
Help! I Think I Have Destroyed My Girlfriends Computer!


20 replies to this topic

#1 Calle (Members, 12 posts)

Posted 20 November 2006 - 03:39 AM

Hi! I think I have destroyed my girlfriend's computer with spyware, does anyone know how to get rid of it?

Since last week I have just got more and more spyware every day, it's Smitfraud, Error Safe, Avenue A, Double Click and several security warning things which pretend to be from Microsoft and want to scan my computer. Right now the computer works (I scan the system about 5 times a day) but it has had a few crashes because of all the advertising stuff.

I have scanned the computer with Spybot, Adaware and Norton several times in the last hour and every time it seems to fix the discovered problems, but they are still found the next time I scan.

I'm not very good at all at fixing computers, so I do not dare to erase things in HijackThis without help from here.

If anyone could help me with this I would be really grateful!!!



Here is my last Hijack This Log:


Logfile of HijackThis v1.99.1
Scan saved at 09:32:56, on 2006-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\Java\jre1.5.0_07\bin\jusched.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tilde\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsab.dll,startup
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 20 November 2006 - 07:20 AM

Hi Calle, :thumbsup:

We're studying your log right now and will be back a.s.a.p.

Thanks for your patience. :flowers:

#3 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 20 November 2006 - 06:06 PM

Hi Calle, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Quote: "I'm not very good at all at fixing computers, so I do not dare to erase things in HijackThis without help from here."

To begin with: compliments on that decision; we'll do our best to help you out.

1. Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Go to your HijackThis folder in your Program Files and rename Hijackthis.exe to Analyse.exe, then reboot.
After the reboot, run Analyse.exe (which is HijackThis, of course) and post the log it creates in your next reply.

3. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 5.0 Update 9). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: (image not preserved)
    Select it and click Remove.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 5.0 Update 9
4. Unfortunately I see no firewall in your running processes, which probably means that you have none. I urge you to install one since it's your first defense against malware. There are several good free programs available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

Please post the Smitfraud report along with a fresh HijackThis log.

#4 Calle (Topic Starter, Members, 12 posts)

Posted 21 November 2006 - 01:37 AM

Hello Falu!
:thumbsup: First of all I really want to thank you for helping me with this, I thought that Adaware was the only chance to remove these things, and if that failed, the computer would be lost...

I have tried to do exactly what you told me, except for the firewall installation, because I thought that the Windows firewall did the job? Maybe I should try to install one of the programs you recommended anyway.

Here is my Smitfraud Fix report:


SmitFraudFix v2.123

Scan done at 7:00:06,15, 2006-11-21
Run from C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\drvsab.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tilde


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tilde\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TILDE\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End







And here's the new HijackThis (Analyse.exe) report:


Logfile of HijackThis v1.99.1
Scan saved at 07:14:25, on 2006-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tilde\Skrivbord\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\vturpqr.dll
O2 - BHO: (no name) - {E738F16F-C709-47FE-8F6D-1D3E8486BD6C} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\yuivexkm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsab.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google-sökning - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Översätt engelskt ord - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Bakåtlänkar - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lagrad bild på sida - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Liknande sidor - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: vturpqr - C:\WINDOWS\SYSTEM32\vturpqr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




Thanks again!
/Calle
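The two logs above show the patterns a log reader looks for by eye: O1 hosts entries pointing auto.search.msn.* at a non-loopback address, O2 BHOs with "(no name)" living in system32, an O4 Run entry that uses rundll32.exe to load a system32 DLL (the CTDrive/drvsab.dll line), and O20 Winlogon Notify DLLs with random names, one of them already "(file missing)". The following script is an added example, not part of this thread and not a HijackThis or BleepingComputer tool: it triages a HijackThis-style log with exactly those four heuristics. The sample lines are copied from the log posted above (constructed subset), and the heuristics and the Winlogon Notify allowlist are assumptions of this example, so a hit means "look closer", not "malicious".

```python
"""Triage a HijackThis v1.99-style log for the hijack patterns seen in this thread.

Heuristics (assumptions of this example, not HijackThis rules):
  O1  hosts entries that point a hostname at a non-loopback IP
  O2  BHOs reported as "(no name)" whose DLL lives in ...\system32\
  O4  Run entries that use rundll32.exe to load a DLL from system32
  O20 Winlogon Notify entries whose name is not in a small allowlist
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the O1/O2/O4/O20 lines from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\vturpqr.dll
O2 - BHO: (no name) - {E738F16F-C709-47FE-8F6D-1D3E8486BD6C} - C:\WINDOWS\system32\ddccb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsab.dll,startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
"""

# Assumption of this example: the Winlogon Notify subkeys a stock XP SP2 box
# carries, plus WgaLogon (Windows Genuine Advantage). Anything else gets flagged.
WINLOGON_ALLOWLIST = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_RE = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    line: str      # the log line that triggered the heuristic
    reason: str    # why it was flagged


def is_loopback(ip: str) -> bool:
    """127.0.0.0/8 and ::1 are normal hosts-file targets; anything else is a redirect."""
    return ip.startswith("127.") or ip == "::1"


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a heuristic above."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if not is_loopback(ip):  # note: also flags 0.0.0.0-style blocklists
                findings.append(Finding("O1", line, f"hosts file redirects {host} to {ip}"))
        elif m := BHO_RE.match(line):
            name, path = m.groups()
            if name == "(no name)" and SYSTEM32_RE.search(path):
                findings.append(Finding("O2", line, f"unnamed BHO loaded from system32: {path}"))
        elif m := RUN_RE.match(line):
            _, key, cmd = m.groups()
            if cmd.lower().startswith("rundll32") and SYSTEM32_RE.search(cmd):
                findings.append(Finding("O4", line, f"Run key [{key}] uses rundll32 to load a system32 DLL"))
        elif m := NOTIFY_RE.match(line):
            name, path = m.groups()
            if name not in WINLOGON_ALLOWLIST:
                reason = "Winlogon Notify DLL not in allowlist"
                if path.endswith("(file missing)"):
                    reason += " (file missing: dangling registration left behind)"
                findings.append(Finding("O20", line, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n      {f.line}")
    print("summary:", summarize(hits))
```

On the sample above the script flags the two hosts redirects, the two unnamed system32 BHOs, the CTDrive rundll32 entry and the two non-allowlisted Winlogon Notify DLLs, while leaving the Google Toolbar BHO, the Bluetooth rundll32 entry and WgaLogon alone. The matching of this thread's cleanup is deliberate: the O1 and O4 hits are the files SmitfraudFix later lists, and the O2/O20 ddccb hit is what VundoFix later removes.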

#5 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 21 November 2006 - 11:42 AM

Hi Calle, :thumbsup:

Quote: "First of all I really want to thank you for helping me with this"

You're very welcome.

Quote: "except for the firewall installation, because I thought that the Windows firewall did the job? Maybe I should try to install one of the programs you recommended anyway."

I recommend installing a 3rd party firewall which will also block "outgoing" attempts to access the net. The Windows version only blocks "incoming".

1. You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

2. Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

3. Finally do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the C:\rapport.txt along with the C:\vundofix.txt and the Kaspersky report and a new HijackThis log.

#6 Calle (Topic Starter, Members, 12 posts)

Posted 22 November 2006 - 02:55 AM

OK, here's the reports:

:thumbsup: SmitfraudFix Report:

SmitFraudFix v2.123

Scan done at 7:30:38,56, 2006-11-22
Run from C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\drvsab.dll Deleted
C:\DOCUME~1\ALLUSE~1\START-~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\START-~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



:flowers: VundoFix Report:

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 07:40:01 2006-11-22

Listing files found while scanning....

C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\bccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\bccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccb.dll Has been deleted!

Performing Repairs to the registry.
Done!




:huh: Kaspersky Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 22, 2006 8:38:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/11/2006
Kaspersky Anti-Virus database records: 243772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 75325
Number of viruses found: 17
Number of infected objects: 69 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:03

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2781.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\paqdcxhi.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\khfdbxy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\WINDOWS\system32\vturpqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\WINDOWS\system32\drvpog.dll Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\system32\pmnmnop.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\WINDOWS\system32\drvjil.dll Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\system32\piklwmtn.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\vtyiqccb.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\byxxwxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\WINDOWS\system32\drvpod.dll Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\system32\vtuvspo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\WINDOWS\Temp\win29C.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\mst38.tmp Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\Temp\win41.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\mst74.tmp Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\Temp\win70.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win6E.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win72.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win77.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win7B.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\mstA1.tmp Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\Temp\win9B.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win9D.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\win9F.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\mstAD.tmp Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\WINDOWS\Temp\winB4.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\winB5.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\winB7.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\winB8.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\winBF.tmp.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\WINDOWS\Temp\ZLT011af.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07f9c.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\ACER-188B83FC28.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9327B13E.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6C1DDFFC.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tilde\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tilde\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tilde\Lokala inställningar\Temp\~DFAA78.tmp Object is locked skipped
C:\Documents and Settings\Tilde\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tilde\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tilde\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tilde\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tilde\Cookies\index.dat Object is locked skipped
C:\Program\Delade filer\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program\Delade filer\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program\Delade filer\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program\Norton AntiVirus\AVError.log Object is locked skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0016747.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017513.dll Infected: not-virus:Hoax.Win32.Renos.ap skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017542.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017561.dll Infected: Trojan-Downloader.Win32.Zlob.akg skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017563.dll Infected: not-virus:Hoax.Win32.Renos.fa skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017572.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0017631.dll Infected: not-virus:Hoax.Win32.Renos.ap skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0017975.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018027.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018029.DLL Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018032.EXE Infected: Trojan-Downloader.Win32.Zlob.aes skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018033.EXE Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018036.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018057.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018058.exe Infected: Trojan.Win32.Dialer.qs skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018059.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018061.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018090.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018099.EXE Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019113.dll Infected: not-virus:Hoax.Win32.Renos.fa skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019114.dll Infected: not-virus:Hoax.Win32.Renos.ap skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019115.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019116.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019134.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019141.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019152.EXE Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019168.exe Infected: Trojan-Downloader.Win32.Zlob.awm skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019175.exe Infected: Trojan-Downloader.Win32.Zlob.awx skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019184.exe Infected: Trojan-Downloader.Win32.Zlob.awx skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019206.DLL Infected: Trojan.Win32.Agent.vg skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019243.exe Infected: Trojan-Downloader.Win32.Zlob.awx skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019246.DLL Infected: Trojan.Win32.Agent.vg skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019252.exe Infected: Trojan-Downloader.Win32.Zlob.awx skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP215\A0021619.exe Infected: not-a-virus:FraudTool.Win32.VirusBurst.c skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP219\A0023223.exe Infected: Trojan-Downloader.Win32.Zlob.awx skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP219\A0023226.dll Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP219\change.log Object is locked skipped

Scan process completed.



:huh: HijackThis Report of the day:

Logfile of HijackThis v1.99.1
Scan saved at 08:39:02, on 2006-11-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tilde\Skrivbord\Analyse.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {844DF4E6-F822-42DF-9CE6-B6BEDFE9E7D8} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {8D1C0EE1-87E8-489C-9BBA-A0FE4BC74404} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#7 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:04 PM

Posted 23 November 2006 - 01:05 PM

Hi Calle, :thumbsup:

Together with the tools you did a great job, but we still have some work to do. I recommend printing these instructions so you have them at hand.

1. Download, install, and update AVG Anti-Spyware 7.5

1. Save the installer to desktop
2. Double click the installer, select your language, and then select OK
3. Click NEXT>>Do or don't read the "User License Agreement"
Select I Agree>>>NEXT>>>INSTALL
4. AVG will now install and afterwards click FINISH
5. AVG Anti-Spyware 7.5 should now Load
6. Click the Update tab at the top. Under Manual Update click Start update.
7. After the update finishes (the status bar at the bottom will display "Update successful")
8. Close AVG Anti-Spyware 7.5. Do not run it yet.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run Vundofix once more while in safe mode.

4. When Vundofix has finished reboot into Safe mode again.

5. Run HijackThis, click Scan and checkmark the following entries:

O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: (no name) - {844DF4E6-F822-42DF-9CE6-B6BEDFE9E7D8} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {8D1C0EE1-87E8-489C-9BBA-A0FE4BC74404} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folders in bold if listed:

C:\WINDOWS\Temp

.......... and files in bold if listed:

C:\WINDOWS\system32\paqdcxhi.dll
C:\WINDOWS\system32\khfdbxy.dll
C:\WINDOWS\system32\vturpqr.dll
C:\WINDOWS\system32\drvpog.dll
C:\WINDOWS\system32\pmnmnop.dll
C:\WINDOWS\system32\drvjil.dll
C:\WINDOWS\system32\piklwmtn.dll
C:\WINDOWS\system32\vtyiqccb.dll
C:\WINDOWS\system32\byxxwxx.dll
C:\WINDOWS\system32\drvpod.dll
C:\WINDOWS\system32\vtuvspo.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\winjyg32.dll

7. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

8. Run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine, ensure that Automatically generate report after every scan is selected, and uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Please reboot to go back into Normal mode and post the AVG report along with the Vundofix report and a new HijackThis log.

#8 Calle

Calle
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:04 PM

Posted 28 November 2006 - 03:53 AM

Hi! I succeeded in doing most of those things, but I could not delete the file mljj.dll; it seems to be in use by another person or program. These are the reports:

HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 06:50:08, on 2006-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Tilde\Skrivbord\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\tepqraln.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: (no name) - {EB032870-B49D-45C6-8F5C-832E1899F983} - C:\WINDOWS\system32\mlljj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Tilde\Skrivbord\vundofix.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:25:21 2006-11-28

+ Scan result:


C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019115.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019116.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0027096.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0027097.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0027098.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0027099.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0027100.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP215\A0021619.exe -> Adware.VirusBurst.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017320.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017551.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018036.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018032.EXE -> Downloader.Zlob.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017561.dll -> Downloader.Zlob.akg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0016747.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017542.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017572.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0017975.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018033.EXE -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018061.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018090.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018099.EXE -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019134.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019141.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019152.EXE -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019168.exe -> Downloader.Zlob.awm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019175.exe -> Downloader.Zlob.awx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019184.exe -> Downloader.Zlob.awx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019243.exe -> Downloader.Zlob.awx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019252.exe -> Downloader.Zlob.awx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP219\A0023223.exe -> Downloader.Zlob.awx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017513.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019114.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP208\A0017563.dll -> Not-A-Virus.Hoax.Win32.Renos.fa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0019113.dll -> Not-A-Virus.Hoax.Win32.Renos.fa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP219\A0023226.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0026649.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0026650.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP222\A0026651.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019206.DLL -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP211\A0019246.DLL -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018029.DLL -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018057.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP209\A0018027.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B5645957-700C-4BB8-9F9B-0D47998845F0}\RP210\A0018058.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).


::Report end




Vundo Fix:

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:30:00 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak2

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:34:01 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:41:03 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 06:42:19 2006-11-28

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!
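The logs in this post show the pattern a malware-removal helper reads off a HijackThis log before deciding what to fix: a "(no name)" BHO whose DLL has a short random lowercase name in system32, the same DLL also registered as a Winlogon Notify package (O20), and a companion .ini whose base name is the DLL's name reversed (mlljj.dll next to jjllm.ini). A Notify DLL is mapped into winlogon.exe, and a mapped file cannot be deleted, which matches the "Could not be deleted" lines from VundoFix. The script below is an added example written for this page, not a tool used in the thread; it applies those three heuristics to a handful of entries copied from the log above plus the VundoFix file listing. The known-good Winlogon Notify list and the "5 to 8 lowercase letters" rule are assumptions made for the example, not a classification anyone should rely on without comparing against a known-clean machine.

```python
"""Triage heuristics for HijackThis 1.99 logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the HijackThis log posted above, plus the
# file names VundoFix listed. Enough to exercise each heuristic.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\tepqraln.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {EB032870-B49D-45C6-8F5C-832E1899F983} - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\jjllm.ini",
    r"C:\WINDOWS\system32\jjllm.bak1",
    r"C:\WINDOWS\system32\jjllm.bak2",
]

# Winlogon Notify packages expected on a stock XP SP2 box. Assumption made for this
# example: verify against a known-clean machine before trusting it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY = re.compile(r"^(?P<kind>O\d+|R\d) - (?P<body>.+)$")
RANDOM_BASE = re.compile(r"[a-z]{5,8}")   # matches mlljj, tepqraln; not ssv, yt, WgaLogon


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (kind, body) pairs, e.g. ('O2', 'BHO: ...')."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def split_name_ext(path: str) -> Tuple[str, str]:
    """'C:\\WINDOWS\\system32\\mlljj.dll' -> ('mlljj', 'dll'); case preserved."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    base, _, ext = name.rpartition(".")
    return (base, ext) if base else (name, "")


def looks_random(path: str) -> bool:
    """Vundo-style file name: a short run of lowercase letters, no digits or mixed case."""
    return RANDOM_BASE.fullmatch(split_name_ext(path)[0]) is not None


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def flag_bhos(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """'(no name)' BHOs: yellow by default, red when the DLL is a random name in system32."""
    flagged = []
    for kind, body in entries:
        if kind != "O2" or not body.startswith("BHO: "):
            continue
        # body layout: 'BHO: <name> - {CLSID} - <path>'
        name, _, rest = body[len("BHO: "):].partition(" - ")
        clsid, _, path = rest.partition(" - ")
        if name != "(no name)":
            continue
        severity = "red" if in_system32(path) and looks_random(path) else "yellow"
        flagged.append({"clsid": clsid, "path": path, "severity": severity})
    return flagged


def flag_winlogon_notify(entries: List[Tuple[str, str]]) -> List[str]:
    """O20 packages outside the known-good set; these DLLs are loaded by winlogon.exe."""
    flagged = []
    for kind, body in entries:
        if kind != "O20" or not body.startswith("Winlogon Notify: "):
            continue
        pkg, _, path = body[len("Winlogon Notify: "):].partition(" - ")
        if pkg.lower() not in KNOWN_NOTIFY:
            flagged.append(path)
    return flagged


def vundo_companions(dll_path: str, files: List[str]) -> List[str]:
    """Files whose base name is the DLL's base name reversed (mlljj.dll -> jjllm.*)."""
    reversed_base = split_name_ext(dll_path)[0].lower()[::-1]
    return [f for f in files if split_name_ext(f)[0].lower() == reversed_base]


def triage(hjt_text: str, vundofix_files: List[str]) -> Dict[str, object]:
    """Run all three heuristics and group the reversed-name companions per flagged O20 DLL."""
    entries = parse_hjt(hjt_text)
    notify = flag_winlogon_notify(entries)
    return {
        "bhos": flag_bhos(entries),
        "winlogon_notify": notify,
        "companions": {p: vundo_companions(p, vundofix_files) for p in notify},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_VUNDOFIX_FILES).items():
        print(key, value)
```

On the sample the two system32 BHOs come out red, the VSAdd-in one yellow (the same three lines the helper asks to fix in the next post), mlljj.dll is the only unknown Notify package, and all three jjllm.* files are reported as its companions. The red flags are exactly the entries a removal tool run in Safe Mode needs to clear, because in Normal mode winlogon.exe keeps the DLL mapped.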

#9 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 November 2006 - 04:01 PM

Hi Calle, :thumbsup:

1. Reboot into Safe mode and run VundoFix once more, please.

2. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\tepqraln.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program\VSAdd-in\VSAdd-in.dll


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Using Windows Explorer, please delete the following folder, if listed:

C:\Program\VSAdd-in

.......... and file, if listed:

C:\WINDOWS\system32\tepqraln.dll

Let me know if you had problems with this step.

4. Perform an online scan with Panda: Panda Online

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a fresh HijackThis log.

Reboot and post the panda report along with the Vundo report and a fresh HijackThis log.

#10 Calle

Calle
  • Topic Starter

  • Members
  • 12 posts

Posted 30 November 2006 - 02:07 AM

OK, here are the new reports:

Panda:


Incident Status Location

Adware:adware/whenusearch Not disinfected c:\program\delade filer\WhenU
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nncybhmc.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\hjntimtm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fwvedoag.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\iqoiqqnb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hrykjxdh.dll
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tilde\Lokala inställningar\Temp\Cookies\tilde@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tilde\Lokala inställningar\Temp\Cookies\tilde@www.drivecleaner[2].txt
Adware:Adware/WebSearch Not disinfected C:\Documents and Settings\Tilde\Skrivbord\backups\backup-20061130-071114-147.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Tilde\Skrivbord\backups\backup-20061130-071114-293.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tilde\Skrivbord\SmitfraudFix\Process.exe
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@advertising[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@drivecleaner[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@com[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@mediaplex[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@tradedoubler[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@errorsafe[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@fastclick[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@www.drivecleaner[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@adrevolver[1].txt
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@research-int[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@doubleclick[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@statse.webtrendslive[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@stats.drivecleaner[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@www.winantivirus[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@www.errorsafe[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@bfast[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@burstnet[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@se.errorsafe[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@hitbox[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@maxserving[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@atdmt[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@adrevolver[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@trafficmp[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@server.iad.liveperson[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@casalemedia[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Tilde\Cookies\tilde@winantivirus[1].txt
Possible Virus. Not disinfected C:\VundoFix Backups\ddccb.dll.bad
Possible Virus. Not disinfected C:\VundoFix Backups\mlljj.dll.bad



VundoFix:

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:30:00 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak2

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:34:01 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 09:41:03 2006-11-26

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 06:42:19 2006-11-28

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Sun Java not detected
Scan started at 07:05:56 2006-11-30

Listing files found while scanning....

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.bak2
C:\WINDOWS\system32\jjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 07:59:04, on 2006-11-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Tilde\Skrivbord\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wxptaljd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: (no name) - {B362F0AE-0D0A-4C82-A535-2EE3C18B0C97} - C:\WINDOWS\system32\mlljj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Have a nice day, Falu! /c

#11 Calle

Calle
  • Topic Starter
  • Members
  • 12 posts

Posted 01 December 2006 - 05:23 AM

For a couple of days there have been some new problems with this computer: there are buffer overrun crashes almost every 20 minutes when I'm on the internet, which sometimes make the bar at the bottom of the screen (start button etc.) and all files on the desktop disappear. I also have problems with internet pages which demand login, for example Hotmail; I do not remain logged in for a long time, sometimes I can just see my inbox, and opening a message links me to the login page. Wrong cookie settings? One more strange thing is that every time I click on a link or browse to a web address, the browser seems to be "not responding" for a couple of seconds, the buttons and tools disappear, and the screen is blank. Then everything comes back (including the web page I first had open), and only after that does the page change to the requested address. Not a big problem, but annoying and very slow internet access.

If you have any solutions on that, please write to me!

I don't know if I think any of the spyware and malware are gone; maybe it has just changed to another advertisement.

Calle

#12 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 December 2006 - 07:06 AM

Hi Calle, :thumbsup:

1. Download this file - combofix.exe and place it on your desktop.

Now go to Start > Run and copy/paste the following in the dialog box:

"%userprofile%\desktop\combofix.exe" /v mlljj

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

2. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wxptaljd.dll
O2 - BHO: (no name) - {B362F0AE-0D0A-4C82-A535-2EE3C18B0C97} - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Download KillBox from here: KillBox

Unzip (right-click and choose Extract all) the folder to your desktop.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

c:\program\delade filer\WhenU
C:\WINDOWS\system32\nncybhmc.dll
C:\WINDOWS\system32\hjntimtm.exe
C:\WINDOWS\system32\fwvedoag.dll
C:\WINDOWS\system32\iqoiqqnb.dll
C:\WINDOWS\system32\hrykjxdh.dll
C:\WINDOWS\system32\wxptaljd.dll
C:\WINDOWS\system32\mlljj.dll


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post the Combofix report along with a fresh HijackThis log and let me know how things are running now.
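As an added example (not code from the thread, nor from the HijackThis or ComboFix authors), here is a small Python triage script that applies the same reading Falu did by eye to the O2, O20 and O23 lines of a HijackThis 1.99 log: unnamed BHOs loading from system32, Winlogon Notify packages outside the Windows XP stock set, services whose binary is missing, and a DLL registered under both O2 and O20 (the Vundo pattern behind mlljj.dll). The sample log lines are constructed from entries quoted in this thread, and the list of known Notify packages is the editor's assumption about an XP SP2 default install.

```python
import re
from collections import defaultdict

# Winlogon Notify packages present on a stock Windows XP SP2 install, plus
# WgaLogon from the Windows Genuine Advantage update (assumption: this list is
# the editor's, not from the thread). Any other package name deserves a look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

LINE_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\wxptaljd.dll
O2 - BHO: (no name) - {B362F0AE-0D0A-4C82-A535-2EE3C18B0C97} - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
"""


def _norm(path):
    """Lower-case and unquote a path: Windows paths are case-insensitive and
    HijackThis prints them exactly as the registry stores them."""
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Parse the O2 (BHO), O20 (Winlogon Notify) and O23 (Service) lines of a
    HijackThis 1.99 log into dicts. Every other line is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO_RE.match(body)
            if b:
                entries.append({"kind": kind, "name": b["name"],
                                "clsid": b["clsid"].upper(),
                                "path": _norm(b["path"])})
        elif kind == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                entries.append({"kind": kind, "name": n["name"],
                                "path": _norm(n["path"])})
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s:
                missing = s["path"].endswith("(file missing)")
                entries.append({"kind": kind, "name": s["name"],
                                "owner": s["owner"], "missing": missing,
                                "path": _norm(s["path"].replace("(file missing)", ""))})
    return entries


def triage(entries):
    """Return (kind, path, reason) tuples for the loading points matching
    the patterns the helper in this thread acted on."""
    findings = []
    loaders = defaultdict(set)          # path -> set of loading-point kinds
    for e in entries:
        loaders[e["path"]].add(e["kind"])
    for e in entries:
        in_sys32 = "\\system32\\" in e["path"]
        if e["kind"] == "O2" and e["name"] == "(no name)" and in_sys32:
            findings.append((e["kind"], e["path"],
                             "unnamed BHO loading from system32"))
        elif e["kind"] == "O20" and e["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
            findings.append((e["kind"], e["path"],
                             "Winlogon Notify package not in the XP stock set"))
        elif e["kind"] == "O23" and e["missing"]:
            findings.append((e["kind"], e["path"],
                             "service binary missing: stale entry, review rather than delete"))
    # The Vundo signature seen in this thread: one DLL registered both as a BHO
    # (O2) and as a Winlogon Notify package (O20), so fixing only the browser
    # side leaves it loaded at every logon.
    for path, kinds in loaders.items():
        if {"O2", "O20"} <= kinds:
            findings.append(("O2+O20", path,
                             "same DLL registered as BHO and Winlogon Notify"))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for kind, path, reason in triage_log(SAMPLE_LOG):
        print(f"{kind:7} {path}  <- {reason}")
```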

#13 Calle

Calle
  • Topic Starter
  • Members
  • 12 posts

Posted 04 December 2006 - 06:00 AM

Hi! There were no entries in HijackThis with the names:

O2 - BHO: (no name) - {B362F0AE-0D0A-4C82-A535-2EE3C18B0C97} - C:\WINDOWS\system32\mlljj.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll

The other things you told me to do went all well.

ComboFix Report

Tilde - 06-12-04 11:20:10,60 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Tilde\Skrivbord"
Command switches used :: /v mlljj

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.bak2


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-11-04 to 2006-12-04 ))))))))))))))))))))))))))))))))))


2006-12-03 21:38 <KAT> d-a------ C:\Program\Furnish Pro
2006-12-03 21:38 <KAT> d-------- C:\Program\Pixie
2006-11-30 07:58 42,516 --a------ C:\WINDOWS\system32\wxptaljd.dll
2006-11-30 07:24 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 09:45 126,996 --a------ C:\WINDOWS\system32\hrykjxdh.dll
2006-11-28 09:29 <KAT> d-------- C:\WINDOWS\TEMP
2006-11-27 22:45 88,340 --a------ C:\WINDOWS\system32\hjntimtm.exe
2006-11-27 22:45 <KAT> d-------- C:\Documents and Settings\Tilde\Application Data\SearchToolbarCorp
2006-11-26 22:45 126,996 --a------ C:\WINDOWS\system32\nncybhmc.dll
2006-11-26 09:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 09:00 <KAT> d-------- C:\Program\Grisoft
2006-11-25 21:40 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2006-11-25 21:40 <KAT> d-------- C:\Program\VstPlugins
2006-11-25 21:38 <KAT> d-------- C:\Program\Image-Line
2006-11-24 23:10 126,996 --a------ C:\WINDOWS\system32\fwvedoag.dll
2006-11-24 22:04 <KAT> d--hs---- C:\FOUND.002
2006-11-24 10:05 38,420 --a------ C:\WINDOWS\system32\iqoiqqnb.dll
2006-11-22 08:04 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2006-11-22 07:49 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-11-22 07:40 <KAT> d-------- C:\VundoFix Backups
2006-11-21 09:38 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2006-11-21 08:01 <KAT> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-21 08:01 <KAT> d-------- C:\Program\Zone Labs
2006-11-21 08:00 <KAT> d-------- C:\WINDOWS\Internet Logs
2006-11-21 07:09 <KAT> d-------- C:\Program\Java
2006-11-21 07:09 <KAT> d-------- C:\Program\Delade filer\Java
2006-11-19 20:10 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-11-19 20:10 <KAT> d-------- C:\WINDOWS\system32\Adobe
2006-11-18 12:56 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-18 00:39 <KAT> d-------- C:\Program\MSXML 4.0
2006-11-18 00:38 <KAT> d-------- C:\9503f165e5f88478fb0b431acfe7
2006-11-16 22:56 <KAT> d-------- C:\Program\XoftSpySE
2006-11-16 22:36 <KAT> d--hs---- C:\FOUND.001
2006-11-16 22:26 <KAT> d--hs---- C:\FOUND.000
2006-11-14 22:21 <KAT> d-------- C:\Documents and Settings\Tilde\cbt
2006-11-12 22:58 <KAT> d-------- C:\Program\Spybot - Search & Destroy
2006-11-12 22:58 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-12 22:50 <KAT> d-------- C:\Program\Norton AntiVirus
2006-11-12 20:11 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2006-11-08 20:51 <KAT> d-------- C:\Program\SanDisk
2006-11-06 16:03 275,576 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-11-06 16:03 245,880 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-11-06 16:03 24,184 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-11-05 23:41 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2006-11-05 23:41 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2006-11-05 23:41 <KAT> d-------- C:\Program\4Musics MP3 Bitrate Changer
2006-11-05 13:41 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:10 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 16:33 48768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-17 16:33 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-13 07:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SsAAD.exe"="C:\\Program\\Sony\\SONICS~1\\SsAAD.exe"
"swg"="C:\\Program\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"preload"="C:\\Windows\\RUNXMLPL.exe"
"SynTPLpr"="C:\\Program\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"ATIPTA"="C:\\Program\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LaunchAp"="\"C:\\Program\\Launch Manager\\LaunchAp.exe\""
"PowerKey"="\"C:\\Program\\Launch Manager\\PowerKey.exe\""
"LManager"="\"C:\\Program\\Launch Manager\\HotkeyApp.exe\""
"CtrlVol"="\"C:\\Program\\Launch Manager\\CtrlVol.exe\""
"LMgrOSD"="\"C:\\Program\\Launch Manager\\OSDCtrl.exe\""
"Wbutton"="\"C:\\Program\\Launch Manager\\Wbutton.exe\""
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"SoundMan"="SOUNDMAN.EXE"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe"
"DAEMON Tools"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"
"HP Software Update"="C:\\Program\\HP\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program\\Norton AntiVirus\\osCheck.exe\""
"SunJavaUpdateSched"="\"C:\\Program\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Zone Labs Client"="\"C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Tilde.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 06-12-04 11:25:30.42
C:\ComboFix.txt ... 06-12-04 11:25

HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:56:47, on 2006-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tilde\Skrivbord\Analyse.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchAp] "C:\Program\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#14 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 December 2006 - 07:39 AM

Hi Calle, :thumbsup:

HijackThis log looks clean, which is good news.

1. Make sure you can view all files. Click Start >My Computer > Tools > Folder Options >View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" >Apply then OK.

2. Using Windows Explorer, please delete the following folders in bold if listed:

C:\Documents and Settings\Tilde\Application Data\SearchToolbarCorp

.......... and files in bold if listed:

C:\WINDOWS\system32\wxptaljd.dll
C:\WINDOWS\system32\hrykjxdh.dll
C:\WINDOWS\system32\hjntimtm.exe
C:\WINDOWS\system32\nncybhmc.dll
C:\WINDOWS\system32\fwvedoag.dll
C:\WINDOWS\system32\iqoiqqnb.dll

Go to your C-drive and check what's inside this folder please. Do you know what's in there? If not delete this folder as well:

C:\9503f165e5f88478fb0b431acfe7

As can be seen here XoftSpy was once on the list of rogue spyware. For that reason it's considered optional. If you decide you want to get rid of it delete the following folder and file as well:

C:\Program\XoftSpySE
C:\WINDOWS\tasks\XoftSpySE.job

Let me know if you had problems with this step.

3. It's a dynamic world so you have to update Java once more! (latest version is Java Runtime Environment (JRE) 5.0 Update 10). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 5.0 Update 10
4. Next run Combofix once more to check the changes.

Please post the new Combofix report.

#15 Calle

Calle
  • Topic Starter
  • Members
  • 12 posts

Posted 06 December 2006 - 03:27 AM

Hello! Since last time the computer works really great! :thumbsup: Thanks!

Here's the ComboFix report:


Tilde - 06-12-06 9:18:00,06 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Tilde\Skrivbord"

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))


2006-12-06 09:06 <KAT> d-------- C:\Program\Java
2006-12-06 09:05 <KAT> d-------- C:\Program\Delade filer\Java
2006-12-05 10:10 <KAT> d-------- C:\WINDOWS\A6W_DATA
2006-12-05 07:06 <KAT> d-------- C:\Program\TPTEST5
2006-12-04 11:46 <KAT> d-------- C:\!KillBox
2006-12-03 21:38 <KAT> d-a------ C:\Program\Furnish Pro
2006-12-03 21:38 <KAT> d-------- C:\Program\Pixie
2006-11-30 07:24 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-28 09:29 <KAT> d-------- C:\WINDOWS\TEMP
2006-11-27 22:45 <KAT> d-------- C:\Documents and Settings\Tilde\Application Data\SearchToolbarCorp
2006-11-26 09:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 09:00 <KAT> d-------- C:\Program\Grisoft
2006-11-25 21:40 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2006-11-25 21:40 <KAT> d-------- C:\Program\VstPlugins
2006-11-25 21:38 <KAT> d-------- C:\Program\Image-Line
2006-11-24 22:04 <KAT> d--hs---- C:\FOUND.002
2006-11-22 08:04 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2006-11-22 07:49 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-11-22 07:40 <KAT> d-------- C:\VundoFix Backups
2006-11-21 09:38 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2006-11-21 08:01 <KAT> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-21 08:01 <KAT> d-------- C:\Program\Zone Labs
2006-11-21 08:00 <KAT> d-------- C:\WINDOWS\Internet Logs
2006-11-19 20:10 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-11-19 20:10 <KAT> d-------- C:\WINDOWS\system32\Adobe
2006-11-18 12:56 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-18 00:39 <KAT> d-------- C:\Program\MSXML 4.0
2006-11-16 22:36 <KAT> d--hs---- C:\FOUND.001
2006-11-16 22:26 <KAT> d--hs---- C:\FOUND.000
2006-11-14 22:21 <KAT> d-------- C:\Documents and Settings\Tilde\cbt
2006-11-12 22:58 <KAT> d-------- C:\Program\Spybot - Search & Destroy
2006-11-12 22:58 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-12 22:50 <KAT> d-------- C:\Program\Norton AntiVirus
2006-11-12 20:11 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2006-11-08 20:51 <KAT> d-------- C:\Program\SanDisk
2006-11-06 16:03 275,576 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-11-06 16:03 245,880 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-11-06 16:03 24,184 --a------ C:\WINDOWS\system32\drivers\srtspx.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 16:33 48768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-17 16:33 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 14:10 82432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-13 07:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SsAAD.exe"="C:\\Program\\Sony\\SONICS~1\\SsAAD.exe"
"swg"="C:\\Program\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"preload"="C:\\Windows\\RUNXMLPL.exe"
"SynTPLpr"="C:\\Program\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"ATIPTA"="C:\\Program\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LaunchAp"="\"C:\\Program\\Launch Manager\\LaunchAp.exe\""
"PowerKey"="\"C:\\Program\\Launch Manager\\PowerKey.exe\""
"LManager"="\"C:\\Program\\Launch Manager\\HotkeyApp.exe\""
"CtrlVol"="\"C:\\Program\\Launch Manager\\CtrlVol.exe\""
"LMgrOSD"="\"C:\\Program\\Launch Manager\\OSDCtrl.exe\""
"Wbutton"="\"C:\\Program\\Launch Manager\\Wbutton.exe\""
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"SoundMan"="SOUNDMAN.EXE"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe"
"DAEMON Tools"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"
"HP Software Update"="C:\\Program\\HP\\HP Software Update\\HPWuSchd2.exe"
"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program\\Norton AntiVirus\\osCheck.exe\""
"Zone Labs Client"="\"C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Tilde.job

Completion time: 06-12-06 9:20:26.32
C:\ComboFix.txt ... 06-12-06 09:20
