors.se/vdesk/terminal/ur5250x.cab#version=6020,2008,0514,2336
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://scmotors.se/vdesk/terminal/urxhost.cab#version=6020,2008,0514,2340
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rogerp~1\applic~1\mozilla\firefox\profiles\vowkkbo9.default\
FF - component: c:\program\ekort\components\SlimOrbAddonEkort.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 AutoUpdateAgentOBM;AutoUpdateAgent;c:\program\office backup service\aua\bin\AuaObm.exe [2007-3-22 45056]
R2 ccEvtMgr;Symantec Event Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2007-8-6 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2007-8-6 108392]
R2 ekrn;ESET Service;c:\program\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [2007-2-27 40480]
R2 OnlineBackupScheduler;Online Backup Scheduler;c:\program\office backup service\bin\Scheduler.exe [2007-2-27 45056]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program\symantec\symantec endpoint protection\Rtvscan.exe [2007-9-6 2177464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\delade filer\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
R3 NAVENG;NAVENG;c:\program\delade~1\symant~1\virusd~1\20100112.005\NAVENG.SYS [2010-1-12 84912]
R3 NAVEX15;NAVEX15;c:\program\delade~1\symant~1\virusd~1\20100112.005\NAVEX15.SYS [2010-1-12 1323568]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-27 38224]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-12-28 16:20:27 0 d-----w- c:\windows\pss
2009-12-28 16:18:53 5872 ----a-w- c:\windows\_detmp.1
2009-12-28 16:18:53 53248 ----a-w- c:\windows\_detmp.2
2009-12-27 20:21:28 0 d-----w- c:\docume~1\rogerp~1\applic~1\Malwarebytes
2009-12-27 20:09:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 20:09:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 20:09:16 0 d-----w- c:\program\Tibia
2009-12-27 20:09:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-27 19:47:18 0 d-----w- c:\program\ESET
2009-12-27 18:39:44 200 ----a-w- c:\windows\system32\srcr.dat
2009-12-27 18:39:43 205 ----a-w- c:\windows\system32\H8SRTpbrbitqlrr.dat

==================== Find3M ====================

2010-01-13 15:24:53 84506 ----a-w- c:\windows\system32\perfc01D.dat
2010-01-13 15:24:53 446784 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-27 10:28:53 44752 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-16 08:06:50 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-11-16 08:03:36 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56:12 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-10-30 21:38:12 10472 ----a-w- c:\windows\fonts\SM.TTF
2009-10-30 21:35:34 23192 ----a-w- c:\windows\fonts\SUPET___.TTF
2009-10-30 21:35:34 23004 ----a-w- c:\windows\fonts\SUPERG__.TTF
2009-10-30 21:35:34 23004 ----a-w- c:\windows\fonts\SUPEB___.TTF
2009-10-30 21:05:30 50968 ----a-w- c:\windows\fonts\Starstrp.ttf
2009-10-30 21:04:50 506660 ----a-w- c:\windows\fonts\Skate or die.ttf
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:40:44 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40:44 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:40:44 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:40:44 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

============= FINISH: 16:50:39,45 ===============
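The DDS log above is meant to be read by a helper, but the two sections that matter most for a rootkit case ("SERVICES / DRIVERS" and "Created Last 30") can be triaged mechanically. The following script is an added example written for this page, not a tool from the thread or from the DDS author: it parses those two sections and flags (a) files recently written to system32 that are tiny or have machine-generated-looking names, (b) anything created within a short window of such a file, and (c) service or driver entries whose image path DDS could not resolve (shown as `a --> a [?]`). The thresholds are assumptions tuned to this log, not vendor signatures; the sample lines are copied from post #1 and trimmed so the script runs offline.

```python
"""Triage helper for DDS-style logs (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Excerpt of the DDS log posted in this thread (post #1), trimmed to a few lines
# so the example runs offline. Paths are exactly as DDS printed them.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-27 38224]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-12-28 16:20:27 0 d-----w- c:\windows\pss
2009-12-27 20:09:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 19:47:18 0 d-----w- c:\program\ESET
2009-12-27 18:39:44 200 ----a-w- c:\windows\system32\srcr.dat
2009-12-27 18:39:43 205 ----a-w- c:\windows\system32\H8SRTpbrbitqlrr.dat
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^(\S+)\s+([^;]+);([^;]*);(.*?)\s+\[(.*)\]$")
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Heuristic thresholds: assumptions for this example, not vendor signatures.
TINY_FILE_BYTES = 1024    # marker/config files dropped by rootkits are often tiny
MIN_VOWEL_RATIO = 0.15    # pronounceable names have far more vowels than this
CLUSTER_WINDOW_S = 120    # files written together usually belong together


@dataclass
class Finding:
    path: str                       # file path, or service name for service findings
    created: datetime | None
    reasons: list[str] = field(default_factory=list)


def split_sections(log: str) -> dict[str, list[str]]:
    """Group non-blank lines under the '=== NAME ===' header that precedes them."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def vowel_ratio(stem: str) -> float:
    """Share of vowels among the letters of a file-name stem (1.0 if no letters)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 1.0


def triage_created(lines: list[str]) -> list[Finding]:
    """Flag recently created files in system32 that look like rootkit droppings."""
    parsed: list[Finding] = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue                      # directories are not droppings
        f = Finding(path, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        parsed.append(f)
        low = path.lower()
        if "\\windows\\system32\\" not in low:
            continue
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if int(size) < TINY_FILE_BYTES:
            f.reasons.append(f"tiny file ({size} bytes) written to system32")
        if vowel_ratio(stem) < MIN_VOWEL_RATIO:
            f.reasons.append("name looks machine-generated (almost no vowels)")
    flagged = [f for f in parsed if f.reasons]
    # Second pass: a file written moments before or after a flagged one is part
    # of the same event and deserves a look even if it looks benign on its own.
    for f in parsed:
        if f.reasons:
            continue
        for g in flagged:
            if abs((f.created - g.created).total_seconds()) <= CLUSTER_WINDOW_S:
                f.reasons.append(f"created within {CLUSTER_WINDOW_S}s of {g.path}")
                break
    return [f for f in parsed if f.reasons]


def triage_services(lines: list[str]) -> list[Finding]:
    """Flag service/driver entries whose image path DDS could not resolve."""
    out: list[Finding] = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, _display, image, meta = m.groups()
        if not DRIVE_PATH_RE.match(image) and not image.startswith(("%", "\\")):
            f = Finding(name, None)
            f.reasons.append(f"{state} entry with unresolvable image path {image!r} [{meta}]")
            out.append(f)
    return out


def triage(log: str) -> dict[str, list[Finding]]:
    sections = split_sections(log)
    return {
        "files": triage_created(sections.get("Created Last 30", [])),
        "services": triage_services(sections.get("SERVICES / DRIVERS", [])),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for f in items:
            print(kind, f.path, "->", "; ".join(f.reasons))
```

On this excerpt the script flags `srcr.dat` and `H8SRTpbrbitqlrr.dat` (both under 1 KB, both nearly vowel-free, written one second apart) and the `vsdatant` service with no resolvable binary. An unresolvable image path is usually a leftover from an uninstalled product, but it is also how a hidden driver presents, so it belongs on the list of things a helper checks rather than being dismissed.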

#2 Doxbox

Doxbox
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 17 January 2010 - 08:34 AM

Anyone?

#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:12 PM

Posted 20 January 2010 - 01:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards
Net_Surfer


#4 Doxbox

Doxbox
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 20 January 2010 - 01:47 PM

Here comes an updated log.

EDIT: Also I have email subscription now.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Roger Persson at 19:44:33,85 on 2010-01-20
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2138 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program\Microsoft IntelliType Pro\itype.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program\HP\HP Software Update\HPWuSchd.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program\ekort\ekort.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Office Backup Service\bin\SystemTray.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\OBroker.exe
C:\Documents and Settings\Roger Persson\Application Data\Dropbox\bin\Dropbox.exe
svchost.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Office Backup Service\aua\bin\AuaObm.exe
C:\Program\Office Backup Service\aua\jvm\bin\AuaObmJW.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program\Office Backup Service\bin\Scheduler.exe
C:\Program\Office Backup Service\jvm\bin\SchedulerOBM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Symantec\Symantec Endpoint Protection\DWHWizrd.exe
C:\Program\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program\Mozilla Firefox\firefox.exe
c:\windows\system32\rundll32.exe
C:\Documents and Settings\Roger Persson\Mina dokument\Hämtade filer\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.leta.se/
uInternet Settings,ProxyOverride = *.local
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program\java\jre1.5.0_06\bin\ssv.dll
BHO: e-kort Helper Class: {9065e913-4f23-4b47-9b5d-b055d32db1f3} - c:\program\ekort\EKortHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program\google\google toolbar\GoogleToolbar.dll
TB: e-kort Toolbar: {8db2b2e8-579f-48a8-a496-18fefcf8f4df} - c:\program\ekort\EKortToolbar.dll
uRun: [MSMSGS] "c:\program\messenger\msmsgs.exe" /background
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SetRefresh] c:\program\compaq\setrefresh\SetRefresh.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [QuickTime Task] "c:\program\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] "c:\program\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Genväg till egenskapssida för High Definition Audio] HDAShCut.exe
mRun: [egui] "c:\program\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [e-kort] c:\program\ekort\ekort.exe /dontopenmycards /Autostart
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [ccApp] "c:\program\delade filer\symantec shared\ccApp.exe"
mRun: [AhsayBackupManager] c:\program\office backup service\bin\SystemTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\rogerp~1\start-~1\program\autost~1\dropbox.lnk - c:\documents and settings\roger persson\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\hpdigi~1.lnk - c:\program\hp\digital imaging\bin\hpqtra08.exe
IE: &Google-sökning - c:\program\google\GoogleToolbar1.dll/cmsearch.html
IE: &Översätt engelskt ord - c:\program\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Bakåtlänkar - c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
IE: E&xportera till Microsoft Excel - c:\program\micros~2\office12\EXCEL.EXE/3000
IE: Lagrad bild på sida - c:\program\google\GoogleToolbar1.dll/cmcache.html
IE: Liknande sidor - c:\program\google\GoogleToolbar1.dll/cmsimilar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office11\REFIEBAR.DLL
DPF: {1E81B1B9-0245-4E6F-AAA7-0BCA975F7B4C} - hxxp://service.hyundai-motor.com/Namo/NamoWec.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://scmotors.se/vdesk/terminal/InstallerControl.cab#version=6020,2008,0514,2345
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169641755750
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://scmotors.se/vdesk/terminal/urTermProxy.cab#version=6020,2008,0514,2337
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169641739281
DPF: {77AB1CE3-41B3-49B5-8836-1FBC07FE452D} - hxxp://service.hyundai-motor.com/ocx/mlreport.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} - hxxp://service.hyundai-motor.com/OCX/Knowledge.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - hxxps://scmotors.se/vdesk/terminal/ur5250x.cab#version=6020,2008,0514,2336
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://scmotors.se/vdesk/terminal/urxhost.cab#version=6020,2008,0514,2340
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rogerp~1\applic~1\mozilla\firefox\profiles\vowkkbo9.default\
FF - component: c:\program\ekort\components\SlimOrbAddonEkort.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 AutoUpdateAgentOBM;AutoUpdateAgent;c:\program\office backup service\aua\bin\AuaObm.exe [2007-3-22 45056]
R2 ccEvtMgr;Symantec Event Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2007-8-6 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2007-8-6 108392]
R2 ekrn;ESET Service;c:\program\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [2007-2-27 40480]
R2 OnlineBackupScheduler;Online Backup Scheduler;c:\program\office backup service\bin\Scheduler.exe [2007-2-27 45056]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program\symantec\symantec endpoint protection\Rtvscan.exe [2007-9-6 2177464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\delade filer\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
R3 NAVENG;NAVENG;c:\program\delade~1\symant~1\virusd~1\20100118.039\NAVENG.SYS [2010-1-19 84912]
R3 NAVEX15;NAVEX15;c:\program\delade~1\symant~1\virusd~1\20100118.039\NAVEX15.SYS [2010-1-19 1323568]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-01-13 15:23:37 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-28 16:20:27 0 d-----w- c:\windows\pss
2009-12-28 16:18:53 5872 ----a-w- c:\windows\_detmp.1
2009-12-28 16:18:53 53248 ----a-w- c:\windows\_detmp.2
2009-12-27 20:21:28 0 d-----w- c:\docume~1\rogerp~1\applic~1\Malwarebytes
2009-12-27 20:09:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 20:09:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 20:09:16 0 d-----w- c:\program\Tibia
2009-12-27 20:09:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-27 19:47:18 0 d-----w- c:\program\ESET
2009-12-27 18:39:44 200 ----a-w- c:\windows\system32\srcr.dat
2009-12-27 18:39:43 205 ----a-w- c:\windows\system32\H8SRTpbrbitqlrr.dat

==================== Find3M ====================

2010-01-20 18:26:45 84506 ----a-w- c:\windows\system32\perfc01D.dat
2010-01-20 18:26:45 446784 ----a-w- c:\windows\system32\perfh01D.dat
2009-12-27 10:28:53 44752 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-30 21:38:12 10472 ----a-w- c:\windows\fonts\SM.TTF
2009-10-30 21:35:34 23192 ----a-w- c:\windows\fonts\SUPET___.TTF
2009-10-30 21:35:34 23004 ----a-w- c:\windows\fonts\SUPERG__.TTF
2009-10-30 21:35:34 23004 ----a-w- c:\windows\fonts\SUPEB___.TTF
2009-10-30 21:05:30 50968 ----a-w- c:\windows\fonts\Starstrp.ttf
2009-10-30 21:04:50 506660 ----a-w- c:\windows\fonts\Skate or die.ttf
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 19:45:21,26 ===============

Edited by Doxbox, 20 January 2010 - 01:49 PM.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:12 AM

Posted 21 January 2010 - 02:09 AM

Hi Doxbox,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either ESET NOD32 Antivirus or Symantec Endpoint Protection.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#6 Doxbox

Doxbox
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:12 PM

Posted 21 January 2010 - 12:56 PM

ComboFix 10-01-20.06 - Roger Persson 2010-01-21 18:37:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.3063.2300 [GMT 1:00]
Körs från: c:\documents and settings\Roger Persson\Skrivbord\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\H8SRTpbrbitqlrr.dat
c:\windows\system32\pagefileconfig.vbs
c:\windows\system32\srcr.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


(((((((((((((((((((((((( Filer Skapade från 2009-12-21 till 2010-01-21 ))))))))))))))))))))))))))))))
.

2010-01-13 15:35 . 2010-01-13 15:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 15:23 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-27 20:21 . 2009-12-27 20:21 -------- d-----w- c:\documents and settings\Roger Persson\Application Data\Malwarebytes
2009-12-27 20:09 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 20:09 . 2010-01-13 15:36 -------- d-----w- c:\program\Tibia
2009-12-27 20:09 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 20:09 . 2009-12-27 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 19:47 . 2009-12-27 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 17:49 . 2009-11-04 19:45 -------- d-----w- c:\documents and settings\Roger Persson\Application Data\Dropbox
2010-01-21 17:29 . 2006-05-04 12:50 84506 ----a-w- c:\windows\system32\perfc01D.dat
2010-01-21 17:29 . 2006-05-04 12:50 446784 ----a-w- c:\windows\system32\perfh01D.dat
2010-01-18 12:46 . 2009-10-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-28 16:18 . 2007-01-24 12:14 -------- d-----w- c:\program\Compaq
2009-12-27 10:28 . 2009-10-25 12:19 44752 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-14 07:14 . 2009-12-14 07:14 -------- d-----w- c:\program\Overland
2009-11-28 16:54 . 2009-11-28 16:54 -------- d-----w- c:\program\Windows Media Connect 2
2009-11-25 22:08 . 2009-11-25 22:08 -------- d-----w- c:\program\myphotobook
2009-11-21 16:03 . 2006-03-02 02:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 19:46 . 2009-11-04 19:46 89962 ----a-w- c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\Uninstall.exe
2009-11-03 20:25 . 2009-11-03 20:25 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:44 . 2006-03-02 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-09-05 417792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"itype"="c:\program\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"IntelliPoint"="c:\program\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HP Software Update"="c:\program\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Genväg till egenskapssida för High Definition Audio"="HDAShCut.exe" [2005-01-07 61952]
"e-kort"="c:\program\ekort\ekort.exe" [2008-12-11 377856]
"ccApp"="c:\program\Delade filer\Symantec Shared\ccApp.exe" [2007-08-06 115560]
"AhsayBackupManager"="c:\program\Office Backup Service\bin\SystemTray.exe" [2006-07-04 258048]
"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Roger Persson\Start-meny\Program\Autostart\
Dropbox.lnk - c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\Dropbox.exe [2009-10-9 26805255]

c:\documents and settings\All Users\Start-meny\Program\Autostart\
HP Digital Imaging Monitor.lnk - c:\program\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program\\Bonjour\\mDNSResponder.exe"=
"c:\\Program\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=

R2 AutoUpdateAgentOBM;AutoUpdateAgent;c:\program\Office Backup Service\aua\bin\AuaObm.exe [2007-03-22 45056]
R2 MicroGuard;MicroGuard Copy Protection;c:\windows\system32\drivers\mgnt.sys [2007-02-27 40480]
R2 OnlineBackupScheduler;Online Backup Scheduler;c:\program\Office Backup Service\bin\Scheduler.exe [2007-02-27 45056]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-01 102448]
.
Innehållet i mappen 'Schemalagda aktiviteter':

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-21 c:\windows\Tasks\User_Feed_Synchronization-{73931CAF-C1E1-41BD-B14E-34B3EB168DAA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.leta.se/
uInternet Settings,ProxyOverride = *.local
IE: &Google-sökning - c:\program\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Översätt engelskt ord - c:\program\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Bakåtlänkar - c:\program\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lagrad bild på sida - c:\program\Google\GoogleToolbar1.dll/cmcache.html
IE: Liknande sidor - c:\program\Google\GoogleToolbar1.dll/cmsimilar.html
DPF: {1E81B1B9-0245-4E6F-AAA7-0BCA975F7B4C} - hxxp://service.hyundai-motor.com/Namo/NamoWec.cab
DPF: {77AB1CE3-41B3-49B5-8836-1FBC07FE452D} - hxxp://service.hyundai-motor.com/ocx/mlreport.cab
DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} - hxxp://service.hyundai-motor.com/OCX/Knowledge.CAB
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - hxxps://scmotors.se/vdesk/terminal/ur5250x.cab#version=6020,2008,0514,2336
FF - ProfilePath - c:\documents and settings\Roger Persson\Application Data\Mozilla\Firefox\Profiles\vowkkbo9.default\
FF - component: c:\program\ekort\components\SlimOrbAddonEkort.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-CD2HD - c:\progra~1\HYUNDA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ€|˙˙˙˙•€|é•6~*]
"D140AC1900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program\Symantec\Symantec Endpoint Protection\SnacNp.dll

- - - - - - - > 'explorer.exe'(5092)
c:\documents and settings\Roger Persson\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\program\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program\Delade filer\Symantec Shared\ccSvcHst.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\OBroker.exe
c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program\Office Backup Service\aua\jvm\bin\AuaObmJW.exe
c:\program\Bonjour\mDNSResponder.exe
c:\program\Office Backup Service\jvm\bin\SchedulerOBM.exe
c:\program\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Sluttid: 2010-01-21 18:55:15 - datorn startades om.
ComboFix-quarantined-files.txt 2010-01-21 17:55

Före genomsökningen: 46 913 753 088 byte ledigt
Efter genomsökningen: 47 561 539 584 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 74539EB8646DEA8DDFB3325F8302648C
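
The log above is what ComboFix prints: a deletions section, a drivers/services section and the registry autostart entries that survive the run. Reading a few hundred such lines by eye is how a helper spots leftovers; the script below is an added example (not part of this thread and not ComboFix's own code) of doing the same thing mechanically. It parses a constructed sample in the same layout (the `SAMPLE_LOG` string, including a made-up `H8SRTloader` Run value that did not appear in the real log), lists what was removed, and flags surviving Run-key entries that share a name prefix with the removed files, run from a user-writable profile folder, or are bare file names resolved through the search path. The function names, the five-character prefix length and the `USER_WRITABLE` folder list are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the ComboFix log layout seen in this thread. The H8SRT
# names mirror the entries ComboFix removed; the "H8SRTloader" Run value is a
# made-up leftover used to exercise the cross-reference check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\H8SRTpbrbitqlrr.dat
c:\windows\system32\srcr.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"ccApp"="c:\program\Delade filer\Symantec Shared\ccApp.exe" [2007-08-06 115560]
"H8SRTloader"="c:\documents and settings\Roger Persson\Application Data\H8SRTx.exe" [2010-01-13 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"""

# Section headers as printed by the Swedish build in this thread and by the
# English build ("Other Deletions", "Drivers/Services").
SECTIONS = {"Andra raderingar": "deleted", "Other Deletions": "deleted",
            "Drivrutiner/Tjänster": "services", "Drivers/Services": "services"}
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+'
                      r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
SERVICE_RE = re.compile(r"^-------\\(?:Legacy_|Service_)?(?P<name>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# Profile folders an ordinary user can write to (assumed list); autostarts there deserve a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class AutostartEntry:
    key: str
    name: str
    path: str
    date: str
    size: int


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_combofix_log(text):
    """Split a ComboFix log into (deleted files, removed services, Run-key autostarts)."""
    deleted, services, entries = [], [], []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section, key = SECTIONS.get(m["title"]), None   # unknown sections map to None
            continue
        if m := KEY_RE.match(line):
            key = m["key"]
            continue
        if section == "deleted" and DRIVE_RE.match(line):
            deleted.append(line)
        elif section == "services" and (m := SERVICE_RE.match(line)):
            services.append(m["name"])
        elif key and key.lower().endswith("\\run") and (m := VALUE_RE.match(line)):
            entries.append(AutostartEntry(key, m["name"], m["path"], m["date"], int(m["size"])))
    return deleted, services, entries


def shared_prefixes(names, length=5):
    """Name prefixes (fixed length, an assumption) that at least two distinct removed items share."""
    counts = Counter(n.lower()[:length] for n in set(names) if len(n) >= length)
    return {p for p, c in counts.items() if c >= 2}


def triage(entries, deleted, services, prefix_len=5):
    """Heuristic review of surviving autostarts; returns [(value name, [reasons])]."""
    prefixes = shared_prefixes([basename(p) for p in deleted] + services, prefix_len)
    findings = []
    for e in entries:
        lowered = e.path.lower()
        reasons = []
        if "\\" not in e.path:
            reasons.append("bare file name: resolved through the search path, verify which file runs")
        if any(d in lowered for d in USER_WRITABLE):
            reasons.append("runs from a user-writable profile directory")
        hit = next((p for p in prefixes if basename(lowered).startswith(p)), None)
        if hit:
            reasons.append(f"shares prefix '{hit}' with files ComboFix removed")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    deleted, services, entries = parse_combofix_log(SAMPLE_LOG)
    print(f"{len(deleted)} files and {len(set(services))} services removed, {len(entries)} autostarts remain")
    for name, reasons in triage(entries, deleted, services):
        print(f"  review {name}: " + "; ".join(reasons))
```

Every flag is a prompt for a human to look, not a verdict: the legitimate `RTHDCPL` entry is flagged only because its value is a bare file name, and the cross-reference check says nothing about files whose names share no prefix with what was removed.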


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:12 AM

Posted 21 January 2010 - 02:38 PM

Well done.

ComboFix removed the rootkit infection. We are going to make sure no leftover is there.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.

  2. Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


#8 Doxbox

Doxbox
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:12 PM

Posted 22 January 2010 - 10:24 AM

Seems clean? So thank you so much for your help!

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 21, 2010 20:00:26
Records in database: 3354952
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\
Scan statistics
Objects scanned 142166
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 02:16:54

No threats found. Scanned area is clean.
Selected area has been scanned.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:12 AM

Posted 22 January 2010 - 10:44 AM

You are welcome.

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy Surfing Doxbox!

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:12 AM

Posted 27 January 2010 - 04:58 PM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
