
Virus/malware "S.M.A.R.T. Repair"


This topic is locked. 24 replies to this topic.

#1 Enva

  • Members
  • 24 posts

Posted 29 April 2012 - 02:07 PM

Greetings, I found your forum after a quick search on Google and I've seen that you've helped a guy with a problem similar to mine (http://www.bleepingcomputer.com/forums/topic448360.html).

I sincerely hope that you'll be able to help me out, as my problem seems to be similar to the one in the topic which I linked above.

Short description: all of my icons except the trash bin and "my computer" are hidden, and a window called "Data Recovery" with the following text appears on the screen: "S.M.A.R.T. Repair Hard drives diagnostic report. Your computer is in critical state. Hard disk error detected."

EDIT: There are multiple identical "windows" popping up with the following title: "!System Message - Write Fault control", where the text is: "A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid system memory address".
Then there are the following options: "Cancel" - "Try again" - "Continue".

Is it safe for me to copy my files (pictures, documents) from this infected PC to my USB stick / external HD?
What is the first step I need to take in order to resolve this problem and remove this malware from my PC?

What must I do in order to post my DDS log? How do I get it onto my PC so I can post it here on the forums? My OS is Windows Vista 32-bit.


Looking forward to your reply, thanks in advance - regards from Europe!
Enva

Edited by Enva, 29 April 2012 - 02:14 PM.



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 29 April 2012 - 05:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Enva (Topic Starter)

  • Members
  • 24 posts

Posted 30 April 2012 - 05:48 AM

Hello again, thank you for the reply.
I use Windows Vista 32-bit. It's genuine and I have the recovery partition on my PC, not on a CD/DVD.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Cibo at 12:08:48 on 2012-04-30
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.47.1044.18.2045.690 [GMT 2:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norman Security Suite *Enabled/Updated* {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Norman Security Suite *Enabled/Updated* {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norman\Npm\bin\ELOGSVC.EXE
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Norman\Npm\Bin\Zlh.exe
C:\Program Files\Telio Backup Manager\VaultClientTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Telio Backup Manager\VaultClientSRV.exe
C:\Program Files\Telio Backup Manager\VaultClientUpgrade.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Norman\nse\bin\NSESVC.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.no/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\cibo\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [YDdRtmhilFNORa.exe] c:\programdata\YDdRtmhilFNORa.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
mRun: [TrayStartup] c:\program files\telio backup manager\VaultClientTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{16B07147-3C67-4390-92B5-954D3BD5B94A} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2010-4-6 77004]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-7 64512]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2010-3-25 26744]
R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2010-3-25 74144]
R2 FontCache;Windows skriftbuffertjeneste;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-1 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-4 2152152]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-10-15 22880]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-3-21 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-3-21 68928]
R2 NNFSVC;Norman Network Filtering service;c:\program files\norman\ngs\bin\nnf.exe [2010-6-29 223000]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2008-11-29 428912]
R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2010-3-25 90144]
R2 nregsec;Norman Registry Security driver;c:\program files\norman\ngs\bin\nregsec.sys [2010-3-25 40384]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2009-5-19 100336]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2011-10-24 2025336]
R2 VaultClientSRV;Telio Backup Manager Service;c:\program files\telio backup manager\VaultClientSRV.exe [2008-10-3 982064]
R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\telio backup manager\VaultClientUpgrade.exe [2008-10-3 56368]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2010-12-8 288072]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcv32mf.sys [2009-2-19 24688]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2010-8-17 198168]
R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2009-5-19 99312]
S1 vbghftjw;vbghftjw;c:\windows\system32\drivers\vbghftjw.sys [2012-4-30 42960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Googles oppdateringstjeneste (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 253088]
S3 gupdatem;Google-oppdatering-tjenesten (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-4 15232]
S3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\norman\nvc\bin\nvcsched.exe --> c:\program files\norman\nvc\bin\NVCSCHED.EXE [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-30 10:07:23 42960 ----a-w- c:\windows\system32\drivers\vbghftjw.sys
2012-04-30 10:01:40 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{788c0dff-390b-441c-9dc5-6fbd15bf5093}\offreg.dll
2012-04-29 04:06:24 221696 ---ha-w- c:\programdata\faP0R0go5C2SMi.exe
2012-04-29 03:41:49 301056 ---ha-w- c:\programdata\YDdRtmhilFNORa.exe
2012-04-27 23:37:17 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{788c0dff-390b-441c-9dc5-6fbd15bf5093}\mpengine.dll
2012-04-19 15:39:43 -------- d--h--w- c:\users\cibo\appdata\roaming\Runningball Sports Information
2012-04-19 15:38:49 -------- d-----w- c:\program files\Runningball Sports Information
2012-04-11 22:27:39 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 22:27:39 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 22:27:39 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 22:27:39 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 22:27:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 22:27:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:20:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-10 09:44:06 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-14 17:53:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 06:57:10 545 ----a-w- c:\windows\UC.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\RAR.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\PKZIP.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\PKUNZIP.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\NOCLOSE.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\LHA.PIF
2012-03-09 06:57:10 545 ----a-w- c:\windows\ARJ.PIF
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-07 09:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-02 15:16:25 2044416 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:10:43,42 ===============
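Triage logic over DDS log lines of the kind posted above, as an added example (not a tool from this thread or part of DDS itself): it pulls out the indicators a malware-response helper reads off such a log, namely autorun entries launching straight out of ProgramData, recently created hidden executables, and a driver registered under a random-looking name shortly before the scan. The sample lines are constructed from the posted log, and the random-name heuristic is an assumption of mine used only as a secondary signal.

```python
"""Triage helper for DDS log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: a handful of lines in the shape of the DDS log above.
SAMPLE_LOG = r"""
Run by Cibo at 12:08:48 on 2012-04-30
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YDdRtmhilFNORa.exe] c:\programdata\YDdRtmhilFNORa.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2010-3-25 26744]
S1 vbghftjw;vbghftjw;c:\windows\system32\drivers\vbghftjw.sys [2012-4-30 42960]
2012-04-30 10:07:23 42960 ----a-w- c:\windows\system32\drivers\vbghftjw.sys
2012-04-29 04:06:24 221696 ---ha-w- c:\programdata\faP0R0go5C2SMi.exe
2012-04-29 03:41:49 301056 ---ha-w- c:\programdata\YDdRtmhilFNORa.exe
2012-04-11 22:27:39 5120 ----a-w- c:\windows\system32\wmi.dll
"""

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
# uRun/mRun lines: "[name] "optional-quoted-path.exe" args"
RUN_RE = re.compile(r'^[um]Run: \[[^\]]*\] "?(?P<path>[^"]+?\.exe)"?', re.I)
# Service/driver lines: "R1 svc;display name;path.sys [date size]"
SVC_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<name>[^;]+);(?P<path>.+?\.sys) \[", re.I)
# "Created Last 30" lines: date time size attrs path; the 'h' column means hidden
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
SCAN_RE = re.compile(r"^Run by .* on (?P<date>\d{4}-\d{2}-\d{2})$")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def looks_random(stem: str) -> bool:
    """Crude 'machine-generated name' heuristic (my assumption, not a DDS rule):
    very few vowels, or digits mixed into mixed-case letters.
    All-uppercase acronyms such as WMPNSCFG are exempt."""
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    digits = sum(c.isdigit() for c in stem)
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    mixed = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    return (len(stem) >= 8 and vowel_ratio < 0.25 and not stem.isupper()) \
        or (digits >= 3 and mixed)


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def triage(log_text: str, recent_days: int = 2) -> list[Finding]:
    """Run the checks over a DDS log and return everything they flag."""
    findings: list[Finding] = []
    scan_date = None
    for line in log_text.splitlines():
        if m := SCAN_RE.match(line.strip()):
            scan_date = date.fromisoformat(m["date"])
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path = m["path"]
            parent = path.lower().rsplit("\\", 1)[0]
            if parent.endswith("\\programdata") or "\\temp" in parent:
                findings.append(Finding(path, "autorun launches an executable directly from ProgramData/Temp"))
            elif looks_random(_stem(path)):
                findings.append(Finding(path, "autorun with random-looking name"))
        elif m := SVC_RE.match(line):
            # Legitimate drivers carry a vendor description; a bare repeated name is a red flag.
            if m["svc"] == m["name"] and looks_random(m["svc"]):
                findings.append(Finding(m["path"], "driver service with random-looking name and no description"))
        elif m := CREATED_RE.match(line):
            path, attrs = m["path"], m["attrs"]
            if _ext(path) not in EXEC_EXT:
                continue
            if "h" in attrs:
                findings.append(Finding(path, "recently created hidden executable"))
            created = date.fromisoformat(m["date"])
            if (scan_date and "\\drivers\\" in path.lower()
                    and scan_date - created <= timedelta(days=recent_days)):
                findings.append(Finding(path, "driver created within days of the scan"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```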

#4 Enva (Topic Starter)

  • Members
  • 24 posts

Posted 30 April 2012 - 07:04 AM

Hello again, I've attached my ark.txt after I scanned with GMER. Here's a copy of it as well:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-30 13:57:38
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST332062 rev.3.AD
Running: gmer.exe; Driver: C:\Users\Cibo\AppData\Local\Temp\pxldqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateEvent [0x82B919B0]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateFile [0x82B913CE]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateProcess [0x82B90854]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateProcessEx [0x82B90884]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateThread [0x82B908B4]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwSetSystemInformation [0x82B914D8]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwTerminateProcess [0x82B910DA]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwWriteVirtualMemory [0x82B911CC]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateThreadEx [0x82B90B6E]
SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys ZwCreateUserProcess [0x82B90542]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 1D1 81CAC954 4 Bytes [B0, 19, B9, 82]
.text ntkrnlpa.exe!KeSetEvent + 1D9 81CAC95C 4 Bytes [CE, 13, B9, 82]
.text ntkrnlpa.exe!KeSetEvent + 209 81CAC98C 8 Bytes [54, 08, B9, 82, 84, 08, B9, ...]
.text ntkrnlpa.exe!KeSetEvent + 221 81CAC9A4 4 Bytes [B4, 08, B9, 82]
.text ntkrnlpa.exe!KeSetEvent + 5DD 81CACD60 4 Bytes [D8, 14, B9, 82]
.text ...
? C:\Users\Cibo\AppData\Local\Temp\mbr.sys Systemet finner ikke angitt fil. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!EnableWindow 7748CD8B 5 Bytes JMP 70E29A14 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxParamW 774B10B0 5 Bytes JMP 70D8170B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxIndirectParamW 774B2EF5 5 Bytes JMP 70F7640E C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxParamA 774C8152 5 Bytes JMP 70F763A9 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxIndirectParamA 774C847D 5 Bytes JMP 70F76473 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxIndirectA 774DD4D9 5 Bytes JMP 70F76330 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxIndirectW 774DD5D3 5 Bytes JMP 70F762B7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxExA 774DD639 5 Bytes JMP 70F76253 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxExW 774DD65D 5 Bytes JMP 70F761EF C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] kernel32.dll!CreateThread 76E9CB2E 5 Bytes JMP 70DE72FB C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateDialogParamW 774872A2 5 Bytes JMP 70F76778 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!GetAsyncKeyState 7748863C 5 Bytes JMP 70DCDD9D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!SetWindowsHookExW 774887AD 5 Bytes JMP 70E22194 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CallNextHookEx 77488E3B 5 Bytes JMP 70E47BB7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!UnhookWindowsHookEx 774898DB 5 Bytes JMP 70E6EB10 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!EnableWindow 7748CD8B 5 Bytes JMP 70E29A14 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DefWindowProcA 7748DB88 7 Bytes JMP 70DE9525 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateWindowExA 7748DC2A 5 Bytes JMP 70DF335B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateWindowExW 77491305 5 Bytes JMP 70E4FF8F C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!GetKeyState 77498CB1 5 Bytes JMP 70DCDC73 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DefWindowProcW 774A03B4 7 Bytes JMP 70E47C1A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!IsDialogMessageW 774A0745 5 Bytes JMP 70F76EDD C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateDialogParamA 774A17AA 5 Bytes JMP 70F76740 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!IsDialogMessage 774A1847 5 Bytes JMP 70F76EB5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateDialogIndirectParamA 774A26F1 5 Bytes JMP 70F767B0 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!CreateDialogIndirectParamW 774A9A62 5 Bytes JMP 70F767E8 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!SetKeyboardState 774B0987 5 Bytes JMP 70F777A5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DialogBoxParamW 774B10B0 5 Bytes JMP 70D8170B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DialogBoxIndirectParamW 774B2EF5 5 Bytes JMP 70F7640E C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!SendInput 774B2F75 5 Bytes JMP 70F7774D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!EndDialog 774B326E 5 Bytes JMP 70F77189 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!SetCursorPos 774C6FB2 5 Bytes JMP 70F77826 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DialogBoxParamA 774C8152 5 Bytes JMP 70F763A9 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!DialogBoxIndirectParamA 774C847D 5 Bytes JMP 70F76473 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!MessageBoxIndirectA 774DD4D9 5 Bytes JMP 70F76330 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!MessageBoxIndirectW 774DD5D3 5 Bytes JMP 70F762B7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!MessageBoxExA 774DD639 5 Bytes JMP 70F76253 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!MessageBoxExW 774DD65D 5 Bytes JMP 70F761EF C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] USER32.dll!keybd_event 774DD972 5 Bytes JMP 70F7770A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] SHELL32.dll!SHRestricted + D95 762D89A8 4 Bytes [CF, 01, B9, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] SHELL32.dll!SHRestricted + D9D 762D89B0 8 Bytes [E0, 61, B8, 6B, 79, F7, B8, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4164] ole32.dll!OleLoadFromStream 76111E80 5 Bytes JMP 70F76BE7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] kernel32.dll!CreateThread 76E9CB2E 5 Bytes JMP 70DE72FB C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateDialogParamW 774872A2 5 Bytes JMP 70F76778 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!GetAsyncKeyState 7748863C 5 Bytes JMP 70DCDD9D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!SetWindowsHookExW 774887AD 5 Bytes JMP 70E22194 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CallNextHookEx 77488E3B 5 Bytes JMP 70E47BB7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!UnhookWindowsHookEx 774898DB 5 Bytes JMP 70E6EB10 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!EnableWindow 7748CD8B 5 Bytes JMP 70E29A14 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DefWindowProcA 7748DB88 7 Bytes JMP 70DE9525 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateWindowExA 7748DC2A 5 Bytes JMP 70DF335B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateWindowExW 77491305 5 Bytes JMP 70E4FF8F C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!GetKeyState 77498CB1 5 Bytes JMP 70DCDC73 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DefWindowProcW 774A03B4 7 Bytes JMP 70E47C1A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!IsDialogMessageW 774A0745 5 Bytes JMP 70F76EDD C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateDialogParamA 774A17AA 5 Bytes JMP 70F76740 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!IsDialogMessage 774A1847 5 Bytes JMP 70F76EB5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateDialogIndirectParamA 774A26F1 5 Bytes JMP 70F767B0 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!CreateDialogIndirectParamW 774A9A62 5 Bytes JMP 70F767E8 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!SetKeyboardState 774B0987 5 Bytes JMP 70F777A5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DialogBoxParamW 774B10B0 5 Bytes JMP 70D8170B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DialogBoxIndirectParamW 774B2EF5 5 Bytes JMP 70F7640E C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!SendInput 774B2F75 5 Bytes JMP 70F7774D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!EndDialog 774B326E 5 Bytes JMP 70F77189 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!SetCursorPos 774C6FB2 5 Bytes JMP 70F77826 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DialogBoxParamA 774C8152 5 Bytes JMP 70F763A9 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!DialogBoxIndirectParamA 774C847D 5 Bytes JMP 70F76473 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!MessageBoxIndirectA 774DD4D9 5 Bytes JMP 70F76330 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!MessageBoxIndirectW 774DD5D3 5 Bytes JMP 70F762B7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!MessageBoxExA 774DD639 5 Bytes JMP 70F76253 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!MessageBoxExW 774DD65D 5 Bytes JMP 70F761EF C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!keybd_event 774DD972 5 Bytes JMP 70F7770A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] SHELL32.dll!SHRestricted + D95 762D89A8 4 Bytes [CF, 01, B9, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] SHELL32.dll!SHRestricted + D9D 762D89B0 8 Bytes [E0, 61, B8, 6B, 79, F7, B8, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] ole32.dll!OleLoadFromStream 76111E80 5 Bytes JMP 70F76BE7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] kernel32.dll!CreateThread 76E9CB2E 5 Bytes JMP 70DE72FB C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateDialogParamW 774872A2 5 Bytes JMP 70F76778 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!GetAsyncKeyState 7748863C 5 Bytes JMP 70DCDD9D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!SetWindowsHookExW 774887AD 5 Bytes JMP 70E22194 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CallNextHookEx 77488E3B 5 Bytes JMP 70E47BB7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!UnhookWindowsHookEx 774898DB 5 Bytes JMP 70E6EB10 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!EnableWindow 7748CD8B 5 Bytes JMP 70E29A14 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DefWindowProcA 7748DB88 7 Bytes JMP 70DE9525 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateWindowExA 7748DC2A 5 Bytes JMP 70DF335B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateWindowExW 77491305 5 Bytes JMP 70E4FF8F C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!GetKeyState 77498CB1 5 Bytes JMP 70DCDC73 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DefWindowProcW 774A03B4 7 Bytes JMP 70E47C1A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!IsDialogMessageW 774A0745 5 Bytes JMP 70F76EDD C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateDialogParamA 774A17AA 5 Bytes JMP 70F76740 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!IsDialogMessage 774A1847 5 Bytes JMP 70F76EB5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateDialogIndirectParamA 774A26F1 5 Bytes JMP 70F767B0 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!CreateDialogIndirectParamW 774A9A62 5 Bytes JMP 70F767E8 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!SetKeyboardState 774B0987 5 Bytes JMP 70F777A5 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DialogBoxParamW 774B10B0 5 Bytes JMP 70D8170B C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DialogBoxIndirectParamW 774B2EF5 5 Bytes JMP 70F7640E C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!SendInput 774B2F75 5 Bytes JMP 70F7774D C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!EndDialog 774B326E 5 Bytes JMP 70F77189 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!SetCursorPos 774C6FB2 5 Bytes JMP 70F77826 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DialogBoxParamA 774C8152 5 Bytes JMP 70F763A9 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!DialogBoxIndirectParamA 774C847D 5 Bytes JMP 70F76473 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!MessageBoxIndirectA 774DD4D9 5 Bytes JMP 70F76330 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!MessageBoxIndirectW 774DD5D3 5 Bytes JMP 70F762B7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!MessageBoxExA 774DD639 5 Bytes JMP 70F76253 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!MessageBoxExW 774DD65D 5 Bytes JMP 70F761EF C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] USER32.dll!keybd_event 774DD972 5 Bytes JMP 70F7770A C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] SHELL32.dll!SHRestricted + D95 762D89A8 4 Bytes [CF, 01, B9, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] SHELL32.dll!SHRestricted + D9D 762D89B0 8 Bytes [E0, 61, B8, 6B, 79, F7, B8, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[5084] ole32.dll!OleLoadFromStream 76111E80 5 Bytes JMP 70F76BE7 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Filterbehandling for Microsoft filsystem/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached file: ark.txt (25.09KB)
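The user-mode hook section of the GMER log above lists dozens of inline JMP hooks inside the iexplore.exe processes, and every one of them lands in C:\Windows\system32\IEFRAME.dll, which GMER attributes to Microsoft Corporation from the file's version resource. That is what makes them ordinary Internet Explorer behaviour rather than a rootkit finding; what a responder actually wants from such a dump is the small set of hooks that do not fit that pattern. The script below is an added example, not part of the thread and not GMER's own code: it parses lines in this format, separates JMP hooks whose target module sits under C:\Windows and carries a trusted publisher string from everything else (raw byte patches, or jumps into modules elsewhere), and counts hooks per target module. The first four sample lines are copied from the iexplore.exe[4356] block above; the fifth (hooklib.dll in ProgramData, PID 1234, both addresses) is hypothetical and added only so the review branch is exercised. The trusted-publisher set is my assumption.

```python
import re
from collections import Counter

# Constructed sample in GMER 1.0.15 user-mode hook format. Lines 1-4 are copied
# from the iexplore.exe[4356] block in the posted log; line 5 is hypothetical
# (hooklib.dll, PID 1234 and both addresses are made up) so that the "review"
# branch below is exercised. It does not come from the user's machine.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] kernel32.dll!CreateThread 76E9CB2E 5 Bytes JMP 70DE72FB C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] USER32.dll!SetWindowsHookExW 774887AD 5 Bytes JMP 70E22194 C:\Windows\system32\IEFRAME.dll (Internett-leser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] SHELL32.dll!SHRestricted + D95 762D89A8 4 Bytes [CF, 01, B9, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[4356] SHELL32.dll!SHRestricted + D9D 762D89B0 8 Bytes [E0, 61, B8, 6B, 79, F7, B8, ...]
.text C:\Windows\explorer.exe[1234] ntdll.dll!NtQueryDirectoryFile 77C10A00 5 Bytes JMP 00A51C20 C:\ProgramData\hooklib.dll ()
"""

# ".text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes <detail>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<symbol>\S+\.dll!\S+(?: \+ [0-9A-F]+)?)\s+"
    r"(?P<address>[0-9A-F]+)\s+(?P<size>\d+) Bytes\s+(?P<detail>.*)$",
    re.IGNORECASE,
)
# detail of an inline jump: "JMP <target> <module path> (<description>/<company>)"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-F]+)\s+(?P<module>.+?)(?:\s+\((?P<info>.*)\))?$",
    re.IGNORECASE,
)

# Assumption: publishers whose hooks we accept without a second look.
TRUSTED_PUBLISHERS = {"Microsoft Corporation"}


def parse_hooks(text):
    """Return one dict per hook line; lines in any other format are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        detail = rec.pop("detail")
        j = JMP_RE.match(detail)
        if j:
            info = j["info"] or ""
            # GMER prints "<file description>/<company>" taken from the version resource
            rec.update(kind="jmp", target=j["target"], module=j["module"],
                       publisher=info.rsplit("/", 1)[-1] if info else "")
        else:
            # raw byte patch: GMER shows the new bytes but no target module
            rec.update(kind="patch", target="", module="", publisher="",
                       patched_bytes=detail)
        hooks.append(rec)
    return hooks


def triage_hooks(hooks):
    """Split hooks into 'trusted' (a JMP into a module under C:\\Windows whose
    version resource names a trusted publisher) and 'review' (everything else)."""
    verdicts = {"trusted": [], "review": []}
    for h in hooks:
        under_windows = h["module"].lower().startswith("c:\\windows\\")
        if h["kind"] == "jmp" and under_windows and h["publisher"] in TRUSTED_PUBLISHERS:
            verdicts["trusted"].append(h)
        else:
            verdicts["review"].append(h)
    return verdicts


def hooks_by_module(hooks):
    """Count hooks per target module; byte patches are grouped under '<inline patch>'."""
    return dict(Counter(h["module"] or "<inline patch>" for h in hooks))


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for module, n in hooks_by_module(hooks).items():
        print(f"{n:3d} hook(s) -> {module}")
    for h in triage_hooks(hooks)["review"]:
        where = h["module"] or h["patched_bytes"]
        print(f"REVIEW {h['process']}[{h['pid']}] {h['symbol']} -> {where}")
```

The publisher string is read from the target file's version resource, which any dropper can set to "Microsoft Corporation", so the path test is deliberately part of the trusted condition; a real check would also verify the Authenticode signature of the target module. The SHRestricted byte patches carry no target at all, so they are listed for review rather than judged either way.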


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 PM

Posted 30 April 2012 - 12:10 PM

Hello Enva,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply::
TDSSKIller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Enva

Enva
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 30 April 2012 - 03:04 PM

Hello again and thanks for the fast reply fireman4it!

I've attached the GMER log file, please see attached file: GMER Log.log (25.09KB)

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 PM

Posted 30 April 2012 - 04:34 PM

Hello,


I need the TDSSKiller and ComboFix logs.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 Enva

Enva
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 30 April 2012 - 04:59 PM

Hello again, I can't find the ComboFix log. I tried to find it at C:\ComboFix.txt and looked on C: but couldn't find it; the ComboFix scan itself took about 10 min.

I tried to find it like this as well;
•push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)

•please copy and paste the following into the box

C:\ComboFix.txt

•click ok

But it does not exist. Where/how can I find it?

However, I have 2 TDSSKiller logs, please see attached files.
There are no differences, it's still the same status regarding the pc.
EDIT: Before I installed ComboFix I closed all these multiple identical "windows" popping up with the following text: "!System Message - Write Fault control", and they didn't show up again. But now, after installing ComboFix, they pop up again some minutes after I've closed them all. That's the only difference for now.


Here are the 2 files which my Norman SecuritySuite detected and placed in quarantine yesterday when I got the virus:

qcdtogojzqsgkqmmwfukiflut.exe W32/Kryptik.BMP 2012-04-29 05:39:43
jar_cache4335474207715381894.tmp W32/Karagany.QN 2012-04-29 05:39:46

What to do next?
Thanks for the help so far

Attached Files


Edited by Enva, 30 April 2012 - 05:23 PM.


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 PM

Posted 30 April 2012 - 06:47 PM

Please delete the copy of ComboFix you have and do the following. Please run ComboFix in Safe Mode with Networking.



Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2


  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.

    Now reboot into Safe Mode with Networking.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Make sure you choose the option with networking support.
    Please see here for additional details.

  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 Enva

Enva
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 30 April 2012 - 07:43 PM

Hello,

I have now re-installed Combofix and renamed it to 1234.scr and rebooted into safe mode through msconfig.
When I got into safe mode I tried to open the 1234.scr file on my desktop by double clicking, and it did not work.

I also tried right-click ---> Install / Run / Configure and none of these worked either; Windows asked me whether I was sure I wanted to continue, I clicked YES, and nothing happened after that.

So, what do I do now?
Best regards, Enva

#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 PM

Posted 30 April 2012 - 09:42 PM

  1. Please download OTL from one of the following mirrors:
     • This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Under the Custom Scan box paste this in:
    c:\windows\*. /SL
    c:\windows\*. /RP
    netsvcs
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  5. Push the Quick Scan button.
  6. Two reports will open; copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif

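The OTL.txt that this scan produces lists every process (PRC), loaded module (MOD) and service (SRV) with the fields a responder reads first: modification time, size, file attributes (the H in -H-- means the hidden attribute is set), the company name from the version resource (empty parentheses when there is none) and the path. In the log Enva posts in the next reply, the two processes running from C:\ProgramData with hidden attributes, no company name and a modification time of 29 April (the day the scareware appeared) stand out on exactly those grounds, while plenty of legitimate Norman and Apple modules also lack a company name. The script below is an added example, not OTL's code and not part of the thread: it parses lines in that format and scores each entry on those signals relative to the scan time. The sample lines are copied from the posted log and the scan time comes from its header; the weights, the three-point threshold and the seven-day window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: six lines copied verbatim from the OTL.txt posted in the
# next reply. They are embedded here only so the example runs offline.
SAMPLE_OTL = r"""
PRC - [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
PRC - [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
PRC - [2011.11.03 02:48:18 | 000,428,912 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\Zanda.exe
PRC - [2006.11.02 11:44:50 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\attrib.exe
MOD - [2010.11.08 17:56:34 | 000,234,760 | ---- | M] () -- C:\Programfiler\Norman\Npm\Bin\Noemrc.dll
SRV - [2012.04.14 19:53:13 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
"""
# "OTL logfile created on: 01.05.2012 11:53:02" in that log's header
SCAN_TIME = datetime(2012, 5, 1, 11, 53, 2)

# "<KIND> - [<mtime> | <size> | <attrs> | M] (<company>) [<service state>] -- <path> -- (<service name>)"
# "SRV - File not found ..." lines carry no timestamp block and are skipped.
LINE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV) - \[(?P<mtime>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| M\] \((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\))?$"
)

# Directories an ordinary user can write to. Legitimate updaters live here
# too, so this is a weight in the score, not a verdict on its own.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_otl(text):
    """Return one dict per PRC/MOD/SRV line with mtime and size converted."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["mtime"] = datetime.strptime(e["mtime"], "%Y.%m.%d %H:%M:%S")
        e["size"] = int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def score_entry(e, scan_time, recent=timedelta(days=7)):
    """Return (score, reasons). Weights are assumptions chosen for this example."""
    reasons = []
    if "H" in e["attrs"]:
        reasons.append(("hidden attribute set on an executable", 2))
    if not e["company"]:
        reasons.append(("no company name in version info", 1))
    if any(d in e["path"].lower() for d in STAGING_DIRS):
        reasons.append(("runs from a user-writable staging directory", 2))
    if scan_time - e["mtime"] <= recent:
        reasons.append((f"modified within {recent.days} days of the scan", 1))
    return sum(w for _, w in reasons), reasons


def triage_processes(text, scan_time, threshold=3):
    """Entries scoring at or above the threshold, highest score first."""
    flagged = []
    for e in parse_otl(text):
        score, reasons = score_entry(e, scan_time)
        if score >= threshold:
            flagged.append({"kind": e["kind"], "path": e["path"], "score": score,
                            "reasons": [r for r, _ in reasons]})
    flagged.sort(key=lambda f: -f["score"])   # stable: ties keep log order
    return flagged


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_OTL, SCAN_TIME):
        print(f"[{f['score']}] {f['kind']} {f['path']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Run as-is, the two ProgramData executables score 6 and nothing else reaches the threshold; the Norman module with an empty company name scores only 1, which is the point of combining weak signals instead of acting on any one of them. Note that attrib.exe appears in the same process list, which is consistent with the hidden desktop icons described in the first post, but the score above says nothing about why it is running; that is a question for the helper's later log review.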

#12 Enva

Enva
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 01 May 2012 - 05:24 AM

Hello again, here are the 2 reports you requested:

OTL.txt

OTL logfile created on: 01.05.2012 11:53:02 - Run 1
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\Cibo\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000414 | Country: Norge | Language: NOR | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 0,80 Gb Available Physical Memory | 40,01% Memory free
4,24 Gb Paging File | 2,95 Gb Available in Paging File | 69,59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,04 Gb Total Space | 183,84 Gb Free Space | 63,83% Space Free | Partition Type: NTFS
Drive D: | 10,00 Gb Total Space | 7,08 Gb Free Space | 70,80% Space Free | Partition Type: NTFS

Computer Name: CIBO-PC | User Name: Cibo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.05.01 11:51:51 | 000,595,456 | -H-- | M] (OldTimer Tools) -- C:\Users\Cibo\Desktop\OTL.exe
PRC - [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
PRC - [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
PRC - [2012.04.14 18:53:13 | 000,353,440 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
PRC - [2011.11.03 02:48:18 | 000,428,912 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\Zanda.exe
PRC - [2011.09.30 08:51:08 | 000,090,144 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Ngs\Bin\nprosec.exe
PRC - [2011.07.07 17:06:03 | 000,748,336 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Internet Explorer\iexplore.exe
PRC - [2011.03.22 16:15:39 | 000,189,824 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\Zlh.exe
PRC - [2011.03.21 11:17:56 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\System32\NLSSRV32.EXE
PRC - [2011.03.21 11:17:44 | 000,196,928 | ---- | M] (Nitro PDF Software) -- C:\Programfiler\Nitro PDF\Professional\NitroPDFDriverService.exe
PRC - [2011.03.17 18:35:23 | 002,025,336 | ---- | M] (TeamViewer GmbH) -- C:\Programfiler\TeamViewer\Version5\TeamViewer_Service.exe
PRC - [2010.12.17 16:22:48 | 000,288,072 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Nse\Bin\Nsesvc.exe
PRC - [2010.11.11 13:43:28 | 000,075,104 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\elogsvc.exe
PRC - [2010.11.10 14:48:32 | 000,223,000 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Ngs\Bin\nnf.exe
PRC - [2010.11.08 18:02:27 | 000,111,912 | ---- | M] () -- C:\Programfiler\Norman\Npm\Bin\Njeeves.exe
PRC - [2010.11.08 18:02:27 | 000,099,312 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\scheduler.exe
PRC - [2010.11.08 17:56:34 | 000,198,168 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\NVC\bin\Nvcoas.exe
PRC - [2010.11.08 17:56:34 | 000,100,336 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\Npm\Bin\nvoy.exe
PRC - [2010.11.08 17:56:34 | 000,074,592 | ---- | M] (Norman ASA) -- C:\Programfiler\Norman\NVC\bin\CClaw.exe
PRC - [2010.09.21 15:03:14 | 001,710,464 | ---- | M] (Microsoft Corp.) -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2010.09.21 15:03:14 | 000,193,408 | ---- | M] (Microsoft Corp.) -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009.11.07 19:33:14 | 000,122,368 | ---- | M] (Google Inc.) -- C:\Programfiler\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009.05.10 06:57:51 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Programfiler\Common Files\Real\Update_OB\realsched.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.10.03 19:04:28 | 000,056,368 | ---- | M] (TELIO) -- C:\Programfiler\Telio Backup Manager\VaultClientUpgrade.exe
PRC - [2008.10.03 19:04:26 | 000,982,064 | ---- | M] (TELIO) -- C:\Programfiler\Telio Backup Manager\VaultClientSRV.exe
PRC - [2008.10.03 19:04:24 | 000,224,304 | ---- | M] (TELIO) -- C:\Programfiler\Telio Backup Manager\VaultClientTray.exe
PRC - [2008.01.19 09:33:39 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.19 09:33:39 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programfiler\Windows Media Player\wmpnscfg.exe
PRC - [2006.11.02 11:44:50 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\attrib.exe


========== Modules (No Company Name) ==========

MOD - [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
MOD - [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
MOD - [2011.11.30 19:34:38 | 000,103,424 | ---- | M] () -- C:\Programfiler\Google\Quick Search Box\bin\1.2.1151.245\rlz.dll
MOD - [2010.11.09 14:23:47 | 000,150,312 | ---- | M] () -- C:\Programfiler\Norman\NVC\bin\Ndlg.dll
MOD - [2010.11.08 17:56:34 | 000,234,760 | ---- | M] () -- C:\Programfiler\Norman\Npm\Bin\Noemrc.dll
MOD - [2009.09.05 01:54:38 | 000,180,224 | ---- | M] () -- C:\Programfiler\QuickTime\QTSystem\QTCF.dll
MOD - [2009.09.04 23:15:06 | 000,067,872 | ---- | M] () -- C:\Programfiler\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009.09.04 23:14:56 | 000,120,096 | ---- | M] () -- C:\Programfiler\Common Files\Apple\Apple Application Support\objc.dll
MOD - [2009.09.04 23:14:44 | 000,039,712 | ---- | M] () -- C:\Programfiler\Common Files\Apple\Apple Application Support\ASL.dll
MOD - [2009.05.10 06:58:04 | 000,008,704 | ---- | M] () -- C:\Programfiler\Real\RealPlayer\rpchromebrowserrecordhelper.dll
MOD - [2008.10.03 19:00:40 | 000,147,456 | ---- | M] () -- C:\Programfiler\Telio Backup Manager\libexpat.dll
MOD - [2006.11.02 11:46:02 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE -- (NVCScheduler)
SRV - [2012.04.14 19:53:13 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.02.29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programfiler\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011.11.03 02:48:18 | 000,428,912 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Programfiler\Norman\Npm\Bin\Zanda.exe -- (Norman ZANDA)
SRV - [2011.09.30 08:51:08 | 000,090,144 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Programfiler\Norman\Ngs\Bin\nprosec.exe -- (NPROSECSVC)
SRV - [2011.09.02 15:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [On_Demand | Stopped] -- C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programfiler\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2011.03.21 11:17:56 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\System32\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2011.03.21 11:17:44 | 000,196,928 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Programfiler\Nitro PDF\Professional\NitroPDFDriverService.exe -- (NitroDriverReadSpool)
SRV - [2011.03.17 18:35:23 | 002,025,336 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Programfiler\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
SRV - [2010.12.17 16:22:48 | 000,288,072 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Programfiler\Norman\Nse\Bin\Nsesvc.exe -- (nsesvc)
SRV - [2010.11.11 13:43:28 | 000,075,104 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Programfiler\Norman\Npm\Bin\elogsvc.exe -- (eLoggerSvc6)
SRV - [2010.11.10 14:48:32 | 000,223,000 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Programfiler\Norman\Ngs\Bin\nnf.exe -- (NNFSVC)
SRV - [2010.11.08 18:02:27 | 000,111,912 | ---- | M] () [On_Demand | Running] -- C:\Programfiler\Norman\Npm\Bin\Njeeves.exe -- (Norman NJeeves)
SRV - [2010.11.08 18:02:27 | 000,099,312 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Programfiler\Norman\Npm\Bin\scheduler.exe -- (Scheduler)
SRV - [2010.11.08 17:56:34 | 000,198,168 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Programfiler\Norman\NVC\bin\Nvcoas.exe -- (nvcoas)
SRV - [2010.11.08 17:56:34 | 000,100,336 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Programfiler\Norman\Npm\Bin\nvoy.exe -- (NVOY)
SRV - [2010.09.21 15:03:14 | 001,710,464 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programfiler\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008.10.03 19:04:28 | 000,056,368 | ---- | M] (TELIO) [Auto | Running] -- C:\Programfiler\Telio Backup Manager\VaultClientUpgrade.exe -- (VaultClientUpgrade)
SRV - [2008.10.03 19:04:26 | 000,982,064 | ---- | M] (TELIO) [Auto | Running] -- C:\Programfiler\Telio Backup Manager\VaultClientSRV.exe -- (VaultClientSRV)
SRV - [2008.01.19 09:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programfiler\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008.01.19 09:33:39 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programfiler\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programfiler\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\vbghftjw.sys -- (vbghftjw)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Cibo\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2011.09.30 08:51:08 | 000,074,144 | ---- | M] (Norman ASA) [Kernel | System | Running] -- C:\Programfiler\Norman\Ngs\Bin\nprosec.sys -- (NPROSEC)
DRV - [2011.03.04 10:20:24 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2011.03.04 10:20:23 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Programfiler\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010.11.11 14:01:40 | 000,024,688 | ---- | M] (Norman ASA) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\nvcv32mf.sys -- (NvcMFlt)
DRV - [2010.11.10 15:48:11 | 000,040,384 | ---- | M] (Norman ASA) [Kernel | Auto | Running] -- C:\Programfiler\Norman\Ngs\Bin\nregsec.sys -- (nregsec)
DRV - [2010.04.06 23:00:47 | 000,077,004 | ---- | M] (Oak Technology Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AFS.SYS -- (AFS)
DRV - [2010.01.04 15:44:43 | 000,026,744 | ---- | M] (Norman ASA) [Kernel | System | Running] -- c:\Programfiler\Norman\Ngs\Bin\ngs.sys -- (NGS)
DRV - [2009.10.09 14:24:40 | 000,022,880 | ---- | M] (Norman ASA) [Kernel | Auto | Running] -- C:\Programfiler\Norman\Nse\Bin\Ndiskio.sys -- (Ndiskio)
DRV - [2009.04.11 06:38:59 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)
DRV - [2008.01.19 06:25:05 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006.11.02 09:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2004.04.27 00:31:04 | 000,474,304 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvcd.sys -- (QCDonner) Logitech QuickCam Express(PID_0840)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.no/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GZEF_no
IE - HKCU\..\SearchScopes\{CD82B5EC-0A40-47C2-9924-33BCA7FEEDB3}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=BADD09BB-6588-466C-8655-2D75CB1E0426&apn_sauid=E193CE8D-FBAB-485F-A31C-00BA277A3DB5&
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.0: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Cibo\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Cibo\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009.05.10 06:58:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.04.06 23:49:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.04.06 23:49:30 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Cibo\AppData\Local\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Cibo\AppData\Local\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Cibo\AppData\Local\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Cibo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: WPI Detector 1.1 (Enabled) = C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Skype Click to Call = C:\Users\Cibo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,736 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programfiler\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programfiler\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programfiler\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Programfiler\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\Bin\ZLH.EXE (Norman ASA)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrayStartup] C:\Programfiler\Telio Backup Manager\VaultClientTray.exe (TELIO)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKCU..\Run: [YDdRtmhilFNORa.exe] C:\ProgramData\YDdRtmhilFNORa.exe ()
O8 - Extra context menu item: E&ksporter til Microsoft Excel - C:\Programfiler\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programfiler\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programfiler\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programfiler\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Vis eller skjul HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programfiler\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programfiler\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{16B07147-3C67-4390-92B5-954D3BD5B94A}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programfiler\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programfiler\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programfiler\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programfiler\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programfiler\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programfiler\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Cibo\AppData\Roaming\Microsoft\Windows Photo Gallery\Bakgrunn for Windows Fotogalleri.jpg
O24 - Desktop BackupWallPaper: C:\Users\Cibo\AppData\Roaming\Microsoft\Windows Photo Gallery\Bakgrunn for Windows Fotogalleri.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {9BB89DE4-8A0F-4194-B64B-22FB00479AE3} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012.05.01 11:57:46 | 000,000,000 | ---D | C] -- C:\3fa910153dfe16caff02c5067845d1e0
[2012.05.01 11:51:49 | 000,595,456 | -H-- | C] (OldTimer Tools) -- C:\Users\Cibo\Desktop\OTL.exe
[2012.05.01 02:33:09 | 000,000,000 | ---D | C] -- C:\1234103421
[2012.05.01 02:30:19 | 000,000,000 | ---D | C] -- C:\1234155791
[2012.05.01 02:27:55 | 000,000,000 | ---D | C] -- C:\1234238691
[2012.05.01 02:26:44 | 000,000,000 | ---D | C] -- C:\1234193101
[2012.05.01 02:24:59 | 000,000,000 | ---D | C] -- C:\1234157981
[2012.05.01 02:23:01 | 000,000,000 | ---D | C] -- C:\1234
[2012.05.01 02:19:24 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012.05.01 02:03:36 | 004,479,582 | RH-- | C] (Swearware) -- C:\Users\Cibo\Desktop\1234.scr
[2012.04.30 23:06:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.04.30 23:06:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.04.30 23:06:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.04.30 23:06:04 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012.04.30 23:05:58 | 000,000,000 | -H-D | C] -- C:\Qoobox
[2012.04.30 23:05:42 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012.04.30 22:05:10 | 002,074,160 | -H-- | C] (Kaspersky Lab ZAO) -- C:\Users\Cibo\Desktop\tdsskiller.exe
[2012.04.30 12:52:48 | 000,000,000 | -H-D | C] -- C:\Users\Cibo\Desktop\gmer
[2012.04.30 12:08:25 | 000,607,260 | RH-- | C] (Swearware) -- C:\Users\Cibo\Desktop\DDS.scr
[2012.04.29 12:49:02 | 000,000,000 | -H-D | C] -- C:\Users\Cibo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery
[2012.04.25 17:59:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012.04.25 17:59:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012.04.19 17:39:43 | 000,000,000 | -H-D | C] -- C:\Users\Cibo\AppData\Roaming\Runningball Sports Information
[2012.04.19 17:38:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runningball Sports Information
[2012.04.19 17:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\Runningball Sports Information
[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.05.01 11:53:20 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.05.01 11:51:51 | 000,595,456 | -H-- | M] (OldTimer Tools) -- C:\Users\Cibo\Desktop\OTL.exe
[2012.05.01 11:43:15 | 000,000,980 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.05.01 11:43:03 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.05.01 11:43:03 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.05.01 11:43:01 | 000,000,976 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.05.01 11:42:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.05.01 11:42:43 | 2145,300,480 | -HS- | M] () -- C:\hiberfil.sys
[2012.05.01 02:11:15 | 000,000,998 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4209040378-1275523580-292988294-1000UA.job
[2012.05.01 02:03:36 | 004,479,582 | RH-- | M] (Swearware) -- C:\Users\Cibo\Desktop\1234.scr
[2012.04.30 23:19:29 | 422,559,053 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012.04.30 22:05:12 | 002,074,160 | -H-- | M] (Kaspersky Lab ZAO) -- C:\Users\Cibo\Desktop\tdsskiller.exe
[2012.04.30 21:21:27 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.04.30 21:21:27 | 000,460,630 | ---- | M] () -- C:\Windows\System32\perfh014.dat
[2012.04.30 21:21:27 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.04.30 21:21:27 | 000,079,366 | ---- | M] () -- C:\Windows\System32\perfc014.dat
[2012.04.30 19:11:00 | 000,000,946 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4209040378-1275523580-292988294-1000Core.job
[2012.04.30 17:43:30 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012.04.30 17:43:30 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012.04.30 12:51:21 | 000,294,216 | -H-- | M] () -- C:\Users\Cibo\Desktop\gmer.zip
[2012.04.30 12:34:35 | 000,000,000 | -H-- | M] () -- C:\Users\Cibo\defogger_reenable
[2012.04.30 12:33:53 | 000,022,256 | -H-- | M] () -- C:\Users\Cibo\Desktop\defogger.htm
[2012.04.30 12:08:43 | 000,607,260 | RH-- | M] (Swearware) -- C:\Users\Cibo\Desktop\DDS.scr
[2012.04.29 12:54:55 | 000,000,184 | -H-- | M] () -- C:\ProgramData\-faP0R0go5C2SMir
[2012.04.29 12:54:55 | 000,000,000 | -H-- | M] () -- C:\ProgramData\-faP0R0go5C2SMi
[2012.04.29 12:54:39 | 000,000,256 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi
[2012.04.29 12:49:05 | 000,000,609 | -H-- | M] () -- C:\Users\Cibo\Desktop\Data_Recovery.lnk
[2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
[2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
[2012.04.25 18:32:20 | 000,113,810 | -H-- | M] () -- C:\Users\Cibo\Desktop\Scan - Adresse.jpg
[2012.04.15 01:13:59 | 000,002,039 | -H-- | M] () -- C:\Users\Cibo\Desktop\Google Chrome.lnk
[2012.04.14 00:00:30 | 000,010,119 | -H-- | M] () -- C:\Users\Cibo\Desktop\catic.jpg
[2012.04.13 23:48:55 | 000,011,647 | -H-- | M] () -- C:\Users\Cibo\Desktop\catic-podolski-dzeko.jpg
[2012.04.13 23:47:07 | 000,029,097 | -H-- | M] () -- C:\Users\Cibo\Desktop\WPA World Chamption Adnan Catic (Felix Sturm) Srebrenica Genocide 2.jpg
[2012.04.03 23:43:54 | 000,087,051 | -H-- | M] () -- C:\Users\Cibo\Desktop\ran.jpg
[2012.04.03 21:41:17 | 000,293,170 | -H-- | M] () -- C:\Users\Cibo\Desktop\sergiolasimulaoriginal.jpg
[2012.04.03 21:40:33 | 000,041,753 | -H-- | M] () -- C:\Users\Cibo\Desktop\sergio-busquets.jpg
[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.05.01 02:36:50 | 2145,300,480 | -HS- | C] () -- C:\hiberfil.sys
[2012.04.30 23:19:29 | 422,559,053 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012.04.30 23:06:13 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.04.30 23:06:13 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.04.30 23:06:13 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.04.30 23:06:13 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.04.30 23:06:13 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.04.30 12:51:21 | 000,294,216 | -H-- | C] () -- C:\Users\Cibo\Desktop\gmer.zip
[2012.04.30 12:34:35 | 000,000,000 | -H-- | C] () -- C:\Users\Cibo\defogger_reenable
[2012.04.30 12:33:49 | 000,022,256 | -H-- | C] () -- C:\Users\Cibo\Desktop\defogger.htm
[2012.04.29 12:49:07 | 000,000,184 | -H-- | C] () -- C:\ProgramData\-faP0R0go5C2SMir
[2012.04.29 12:49:07 | 000,000,000 | -H-- | C] () -- C:\ProgramData\-faP0R0go5C2SMi
[2012.04.29 12:49:05 | 000,000,609 | -H-- | C] () -- C:\Users\Cibo\Desktop\Data_Recovery.lnk
[2012.04.29 12:48:54 | 000,000,256 | -H-- | C] () -- C:\ProgramData\faP0R0go5C2SMi
[2012.04.29 06:06:24 | 000,221,696 | -H-- | C] () -- C:\ProgramData\faP0R0go5C2SMi.exe
[2012.04.29 05:41:49 | 000,301,056 | -H-- | C] () -- C:\ProgramData\YDdRtmhilFNORa.exe
[2012.04.25 18:33:05 | 000,113,810 | -H-- | C] () -- C:\Users\Cibo\Desktop\Scan - Adresse.jpg
[2012.04.25 18:29:39 | 000,141,286 | -H-- | C] () -- C:\Users\Cibo\Desktop\ID_AlmirCibo_Norway.jpg
[2012.04.14 00:00:44 | 000,010,119 | -H-- | C] () -- C:\Users\Cibo\Desktop\catic.jpg
[2012.04.13 23:52:05 | 000,029,097 | -H-- | C] () -- C:\Users\Cibo\Desktop\WPA World Chamption Adnan Catic (Felix Sturm) Srebrenica Genocide 2.jpg
[2012.04.13 23:51:50 | 000,011,647 | -H-- | C] () -- C:\Users\Cibo\Desktop\catic-podolski-dzeko.jpg
[2012.04.10 11:44:21 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.04.03 23:44:17 | 000,087,051 | -H-- | C] () -- C:\Users\Cibo\Desktop\ran.jpg
[2012.04.03 21:41:27 | 000,293,170 | -H-- | C] () -- C:\Users\Cibo\Desktop\sergiolasimulaoriginal.jpg
[2012.04.03 21:40:44 | 000,041,753 | -H-- | C] () -- C:\Users\Cibo\Desktop\sergio-busquets.jpg
[2011.10.24 23:05:40 | 000,000,600 | -H-- | C] () -- C:\Users\Cibo\AppData\Roaming\winscp.rnd
[2011.04.25 17:42:45 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011.04.25 17:42:45 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011.01.23 00:46:51 | 000,000,282 | ---- | C] () -- C:\Windows\{E294AF27-9286-4418-A25B-2DF11A6C1253}_WiseFW.ini
[2010.12.24 00:48:45 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

========== LOP Check ==========

[2011.09.28 16:40:50 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Downloaded Installations
[2012.03.13 00:52:45 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\GHISLER
[2009.06.08 22:57:18 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Leadertech
[2011.11.01 23:20:58 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Nitro PDF
[2012.04.19 17:39:43 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Runningball Sports Information
[2009.06.19 23:05:53 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Spotify
[2011.01.23 06:10:15 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\SYSteam CAB
[2010.09.20 16:04:19 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\TeamViewer
[2010.04.20 20:07:39 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Uniblue
[2012.05.01 02:44:38 | 000,032,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< c:\windows\*. /SL >

< c:\windows\*. /RP >

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2008.12.05 00:01:32 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Adobe
[2009.09.16 19:55:13 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Apple Computer
[2010.04.22 19:26:39 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\AVS4YOU
[2011.09.28 16:40:50 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Downloaded Installations
[2011.02.06 23:01:07 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\dvdcss
[2012.03.13 00:52:45 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\GHISLER
[2009.11.07 19:33:52 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Google
[2008.11.29 22:34:15 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Identities
[2008.11.29 22:41:42 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\InstallShield
[2009.06.08 22:57:18 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Leadertech
[2008.11.30 01:43:11 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Macromedia
[2012.01.26 01:10:59 | 000,000,000 | --SD | M] -- C:\Users\Cibo\AppData\Roaming\Microsoft
[2011.11.01 23:20:58 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Nitro PDF
[2009.06.17 22:01:53 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Real
[2012.04.19 17:39:43 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Runningball Sports Information
[2012.04.25 18:49:30 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Skype
[2011.10.24 22:15:29 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\skypePM
[2009.06.19 23:05:53 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Spotify
[2011.01.23 06:10:15 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\SYSteam CAB
[2010.09.20 16:04:19 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\TeamViewer
[2010.04.20 20:07:39 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\Uniblue
[2009.08.30 19:40:52 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\vlc
[2008.12.24 09:00:51 | 000,000,000 | -H-D | M] -- C:\Users\Cibo\AppData\Roaming\WinRAR

< %APPDATA%\*.exe /s >
[2011.01.23 00:47:03 | 000,016,896 | RH-- | M] () -- C:\Users\Cibo\AppData\Roaming\Microsoft\Installer\{E294AF27-9286-4418-A25B-2DF11A6C1253}\IconE294AF27.exe
[2009.06.04 00:19:01 | 000,094,257 | -H-- | M] () -- C:\Users\Cibo\AppData\Roaming\Real\RealPlayer\Temp\~Upg0\RNMOREINFO\rnmoreinfo.exe
[2009.07.20 11:07:55 | 000,390,664 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
[2010.01.19 17:47:59 | 000,439,816 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\Update\setup3.09\setup.exe
[2009.06.17 22:01:57 | 000,390,664 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\Update\temp\~Upg0\realplayer11gold.exe
[2009.06.26 22:02:15 | 000,390,664 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
[2009.07.08 00:20:02 | 000,390,664 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe
[2009.07.20 11:07:55 | 000,390,664 | -H-- | M] (RealNetworks, Inc.) -- C:\Users\Cibo\AppData\Roaming\Real\Update\temp\~Upg3\realplayer11gold.exe

< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006.11.02 12:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006.11.02 12:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006.11.02 12:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006.11.02 12:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006.11.02 12:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2012.02.29 15:32:37 | 000,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\drivers\fs_rec.sys

< End of report >

Extras.txt

OTL Extras logfile created on: 01.05.2012 11:53:02 - Run 1
OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\Cibo\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000414 | Country: Norge | Language: NOR | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 0,80 Gb Available Physical Memory | 40,01% Memory free
4,24 Gb Paging File | 2,95 Gb Available in Paging File | 69,59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288,04 Gb Total Space | 183,84 Gb Free Space | 63,83% Space Free | Partition Type: NTFS
Drive D: | 10,00 Gb Total Space | 7,08 Gb Free Space | 70,80% Space Free | Partition Type: NTFS

Computer Name: CIBO-PC | User Name: Cibo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04535CC4-4DD2-4E74-9CB3-0884CB080A6D}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{11BB39CF-2EFA-4B98-B197-7D65ADF46B61}" = lport=2869 | protocol=6 | dir=in | app=system |
"{33B5D1C4-CDEE-46E2-8C58-5F011918D487}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{B803D7E7-8C61-4FBF-9424-8ABD08B561E1}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{DF0B498B-DF2F-4261-8DBA-E7B4F3FECAEF}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02AB939D-FF26-49CC-8F0B-1F43738E643A}" = protocol=17 | dir=in | app=c:\program files\thq\company of heroes\reliccoh.exe |
"{05728B90-15B6-4079-878A-BFE2AC0A9493}" = protocol=6 | dir=in | app=c:\program files\thq\company of heroes\reliccoh.exe |
"{21C459C1-3F80-4D89-B95B-04B8F988777B}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version5\teamviewer_service.exe |
"{24E8200C-6BD2-4F23-8C8D-491EE829507F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{403AD508-C3C8-4CC9-9AE9-C59292254CB4}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{4E3EA9DF-E2FD-495D-9D05-0AA672264C1D}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version5\teamviewer_service.exe |
"{65F930E3-FB60-4D68-8E0C-D4CF5F9C51BE}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{6BEDB56D-AF99-47A4-92B1-CABBEE1C7E02}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version5\teamviewer.exe |
"{6C8A855E-C5C1-40ED-B353-5626D2085D0D}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{715D082A-4B87-4940-B9EC-55EB621A80CE}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9BD78ECB-59D5-4ABD-91B4-BDDDA43466A3}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C5C75DCA-453C-4B66-9AE6-D443CAEB1113}" = protocol=6 | dir=in | app=c:\program files\systeam cab\epoq\kitchen planner 4.0\epoq.exe |
"{D5FFBFE6-299C-4D8D-8EE5-17B456351838}" = dir=in | app=c:\program files\hewlett-packard\digital imaging\smart web printing\smartwebprintexe.exe |
"{DD409FA8-8FD9-439B-B9F3-A321220C755D}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{E16FAFDE-FCFB-427F-9866-B25ED505644E}" = dir=in | app=c:\program files\hewlett-packard\digital imaging\bin\hpqkygrp.exe |
"{E21DE90B-6727-485C-BC35-734E1B962531}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E97A9878-DBFA-4FFE-9A3F-B07537CE6715}" = dir=in | app=c:\program files\hewlett-packard\digital imaging\bin\hpqscnvw.exe |
"{F34D8C7A-4341-485C-816B-CB8EC2CB7F2C}" = protocol=17 | dir=in | app=c:\program files\systeam cab\epoq\kitchen planner 4.0\epoq.exe |
"TCP Query User{00B8CCDF-E809-436C-AFF4-4F0C34A7982B}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"TCP Query User{0401FC61-BAEB-4A18-BEA0-57F31F3DF9D2}E:\d-link.exe" = protocol=6 | dir=in | app=e:\d-link.exe |
"TCP Query User{169B550F-0503-494A-80A9-41CBCDC23F91}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{3E013B03-DFFF-4067-8765-EF87B1586280}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{439A6045-5705-4268-9588-35F6232A844C}E:\d-link.exe" = protocol=6 | dir=in | app=e:\d-link.exe |
"TCP Query User{70EB21D8-1561-41A7-BE7A-EDC97AD38B57}C:\program files\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"TCP Query User{784633EB-1453-4071-976F-E3FA351BF0CF}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"TCP Query User{8560F993-B945-403F-9805-AB9D24E57A35}C:\program files\msn messenger\msnmsgr.exe" = protocol=6 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"TCP Query User{B8367686-C93F-4393-B087-34D188223F8C}C:\program files\real\realplayer\recordingmanager.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\recordingmanager.exe |
"TCP Query User{DD8D8205-3FC3-4405-9C77-FF3E4E4D5B3A}C:\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\totalcmd\totalcmd.exe |
"UDP Query User{1CC26258-496C-4541-8C64-AAA666239BE8}C:\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\totalcmd\totalcmd.exe |
"UDP Query User{22CC8EA2-58F9-4FE0-904C-893F10107EFC}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"UDP Query User{2CF27BDE-E843-4523-9887-6B5147899A01}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{338B2D2A-D74A-4F9F-AD55-7633AC6DC499}C:\program files\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"UDP Query User{651683F6-EC4E-4EE1-954B-A9CE0F78D01A}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{6A8A35CB-332E-405E-9B70-AB6232959E63}C:\program files\real\realplayer\recordingmanager.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\recordingmanager.exe |
"UDP Query User{8D13D9C7-7568-4010-847D-3D145283FBDF}E:\d-link.exe" = protocol=17 | dir=in | app=e:\d-link.exe |
"UDP Query User{C9428DF0-3D30-4F6F-B70D-0893D21CDFA9}C:\program files\msn messenger\msnmsgr.exe" = protocol=17 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"UDP Query User{D0D21A07-8DBE-4E47-9FAA-2870BE61098C}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{F0919B13-CFCC-4042-976C-DDC509826D2F}E:\d-link.exe" = protocol=17 | dir=in | app=e:\d-link.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{011B89D2-1FFE-4D24-B94B-9A4C4249981E}" = Runningball TV Client
"{0125DB4D-98A0-4DBF-B68A-23BF08FFA6A3}" = Windows Live Messenger
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}" = Company of Heroes - FAKEMSI
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{199E6632-EB28-4F73-AECB-3E192EB92D18}" = Company of Heroes - FAKEMSI
"{1C71DC57-1388-4C1C-AB2F-2B9C0EF83409}" = Windows Live UX Platform Language Pack
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes - FAKEMSI
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 29
"{2ADD2892-255C-34C2-AE90-5EF603273DFF}" = Microsoft .NET Framework 3.5 Language Pack SP1 - nor
"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}" = Company of Heroes - FAKEMSI
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45AB1603-3EBD-4F78-9A0B-392FC8C23B7A}" = Norman Virus Control
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{50193078-F553-4EBA-AA77-64C9FAA12F98}" = Company of Heroes - FAKEMSI
"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}" = Company of Heroes - FAKEMSI
"{59996900-0E6C-45B7-8C39-C64CB98462E4}" = Microsoft Web Platform Installer 2.0
"{5CDF6674-78CA-4B1F-A3CA-BA7EAC6E4E0B}" = Nitro PDF Professional
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}" = Company of Heroes - FAKEMSI
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7ADFA72D-2A9F-4DEC-80A5-2FAA27E23F0F}" = Windows Live Photo Common
"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}" = Company of Heroes - FAKEMSI
"{80D03817-7943-4839-8E96-B9F924C5E67D}" = Company of Heroes - FAKEMSI
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0016-0414-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Norwegian (Bokmål)) 2007
"{90120000-0016-0414-0000-0000000FF1CE}_STANDARDR_{45D06784-F685-4736-8143-AAEB4969932C}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0414-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Norwegian (Bokmål)) 2007
"{90120000-0018-0414-0000-0000000FF1CE}_STANDARDR_{45D06784-F685-4736-8143-AAEB4969932C}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0414-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Norwegian (Bokmål)) 2007
"{90120000-001A-0414-0000-0000000FF1CE}_STANDARDR_{45D06784-F685-4736-8143-AAEB4969932C}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0414-0000-0000000FF1CE}" = Microsoft Office Word MUI (Norwegian (Bokmål)) 2007
"{90120000-001B-0414-0000-0000000FF1CE}_STANDARDR_{45D06784-F685-4736-8143-AAEB4969932C}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_STANDARDR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0414-0000-0000000FF1CE}" = Microsoft Office Proof (Norwegian (Bokmål)) 2007
"{90120000-001F-0414-0000-0000000FF1CE}_STANDARDR_{F47DC432-9E71-4DC4-A488-9842D767DDDB}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0814-0000-0000000FF1CE}" = Microsoft Office Proof (Norwegian (Nynorsk)) 2007
"{90120000-001F-0814-0000-0000000FF1CE}_STANDARDR_{67BED6C1-5AE1-45CD-8060-BFFD37ED0DDD}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0414-0000-0000000FF1CE}" = Microsoft Office Proofing (Norwegian (Bokmål)) 2007
"{90120000-006E-0414-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Norwegian (Bokmål)) 2007
"{90120000-006E-0414-0000-0000000FF1CE}_STANDARDR_{F12E93BA-172F-4875-A3C6-FE271A461AA1}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97E5205F-EA4F-438F-B211-F1846419F1C1}" = Company of Heroes - FAKEMSI
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{99A7722D-9ACB-43F3-A222-ABC7133F159E}" = Company of Heroes - FAKEMSI
"{A3499A41-41EA-3567-977C-29E9E226A360}" = Microsoft .NET Framework 4 Client Profile NOR Language Pack
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-2448-0000-900000000003}" = Chinese Traditional Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC76BA86-7AD7-5670-0000-900000000003}" = Korean Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-5676-5A64-900000000003}" = Adobe Reader Extended Language Support Font Pack
"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Minnedisk
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{BA801B94-C28D-46EE-B806-E1E021A3D519}" = Company of Heroes - FAKEMSI
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D4D244D1-05E0-4D24-86A2-B2433C435671}" = Company of Heroes - FAKEMSI
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E294AF27-9286-4418-A25B-2DF11A6C1253}" = Epoq Kitchen Planner 4.0
"{EAF636A9-F664-4703-A659-85A894DA264F}" = Company of Heroes - FAKEMSI
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{F0F9505B-3ACF-4158-9311-D0285136AA00}" = Windows Live Essentials
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AVS Update Manager_is1" = AVS Update Manager 1.0
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Company of Heroes" = Company of Heroes - Opposing Fronts
"Free PDF to Word Doc Converter_is1" = Free PDF to Word Doc Converter v1.1
"HP Photo Creations" = HP Photo Creations
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"Microsoft .NET Framework 3.5 Language Pack SP1 - nor" = Language Pack for Microsoft .NET Framework 3.5 SP1 - NOR
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile NOR Language Pack" = Microsoft .NET Framework 4 Client Profile NOR Language Pack
"Quick Search Box" = Google Quick Search Box
"RealPlayer 6.0" = RealPlayer
"Spotify" = Spotify
"STANDARDR" = Microsoft Office Standard 2007
"TeamViewer 5" = TeamViewer 5
"Totalcmd" = Total Commander (Remove or Repair)
"Vault" = Telio Backup Manager
"VLC media player" = VideoLAN VLC media player 0.8.5
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GeoGebra 4" = GeoGebra 4
"GeoGebraPrim" = GeoGebraPrim
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14.11.2010 00:19:54 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:19:54] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:20:00 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:20:00] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/JW1823OR/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/JW1823OR/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:20:08 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:20:08] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/TQX94PKG/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/TQX94PKG/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:20:12 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:20:12] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/JW1823OR/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/JW1823OR/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:20:52 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:20:52] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:22:28 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:22:28] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/MEDFUV41/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/MEDFUV41/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 00:23:00 | Computer Name = Cibo-PC | Source = NormanNPT | ID = 131073
Description = Norman Message [2010/11/14 05:23:00] --------------------------------------------------------
Application:
NVC On-access Scanner Node address: 192.168.0.197 --------------------------------------------------------

Warning
message: Virus missing: Virus name: 'JS/Agent.HB' File infected: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js File quarantined: C:/Users/Cibo/AppData/Local/Microsoft/Windows/Temporary
Internet Files/Low/Content.IE5/1UIU1GXB/php1[1].js Login information: User 'SYSTEM'
on host 'CIBO-PC'.

Error - 14.11.2010 02:02:23 | Computer Name = Cibo-PC | Source = Application Hang | ID = 1002
Description = The program RecordingManager.exe version 1.0.1.68 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel.
Process ID: f1c Start time: 01cb83c13f089ef8 Termination time: 26

Error - 20.11.2010 16:01:49 | Computer Name = Cibo-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18975, time stamp
0x4c8710a6, faulting module kernel32.dll, version 6.0.6002.18005, time stamp
0x49e037dd, exception code 0xc06d007e, fault offset 0x0003fbae, process ID 0xa98,
application start time 0x01cb88e5c8226061.

Error - 21.11.2010 08:10:30 | Computer Name = Cibo-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18975, time stamp
0x4c8710a6, faulting module Flash10e.ocx, version 10.0.45.2, time stamp 0x4b5f8faa,
exception code 0xc0000005, fault offset 0x0012c71c, process ID 0xd84, application
start time 0x01cb89750d6cd303.

[ System Events ]
Error - 30.04.2012 20:22:33 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 30.04.2012 20:22:33 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 30.04.2012 20:22:33 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 30.04.2012 20:22:33 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 30.04.2012 20:22:33 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 30.04.2012 20:36:44 | Computer Name = Cibo-PC | Source = volmgr | ID = 262189
Description = Unable to load crash dump file.

Error - 30.04.2012 20:42:59 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 01.05.2012 05:42:37 | Computer Name = Cibo-PC | Source = volmgr | ID = 262189
Description = Unable to load crash dump file.

Error - 01.05.2012 05:49:09 | Computer Name = Cibo-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 01.05.2012 06:07:20 | Computer Name = Cibo-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =


< End of report >

#13 Enva

Enva
  • Topic Starter

  • Members
  • 24 posts
  • Local time:12:14 AM

Posted 01 May 2012 - 05:38 AM

A yellow icon with an exclamation mark is popping up in the bottom right corner of my PC regularly, with the following text:

Critical Error
"Hard drive controller failure"

Critical Error
"Drive sector not found error"

Critical Error
"Seek Error - Sector not found"

"Serious Disk Error Writing Drive C:\"

"This device cannot find enough free resources that it can use"

"Device initialization failed"

"Data Error reading drive C:\"



I'm not sure whether these 'notifications' are part of Windows warnings or the virus itself; hopefully you know what they represent.
Best Regards

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 PM

Posted 01 May 2012 - 10:41 AM

1.
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :Otl
    PRC - [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
    PRC - [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
    MOD - [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
    MOD - [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
    IE - HKCU\..\SearchScopes\{CD82B5EC-0A40-47C2-9924-33BCA7FEEDB3}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=BADD09BB-6588-466C-8655-2D75CB1E0426&apn_sauid=E193CE8D-FBAB-485F-A31C-00BA277A3DB5&
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    O4 - HKCU..\Run: [YDdRtmhilFNORa.exe] C:\ProgramData\YDdRtmhilFNORa.exe ()
    [2012.04.29 12:54:55 | 000,000,184 | -H-- | M] () -- C:\ProgramData\-faP0R0go5C2SMir
    [2012.04.29 12:54:55 | 000,000,000 | -H-- | M] () -- C:\ProgramData\-faP0R0go5C2SMi
    [2012.04.29 12:54:39 | 000,000,256 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi
    [2012.04.29 12:49:05 | 000,000,609 | -H-- | M] () -- C:\Users\Cibo\Desktop\Data_Recovery.lnk
    [2012.04.29 06:06:24 | 000,221,696 | -H-- | M] () -- C:\ProgramData\faP0R0go5C2SMi.exe
    [2012.04.29 05:39:43 | 000,301,056 | -H-- | M] () -- C:\ProgramData\YDdRtmhilFNORa.exe
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.


2.
Try and run Combofix again.

3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


Things to include in your next reply:
OTL fix txt
Combofix.txt
Roguekiller log
How is your machine running now?

Edited by fireman4it, 01 May 2012 - 10:47 AM.



#15 Enva

  • Topic Starter
  • Members
  • 24 posts
  • Local time: 12:14 AM

Posted 01 May 2012 - 11:54 AM

OTL Report:


========== OTL ==========
Process faP0R0go5C2SMi.exe killed successfully!
Process YDdRtmhilFNORa.exe killed successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CD82B5EC-0A40-47C2-9924-33BCA7FEEDB3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD82B5EC-0A40-47C2-9924-33BCA7FEEDB3}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\YDdRtmhilFNORa.exe deleted successfully.
C:\ProgramData\YDdRtmhilFNORa.exe moved successfully.
FastUserSwitchingCompatibility removed from NetSvcs value successfully!
Nla removed from NetSvcs value successfully!
Ntmssvc removed from NetSvcs value successfully!
NWCWorkstation removed from NetSvcs value successfully!
Nwsapagent removed from NetSvcs value successfully!
SRService removed from NetSvcs value successfully!
WmdmPmSp removed from NetSvcs value successfully!
LogonHours removed from NetSvcs value successfully!
PCAudit removed from NetSvcs value successfully!
helpsvc removed from NetSvcs value successfully!
uploadmgr removed from NetSvcs value successfully!
C:\ProgramData\-faP0R0go5C2SMir moved successfully.
C:\ProgramData\-faP0R0go5C2SMi moved successfully.
C:\ProgramData\faP0R0go5C2SMi moved successfully.
C:\Users\Cibo\Desktop\Data_Recovery.lnk moved successfully.
C:\ProgramData\faP0R0go5C2SMi.exe moved successfully.
File C:\ProgramData\YDdRtmhilFNORa.exe not found.

OTL by OldTimer - Version 3.2.42.2 log created on 05012012_174731


ComboFix report/log:

ComboFix 12-04-31.02 - Cibo 01.05.2012 17:55:58.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.47.1044.18.2045.962 [GMT 2:00]
Running from: c:\users\Cibo\Desktop\1234.scr
Command switches used :: /S
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norman Security Suite *Disabled/Updated* {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Norman Security Suite *Disabled/Updated* {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRA95C.tmp
C:\DFRC4B9.tmp
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpoddt01.exe.lnk
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
.
((((((((((((((((((((((((((( Files Created From 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))))
.
.
2012-05-01 16:06 . 2012-05-01 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-01 15:47 . 2012-05-01 15:47 -------- d-----w- C:\_OTL
2012-05-01 10:07 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D300290-F2C3-47CA-BF0B-942FE8DBD4C7}\mpengine.dll
2012-05-01 00:23 . 2012-05-01 00:23 -------- d-----w- C:\1234
2012-04-25 15:59 . 2012-04-25 15:59 -------- d-----w- c:\program files\Common Files\Skype
2012-04-19 15:39 . 2012-04-19 15:39 -------- d--h--w- c:\users\Cibo\AppData\Roaming\Runningball Sports Information
2012-04-19 15:38 . 2012-04-19 15:38 -------- d-----w- c:\program files\Runningball Sports Information
2012-04-11 22:27 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 22:27 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 22:27 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 22:27 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 22:27 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 22:27 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:20 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-10 09:44 . 2012-04-14 17:53 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 17:53 . 2011-06-27 16:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 06:57 . 2012-03-12 00:24 545 ----a-w- c:\windows\UC.PIF
2012-03-09 06:57 . 2012-03-12 00:24 545 ----a-w- c:\windows\RAR.PIF
2012-03-09 06:57 . 2012-03-12 00:24 545 ----a-w- c:\windows\NOCLOSE.PIF
2012-03-09 06:57 . 2012-03-12 00:24 545 ----a-w- c:\windows\LHA.PIF
2012-03-09 06:57 . 2012-03-12 00:24 545 ----a-w- c:\windows\ARJ.PIF
2012-02-23 08:18 . 2009-10-03 14:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 15:45 . 2012-03-14 18:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 18:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12 . 2012-03-14 18:01 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-14 18:01 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-14 18:01 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-07 09:02 . 2012-02-07 09:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-02 15:16 . 2012-03-14 18:01 2044416 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-03 17:04 495616 ----a-w- c:\program files\Telio Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-03 17:04 491520 ----a-w- c:\program files\Telio Backup Manager\VaultClientIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-07 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2011-03-22 189824]
"TrayStartup"="c:\program files\Telio Backup Manager\VaultClientTray.exe" [2008-10-03 224304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-10 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-07 122368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
NETSVCS NEEDS REPAIR - Current entries shown
aelookupsvc
wercplsupport
themes
certpropsvc
scpolicysvc
lanmanserver
gpsvc
ikeext
audiosrv
ias
irmon
rasauto
rasman
remoteaccess
sens
sharedaccess
tapisrv
wmi
termservice
wuauserv
bits
shellhwdetection
iphlpsvc
seclogon
appinfo
msiscsi
mmcss
profsvc
eaphost
winmgmt
schedule
sessionenv
browser
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 17:53]
.
2012-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 18:42]
.
2012-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 18:42]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4209040378-1275523580-292988294-1000Core.job
- c:\users\Cibo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-01 22:57]
.
2012-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4209040378-1275523580-292988294-1000UA.job
- c:\users\Cibo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.no/
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 18:12
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1224)
c:\program files\Telio Backup Manager\VaultClientMenu.dll
c:\program files\Telio Backup Manager\LIBEXPAT.dll
c:\program files\Telio Backup Manager\VaultClientCOM.dll
c:\program files\Telio Backup Manager\VaultClientIcon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Norman\Npm\bin\ELOGSVC.EXE
c:\program files\Norman\Ngs\Bin\Nnf.exe
c:\program files\Norman\Ngs\Bin\Nprosec.exe
c:\program files\Norman\Npm\Bin\Zanda.exe
c:\program files\Norman\npm\bin\nvoy.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe
c:\windows\system32\NLSSRV32.EXE
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\Telio Backup Manager\VaultClientSRV.exe
c:\program files\Telio Backup Manager\VaultClientUpgrade.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
c:\program files\Norman\Npm\Bin\scheduler.exe
c:\program files\Norman\Npm\Bin\Njeeves.exe
c:\program files\Norman\nse\bin\NSESVC.EXE
c:\program files\Norman\Nvc\bin\nvcoas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-05-01 18:46:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-01 16:45
.
Pre-Run: 198 883 274 752 bytes free
Post-Run: 198 855 790 592 bytes free
.
- - End Of File - - C325CCB4B118F07C3AA6353BB649681A

RogueKiller:

RogueKiller won't run. I tried renaming it to winlogon.exe and winlogon.com, but it won't run.
What to do next?

Several icons have returned to my desktop; the computer itself works the same way it did when I first contacted you. The Internet runs slower than before.

Regards, Enva

Edited by Enva, 01 May 2012 - 12:08 PM.
