
Huge "bsod" Problems! Help Wanted Fast!


  • This topic is locked
18 replies to this topic

#1 Plan.Element

  • Members
  • 10 posts

Posted 21 November 2006 - 03:39 PM

Greetings.

Just 10 minutes ago I wrote a long post here about my problem, when the "BSOD" (Blue Screen Of Death) happened again :S

So I don't know how much I'm into writing a long post. I'll save it every 30 seconds to a .txt file on my desktop :D

OK, continuing:

I've been having some popup problems, mostly with "w00t pick us, we can clean your system from your 100000 errors for free!" popups and taskbar icons.

I searched on this forum and found some programs and tips on how to remove them, so I got rid of the major ones.

Now something much worse and terrible has happened.

I'm getting the "BSOD" quite often, like every 15 minutes. It's mostly when I've been around on the internet for about 5-10 minutes or so, or when I update my Windows.

It just flashes and then reboots.

I've also got 3 other problems:

1:
I sometimes get the "explorer.exe has encountered an error and needs to close" message,
where you can pick "don't send" or "send".

I normally just minimize it because that lets me continue playing or whatever I am doing, without further problems. But still, it's annoying and obviously a bug/virus.
I'll get you guys a log file for this as soon as it happens again.

2:
I've also been getting "Microsoft Windows has encountered an error and needs to close",
also where you can do the "send/don't send" thingy.
It says that around 4-5 times on each startup. I just say "don't send" on all of them and move on without problems.

I found it odd and thought it might help if I posted the log file for that error:

C:\DOCUME~1\BJRNO~1\LOKALE~1\Temp\WERdef4.dir00\Mini112106-18.dmp
C:\DOCUME~1\BJRNO~1\LOKALE~1\Temp\WERdef4.dir00\sysdata.xml

Don't know if you guys know anything about it, but it would be cool if you did :D

3:
Lastly, I have some problems with the dreaded "errorsafe", oh noes! :D
You know, the one where it asks if you want to scan and you say "hell no" but it still opens a website.

I've got some logs from HijackThis and my other anti-adware/anti-virus programs that you might want to look at:

HijackThis: (ran this page while scanning)

Logfile of HijackThis v1.99.1
Scan saved at 16:27:57, on 21-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Norton Internet Security\ISSVC.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmer\Winamp\winampa.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\$NtUninstallKB5468129$\kavss.exe
C:\Documents and Settings\Bjørno\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lokes-list.dk/forum/portal.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {84AA9CD5-504F-21EB-1C08-5EF00FCC3B9E} - C:\WINDOWS\system32\tozxeolc.dll (file missing)
R3 - URLSearchHook: (no name) - {03BE7BB3-E675-94DF-2858-BECE1DB8EC94} - C:\WINDOWS\system32\acvzyco.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmer\Fælles filer\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programmer\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Programmer\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmer\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmer\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Programmer\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programmer\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmer\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmer\GetRight\GRbrowse.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\ziobxhx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - C:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmer\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe

HijackThis, startuplist.txt

StartupList report, 21-11-2006, 17:10:08
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Bjørno\Skrivebord\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Norton Internet Security\ISSVC.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmer\Winamp\winampa.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\$NtUninstallKB5468129$\kavss.exe
C:\Documents and Settings\Bjørno\Skrivebord\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Bjørno\Menuen Start\Programmer\Start]
Adobe Gamma.lnk = ?

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menuen Start\Programmer\Start]
Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
ATIPTA = C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Programmer\Logitech\Video\ISStart.exe
WinampAgent = C:\Programmer\Winamp\winampa.exe
Logitech Hardware Abstraction Layer = "C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE"
DAEMON Tools = "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
ICQ Lite = "C:\Programmer\ICQLite\ICQLite.exe" -minimize
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
SunJavaUpdateSched = "C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe"
ccApp = "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
IS CfgWiz = C:\Programmer\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
URLLSTCK.exe = C:\Programmer\Norton Internet Security\UrlLstCk.exe
Windows Defender = "C:\Programmer\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
LogitechSoftwareUpdate = C:\Programmer\Logitech\Video\ManifestEngine.exe boot
H/PC Connection Agent = "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
TuneUp MemOptimizer = "C:\Programmer\TuneUp Utilities 2006\MemOptimizer.exe" autostart

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = C:\Programmer\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe "C:\Programmer\Fælles filer\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

1-Click Maintenance.job
MP Scheduled Scan.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[ImageShack Toolbar]
InProcServer32 = C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
CODEBASE = http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
OSD = C:\WINDOWS\Downloaded Program Files\ImageShackToolbar.osd

[Image Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx
CODEBASE = http://www.putfile.com/includes/ImageUploader4.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
DCOM Server 2240: C:\WINDOWS\system32\ziobxhx.dll

--------------------------------------------------
End of report, 7.178 bytes
Report generated in 0,063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


a-squared last scan:

a-squared Anti-Malware - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Programmer
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 21-11-2006 19:39:31

C:\Programmer\Fælles filer\totem shared detected: Trace.Directory.ISTbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mssetup --> Disk detected: Trace.Registry.MSN Track Monitor
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\MSTTK --> MaxLogSize detected: Trace.Registry.MSN Track Monitor
Value: HKEY_CLASSES_ROOT\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32 --> ThreadingModel detected: Trace.Registry.IMMonitor AIM Spy
Value: HKEY_CLASSES_ROOT\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32 --> ThreadingModel detected: Trace.Registry.IMMonitor AIM Spy
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32 --> ThreadingModel detected: Trace.Registry.IMMonitor AIM Spy
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32 --> ThreadingModel detected: Trace.Registry.IMMonitor AIM Spy
C:\WINDOWS\system32\acqohbjp.dll detected: Trojan.Win32.BHO.g
C:\WINDOWS\system32\acvzyco.dll detected: Adware.Win32.PurityScan.ak
C:\WINDOWS\system32\ivrqplfo.dll detected: Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\system32\opwdamcm.exe detected: Adware.Win32.Agent.at
C:\WINDOWS\system32\pywrrspy.dll detected: Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\system32\vtustus.dll detected: Adware.Win32.Virtumonde.dr
C:\Programmer\Fælles filer\Yazzle1162OinAdmin.exe detected: Trojan-Downloader.Win32.PurityScan.dc
C:\Programmer\Fælles filer\{9080B1EF-0711-1030-1130-04020105002d}\system.dll detected: Adware.Win32.Softomate.u
C:\Programmer\Fælles filer\{9080B1EF-0711-1030-1130-04020105002d}\Update.exe detected: Adware.Win32.Softomate.u

Scanned

Files: 38160
Traces: 82776
Cookies: 1
Processes: 13

Found

Files: 9
Traces: 7
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 21-11-2006 20:08:53
Scan time: 00:29:22

C:\Programmer\Fælles filer\{9080B1EF-0711-1030-1130-04020105002d}\system.dll Deleted Adware.Win32.Softomate.u
C:\Programmer\Fælles filer\{9080B1EF-0711-1030-1130-04020105002d}\Update.exe Deleted Adware.Win32.Softomate.u
C:\Programmer\Fælles filer\Yazzle1162OinAdmin.exe Deleted Trojan-Downloader.Win32.PurityScan.dc
C:\WINDOWS\system32\vtustus.dll Deleted Adware.Win32.Virtumonde.dr
C:\WINDOWS\system32\opwdamcm.exe Deleted Adware.Win32.Agent.at
C:\WINDOWS\system32\ivrqplfo.dll Deleted Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\system32\pywrrspy.dll Deleted Trojan-Spy.Win32.VBStat.h
C:\WINDOWS\system32\acvzyco.dll Deleted Adware.Win32.PurityScan.ak
C:\WINDOWS\system32\acqohbjp.dll Deleted Trojan.Win32.BHO.g
Value: HKEY_CLASSES_ROOT\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32 --> ThreadingModel Deleted Trace.Registry.IMMonitor AIM Spy
Value: HKEY_CLASSES_ROOT\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32 --> ThreadingModel Deleted Trace.Registry.IMMonitor AIM Spy
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}\InProcServer32 --> ThreadingModel Deleted Trace.Registry.IMMonitor AIM Spy
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}\LocalServer32 --> ThreadingModel Deleted Trace.Registry.IMMonitor AIM Spy
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\mssetup --> Disk Deleted Trace.Registry.MSN Track Monitor
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\MSTTK --> MaxLogSize Deleted Trace.Registry.MSN Track Monitor
C:\Programmer\Fælles filer\totem shared Deleted Trace.Directory.ISTbar

Deleted

Files: 9
Traces: 7
Cookies: 0

Ad-Aware, Lavasoft: (last scan)

ArchiveData(auto-quarantine- 2006-11-21 21-09-05.bckp)
Referencefile : Se1R134 20.11.2006
======================================================

ADWARE.SAFETYBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=RegValue : S-1-5-21-1214440339-484763869-839522115-1004\software\microsoft\internet explorer\toolbar\Webbrowser "{052b12f7-86fa-4921-8482-26c42316b522}"
obj[2]=Regkey : S-1-5-21-1214440339-484763869-839522115-1004\software\microsoft\windows\currentversion\ext\stats\{052b12f7-86fa-4921-8482-26c42316b522}

ADWARE.MYTOOLBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : S-1-5-21-1214440339-484763869-839522115-1004\software\microsoft\windows\currentversion\ext\stats\{c004dec2-2623-438e-9ca2-c9043ab28508}

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : software\microsoft\windows\currentversion\policies\activedesktop
obj[5]=Process : C:\WINDOWS\system32\ziobxhx.dll

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[4]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=IECache Entry : C:\Documents and Settings\Bjørno\Cookies\bjørno@rambler[2].txt

REDIRECTED HOSTFILE ENTRY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[7]=Hosts file : 127.0.0.1 www.trendmicro.com
obj[8]=Hosts file : 127.0.0.1 rads.mcafee.com
obj[9]=Hosts file : 127.0.0.1 customer.symantec.com
obj[10]=Hosts file : 127.0.0.1 liveupdate.symantec.com
obj[11]=Hosts file : 127.0.0.1 us.mcafee.com
obj[12]=Hosts file : 127.0.0.1 updates.symantec.com
obj[13]=Hosts file : 127.0.0.1 www.nai.com
obj[14]=Hosts file : 127.0.0.1 secure.nai.com
obj[15]=Hosts file : 127.0.0.1 dispatch.mcafee.com
obj[16]=Hosts file : 127.0.0.1 download.mcafee.com
obj[17]=Hosts file : 127.0.0.1 www.my-etrust.com
obj[18]=Hosts file : 127.0.0.1 mast.mcafee.com
obj[19]=Hosts file : 127.0.0.1 ca.com
obj[20]=Hosts file : 127.0.0.1 www.ca.com
obj[21]=Hosts file : 127.0.0.1 networkassociates.com
obj[22]=Hosts file : 127.0.0.1 www.networkassociates.com
obj[23]=Hosts file : 127.0.0.1 avp.com
obj[24]=Hosts file : 127.0.0.1 www.kaspersky.com
obj[25]=Hosts file : 127.0.0.1 www.avp.com
obj[26]=Hosts file : 127.0.0.1 downloads4.kaspersky-labs.com
obj[27]=Hosts file : 127.0.0.1 downloads3.kaspersky-labs.com
obj[28]=Hosts file : 127.0.0.1 downloads2.kaspersky-labs.com
obj[29]=Hosts file : 127.0.0.1 downloads1.kaspersky-labs.com
obj[30]=Hosts file : 127.0.0.1 www.f-secure.com
obj[31]=Hosts file : 127.0.0.1 viruslist.com
obj[32]=Hosts file : 127.0.0.1 www.viruslist.com
obj[33]=Hosts file : 127.0.0.1 liveupdate.symantecliveupdate.com
obj[34]=Hosts file : 127.0.0.1 www.mcafee.com
obj[35]=Hosts file : 127.0.0.1 sophos.com
obj[36]=Hosts file : 127.0.0.1 www.sophos.com
obj[37]=Hosts file : 127.0.0.1 securityresponse.symantec.com
obj[38]=Hosts file : 127.0.0.1 www.symantec.com

I'm going to do a "Spybot - S&D" scan soon. I'll edit and update this topic with the info soon.

Hope you guys can help

-P.E

Edited by Plan.Element, 21 November 2006 - 03:49 PM.
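A triage script for the kinds of log lines posted above, added here as an example and not part of this thread or of HijackThis/Ad-Aware: it parses HijackThis R3, F2 and O21 entries and Ad-Aware "Hosts file" objects (raw hosts lines too) and flags the patterns visible in these logs (an extra executable on the Winlogon Shell value, an unnamed URLSearchHook pointing at a DLL, a ShellServiceObjectDelayLoad DLL outside the stock set, security-vendor domains mapped to 127.0.0.1). The sample lines are copied from the post; the vendor list and the known-good SSODL set are my assumptions.

```python
import re
from dataclasses import dataclass

# Vendor keywords and bare domains whose hosts-file redirection to 127.0.0.1 would
# block AV updates (the Ad-Aware log above shows exactly this). Lists are my assumption.
SECURITY_VENDOR_KEYWORDS = ("symantec", "mcafee", "kaspersky", "sophos", "trendmicro",
                            "f-secure", "viruslist", "my-etrust", "networkassociates")
SECURITY_VENDOR_DOMAINS = ("nai.com", "ca.com", "avp.com")

# ShellServiceObjectDelayLoad DLLs the StartupList output above shows as stock
# Windows XP, plus wpdshserviceobj.dll (Windows Portable Devices): assumed known-good.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll", "wpdshserviceobj.dll"}

RE_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
RE_HOOK = re.compile(r"^R3 - URLSearchHook: (.+?) - (\S+) - (.+)$")
RE_SSODL = re.compile(r"^O21 - SSODL: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# Accepts Ad-Aware's "obj[n]=Hosts file : " prefix as well as a raw hosts line.
RE_HOSTS = re.compile(r"^(?:obj\[\d+\]=Hosts file : )?(?:127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)")


@dataclass
class Finding:
    rule: str
    line: str


def is_security_vendor(host: str) -> bool:
    """True if the host name belongs to one of the listed security vendors."""
    host = host.lower()
    if any(k in host for k in SECURITY_VENDOR_KEYWORDS):
        return True
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def check_line(line: str):
    """Return a Finding for one log line, or None if the line looks benign."""
    line = line.strip()
    m = RE_SHELL.match(line)
    if m:
        # Winlogon's Shell value should be exactly explorer.exe; anything appended is
        # started at every logon, as ibm00001.exe is in the log above.
        if m.group(1).strip().lower() != "explorer.exe":
            return Finding("winlogon-shell-hijack", line)
        return None
    m = RE_HOOK.match(line)
    if m:
        # An unnamed hook pointing at a DLL path (present or "(file missing)") is
        # suspect; "(no file)" is how HijackThis shows the empty default entry.
        if m.group(1) == "(no name)" and "\\" in m.group(3):
            return Finding("urlsearchhook-unnamed-dll", line)
        return None
    m = RE_SSODL.match(line)
    if m:
        dll = m.group(2).rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_SSODL_DLLS:
            return Finding("ssodl-unknown-dll", line)
        return None
    m = RE_HOSTS.match(line)
    if m and is_security_vendor(m.group(1)):
        return Finding("hosts-blocks-security-vendor", line)
    return None


def triage(log_text: str) -> list:
    """Run check_line over every line of a pasted log and collect the findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


# Constructed sample: lines copied from the HijackThis and Ad-Aware output above,
# plus one benign hosts line, so the script runs offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {84AA9CD5-504F-21EB-1C08-5EF00FCC3B9E} - C:\WINDOWS\system32\tozxeolc.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmer\Fælles filer\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\ziobxhx.dll
obj[7]=Hosts file : 127.0.0.1 www.trendmicro.com
obj[10]=Hosts file : 127.0.0.1 liveupdate.symantec.com
127.0.0.1 localhost
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```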



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 November 2006 - 06:36 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You've definitely got some infections there. I'm not sure that they are completely the cause of your BSODs, but let's get rid of the junk and then we'll see where we are.

We'll start with this tool.

Please download ComboFix and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Plan.Element
  • Topic Starter

  • Members
  • 10 posts

Posted 22 November 2006 - 01:06 PM

Hey Sam :D
Thanks for taking your time to help me out here.

I finally downloaded the program (after lots of BSODs). But as I ran it, BSODs kept popping up :D So I used the good ol' "Safe mode".

I ran the program and it found some infections (I'll show you the log, read on).

I rebooted to get into this forum and reply. But now that I've logged into my user from the logon screen, it's like there's no explorer.exe Oo

There's only a plain background. Good thing that I know a little about computers, so I pressed "ctrl + alt + delete", did a "new task" and found this again.

The "Joblist" is frozen now though :thumbsup:

Anyway. I'll try to reboot and get the log. Hang on..

EDIT:

Rebooted and everything is back to normal (don't know if that's good :D)

ComboFix log

Bjørno - 06-11-22 18:48:14,70 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Bjørno\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wapisu.exe
C:\WINDOWS\system32\components
C:\Programmer\Fælles filer\{9080B1EF-0711-1030-1130-04020105002d}
C:\Programmer\Fælles filer\{9080B1EF-0712-1030-1130-04020105002d}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1\cmd.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


2006-11-21 22:59 <DIR> d--hs---- C:\Config.Msi
2006-11-21 22:56 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Sun
2006-11-21 22:16 59,392 --a------ C:\WINDOWS\system32\drvbob.dll
2006-11-21 22:15 40,973 ---hs---- C:\WINDOWS\system32\ddccaax.dll
2006-11-21 21:56 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-21 21:56 <DIR> d-------- C:\Programmer\Zone Labs
2006-11-21 21:55 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-21 21:00 <DIR> d-------- C:\Programmer\Lavasoft
2006-11-21 21:00 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Lavasoft
2006-11-21 20:36 <DIR> d-------- C:\Programmer\SpywareBlaster
2006-11-21 19:15 <DIR> d-------- C:\Temp
2006-11-21 17:48 <DIR> d-------- C:\Programmer\a-squared Anti-Malware
2006-11-21 16:50 21,312 --a------ C:\WINDOWS\choice.exe
2006-11-21 16:48 <DIR> d-------- C:\ie-spyad
2006-11-20 14:51 584,262 ---hs---- C:\WINDOWS\system32\klkkj.bak2
2006-11-19 09:41 <DIR> d-------- C:\WINDOWS\pss
2006-11-19 09:30 692,276 ---hs---- C:\WINDOWS\system32\jkklk.dll
2006-11-19 09:30 584,257 ---hs---- C:\WINDOWS\system32\klkkj.bak1
2006-11-19 09:30 <DIR> d-------- C:\Programmer\VSAdd-in
2006-11-19 09:24 15,872 --a------ C:\WINDOWS\system32\winmfu32.dll
2006-11-19 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-11-19 02:48 <DIR> d-------- C:\Programmer\Norton Internet Security
2006-11-19 02:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-19 02:46 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 02:21 <DIR> d-------- C:\Documents and Settings\Bjorno\Incomplete
2006-11-19 02:11 <DIR> d-------- C:\Documents and Settings\Bjorno\.limewire
2006-11-18 21:39 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Help
2006-11-18 18:16 <DIR> d-------- C:\WINDOWS\Private World of Warcraft Server
2006-11-15 13:29 <DIR> d-------- C:\Programmer\GetRight
2006-11-15 13:28 <DIR> d-------- C:\Downloads
2006-11-14 22:32 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-11-14 22:32 <DIR> d-------- C:\Programmer\Hamachi
2006-11-14 22:32 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Hamachi
2006-11-14 21:59 <DIR> d-------- C:\Programmer\World of Warcraft
2006-11-13 20:50 <DIR> d-------- C:\Programmer\PremiumSoft
2006-11-13 20:42 <DIR> d-------- C:\Programmer\MySQL
2006-11-12 00:50 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\DivX
2006-11-11 22:05 <DIR> d-------- C:\WINDOWS\Minidump
2006-10-30 15:39 <DIR> d-------- C:\Programmer\MSN Messenger
2006-10-30 15:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-10-28 09:01 <DIR> d-------- C:\Programmer\netmeeting
2006-10-23 13:24 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\AdobeUM


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-22 18:48 -------- d-------- C:\Programmer\Fælles filer
2006-11-22 18:40 -------- d-------- C:\Programmer\Fælles filer\Symantec Shared
2006-11-21 22:48 -------- d-------- C:\Programmer\Warcraft III
2006-11-21 20:52 -------- d-------- C:\Programmer\Internet Explorer
2006-11-21 20:28 -------- d-------- C:\Programmer\Spybot - Search & Destroy
2006-11-21 19:52 -------- d-------- C:\Programmer\Counter-Strike 1.6
2006-11-21 19:51 -------- d--h----- C:\Programmer\InstallShield Installation Information
2006-11-21 16:36 -------- d-------- C:\Programmer\KnightOnline
2006-11-21 16:36 -------- d-------- C:\Programmer\IncrediMail
2006-11-21 16:34 -------- d-------- C:\Programmer\PFConfig
2006-11-19 09:39 -------- d-------- C:\Programmer\Grisoft
2006-11-19 09:16 -------- d-------- C:\Programmer\Mozilla Firefox
2006-11-19 09:15 -------- d-------- C:\Programmer\Logitech
2006-11-19 09:14 -------- d-------- C:\Programmer\DivX
2006-11-19 02:49 -------- d-------- C:\Programmer\Symantec
2006-11-19 02:23 -------- d-------- C:\Programmer\BitLord
2006-11-15 18:53 -------- d-------- C:\Programmer\IDM Computer Solutions
2006-11-15 16:13 -------- d-------- C:\Programmer\Installationer
2006-11-15 13:29 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\GetRightToGo
2006-11-12 09:49 -------- d-------- C:\Programmer\Warcraft III (Ingen Battlenet)
2006-11-06 16:10 27344 --a------ C:\Documents and Settings\Bjorno\Application Data\GDIPFONTCACHEV1.DAT
2006-10-30 15:39 -------- d-------- C:\Programmer\Fælles filer\Microsoft Shared
2006-10-20 20:26 -------- d-------- C:\Programmer\Valve
2006-10-20 20:05 -------- d-------- C:\Programmer\THQ
2006-10-20 20:03 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\InstallShield
2006-10-20 19:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-19 20:42 160768 --a------ C:\WINDOWS\system32\xcdf.dll
2006-10-19 20:42 -------- d---s---- C:\Documents and Settings\Bjorno\Application Data\Microsoft
2006-10-19 17:40 4 --a------ C:\WINDOWS\info147.sys
2006-10-19 16:43 157184 --a------ C:\WINDOWS\system32\pkmeqo.dll
2006-10-18 09:24 -------- d-------- C:\Programmer\Wolfenstein - Enemy Territory
2006-10-16 20:40 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Adobe
2006-10-16 20:38 869 --a------ C:\Documents and Settings\Bjorno\Application Data\AdobeDLM.log
2006-10-16 20:38 0 --a------ C:\Documents and Settings\Bjorno\Application Data\dm.ini
2006-10-16 20:38 -------- d-------- C:\Programmer\Adobe
2006-10-16 20:33 -------- d-------- C:\Programmer\Fælles filer\Adobe
2006-10-14 17:17 -------- d-------- C:\Programmer\Blitzkrieg 2
2006-10-14 11:56 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Talkback
2006-10-13 20:19 -------- d-------- C:\Programmer\Soldat
2006-10-11 20:43 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\IDMComp
2006-10-09 20:08 -------- d-------- C:\Programmer\Fælles filer\Ahead
2006-10-09 20:07 -------- d-------- C:\Programmer\Ahead
2006-10-09 13:17 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\çasks
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-10-01 15:59 -------- d-------- C:\Programmer\Fælles filer\Blizzard Entertainment
2006-09-25 15:12 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Opera
2006-09-24 20:19 -------- d-------- C:\Programmer\ICQLite
2006-09-23 14:18 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\ICQLite
2006-09-21 18:59 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-09-13 06:06 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 13:25 2321664 --a------ C:\WINDOWS\system32\TUKernel.exe
2006-09-01 09:23 69632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-09-01 09:22 155648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-09-01 09:21 110592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-09-01 09:20 131072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-17 17:25 62 --ahs---- C:\Documents and Settings\Bjorno\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LogitechSoftwareUpdate"="C:\\Programmer\\Logitech\\Video\\ManifestEngine.exe boot"
"H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programmer\\Logitech\\Video\\ISStart.exe "
"Logitech Hardware Abstraction Layer"="\"C:\\Programmer\\Fælles filer\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Programmer\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"URLLSTCK.exe"="C:\\Programmer\\Norton Internet Security\\UrlLstCk.exe"
"a-squared"="\"C:\\Programmer\\a-squared Anti-Malware\\a2guard.exe\""
"Zone Labs Client"="\"C:\\Programmer\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvbob.dll,startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoExpandedNewMenu"=dword:00000000
"GreyMSIAds"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{9080B1EF-0711-1030-1130-04020105002d}"="\"C:\\Programmer\\Fælles filer\\{9080B1EF-0711-1030-1130-04020105002d}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="\"C:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ICQ Lite"="\"C:\\Programmer\\ICQLite\\ICQLite.exe\" -minimize"
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"Windows Defender"="\"C:\\Programmer\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Programmer\\Fælles filer\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-22 18:49:02.95
C:\ComboFix.txt ... 06-11-22 18:49

Go for it Sammy :D

-P.E

Edited by Plan.Element, 22 November 2006 - 01:09 PM.


#4 Buckeye_Sam (Malware Expert, 17,382 posts, Pickerington, Ohio)

Posted 22 November 2006 - 03:23 PM

We've got our hands full here, but we'll plug away at it and get there.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTDrive"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


=============


For this next step you need to move Combofix.exe to your desktop.


Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v ddccaax drvbob jkklk winmfu32

When it's done running it will produce a log for you. Please post that log in your next reply.


=============


Click Start -> Run -> eventvwr.msc

Look in SYSTEM and APPLICATIONS for anything in the last day around the time when you are getting the BSOD's.
Double click on anything you see with a red X, press the Copy button, and then paste it here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
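As an added example (written for this thread; it is not part of ComboFix and not Buckeye_Sam's fix), here is the triage a helper does by eye on the "Reg Loading Points" section of the log in post #3, turned into code: it parses the ComboFix registry listing, flags the entries that look like malware autoruns (a rundll32 entry loading an unknown DLL from system32, Run values parked under a Policies key, an msconfig-disabled item with a generated-looking name, Winlogon Notify packages outside the stock set) and drafts the same kind of REGEDIT4 script the helper posted in post #4. The heuristics, the Notify allow-list and the constructed log excerpt are this example's own. The draft is a starting point for review, not something to merge unseen, and deleting a Notify subkey does not unload a DLL that is already mapped into winlogon.exe, so the file itself still has to be removed separately.

```python
import re

# Constructed sample: the "Reg Loading Points" section of the ComboFix log posted above,
# trimmed to the keys that matter here and copied with its .reg-style escaping intact.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvbob.dll,startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{9080B1EF-0711-1030-1130-04020105002d}"="\"C:\\Programmer\\Fælles filer\\{9080B1EF-0711-1030-1130-04020105002d}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Programmer\\Fælles filer\\Microsoft Shared\\Web Folders\\ibm00001.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

KEY_RE = re.compile(r"^\[-?(HKEY_[^\]]+)\]$")
BARE_KEY_RE = re.compile(r"^(HKEY_[^\[\]]+)$")       # ComboFix lists Winlogon Notify subkeys bare
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Assumptions of this example, not ComboFix rules: the stock XP Winlogon Notify packages,
# and a "generated-looking" name pattern for msconfig-disabled startup items.
NOTIFY_ALLOW = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
GENERATED_NAME = re.compile(r"^[a-z]{2,5}\d{4,}$", re.I)
RUNDLL_DLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def parse_loading_points(text):
    """Return {key: {value_name: raw_data}}; bare keys (no values listed) map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line) or BARE_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            v = VALUE_RE.match(line)        # hex(...) continuation lines do not match and are skipped
            if v:
                keys[current][v.group(1)] = v.group(2)
    return keys


def reg_unescape(data):
    """Strip the outer quotes of a .reg string value and undo its backslash escaping."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1]); i += 2
        else:
            out.append(data[i]); i += 1
    return "".join(out)


def find_suspects(keys):
    """Triage heuristics. Returns (kind, key, value_name, reason); kind is 'value' or 'key'."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            if k.rsplit("\\", 1)[1] not in NOTIFY_ALLOW:
                findings.append(("key", key, "", "Winlogon Notify package outside the stock set"))
        elif k.endswith("\\policies\\explorer\\run") and values:
            findings.append(("key", key, "", "Run values under a Policies key bypass msconfig"))
        elif "\\msconfig\\startupreg\\" in k:
            item = reg_unescape(values.get("item", '""'))
            if GENERATED_NAME.match(item):
                findings.append(("key", key, "", f"disabled startup item {item!r} has a generated-looking name"))
        elif k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                m = RUNDLL_DLL.match(reg_unescape(data))
                if m and "\\windows\\system32\\" in m.group(1).lower():
                    findings.append(("value", key, name, f"rundll32 loads {m.group(1)} from system32"))
    return findings


def build_fixme(findings):
    """Draft a REGEDIT4 script: "name"=- deletes one value, [-key] deletes a whole key.
    Line 1 must be REGEDIT4 and the file must end in a blank line, hence CRLF joins and the trailing ''."""
    by_key, whole_keys = {}, []
    for kind, key, name, _ in findings:
        if kind == "value":
            by_key.setdefault(key, []).append(name)
        else:
            whole_keys.append(key)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]", *[f'"{n}"=-' for n in names], ""]
    for key in whole_keys:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_suspects(parse_loading_points(SAMPLE_LOG))
    for kind, key, name, reason in found:
        target = f"{key}\\{name}" if name else key
        print(f"{kind:5} {target}  =>  {reason}")
    print(build_fixme(found))
```

Run it and redirect the output to fixme.reg: the helper's "no blank line above REGEDIT4" warning is about the same rule the script follows, since regedit only recognises the file when REGEDIT4 is the first line. On the posted log the draft removes the CTDrive value, the Policies Run key, the msconfig startupreg\shell key and the two Notify subkeys; the helper's own fixme.reg covered the first three and passed the Notify DLL names to ComboFix instead.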


========================================================

#5 Plan.Element (Topic Starter, 10 posts)

Posted 22 November 2006 - 05:42 PM

Hello again Sam and thanks for the fast reply.

I'm having some trouble with this step:

For this next step you need to move Combofix.exe to your desktop.


Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v ddccaax drvbob jkklk winmfu32

When it's done running it will produce a log for you. Please post that log in your next reply.


First of all, I'm running the Danish version of Windows, which means I have to change the name "desktop" to "skrivebord".

But when I then run it and press "Y", it loads for some time saying "Performing scan of your computer".

And then it says "Den angivne sti blev ikke fundet", which is Danish and would be translated into something like "the given path was not found", and then it exits the program.

Also:

I did what you said and here are ALL the error messages:

(Lol, I posted like a million, but I just read that it was the ones around the time of my BSOD :D)

There's an error here that looks more suspicious than the others around that time, but that might just be because I put my computer in "safe mode".

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 06-11-22
Time: 18:49
User: N/A
Computer: STENEREN
Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
aslm75
asuskbnt
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SCDEmu
SYMTDI
Tcpip
vsdatant

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

But as I recall, I put it in safe mode because I had a BSOD right before it. Here are some errors from before this one:


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 06-11-22
Time: 18:41
User: N/A
Computer: STENEREN
Description:
Error code 1000008e, parameter 1 c0000005, parameter 2 b2fef9fe, parameter 3 af2a0a20, parameter 4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 62 32 66 65 66 39 66 65 b2fef9fe
0040: 2c 20 61 66 32 61 30 61 , af2a0a
0048: 32 30 2c 20 30 30 30 30 20, 0000
0050: 30 30 30 30 0000

And right before it here:


Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 06-11-22
Time: 18:41
User: N/A
Computer: STENEREN
Description:
Error code 1000008e, parameter 1 c0000005, parameter 2 b2fef9fe, parameter 3 b0494a20, parameter 4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 62 32 66 65 66 39 66 65 b2fef9fe
0040: 2c 20 62 30 34 39 34 61 , b0494a
0048: 32 30 2c 20 30 30 30 30 20, 0000
0050: 30 30 30 30 0000

=========================================

And there's a lot more at that exact time, 18:37.

Not sure if this was what you wanted, but just write in your next reply what you want me to do next and I'll do it in a jiffy :D

-P.E

Edited by Plan.Element, 22 November 2006 - 05:53 PM.
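The two Event ID 1003 records above are two crashes within the same minute at the same address, and each record carries the bug check in two forms: the localized Description, and the Data bytes, which are just the ASCII of the English description string. Below is an added example (not from the thread and not a Microsoft tool) that parses both forms, checks that they agree, decodes 0x1000008E into its documented meaning (KERNEL_MODE_EXCEPTION_NOT_HANDLED_M, where parameter 1 is the exception code, parameter 2 the faulting address and parameter 3 the trap frame; the _M variants share the base code's parameters), and then compares the faulting address across records. The sample records are copied from the post; the small NTSTATUS table and the assumption of a default 2 GB user/kernel split on 32-bit XP are the example's own.

```python
import re

# Constructed sample: the two Event ID 1003 records posted above (Danish Event Viewer),
# cut down to the Description line and the Data block of each.
SAMPLE_EVENTS = [
    """Beskrivelse:
Fejlkode 1000008e, parameter 1 c0000005, parameter 2 b2fef9fe, parameter 3 af2a0a20, parameter 4 00000000.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 62 32 66 65 66 39 66 65 b2fef9fe
0040: 2c 20 61 66 32 61 30 61 , af2a0a
0048: 32 30 2c 20 30 30 30 30 20, 0000
0050: 30 30 30 30 0000
""",
    """Beskrivelse:
Fejlkode 1000008e, parameter 1 c0000005, parameter 2 b2fef9fe, parameter 3 b0494a20, parameter 4 00000000.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 62 32 66 65 66 39 66 65 b2fef9fe
0040: 2c 20 62 30 34 39 34 61 , b0494a
0048: 32 30 2c 20 30 30 30 30 20, 0000
0050: 30 30 30 30 0000
""",
]

DESC_RE = re.compile(
    r"(?:Fejlkode|Error code)\s+([0-9a-f]{8}),\s*parameter\s?1\s+([0-9a-f]{8}),\s*parameter\s?2\s+([0-9a-f]{8}),"
    r"\s*parameter\s?3\s+([0-9a-f]{8}),\s*parameter\s?4\s+([0-9a-f]{8})", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2}(?: |$)){1,8})", re.I)   # offset, then up to 8 bytes

MINIDUMP_VARIANT = 0x10000000   # bit 28 marks the "_M" bug checks, documented to share the base code's parameters
BUGCHECKS = {                   # parameter meanings as in Microsoft's bug check reference
    0x8E: ("KERNEL_MODE_EXCEPTION_NOT_HANDLED", ("exception code", "faulting address", "trap frame", "reserved")),
    0x7E: ("SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", ("exception code", "faulting address", "exception record", "context record")),
    0x50: ("PAGE_FAULT_IN_NONPAGED_AREA", ("referenced address", "0 read / 1 write", "faulting address", "reserved")),
}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80000003: "STATUS_BREAKPOINT",
            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION", 0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO"}


def parse_event(text):
    """Pull the bug check code, its four parameters and the raw Data bytes out of one record."""
    m = DESC_RE.search(text)
    if not m:
        raise ValueError("no bug check description in record")
    code, *params = (int(x, 16) for x in m.groups())
    hexbytes = []
    for line in text.splitlines():
        h = HEX_RE.match(line.strip())
        if h:
            hexbytes += h.group(1).split()
    return {"bugcheck": code, "params": tuple(params), "data": bytes.fromhex("".join(hexbytes))}


def data_matches_description(ev):
    """The Data block is the record as the kernel wrote it; the Description is a localized
    rendering of it. Refuse to reason about a record whose two halves disagree."""
    text = ev["data"].decode("ascii", "replace").lower()
    return f"{ev['bugcheck']:08x}" in text and all(f"{p:08x}" in text for p in ev["params"])


def describe(ev):
    code = ev["bugcheck"]
    base = code & ~MINIDUMP_VARIANT
    name, labels = BUGCHECKS.get(base, (f"UNKNOWN_0x{base:X}", ("p1", "p2", "p3", "p4")))
    out = {"code": f"0x{code:08X}", "name": name + ("_M" if code & MINIDUMP_VARIANT else "")}
    out.update((label, f"0x{val:08X}") for label, val in zip(labels, ev["params"]))
    if base in (0x7E, 0x8E):
        out["exception"] = NTSTATUS.get(ev["params"][0], "unrecognised NTSTATUS")
        # Assumption: the default 2 GB user / 2 GB kernel split of 32-bit XP (no /3GB switch)
        out["address space"] = "kernel" if ev["params"][1] >= 0x80000000 else "user"
    return out


def shared_fault_address(events):
    """If every 0x7E/0x8E record faulted at one address, return it: the same instruction failing on
    every crash points at a deterministic bug in one loaded module rather than random corruption."""
    addrs = {e["params"][1] for e in events if (e["bugcheck"] & ~MINIDUMP_VARIANT) in (0x7E, 0x8E)}
    return addrs.pop() if len(addrs) == 1 else None


if __name__ == "__main__":
    events = [parse_event(t) for t in SAMPLE_EVENTS]
    for ev in events:
        print("consistent" if data_matches_description(ev) else "MISMATCH", describe(ev))
    print("shared faulting address:", hex(shared_fault_address(events) or 0))
```

For the posted records this yields an access violation (c0000005) at kernel address b2fef9fe in both crashes, with different trap frames, which is what a faulting driver looks like from the event log alone; naming the driver needs the matching file in C:\WINDOWS\Minidump (a folder the ComboFix log shows exists) opened in a debugger that can map the address to a loaded module.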


#6 Buckeye_Sam (Malware Expert, 17,382 posts, Pickerington, Ohio)

Posted 22 November 2006 - 06:06 PM

Just another hurdle for us to get past. That's ok. We can be flexible.

You may want to print out these instructions as you will have to boot into safe mode and won't be able to access the internet.


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.
Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
Locate and delete these files:

C:\WINDOWS\system32\drvbob.dll
C:\WINDOWS\system32\ddccaax.dll
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.bak1
C:\Programmer\VSAdd-in <-- delete this entire folder
C:\WINDOWS\system32\winmfu32.dll



Click Start -> Run -> services.msc
Double click on Messenger to bring up the Properties window.
If the service is started, stop it. Then set Startup type to Disabled.




Reboot back into normal mode and post a new hijackthis log.
Also post a new log from Combofix(no need to move it this time).


========================================================

#7 Plan.Element (Topic Starter, 10 posts)

Posted 23 November 2006 - 03:56 AM

Hello again Sam, and again thanks for the fast reply.

I did what you told me to do (booted in safe mode) and started to delete the files.

There were 2 files I couldn't delete though:

C:\WINDOWS\system32\winmfu32.dll
C:\WINDOWS\system32\jkklk.dll


"Can't delete this file, it's being used by another process" (or program)

=======================================

Also, when I did this:

Click Start -> Run -> services.msc
Double click on Messenger to bring up the Properties window.
If the service is started, stop it. Then set Startup type to Disabled.


The process was already stopped and the startup type was already "Disabled". Don't know if that's a good thing or a complicated thing?

=======================================

Also, I can't get my "HijackThis" to save a log for me.
Normally when I opened the program it would ask me if I wanted to scan and save a log, or scan only, or none of the above, and so on.
It doesn't show that screen anymore. It proceeds directly to the scanning window (the one with Scan, Config, Info on selected item, and so on).

And then I of course press the "Scan" button and it scans.
But when I do the "Save Log" it just exits the program, and I can't find a log anywhere on my computer.

I tried to delete the HijackThis.exe file and the log file and then reinstall, but it's the same as if I never deleted it...

=======================================

Good news is that my computer started up a lot faster than usual (normally it gets stuck at the "Welcome" screen during startup).

=======================================

Now that you told me about the "Messenger.exe", I remember one of my other problems I've had for a looong time.

C:\Programmer\netmeeting: that folder I can't delete. "Can't delete this file, it's being used by another process" (or program)

Some time ago it was filled with stuff that, if I deleted it, would just reinstall itself in a matter of seconds; that problem seems to be gone now though...

=======================================

EDIT:
Didn't read that you wanted a ComboFix.exe log.

Here:

Bjørno - 06-11-23 9:56:56.36 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Bjørno\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1\cmd.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


2006-11-22 23:18 588,117 ---hs---- C:\WINDOWS\system32\klkkj.ini2
2006-11-22 19:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-21 22:59 <DIR> d--hs---- C:\Config.Msi
2006-11-21 22:56 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Sun
2006-11-21 21:55 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-21 21:00 <DIR> d-------- C:\Programmer\Lavasoft
2006-11-21 21:00 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Lavasoft
2006-11-21 20:36 <DIR> d-------- C:\Programmer\SpywareBlaster
2006-11-21 19:15 <DIR> d-------- C:\Temp
2006-11-21 17:48 <DIR> d-------- C:\Programmer\a-squared Anti-Malware
2006-11-21 16:50 21,312 --a------ C:\WINDOWS\choice.exe
2006-11-21 16:48 <DIR> d-------- C:\ie-spyad
2006-11-19 09:41 <DIR> d-------- C:\WINDOWS\pss
2006-11-19 09:30 692,276 ---h----- C:\WINDOWS\system32\jkklk.dll
2006-11-19 09:24 15,872 --a------ C:\WINDOWS\system32\winmfu32.dll
2006-11-19 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-11-19 02:48 <DIR> d-------- C:\Programmer\Norton Internet Security
2006-11-19 02:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-19 02:46 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 02:21 <DIR> d-------- C:\Documents and Settings\Bjorno\Incomplete
2006-11-19 02:11 <DIR> d-------- C:\Documents and Settings\Bjorno\.limewire
2006-11-18 21:39 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Help
2006-11-18 18:16 <DIR> d-------- C:\WINDOWS\Private World of Warcraft Server
2006-11-15 13:29 <DIR> d-------- C:\Programmer\GetRight
2006-11-15 13:28 <DIR> d-------- C:\Downloads
2006-11-14 22:32 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-11-14 22:32 <DIR> d-------- C:\Programmer\Hamachi
2006-11-14 22:32 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Hamachi
2006-11-14 21:59 <DIR> d-------- C:\Programmer\World of Warcraft
2006-11-13 20:50 <DIR> d-------- C:\Programmer\PremiumSoft
2006-11-13 20:42 <DIR> d-------- C:\Programmer\MySQL
2006-11-12 00:50 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\DivX
2006-11-11 22:05 <DIR> d-------- C:\WINDOWS\Minidump
2006-10-30 15:39 <DIR> d-------- C:\Programmer\MSN Messenger
2006-10-30 15:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-10-28 09:01 <DIR> d-------- C:\Programmer\netmeeting
2006-10-23 13:24 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\AdobeUM


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-23 09:33 -------- d-------- C:\Programmer\Fælles filer\Symantec Shared
2006-11-22 22:31 -------- d-------- C:\Programmer\Warcraft III
2006-11-22 18:48 -------- d-------- C:\Programmer\Fælles filer
2006-11-21 20:52 -------- d-------- C:\Programmer\Internet Explorer
2006-11-21 20:28 -------- d-------- C:\Programmer\Spybot - Search & Destroy
2006-11-21 19:52 -------- d-------- C:\Programmer\Counter-Strike 1.6
2006-11-21 19:51 -------- d--h----- C:\Programmer\InstallShield Installation Information
2006-11-21 16:36 -------- d-------- C:\Programmer\KnightOnline
2006-11-21 16:36 -------- d-------- C:\Programmer\IncrediMail
2006-11-21 16:34 -------- d-------- C:\Programmer\PFConfig
2006-11-19 09:39 -------- d-------- C:\Programmer\Grisoft
2006-11-19 09:16 -------- d-------- C:\Programmer\Mozilla Firefox
2006-11-19 09:15 -------- d-------- C:\Programmer\Logitech
2006-11-19 09:14 -------- d-------- C:\Programmer\DivX
2006-11-19 02:49 -------- d-------- C:\Programmer\Symantec
2006-11-19 02:23 -------- d-------- C:\Programmer\BitLord
2006-11-15 18:53 -------- d-------- C:\Programmer\IDM Computer Solutions
2006-11-15 16:13 -------- d-------- C:\Programmer\Installationer
2006-11-15 13:29 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\GetRightToGo
2006-11-12 09:49 -------- d-------- C:\Programmer\Warcraft III (Ingen Battlenet)
2006-11-06 16:10 27344 --a------ C:\Documents and Settings\Bjorno\Application Data\GDIPFONTCACHEV1.DAT
2006-10-30 15:39 -------- d-------- C:\Programmer\Fælles filer\Microsoft Shared
2006-10-20 20:26 -------- d-------- C:\Programmer\Valve
2006-10-20 20:05 -------- d-------- C:\Programmer\THQ
2006-10-20 20:03 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\InstallShield
2006-10-20 19:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-19 20:42 160768 --a------ C:\WINDOWS\system32\xcdf.dll
2006-10-19 20:42 -------- d---s---- C:\Documents and Settings\Bjorno\Application Data\Microsoft
2006-10-19 17:40 4 --a------ C:\WINDOWS\info147.sys
2006-10-19 16:43 157184 --a------ C:\WINDOWS\system32\pkmeqo.dll
2006-10-18 09:24 -------- d-------- C:\Programmer\Wolfenstein - Enemy Territory
2006-10-16 20:40 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Adobe
2006-10-16 20:38 869 --a------ C:\Documents and Settings\Bjorno\Application Data\AdobeDLM.log
2006-10-16 20:38 0 --a------ C:\Documents and Settings\Bjorno\Application Data\dm.ini
2006-10-16 20:38 -------- d-------- C:\Programmer\Adobe
2006-10-16 20:33 -------- d-------- C:\Programmer\Fælles filer\Adobe
2006-10-14 17:17 -------- d-------- C:\Programmer\Blitzkrieg 2
2006-10-14 11:56 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Talkback
2006-10-13 20:19 -------- d-------- C:\Programmer\Soldat
2006-10-13 13:39 142848 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 20:43 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\IDMComp
2006-10-09 20:08 -------- d-------- C:\Programmer\Fælles filer\Ahead
2006-10-09 20:07 -------- d-------- C:\Programmer\Ahead
2006-10-09 13:17 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\çasks
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-10-01 15:59 -------- d-------- C:\Programmer\Fælles filer\Blizzard Entertainment
2006-09-25 15:12 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Opera
2006-09-24 20:19 -------- d-------- C:\Programmer\ICQLite
2006-09-23 14:18 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\ICQLite
2006-09-21 18:59 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-09-13 06:06 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 13:25 2321664 --a------ C:\WINDOWS\system32\TUKernel.exe
2006-09-01 09:23 69632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-09-01 09:22 155648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-09-01 09:21 110592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-09-01 09:20 131072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-17 17:25 62 --ahs---- C:\Documents and Settings\Bjorno\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LogitechSoftwareUpdate"="C:\\Programmer\\Logitech\\Video\\ManifestEngine.exe boot"
"H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programmer\\Logitech\\Video\\ISStart.exe "
"Logitech Hardware Abstraction Layer"="\"C:\\Programmer\\Fælles filer\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Programmer\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"URLLSTCK.exe"="C:\\Programmer\\Norton Internet Security\\UrlLstCk.exe"
"a-squared"="\"C:\\Programmer\\a-squared Anti-Malware\\a2guard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoExpandedNewMenu"=dword:00000000
"GreyMSIAds"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="\"C:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ICQ Lite"="\"C:\\Programmer\\ICQLite\\ICQLite.exe\" -minimize"
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"Windows Defender"="\"C:\\Programmer\\Windows Defender\\MSASCui.exe\" -hide"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-23 9:57:45.76
C:\ComboFix.txt ... 06-11-23 09:57
C:\ComboFix2.txt ... 06-11-22 23:28
C:\ComboFix3.txt ... 06-11-22 23:28

It did the "Given path was not found" but this time it made me a log instead of exiting :D

=======================================

Hoping to hear from you soon Sam.

-P.E

Edited by Plan.Element, 23 November 2006 - 04:02 AM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:22 AM

Posted 23 November 2006 - 10:15 AM

We're going to have to get some new tools.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Delete Temp Files
    • Click Tools -> Delete Temp Files
    • Place a check mark in all locations that aren't greyed out. By default they should already be checked.
    • Click Delete Selected Temp Files
  • Once that completes, select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\klkkj.ini2
    C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\winmfu32.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
===============


Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. Most other rootkit revealers don't.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
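The "Delete on Reboot" step above, and the PendingFileRenameOperations prompt it warns about, both rest on one mechanism: Killbox queues the paths in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager processes that list early in the next boot, before the Winlogon notify DLLs and most drivers are loaded, so a file that is locked during a normal session can still be removed. The Python below is an added example, not Killbox's code and not part of the thread: it builds the value in the format Windows stores it, parses it back, and checks that every requested deletion is still queued before you reboot. The helper names are invented; the three paths are the ones from the post.

```python
# Added example: models the delete-on-reboot queue that Killbox's
# "Delete on Reboot" uses. Not Killbox's code; helper names are invented.
#
# Registry location (REG_MULTI_SZ):
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
#     \PendingFileRenameOperations
# Session Manager (smss.exe) processes it early in the next boot, before
# the Winlogon notify DLLs and most drivers have loaded, which is why it
# can remove a file that is in use during a normal session.

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"          # NT object-manager prefix Windows puts on each path

# The three paths Killbox was asked to delete in this thread.
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\klkkj.ini2",
    r"C:\WINDOWS\system32\jkklk.dll",
    r"C:\WINDOWS\system32\winmfu32.dll",
]


def _to_nt(path):
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def build_pending_renames(paths):
    """Return the string list that queues every path for deletion.

    Entries come in pairs: source, then destination. An empty destination
    means "delete"; that is what MoveFileEx(src, NULL,
    MOVEFILE_DELAY_UNTIL_REBOOT) writes.
    """
    entries = []
    for p in paths:
        entries.extend([_to_nt(p), ""])
    return entries


def parse_pending_renames(entries):
    """Decode the value into (source, destination, replace_existing) tuples.

    destination is None for a delete. A leading '!' on the destination is
    Windows' marker for MOVEFILE_REPLACE_EXISTING. An empty source (the
    MULTI_SZ terminator, if the reader preserved it) ends the list.
    """
    ops = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        if src == "":
            break
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append((_from_nt(src), _from_nt(dst) if dst else None, replace))
    return ops


def missing_deletions(requested, entries):
    """Requested paths that are no longer queued as deletes.

    Run this before rebooting: if something on the box strips the value
    (Killbox reports that as 'Removed by External Process'), the files
    would silently survive the reboot.
    """
    queued = {src for src, dst, _ in parse_pending_renames(entries) if dst is None}
    return [p for p in requested if p not in queued]


def read_pending_renames():
    """Read the live value. Returns [] off Windows or when the value is unset."""
    try:
        import winreg                      # Windows-only module
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except OSError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    queued = build_pending_renames(KILLBOX_PATHS)
    for src, dst, _ in parse_pending_renames(queued):
        print("delete on reboot:" if dst is None else f"rename to {dst}:", src)
    # Simulate the value being wiped before the reboot: everything is missing.
    print("missing:", missing_deletions(KILLBOX_PATHS, []))
    # On the infected machine itself, compare against the live value instead.
    print("missing (live):", missing_deletions(KILLBOX_PATHS, read_pending_renames()))
```

On a clean box `missing_deletions(KILLBOX_PATHS, read_pending_renames())` returns an empty list right after Killbox has queued the files; a non-empty list before the reboot means the queue was tampered with and the deletion will not happen.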

#9 Plan.Element

Plan.Element
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:22 AM

Posted 23 November 2006 - 02:59 PM

Hello again Sam.

I think we are in big trouble.
While scanning with "GMER.exe" my computer gives me a BSOD.
So of course I reboot and do it in safe mode.
This time it does the exact same thing. Although it doesn't give me a blue screen, it just reboots.

Since it's the only BSOD I've had today I was able to find the specific error in the "eventvwr" window.

Here it is (translated as best as I could):

Event type: Error
Event source: sfsync02
Event category: None
Event ID: 12
Date: 23-11-2006
Time: 20:41:35
User: N/A
Computer: STENEREN
Description:
The description for Event ID ( 12 ) in source ( sfsync02 ) was not found. The local computer might not have the necessary information in the registry or DLL message files to show messages from a remote computer. You can possibly use the /AUXSOURCE= flag ("flaget" in the Danish text) to show this description. Look in Help and Support for more information.
The following message is a part of the event: .

Data:
0000: 00 00 08 00 01 00 5a 00 ......Z.
0008: 00 00 00 00 0c 00 04 c0 .......À
0010: 04 00 01 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 02 00 07 00 05 00 00 00 ........


===============

Good news is that Killbox worked fine; it gave me the "PendingFileRenameOperations" error though.
Heres the log:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Bjørno(Administrator)
was started @ Thursday, November 23, 2006, 8:26 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\klkkj.ini2


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\jkklk.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\winmfu32.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:28:11 PM
Killbox Closed(Exit) @ 8:28:30 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Bjørno(Administrator)
was started @ Thursday, November 23, 2006, 8:32 PM

Pocket Killbox version 2.0.0.881
Running on Windows XP as Bjørno(Administrator)
was started @ Thursday, November 23, 2006, 8:42 PM


===============

Like I told you, I couldn't get GMER.exe to work, so I just pressed Copy because it seemed it could only find one error before it did the BSOD.

Here:

EDIT: Removed the log from this post due to max letters in a post.

===============

Hoping to hear from you soon Sam.

-P.E

Edited by Plan.Element, 23 November 2006 - 05:43 PM.
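The six "Data" lines in the event above are the raw error-log packet the sfsync02 driver handed to the kernel, and they explain why Event Viewer shows "Event ID 12" with no description: a kernel driver logs errors by passing an IO_ERROR_LOG_PACKET to IoWriteErrorLogEntry, Event Viewer shows that packet verbatim as the Data block, and the Event ID is simply the low 16 bits of the driver's own NTSTATUS error code. The Python below is an added example, not from the thread; it assumes the Data block is a 32-bit IO_ERROR_LOG_PACKET in the ntddk.h layout (this machine runs 32-bit XP SP2) and that the enclosing IO_ERROR_LOG_MESSAGE places the packet at offset 24. Helper names are this example's own. Decoded, the ErrorCode is 0xC004000C (severity error, facility 4, code 12), and the StringOffset of 0x5a is consistent with the driver name "sfsync02" stored as UTF-16 right after the dump data.

```python
# Added example: decodes the Event Viewer "Data" bytes from the post above.
# Not from the thread. Assumption: a driver-sourced System log entry carries
# the IO_ERROR_LOG_PACKET the driver passed to IoWriteErrorLogEntry, in the
# 32-bit layout from ntddk.h (this machine runs 32-bit XP SP2).
import re
import struct

# The six Data lines as posted for the sfsync02 event (Event ID 12).
EVENT_DATA_HEX = """
0000: 00 00 08 00 01 00 5a 00 ......Z.
0008: 00 00 00 00 0c 00 04 c0 .......À
0010: 04 00 01 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 02 00 07 00 05 00 00 00 ........
"""

# IO_ERROR_LOG_PACKET (32-bit, little-endian):
#   B MajorFunctionCode  B RetryCount      H DumpDataSize   H NumberOfStrings
#   H StringOffset       H EventCategory   xx pad           I ErrorCode
#   I UniqueErrorValue   I FinalStatus     I SequenceNumber I IoControlCode
#   q DeviceOffset       ... then DumpDataSize bytes of ULONG DumpData[]
PACKET_FMT = "<BBHHHHxxIIIIIq"
PACKET_FIELDS = ("MajorFunctionCode", "RetryCount", "DumpDataSize",
                 "NumberOfStrings", "StringOffset", "EventCategory",
                 "ErrorCode", "UniqueErrorValue", "FinalStatus",
                 "SequenceNumber", "IoControlCode", "DeviceOffset")
PACKET_SIZE = struct.calcsize(PACKET_FMT)   # 40 bytes; DumpData follows
MESSAGE_HEADER = 24   # offset of EntryData inside IO_ERROR_LOG_MESSAGE (32-bit)

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hex_dump(text):
    """Turn Event Viewer's 'offset: xx xx ... ascii' lines into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, rest = line.partition(":")
        taken = 0
        for tok in rest.split():
            if taken == 8 or not HEX_BYTE.match(tok):   # ASCII column reached
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def decode_packet(data):
    """Unpack the fixed header and the trailing DumpData ULONGs."""
    pkt = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, data, 0)))
    dump = data[PACKET_SIZE:PACKET_SIZE + pkt["DumpDataSize"]]
    pkt["DumpData"] = [struct.unpack_from("<I", dump, i)[0]
                       for i in range(0, len(dump) - len(dump) % 4, 4)]
    return pkt


def ntstatus_parts(code):
    """Split an NTSTATUS; Event Viewer shows its low 16 bits as the Event ID."""
    return {"severity": code >> 30,           # 3 = STATUS_SEVERITY_ERROR
            "customer": (code >> 29) & 1,
            "facility": (code >> 16) & 0xFFF,
            "event_id": code & 0xFFFF}


def string_offset_consistent(pkt, driver_name):
    """Cross-check StringOffset against the record layout.

    It is relative to the enclosing IO_ERROR_LOG_MESSAGE: 24-byte header,
    the packet, its dump data, then the driver name as UTF-16 with a NUL,
    and only then the insertion strings.
    """
    name_bytes = 2 * (len(driver_name) + 1)
    return pkt["StringOffset"] == MESSAGE_HEADER + PACKET_SIZE + pkt["DumpDataSize"] + name_bytes


if __name__ == "__main__":
    pkt = decode_packet(parse_hex_dump(EVENT_DATA_HEX))
    print(f"ErrorCode 0x{pkt['ErrorCode']:08X} ->", ntstatus_parts(pkt["ErrorCode"]))
    print("dump data:", [f"0x{d:08X}" for d in pkt["DumpData"]])
    print("string offset consistent with driver 'sfsync02':",
          string_offset_consistent(pkt, "sfsync02"))
```

The same decoder works on any driver-sourced System log entry whose description is missing; the facility and code are the driver's own, so the message text has to come from that driver's message DLL, which is exactly what the "description not found" line is complaining about.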


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:22 AM

Posted 23 November 2006 - 05:43 PM

Download and run the Starforce driver removal tool from here.
http://www.onlinesecurity-on.com/protect.phtml?c=55

That should take care of some of your BSODs.


============


Once you've done that, proceed with this next step.

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.


========================================================

#11 Plan.Element

Plan.Element
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:22 AM

Posted 23 November 2006 - 05:44 PM

Hey Sam.

You must be getting tired of me soon :thumbsup:
We've run into new problems, hehe.

The Starforce tool seemed like it did something to my computer, which means it worked, which is a good thing and a thing I'm very happy with.

============


Now rustbfix.exe is a problem.
It said a lot of error things after the 2 reboots, and only opened 1 log:

Heres the log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yvmyegpi

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!

Seems bad to me :flowers:

============

HijackThis log

EDIT:
As said before, I can't create logs with the program anymore :S

Hope you aren't angry with me, because I really appreciate that you're helping me (and I'm thinking of making a donation too ^^)
-P.E

Edited by Plan.Element, 23 November 2006 - 05:57 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:22 AM

Posted 23 November 2006 - 06:04 PM

You're doing fine. It can be difficult working with a sick computer. We'll get there.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh log from Combofix by using Add/Reply


========================================================

#13 Plan.Element

Plan.Element
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:22 AM

Posted 24 November 2006 - 08:50 AM

Hello there Sam.

Log of Avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vdsqhbhd

*******************

Script file located at: hpkshnvr

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

===========

Log of Combofix.exe:

Bjørno - 06-11-24 14:48:29,20 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Bjørno\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1\cmd.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-24 to 2006-11-24 ))))))))))))))))))))))))))))))))))


2006-11-24 14:35 96 --a------ C:\avexport.bat
2006-11-24 14:35 60,416 --a------ C:\WINDOWS\system32\drivers\bvufobiu.sys
2006-11-24 14:35 336 --a------ C:\reboot.bat
2006-11-24 14:35 19,814 --a------ C:\reboot.exe
2006-11-24 14:35 126,976 --a------ C:\zip.exe
2006-11-24 14:35 1,080 --a------ C:\byskrkfw.bat
2006-11-23 23:46 60,436 --a------ C:\WINDOWS\system32\pdmrqsve.dll
2006-11-23 23:46 <DIR> d-------- C:\avenger
2006-11-23 23:43 16 --a------ C:\chdir.bat
2006-11-23 23:43 <DIR> d-------- C:\Rustbfix
2006-11-23 22:54 587,877 ---hs---- C:\WINDOWS\system32\klkkj.bak2
2006-11-23 22:54 38,420 --a------ C:\WINDOWS\system32\ittjknur.dll
2006-11-23 20:33 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-23 20:30 126,996 --a------ C:\WINDOWS\system32\vtoluywx.dll
2006-11-23 20:26 <DIR> d-------- C:\!KillBox
2006-11-23 10:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-11-22 23:18 587,313 ---hs---- C:\WINDOWS\system32\klkkj.ini2
2006-11-22 19:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-21 22:59 <DIR> d--hs---- C:\Config.Msi
2006-11-21 22:56 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Sun
2006-11-21 21:55 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-21 21:00 <DIR> d-------- C:\Programmer\Lavasoft
2006-11-21 21:00 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Lavasoft
2006-11-21 20:36 <DIR> d-------- C:\Programmer\SpywareBlaster
2006-11-21 19:15 <DIR> d-------- C:\Temp
2006-11-21 17:48 <DIR> d-------- C:\Programmer\a-squared Anti-Malware
2006-11-21 16:50 21,312 --a------ C:\WINDOWS\choice.exe
2006-11-21 16:48 <DIR> d-------- C:\ie-spyad
2006-11-19 09:41 <DIR> d-------- C:\WINDOWS\pss
2006-11-19 09:30 692,276 --------- C:\WINDOWS\system32\jkklk.dll
2006-11-19 09:24 15,872 --------- C:\WINDOWS\system32\winmfu32.dll
2006-11-19 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-11-19 02:48 <DIR> d-------- C:\Programmer\Norton Internet Security
2006-11-19 02:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-19 02:46 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 02:21 <DIR> d-------- C:\Documents and Settings\Bjorno\Incomplete
2006-11-19 02:11 <DIR> d-------- C:\Documents and Settings\Bjorno\.limewire
2006-11-18 21:39 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Help
2006-11-18 18:16 <DIR> d-------- C:\WINDOWS\Private World of Warcraft Server
2006-11-15 13:29 <DIR> d-------- C:\Programmer\GetRight
2006-11-15 13:28 <DIR> d-------- C:\Downloads
2006-11-14 22:32 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-11-14 22:32 <DIR> d-------- C:\Programmer\Hamachi
2006-11-14 22:32 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Hamachi
2006-11-14 21:59 <DIR> d-------- C:\Programmer\World of Warcraft
2006-11-13 20:50 <DIR> d-------- C:\Programmer\PremiumSoft
2006-11-13 20:42 <DIR> d-------- C:\Programmer\MySQL
2006-11-12 00:50 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\DivX
2006-11-11 22:05 <DIR> d-------- C:\WINDOWS\Minidump
2006-10-30 15:39 <DIR> d-------- C:\Programmer\MSN Messenger
2006-10-30 15:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-10-28 09:01 <DIR> d-------- C:\Programmer\netmeeting


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-24 14:42 -------- d-------- C:\Programmer\Fælles filer\Symantec Shared
2006-11-23 23:31 -------- d-------- C:\Programmer\Warcraft III
2006-11-23 10:07 -------- d-------- C:\Programmer\Winamp
2006-11-22 18:48 -------- d-------- C:\Programmer\Fælles filer
2006-11-21 20:52 -------- d-------- C:\Programmer\Internet Explorer
2006-11-21 20:28 -------- d-------- C:\Programmer\Spybot - Search & Destroy
2006-11-21 19:52 -------- d-------- C:\Programmer\Counter-Strike 1.6
2006-11-21 19:51 -------- d--h----- C:\Programmer\InstallShield Installation Information
2006-11-21 16:36 -------- d-------- C:\Programmer\KnightOnline
2006-11-21 16:36 -------- d-------- C:\Programmer\IncrediMail
2006-11-21 16:34 -------- d-------- C:\Programmer\PFConfig
2006-11-19 09:39 -------- d-------- C:\Programmer\Grisoft
2006-11-19 09:16 -------- d-------- C:\Programmer\Mozilla Firefox
2006-11-19 09:15 -------- d-------- C:\Programmer\Logitech
2006-11-19 09:14 -------- d-------- C:\Programmer\DivX
2006-11-19 02:49 -------- d-------- C:\Programmer\Symantec
2006-11-19 02:23 -------- d-------- C:\Programmer\BitLord
2006-11-15 18:53 -------- d-------- C:\Programmer\IDM Computer Solutions
2006-11-15 16:13 -------- d-------- C:\Programmer\Installationer
2006-11-15 13:29 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\GetRightToGo
2006-11-12 09:49 -------- d-------- C:\Programmer\Warcraft III (Ingen Battlenet)
2006-11-06 16:10 27344 --a------ C:\Documents and Settings\Bjorno\Application Data\GDIPFONTCACHEV1.DAT
2006-10-30 15:39 -------- d-------- C:\Programmer\Fælles filer\Microsoft Shared
2006-10-23 13:24 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\AdobeUM
2006-10-20 20:26 -------- d-------- C:\Programmer\Valve
2006-10-20 20:05 -------- d-------- C:\Programmer\THQ
2006-10-20 20:03 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\InstallShield
2006-10-20 19:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-19 20:42 160768 --a------ C:\WINDOWS\system32\xcdf.dll
2006-10-19 20:42 -------- d---s---- C:\Documents and Settings\Bjorno\Application Data\Microsoft
2006-10-19 17:40 4 --a------ C:\WINDOWS\info147.sys
2006-10-19 16:43 157184 --a------ C:\WINDOWS\system32\pkmeqo.dll
2006-10-18 09:24 -------- d-------- C:\Programmer\Wolfenstein - Enemy Territory
2006-10-16 20:40 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Adobe
2006-10-16 20:38 869 --a------ C:\Documents and Settings\Bjorno\Application Data\AdobeDLM.log
2006-10-16 20:38 0 --a------ C:\Documents and Settings\Bjorno\Application Data\dm.ini
2006-10-16 20:38 -------- d-------- C:\Programmer\Adobe
2006-10-16 20:33 -------- d-------- C:\Programmer\Fælles filer\Adobe
2006-10-14 17:17 -------- d-------- C:\Programmer\Blitzkrieg 2
2006-10-14 11:56 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Talkback
2006-10-13 20:19 -------- d-------- C:\Programmer\Soldat
2006-10-13 13:39 142848 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 20:43 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\IDMComp
2006-10-09 20:08 -------- d-------- C:\Programmer\Fælles filer\Ahead
2006-10-09 20:07 -------- d-------- C:\Programmer\Ahead
2006-10-09 13:17 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\çasks
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-10-01 15:59 -------- d-------- C:\Programmer\Fælles filer\Blizzard Entertainment
2006-09-25 15:12 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Opera
2006-09-24 20:19 -------- d-------- C:\Programmer\ICQLite
2006-09-21 18:59 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-09-13 06:06 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 13:25 2321664 --a------ C:\WINDOWS\system32\TUKernel.exe
2006-09-01 09:23 69632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-09-01 09:22 155648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-09-01 09:21 110592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-09-01 09:20 131072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 04:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-08-17 17:25 62 --ahs---- C:\Documents and Settings\Bjorno\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LogitechSoftwareUpdate"="C:\\Programmer\\Logitech\\Video\\ManifestEngine.exe boot"
"H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programmer\\Logitech\\Video\\ISStart.exe "
"Logitech Hardware Abstraction Layer"="\"C:\\Programmer\\Fælles filer\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Programmer\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"URLLSTCK.exe"="C:\\Programmer\\Norton Internet Security\\UrlLstCk.exe"
"a-squared"="\"C:\\Programmer\\a-squared Anti-Malware\\a2guard.exe\""
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"vknmlnde"="C:\\byskrkfw.bat"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoExpandedNewMenu"=dword:00000000
"GreyMSIAds"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="\"C:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ICQ Lite"="\"C:\\Programmer\\ICQLite\\ICQLite.exe\" -minimize"
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"Windows Defender"="\"C:\\Programmer\\Windows Defender\\MSASCui.exe\" -hide"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-24 14:49:19.67
C:\ComboFix.txt ... 06-11-24 14:49
C:\ComboFix2.txt ... 06-11-23 09:57
C:\ComboFix3.txt ... 06-11-22 23:28

Have it with ya :thumbsup:

-P.E

Edited by Plan.Element, 24 November 2006 - 08:52 AM.


#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:22 AM

Posted 24 November 2006 - 05:03 PM

Run this script through Avenger just like you did with the other one. Make sure you include the phrase "Files to delete" or it won't work properly.

Files to delete:

C:\WINDOWS\system32\drivers\bvufobiu.sys
C:\byskrkfw.bat
C:\WINDOWS\system32\pdmrqsve.dll
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\ittjknur.dll
C:\WINDOWS\system32\vtoluywx.dll
C:\WINDOWS\system32\pxafs.dll
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\winmfu32.dll
C:\WINDOWS\system32\xcdf.dll
C:\WINDOWS\system32\pkmeqo.dll


Please post the log from Avenger and a new log from Combofix.
Can you get a log from Hijackthis now?


========================================================
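The delete list above was built by reading the ComboFix log by eye: randomly named 8-letter files dropped into system32, system32\drivers and the root of C:, hidden+system files in system32, the two DLLs registered under winlogon\notify, a .bat started from a Run value, and klkkj.* whose name is jkklk reversed. The Python below is an added triage helper that encodes those observations as heuristics over the "Files Created" and "Reg Loading Points" sections; it is not ComboFix's code, not part of the thread, and the rule names and the small TOOL_HELPERS set (an assumption that avexport.bat, reboot.bat, reboot.exe and zip.exe are The Avenger's own working files, since they appear in the same minute as its run) are this example's own. The sample input is a constructed excerpt of the log posted above.

```python
# Added example: triage helper for the ComboFix "Files Created" and
# "Reg Loading Points" sections. Not ComboFix's or the thread's own code;
# the heuristics and names are this example's own.
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2006-11-24 14:35 96 --a------ C:\avexport.bat
2006-11-24 14:35 60,416 --a------ C:\WINDOWS\system32\drivers\bvufobiu.sys
2006-11-24 14:35 126,976 --a------ C:\zip.exe
2006-11-24 14:35 1,080 --a------ C:\byskrkfw.bat
2006-11-23 23:46 60,436 --a------ C:\WINDOWS\system32\pdmrqsve.dll
2006-11-23 22:54 587,877 ---hs---- C:\WINDOWS\system32\klkkj.bak2
2006-11-23 22:54 38,420 --a------ C:\WINDOWS\system32\ittjknur.dll
2006-11-23 10:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-11-22 23:18 587,313 ---hs---- C:\WINDOWS\system32\klkkj.ini2
2006-11-19 09:30 692,276 --------- C:\WINDOWS\system32\jkklk.dll
2006-11-19 09:24 15,872 --------- C:\WINDOWS\system32\winmfu32.dll
2006-11-19 02:46 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-14 22:32 <DIR> d-------- C:\Programmer\Hamachi
"vknmlnde"="C:\\byskrkfw.bat"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-\w]{9})\s+(.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)
NOTIFY_RE = re.compile(r"winlogon\\notify\\(\w+)\s*$", re.I | re.M)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")      # naming pattern of the droppers in this log
LOADABLE = {"dll", "sys", "exe", "bat"}
SYSTEM32 = "c:\\windows\\system32\\"
SUSPECT_DIRS = {"c:\\", SYSTEM32, SYSTEM32 + "drivers\\"}
# Assumption: these are The Avenger's own working files (same minute as its run).
TOOL_HELPERS = {"avexport.bat", "reboot.bat", "reboot.exe", "zip.exe"}


def parse_files(text):
    """Parse 'date time size attrs path' lines from the Files Created section."""
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        files.append({"when": when, "is_dir": size == "<DIR>", "attrs": attrs,
                      "path": path, "name": name.lower(), "ext": ext.lower(),
                      "stem": (stem if dot else name).lower(),
                      "dir": folder.lower() + "\\"})
    return files


def parse_notify(text):
    """Subkey names listed under winlogon\\notify."""
    return {m.group(1).lower() for m in NOTIFY_RE.finditer(text)}


def parse_run_values(text):
    """Run values as {name: command}; ComboFix prints .reg syntax, so backslashes are doubled."""
    return {m.group(1): m.group(2).replace("\\\\", "\\").lower() for m in RUN_RE.finditer(text)}


def triage(text):
    """Map path -> list of reasons for every file worth a second look."""
    files, notify, runs = parse_files(text), parse_notify(text), parse_run_values(text)
    helper_times = {f["when"] for f in files if f["name"] in TOOL_HELPERS}
    findings = {}
    for f in files:
        if f["is_dir"] or f["name"] in TOOL_HELPERS:
            continue
        why = []
        if RANDOM_STEM.match(f["stem"]) and f["dir"] in SUSPECT_DIRS and f["ext"] in LOADABLE:
            why.append("8-letter lowercase name in a system location")
        if "h" in f["attrs"] and "s" in f["attrs"] and f["dir"] == SYSTEM32:
            why.append("hidden+system file in system32")
        if f["stem"] in notify:
            why.append("loaded by winlogon\\notify")
        if f["stem"][::-1] in notify:
            why.append("name is the reverse of a winlogon\\notify entry")
        why += [f"started by Run value {v!r}" for v, cmd in runs.items() if f["path"].lower() in cmd]
        if why and f["when"] in helper_times:
            why.append("caveat: created in the same minute as the cleanup tool's helpers")
        if why:
            findings[f["path"]] = why
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

Two things the output makes visible that the delete list does not: SYMEVENT.SYS trips the 8-letter-name rule even though it arrived with Norton Internet Security on 2006-11-19, so this is a review list rather than a verdict, and pxafs.dll is caught by none of the rules although it was deleted too, so the heuristics complement the helper's judgment rather than replace it. The caveat on bvufobiu.sys and byskrkfw.bat matches what happened next in the thread: Avenger reported both as not found.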

#15 Plan.Element

Plan.Element
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:22 AM

Posted 25 November 2006 - 12:30 PM

I have gooood news for you Sam :D

I think we finally have some progress ;)

Avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\muvrwvuj

*******************

Script file located at: \??\C:\Program Files\kbinodlp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\drivers\bvufobiu.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\bvufobiu.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\bvufobiu.sys
Status: 0xc0000034



File C:\byskrkfw.bat not found!
Deletion of file C:\byskrkfw.bat failed!

Could not process line:
C:\byskrkfw.bat
Status: 0xc0000034

File C:\WINDOWS\system32\pdmrqsve.dll deleted successfully.
File C:\WINDOWS\system32\klkkj.bak2 deleted successfully.
File C:\WINDOWS\system32\ittjknur.dll deleted successfully.
File C:\WINDOWS\system32\vtoluywx.dll deleted successfully.
File C:\WINDOWS\system32\pxafs.dll deleted successfully.
File C:\WINDOWS\system32\klkkj.ini2 deleted successfully.
File C:\WINDOWS\system32\jkklk.dll deleted successfully.
File C:\WINDOWS\system32\winmfu32.dll deleted successfully.
File C:\WINDOWS\system32\xcdf.dll deleted successfully.
File C:\WINDOWS\system32\pkmeqo.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

============

Combofix.exe:


Bjørno - 06-11-25 18:22:20,79 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Bjørno\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMANTE~1\cmd.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\S?mantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-25 to 2006-11-25 ))))))))))))))))))))))))))))))))))


2006-11-25 18:18 <DIR> d-------- C:\avenger
2006-11-23 23:43 16 --a------ C:\chdir.bat
2006-11-23 23:43 <DIR> d-------- C:\Rustbfix
2006-11-23 20:33 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-23 20:26 <DIR> d-------- C:\!KillBox
2006-11-22 19:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-21 22:59 <DIR> d--hs---- C:\Config.Msi
2006-11-21 22:56 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Sun
2006-11-21 21:55 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-21 21:00 <DIR> d-------- C:\Programmer\Lavasoft
2006-11-21 21:00 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Lavasoft
2006-11-21 20:36 <DIR> d-------- C:\Programmer\SpywareBlaster
2006-11-21 19:15 <DIR> d-------- C:\Temp
2006-11-21 17:48 <DIR> d-------- C:\Programmer\a-squared Anti-Malware
2006-11-21 16:50 21,312 --a------ C:\WINDOWS\choice.exe
2006-11-21 16:48 <DIR> d-------- C:\ie-spyad
2006-11-19 09:41 <DIR> d-------- C:\WINDOWS\pss
2006-11-19 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-11-19 02:48 <DIR> d-------- C:\Programmer\Norton Internet Security
2006-11-19 02:46 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-19 02:46 104,144 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 02:21 <DIR> d-------- C:\Documents and Settings\Bjorno\Incomplete
2006-11-19 02:11 <DIR> d-------- C:\Documents and Settings\Bjorno\.limewire
2006-11-18 21:39 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Help
2006-11-18 18:16 <DIR> d-------- C:\WINDOWS\Private World of Warcraft Server
2006-11-15 13:29 <DIR> d-------- C:\Programmer\GetRight
2006-11-15 13:28 <DIR> d-------- C:\Downloads
2006-11-14 22:32 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-11-14 22:32 <DIR> d-------- C:\Programmer\Hamachi
2006-11-14 22:32 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\Hamachi
2006-11-14 21:59 <DIR> d-------- C:\Programmer\World of Warcraft
2006-11-13 20:50 <DIR> d-------- C:\Programmer\PremiumSoft
2006-11-13 20:42 <DIR> d-------- C:\Programmer\MySQL
2006-11-12 00:50 <DIR> d-------- C:\Documents and Settings\Bjorno\Application Data\DivX
2006-11-11 22:05 <DIR> d-------- C:\WINDOWS\Minidump
2006-10-30 15:39 <DIR> d-------- C:\Programmer\MSN Messenger
2006-10-30 15:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-10-28 09:01 <DIR> d-------- C:\Programmer\netmeeting


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-25 18:18 -------- d-------- C:\Programmer\Fælles filer\Symantec Shared
2006-11-24 15:05 -------- d-------- C:\Programmer\Warcraft III
2006-11-23 10:07 -------- d-------- C:\Programmer\Winamp
2006-11-22 18:48 -------- d-------- C:\Programmer\Fælles filer
2006-11-21 20:52 -------- d-------- C:\Programmer\Internet Explorer
2006-11-21 20:28 -------- d-------- C:\Programmer\Spybot - Search & Destroy
2006-11-21 19:52 -------- d-------- C:\Programmer\Counter-Strike 1.6
2006-11-21 19:51 -------- d--h----- C:\Programmer\InstallShield Installation Information
2006-11-21 16:36 -------- d-------- C:\Programmer\KnightOnline
2006-11-21 16:36 -------- d-------- C:\Programmer\IncrediMail
2006-11-21 16:34 -------- d-------- C:\Programmer\PFConfig
2006-11-19 09:39 -------- d-------- C:\Programmer\Grisoft
2006-11-19 09:16 -------- d-------- C:\Programmer\Mozilla Firefox
2006-11-19 09:15 -------- d-------- C:\Programmer\Logitech
2006-11-19 09:14 -------- d-------- C:\Programmer\DivX
2006-11-19 02:49 -------- d-------- C:\Programmer\Symantec
2006-11-19 02:23 -------- d-------- C:\Programmer\BitLord
2006-11-15 18:53 -------- d-------- C:\Programmer\IDM Computer Solutions
2006-11-15 16:13 -------- d-------- C:\Programmer\Installationer
2006-11-15 13:29 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\GetRightToGo
2006-11-12 09:49 -------- d-------- C:\Programmer\Warcraft III (Ingen Battlenet)
2006-11-06 16:10 27344 --a------ C:\Documents and Settings\Bjorno\Application Data\GDIPFONTCACHEV1.DAT
2006-10-30 15:39 -------- d-------- C:\Programmer\Fælles filer\Microsoft Shared
2006-10-23 13:24 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\AdobeUM
2006-10-20 20:26 -------- d-------- C:\Programmer\Valve
2006-10-20 20:05 -------- d-------- C:\Programmer\THQ
2006-10-20 20:03 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\InstallShield
2006-10-20 19:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-19 20:42 -------- d---s---- C:\Documents and Settings\Bjorno\Application Data\Microsoft
2006-10-19 17:40 4 --a------ C:\WINDOWS\info147.sys
2006-10-18 09:24 -------- d-------- C:\Programmer\Wolfenstein - Enemy Territory
2006-10-16 20:40 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Adobe
2006-10-16 20:38 869 --a------ C:\Documents and Settings\Bjorno\Application Data\AdobeDLM.log
2006-10-16 20:38 0 --a------ C:\Documents and Settings\Bjorno\Application Data\dm.ini
2006-10-16 20:38 -------- d-------- C:\Programmer\Adobe
2006-10-16 20:33 -------- d-------- C:\Programmer\Fælles filer\Adobe
2006-10-14 17:17 -------- d-------- C:\Programmer\Blitzkrieg 2
2006-10-14 11:56 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Talkback
2006-10-13 20:19 -------- d-------- C:\Programmer\Soldat
2006-10-13 13:39 142848 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 20:43 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\IDMComp
2006-10-09 20:08 -------- d-------- C:\Programmer\Fælles filer\Ahead
2006-10-09 20:07 -------- d-------- C:\Programmer\Ahead
2006-10-09 13:17 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\çasks
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 20:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 20:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 20:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-10-01 15:59 -------- d-------- C:\Programmer\Fælles filer\Blizzard Entertainment
2006-09-25 15:12 -------- d-------- C:\Documents and Settings\Bjorno\Application Data\Opera
2006-09-21 18:59 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-09-13 06:06 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-09 13:25 2321664 --a------ C:\WINDOWS\system32\TUKernel.exe
2006-09-01 09:23 69632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-09-01 09:22 155648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-09-01 09:21 110592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-09-01 09:20 131072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 04:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-08-17 17:25 62 --ahs---- C:\Documents and Settings\Bjorno\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LogitechSoftwareUpdate"="C:\\Programmer\\Logitech\\Video\\ManifestEngine.exe boot"
"H/PC Connection Agent"="\"C:\\Programmer\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TuneUp MemOptimizer"="\"C:\\Programmer\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"
"msnmsgr"="\"C:\\Programmer\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programmer\\Logitech\\Video\\ISStart.exe "
"Logitech Hardware Abstraction Layer"="\"C:\\Programmer\\Fælles filer\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Programmer\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"URLLSTCK.exe"="C:\\Programmer\\Norton Internet Security\\UrlLstCk.exe"
"a-squared"="\"C:\\Programmer\\a-squared Anti-Malware\\a2guard.exe\""
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoExpandedNewMenu"=dword:00000000
"GreyMSIAds"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="\"C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="\"C:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ICQ Lite"="\"C:\\Programmer\\ICQLite\\ICQLite.exe\" -minimize"
"WinampAgent"="C:\\Programmer\\Winamp\\winampa.exe"
"Windows Defender"="\"C:\\Programmer\\Windows Defender\\MSASCui.exe\" -hide"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-25 18:23:23.84
C:\ComboFix.txt ... 06-11-25 18:23
C:\ComboFix2.txt ... 06-11-24 14:49
C:\ComboFix3.txt ... 06-11-23 09:57

And the HijackThis (Let's see if it works :D) log:

Still can't get that bleeping log out of it.. NO WAIT!...

IT'S WORKING! :D We are making progress :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 18:27:07, on 25-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Norton Internet Security\ISSVC.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmer\a-squared Anti-Malware\a2guard.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Bjørno\Skrivebord\Spyware - AntiVirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lokes-list.dk/forum/portal.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {84AA9CD5-504F-21EB-1C08-5EF00FCC3B9E} - C:\WINDOWS\system32\tozxeolc.dll (file missing)
R3 - URLSearchHook: (no name) - {03BE7BB3-E675-94DF-2858-BECE1DB8EC94} - C:\WINDOWS\system32\acvzyco.dll (file missing)
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\ittjknur.dll (file missing)
O2 - BHO: (no name) - {03BE7BB3-E675-94DF-2858-BECE1DB8EC94} - C:\WINDOWS\system32\acvzyco.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmer\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {84AA9CD5-504F-21EB-1C08-5EF00FCC3B9E} - C:\WINDOWS\system32\tozxeolc.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E6652336-8E9F-4724-8864-68703EA9A0D7} - C:\WINDOWS\system32\jkklk.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\pdmrqsve.dll (file missing)
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmer\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Programmer\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmer\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [a-squared] "C:\Programmer\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmer\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programmer\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmer\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmer\GetRight\GRbrowse.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmer\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - C:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmer\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programmer\TuneUp Utilities 2006\WinStylerThemeSvc.exe

===========

Well :flowers: Be have it with ya.

-P.E

Edited by Plan.Element, 25 November 2006 - 12:31 PM.
