
Infected with Vista Antivirus Pro 2010


  • This topic is locked
18 replies to this topic

#1 Lars Tore

Lars Tore

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 08 February 2010 - 05:17 AM

Hi all,

I have a pesky malware that I cannot remove with ordinary programs like Malwarebytes and SuperAntiSpyware (Both updated with latest definitions).
Vista Antivirus Pro 2010 (aw.exe) keeps popping up, even though I remove it with the programs mentioned above. It starts to fake a scan, and urges me to buy a software to remove the alleged viruses on my computer.
I haven't tried combofix yet. I have used this with other problems in the past with great result. But this time I thought I'd see what you guys think :)

Here is my dds log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by FILAHOYD at 9:54:14,13 on 08.02.2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1044.18.3070.1532 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\USBDLM\USBDLM.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\filahoyd\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://finn.no
uDefault_Page_URL = hxxp://finn.no
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\program files\microsoft application virtualization client\sftdcc.exe",
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: ClueIEAddin: {c14aa221-bae1-45f6-b0b3-90c23f2daa7d} - c:\clue\adxloader.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
EB: DebugBar: {947e34e9-1d85-43cb-9cbf-5c492118fdd5} - c:\program files\core services\debugbar\DebugInfoBar.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DisplayFusion] "c:\program files\displayfusion\DisplayFusion.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SoftGridTray] "c:\program files\microsoft application virtualization client\SFTTray.exe" /autostart
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbamlt.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\citrix~1.lnk - c:\windows\installer\{388c130b-0079-46b4-a0d5-dc2dd7a89a7b}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: RestrictWelcomeCenter = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)
uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoInplaceSharing = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 1 (0x1)
mPolicies-system: winx86NTPatch32 = 11 (0xb)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fyll felt - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: line6.net
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\filahoyd\appdata\roaming\mozilla\firefox\profiles\0t96rgdc.default\
FF - prefs.js: browser.startup.homepage - hxxp://intranett.finn.no/user/login?destination=frontpage
FF - component: c:\users\filahoyd\appdata\roaming\mozilla\firefox\profiles\0t96rgdc.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\users\filahoyd\appdata\roaming\mozilla\firefox\profiles\0t96rgdc.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\users\filahoyd\appdata\roaming\mozilla\firefox\profiles\0t96rgdc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2009-9-3 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-7-19 4446752]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2008-8-17 431640]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-12 240232]
R2 USBDLM;USBDLM;c:\usbdlm\USBDLM.exe [2008-12-3 157184]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-10-22 223232]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-10-2 69616]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2008-8-17 469016]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2008-8-17 187928]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2008-8-17 15896]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2008-8-17 189976]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\drivers\dc21x4vm.sys [2006-11-2 52224]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-3-27 224384]
S3 FontCache;Windows skriftbuffertjeneste;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-1-21 21504]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 VIRTUALAUDIO;Service for Microsoft Virtual Machine Audio Device Driver (WDM);c:\windows\system32\drivers\VIRTUALAUDIO.sys [2007-12-7 40448]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-1-8 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-1-8 63024]
S3 vpc-s3;vpc-s3;c:\windows\system32\drivers\vpc-s3.sys [2007-12-7 67584]

=============== Created Last 30 ================

2010-02-05 09:17:27 0 d-----w- c:\program files\iPod
2010-01-27 11:54:22 0 d-----w- c:\program files\Aniosoft iPod to Computer
2010-01-27 11:54:02 0 d-----w- c:\users\filahoyd\appdata\roaming\GetRightToGo
2010-01-26 21:02:41 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-26 21:02:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-26 21:02:24 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-26 21:02:24 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-26 11:01:18 0 d-----w- c:\program files\LastPass
2010-01-22 13:10:13 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-22 13:09:09 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-22 13:09:08 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-22 13:09:08 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-22 13:07:33 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-22 13:06:29 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-22 13:06:29 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-18 13:31:34 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-11 15:23:20 0 d-----w- C:\$RECYCLE.BIN
2010-01-11 15:08:23 77312 ----a-w- c:\windows\MBR.exe
2010-01-11 15:08:22 98816 ----a-w- c:\windows\sed.exe
2010-01-11 15:08:22 261632 ----a-w- c:\windows\PEV.exe
2010-01-11 15:08:22 161792 ----a-w- c:\windows\SWREG.exe
2010-01-11 15:08:19 0 d-----w- C:\ComboFixtest
2010-01-11 12:31:03 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-11 12:30:43 244 ---ha-w- C:\sqmnoopt00.sqm
2010-01-11 12:30:43 232 ---ha-w- C:\sqmdata00.sqm
2010-01-11 12:30:39 0 d-----w- c:\users\filahoyd\appdata\roaming\SUPERAntiSpyware.com
2010-01-11 12:30:39 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-11 12:29:41 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-11 12:03:14 0 d-----w- c:\users\filahoyd\appdata\roaming\Malware Defense

==================== Find3M ====================

2010-02-08 08:18:09 97264 ----a-w- c:\windows\system32\perfc014.dat
2010-02-08 08:18:09 507946 ----a-w- c:\windows\system32\perfh014.dat
2010-02-08 08:09:16 109538 ----a-w- c:\programdata\nvModes.dat
2010-01-14 10:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-27 14:37:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-27 14:37:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 14:37:02 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-27 14:37:02 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-01-13 12:20:02 35166 ----a-w- c:\windows\inf\perflib\0414\perfd.dat
2009-01-13 12:20:02 35166 ----a-w- c:\windows\inf\perflib\0414\perfc.dat
2009-01-13 12:20:02 294254 ----a-w- c:\windows\inf\perflib\0414\perfi.dat
2009-01-13 12:20:02 294254 ----a-w- c:\windows\inf\perflib\0414\perfh.dat
2008-01-21 02:42:50 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:09 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:09 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-07 15:43:32 16384 --sha-w- c:\windows\system32\migwiz\%appdata%\microsoft\windows\ietldcache\index.dat

============= FINISH: 9:54:55,26 ===============

In advance, thank you for checking out my post!

-Lars-
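As an added example, not part of this thread and not code from the DDS or ComboFix tools, here is a small Python triage script for log lines in the formats posted above. It flags two things a helper looks for first when reading such a log: autostart (Run key) entries and newly created executables whose path lies under a user profile's AppData directory, which is where ComboFix later reports deleting av.exe in this thread, and the EnableLUA = 0 policy visible in the DDS log (UAC switched off, which makes a rogue process harder to contain). The sample lines are constructed to match the DDS and ComboFix formats; the `uRun: [av]` entry and the av.exe file line are hypothetical and do not come from the posted logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS / ComboFix line formats (the [av] Run entry
# and the av.exe file line are hypothetical; the rest mirror lines above).
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbamlt.exe" /runcleanupscript
uRun: [av] c:\users\filahoyd\AppData\Local\av.exe
mPolicies-system: EnableLUA = 0 (0x0)
2010-01-26 11:01:18 0 d-----w- c:\program files\LastPass
2010-01-26 21:02:41 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-08 09:10:00 51200 ----a-w- c:\users\filahoyd\AppData\Local\av.exe
2010-02-10 09:31 . 2010-02-10 09:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-11 12:03 . 2010-01-11 12:03 -------- d-----w- c:\users\filahoyd\AppData\Roaming\Malware Defense
"""

# "uRun"/"mRun" = HKCU/HKLM Run key entries in the DDS pseudo-HJT section.
RUN_RE = re.compile(r'^([um])Run: \[([^\]]*)\] (.*)$')
# "uPolicies-system: EnableLUA = 0 (0x0)" style policy lines.
POLICY_RE = re.compile(r'^([um])Policies-(\w+): (\w+) = (\d+)')
# File lines: DDS ("ts size attrs path") or ComboFix ("ts . ts size attrs path",
# where a directory's size is printed as dashes).
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)'
    r'(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? (\d+|-+) (\S{8}) (.+)$')
# First image path in a Run command, quoted or not, up to its extension.
EXE_IN_CMD_RE = re.compile(r'^"?(.*?\.(?:exe|scr|dll))"?', re.IGNORECASE)
# Per-user writable locations commonly used by rogue AV droppers.
USER_PROFILE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\(?:local|roaming)\\',
                             re.IGNORECASE)
EXEC_EXT = ('.exe', '.scr', '.dll', '.sys', '.com', '.bat')


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str


def _in_user_profile(path: str) -> bool:
    return USER_PROFILE_RE.search(path) is not None


def _is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)


def check_line(line: str) -> Optional[Finding]:
    """Classify one DDS/ComboFix log line; None means nothing noteworthy."""
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        e = EXE_IN_CMD_RE.match(cmd)
        target = e.group(1) if e else cmd
        if _in_user_profile(target):
            where = 'HKCU' if hive == 'u' else 'HKLM'
            return Finding("high", f"autostart '{name}' ({where} Run) launches "
                                   f"from a user profile directory", line)
        return None
    m = POLICY_RE.match(line)
    if m:
        _hive, area, key, value = m.groups()
        if area == "system" and key == "EnableLUA" and value == "0":
            return Finding("medium", "UAC disabled (EnableLUA = 0); weakens "
                                     "containment of a rogue process", line)
        return None
    m = FILE_RE.match(line)
    if m:
        ts, size, attrs, path = m.groups()
        if attrs.startswith("d"):          # directories are not flagged
            return None
        if _is_executable(path) and _in_user_profile(path):
            return Finding("high", f"new executable written under a user "
                                   f"profile ({size} bytes at {ts})", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            f = check_line(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The script only reads the text of a log; it changes nothing on the machine. The path heuristic deliberately stays narrow (executables under a profile's AppData), so legitimate user-installed software such as browser extension DLLs will still show up and must be checked by hand, as the helpers in this forum do.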


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 10 February 2010 - 01:36 PM


Hello Lars Tore :) Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.




Let's go ahead and let ComboFix take a look, see what it can find:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 11 February 2010 - 05:33 AM

Hi TheWall!

Thank you for taking the time to help me out. Sorry about the delay in my answer! I blame the time difference between USA and Norway ;)

I couldn't just sit around and wait for an answer here, no offence, so I tried cleaning it up myself. Combofix did little to improve the situation, and I needed to go into the register and delete strings manually.
That seemed to prevent the "Vista Antivirus" from running when .exe files were running. But the program was still there, even though it didn't trigger like it used to.

BUT:
The tip about disabling the firewall and antivirus when running Combofix was a good one, because it seems as though Combofix managed to delete the av.exe :)
I hope this is it for now. I'm tired of fighting malware etc :P

Here is my Combofix log:

ComboFix 10-02-10.04 - filahoyd 11.02.2010 9:24.4.2 - x86
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1044.18.3070.1745 [GMT 1:00]
Running from: c:\combofixtest\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\filahoyd\AppData\Local\av.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-11 08:30 . 2010-02-11 08:30 -------- d-----w- c:\users\filahoyd\AppData\Local\temp
2010-02-11 08:30 . 2010-02-11 08:30 -------- d-----w- c:\users\xitmaskret\AppData\Local\temp
2010-02-11 08:30 . 2010-02-11 08:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-11 08:30 . 2010-02-11 08:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-11 08:30 . 2010-02-11 08:30 -------- d-----w- c:\users\ADMINI~1\AppData\Local\temp
2010-02-10 09:31 . 2010-02-10 09:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-10 09:31 . 2010-02-10 09:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-09 13:37 . 2010-02-09 13:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-09 13:34 . 2010-02-09 13:51 -------- d-----w- c:\users\filahoyd\AppData\Roaming\QuickScan
2010-02-09 13:34 . 2010-01-11 16:33 789320 ----a-w- c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-09 13:34 . 2010-01-11 16:32 698184 ----a-w- c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-08 10:51 . 2010-02-08 15:00 -------- d-----w- c:\users\filahoyd\malware
2010-02-05 09:17 . 2010-02-05 09:17 -------- d-----w- c:\program files\iPod
2010-02-05 09:15 . 2010-02-05 09:16 -------- d-----w- c:\program files\QuickTime
2010-02-05 09:14 . 2010-02-05 09:14 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-27 11:54 . 2010-01-27 11:54 -------- d-----w- c:\program files\Aniosoft iPod to Computer
2010-01-27 11:54 . 2010-01-27 11:54 -------- d-----w- c:\users\filahoyd\AppData\Roaming\GetRightToGo
2010-01-26 21:02 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-01-26 21:02 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-01-26 21:02 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-01-26 21:02 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-26 21:02 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-01-26 21:02 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-01-26 21:02 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-26 21:02 . 2009-08-06 18:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-26 21:02 . 2009-08-06 17:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-26 11:01 . 2010-01-26 11:01 635392 ----a-w- c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-01-26 11:01 . 2010-01-26 11:01 -------- d-----w- c:\program files\LastPass
2010-01-22 13:10 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-22 13:09 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-22 13:09 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-22 13:09 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-22 13:07 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2010-01-22 13:06 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-22 13:06 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-18 13:31 . 2009-08-19 22:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 08:20 . 2009-01-14 07:17 97264 ----a-w- c:\windows\system32\perfc014.dat
2010-02-11 08:20 . 2009-01-14 07:17 507946 ----a-w- c:\windows\system32\perfh014.dat
2010-02-11 08:14 . 2009-10-13 12:07 -------- d-----w- c:\users\filahoyd\AppData\Roaming\DisplayFusion
2010-02-11 08:11 . 2009-10-08 08:23 109538 ----a-w- c:\programdata\nvModes.dat
2010-02-11 08:10 . 2009-10-02 11:30 -------- d-----w- c:\programdata\NVIDIA
2010-02-10 15:01 . 2009-02-10 13:49 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-10 15:01 . 2009-10-07 15:27 -------- d-----w- c:\users\filahoyd\AppData\Roaming\SoftGrid Client
2010-02-10 14:29 . 2009-10-09 11:00 -------- d-----w- c:\users\filahoyd\AppData\Roaming\Spotify
2010-02-09 11:36 . 2010-01-11 12:32 117760 ----a-w- c:\users\filahoyd\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-05 09:18 . 2009-11-10 07:44 -------- d-----w- c:\program files\iTunes
2010-02-05 09:17 . 2009-10-08 14:00 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 09:15 . 2010-01-11 12:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 13:51 . 2009-11-10 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 08:26 . 2009-01-07 15:47 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-25 08:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-22 13:10 . 2009-01-08 20:51 -------- d-----w- c:\programdata\Microsoft Help
2010-01-22 13:10 . 2009-10-07 15:49 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-01-14 10:12 . 2009-10-02 11:43 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 13:47 . 2009-10-08 13:27 -------- d-----w- c:\program files\SmartFTP Client
2010-01-11 12:32 . 2010-01-11 12:32 52224 ----a-w- c:\users\filahoyd\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-11 12:31 . 2010-01-11 12:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-11 12:30 . 2010-01-11 12:30 -------- d-----w- c:\users\filahoyd\AppData\Roaming\SUPERAntiSpyware.com
2010-01-11 12:29 . 2010-01-11 12:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-11 12:03 . 2010-01-11 12:03 -------- d-----w- c:\users\filahoyd\AppData\Roaming\Malware Defense
2010-01-07 15:07 . 2009-11-10 14:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-11-10 14:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38 . 2010-01-22 13:02 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 13:02 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 13:02 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 13:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-29 11:58 . 2009-11-13 08:54 -------- d-----w- c:\users\filahoyd\AppData\Roaming\vlc
2009-12-07 07:03 . 2009-12-01 08:24 680 ----a-w- c:\users\filahoyd\AppData\Local\d3d9caps.dat
2009-11-27 14:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((( SnapShot_2010-02-08_16.17.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:57 . 2010-02-11 08:13 39456 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:04 . 2010-02-11 08:13 69380 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-13 07:54 . 2010-02-11 08:18 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-13 07:54 . 2010-02-08 16:04 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-13 07:54 . 2010-02-08 16:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-13 07:54 . 2010-02-11 08:18 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-13 07:54 . 2010-02-11 08:18 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-13 07:54 . 2010-02-08 16:04 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-11 08:18 . 2010-02-11 08:18 11296 c:\windows\SoftwareDistribution\EventCache\{FAD9C329-3175-46C9-9580-B165A7DBC97D}.bin
+ 2009-10-07 16:07 . 2010-02-11 08:13 3416 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2095401915-1002599317-1998214792-29672_UserData.bin
- 2009-10-07 16:07 . 2010-02-08 10:49 3416 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2095401915-1002599317-1998214792-29672_UserData.bin
- 2010-02-08 10:47 . 2010-02-08 10:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-02-11 08:10 . 2010-02-11 08:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-02-11 08:10 . 2010-02-11 08:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-02-08 10:47 . 2010-02-08 10:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-02-11 08:20 655492 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-02-08 12:20 655492 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-02-08 12:20 121402 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-02-11 08:20 121402 c:\windows\System32\perfc009.dat
- 2009-07-29 14:35 . 2010-02-08 16:04 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-29 14:35 . 2010-02-11 08:18 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-10-08 5724184]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftGridTray"="c:\program files\Microsoft Application Virtualization Client\SFTTray.exe" [2008-08-17 781848]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [2009-01-22 579584]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-10-21 5073744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2009-09-03 1033584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix XenApp.lnk - c:\windows\Installer\{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2009-10-2 73728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-8 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 1 (0x1)
"winx86NTPatch32"= 11 (0xb)
"DisableStartupSound"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictWelcomeCenter"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceRunOnStartMenu"= 1 (0x1)
"NoStartMenuMyGames"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInplaceSharing"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2009-10-21 00:48 5073744 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-01-13 18:23 6711840 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 09:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 08:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,b3,40,0c,7b,0f,ca,01

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05.01.2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05.01.2010 07:56 74480]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [03.09.2009 15:06 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [06.04.2007 03:12 73120]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [21.07.2005 10:14 134656]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [19.07.2009 22:55 4446752]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [17.08.2008 22:43 431640]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [12.09.2009 16:06 240232]
R2 USBDLM;USBDLM;c:\usbdlm\USBDLM.exe [03.12.2008 18:38 157184]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [22.10.2008 18:41 223232]
R3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\SftFSlh.sys [17.08.2008 22:43 469016]
R3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [17.08.2008 22:43 187928]
R3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\SftVollh.sys [17.08.2008 22:40 15896]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [17.08.2008 22:41 189976]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.08.2008 05:46 284016]
S3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\System32\drivers\dc21x4vm.sys [02.11.2006 11:25 52224]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\System32\drivers\e1y6032.sys [27.03.2008 11:39 224384]
S3 FontCache;Windows skriftbuffertjeneste;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21.01.2008 03:23 21504]
S3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe -k PeerDist [21.01.2008 03:23 21504]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05.01.2010 07:56 7408]
S3 VIRTUALAUDIO;Service for Microsoft Virtual Machine Audio Device Driver (WDM);c:\windows\System32\drivers\VIRTUALAUDIO.sys [07.12.2007 00:02 40448]
S3 vmmouse;VMware Pointing Device;c:\windows\System32\drivers\vmmouse.sys [08.01.2009 21:28 11696]
S3 vmx_svga;vmx_svga;c:\windows\System32\drivers\vmx_svga.sys [08.01.2009 21:28 63024]
S3 vpc-s3;vpc-s3;c:\windows\System32\drivers\vpc-s3.sys [07.12.2007 00:02 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
PeerDist REG_MULTI_SZ PeerDistSvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranett.finn.no
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fyll felt - file://c:\program files\LastPass\context.html?cmd=fillforms
Trusted Zone: line6.net
FF - ProfilePath - c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\
FF - prefs.js: browser.startup.homepage - hxxp://intranett.finn.no/user/login?destination=frontpage
FF - component: c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\users\filahoyd\AppData\Roaming\Mozilla\Firefox\Profiles\0t96rgdc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DisplayFusion - c:\program files\DisplayFusion\DisplayFusion.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 09:30
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1452)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-11 09:32:23
ComboFix-quarantined-files.txt 2010-02-11 08:32
ComboFix2.txt 2010-02-08 16:28
ComboFix3.txt 2010-02-08 16:20
ComboFix4.txt 2010-01-11 15:26

Pre-Run: 181 367 607 296 byte ledig
Post-Run: 181 337 251 840 byte ledig

- - End Of File - - 2817CB37DB8ACD784F8E0BE946767C4D

Edited by Lars Tore, 11 February 2010 - 05:34 AM.


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 11 February 2010 - 11:33 AM

Some questions:

1) Was ComboFix already on your system or did you download it again?

2) Your log shows it has been run 4 times, was this recently?

3) Are you still having symptoms?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 11 February 2010 - 11:42 AM

Hi again,

1) I downloaded a new one a few days ago, when the spyware blossomed again. The one I used the last time I had a problem was deleted.

2) I have run it a few times, and probably three times the last week. The first time, I didn't notice any difference, so I tried a couple of other programs, then tried Combofix again.
And of course, today :)

3) I have no symptoms now actually. The symptoms disappeared after I manually deleted strings in the registry yesterday. I just hope the Combofix today with your guidance got rid of the program itself :)



#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 11 February 2010 - 12:07 PM

Thanks, I would like to take a look at the first run if you don't mind. You can find it at the following location:


C:\ComboFix.txt

#7 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 11 February 2010 - 12:15 PM

I have four attachments I think you should see.
Or should I just paste everything in here? It's a lot of text.

The Combofix4.txt is from 11th of January, but you can see that in the log itself :)



#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 11 February 2010 - 12:27 PM

Thanks, I'll need some time to go over them and then I will get back with you.

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 11 February 2010 - 01:07 PM

Let's run a Kaspersky scan and see if it can find anything that is left:



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



#10 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 12 February 2010 - 05:57 AM

Hi again,

Here is my log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 12, 2010
Operating system: Microsoft Windows Vista Enterprise Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 11, 2010 18:53:44
Records in database: 3480749
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Objects scanned: 193018
Threats found: 3
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 01:56:13


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\Users\filahoyd\AppData\Local\av.exe.vir Infected: Trojan-Ransom.Win32.Digitala.gr 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\60fa4d8c-54ba86bd Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\16295f9e-6dc1635c Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2bae4f1e-25f162d6 Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\50f9b644-51875681 Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\1862f8ee-3cd902af Infected: Exploit.OSX.Smid.b 1

Selected area has been scanned.


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 12 February 2010 - 05:09 PM

One of those is a remote administrator which is usually used for legitimate reasons but they identify it anyway.

The Qoobox entry will be gone when we uninstall ComboFix.


You are a few versions behind on your Java, we'll update it:



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.




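The scan report in #10 and the helper's triage of it in this post, as an added Python example that is not part of the thread or of Kaspersky, ComboFix or Malwarebytes: it parses the Kaspersky Online Scanner 7.0 report layout posted above and sorts each detection into the buckets the helper describes (a tool flagged as not-a-virus, an object already sitting in ComboFix's Qoobox quarantine, and cached Java applets that the Java cache deletion step removes). The sample report text is copied from the thread; the category names, the `classify` rules and the consistency check against "Infected objects found" are this example's own choices, not anything the scanner provides.

```python
"""Triage helper for Kaspersky Online Scanner 7.0 text reports.

Example code added for this thread; it is not part of Kaspersky, ComboFix or
Malwarebytes. The report layout and the sample detections below are taken from
the scan report posted in the thread; the category rules follow the helper's
explanation (riskware, ComboFix quarantine, Java deployment cache).
"""
import re
from collections import Counter

# Constructed sample in the report's own layout (paths copied from the thread).
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 193018
Threats found: 3
Infected objects found: 7
Suspicious objects found: 0

File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\Users\filahoyd\AppData\Local\av.exe.vir Infected: Trojan-Ransom.Win32.Digitala.gr 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\60fa4d8c-54ba86bd Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\16295f9e-6dc1635c Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2bae4f1e-25f162d6 Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\50f9b644-51875681 Infected: Exploit.OSX.Smid.b 1
C:\Users\filahoyd\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\1862f8ee-3cd902af Infected: Exploit.OSX.Smid.b 1

Selected area has been scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>". Paths may
# contain spaces, so the path group is non-greedy up to the " Infected: " marker.
DETECTION_RE = re.compile(r"^(?P<path>\S.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Header counters such as "Infected objects found: 7" (durations like 01:56:13 are skipped).
STAT_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>\d+)$")


def parse_report(text):
    """Return (stats, detections): stats maps counter name -> int, detections is a
    list of (path, threat, count) tuples in report order."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["path"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = int(m["value"])
    return stats, detections


def classify(path, threat):
    """Bucket a detection the way the helper in the thread reads the report.
    Category names are this example's own (hypothetical) choices."""
    p = path.lower()
    if threat.startswith("not-a-virus:"):
        return "riskware"       # legitimate tool flagged by policy (mIRC here)
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # already neutralised by ComboFix; removed with it
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"     # cached applet from an exploit attempt; cleared with the Java cache
    return "active"             # still on disk and outside any quarantine: needs action


def triage(text):
    """Group detections by category and cross-check the per-line counts against the
    report's own 'Infected objects found' total, so a truncated paste is noticed."""
    stats, detections = parse_report(text)
    groups = {}
    for path, threat, count in detections:
        groups.setdefault(classify(path, threat), []).append((path, threat, count))
    counted = sum(c for _, _, c in detections)
    return {
        "groups": groups,
        "by_category": Counter({k: len(v) for k, v in groups.items()}),
        "objects_match": counted == stats.get("Infected objects found", -1),
        "needs_action": [p for p, _, _ in groups.get("active", [])],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for category, items in result["groups"].items():
        print(f"{category}: {len(items)} object(s)")
        for path, threat, _ in items:
            print(f"    {threat:40} {path}")
    print("count consistent with report header:", result["objects_match"])
    print("objects needing action:", result["needs_action"])
```

On the thread's report this leaves nothing in the "active" bucket, which matches the helper's reading: the only real trojan is already in Qoobox, and the five Java cache hits disappear once the cache is cleared during the Java update; the later Malwarebytes log in #15, where av.exe reappears outside quarantine, is exactly the case the "active" bucket is meant to surface.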

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 17 February 2010 - 11:10 PM

Are you still there?

#13 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 18 February 2010 - 08:34 AM

Hi Thewall,

I am so sorry for the absence. Work has been so intense these last few days :(
And the problem is with my work-pc, so I have no way of doing this except when I'm at work.
But thank you for following up on me!

It's amazing... Today the Vista Antivirus program was back. And I have NO clue where it comes from :/
I'll update the Java version right away.

Again, thanks for sticking with me :)

-Lars-

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:38 AM

Posted 18 February 2010 - 01:06 PM

That's OK, let me know how the computer is running too if you would.

#15 Lars Tore

Lars Tore
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 18 February 2010 - 01:09 PM

Hi:)

I ran Malwarebytes and deleted strings in regedit manually. Now I'm symptom free again. And I've updated Java.. Maybe it'll keep out this time?

Last log:

Malwarebytes' Anti-Malware 1.44
Databaseversjon: 3755
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

18.02.2010 16:14:26
mbam-log-2010-02-18 (16-14-26).txt

Skanntype: Rask Skann
Objekter skannet: 121219
Tid tilbakelagt: 4 minute(s), 38 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 1

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\Users\filahoyd\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.



