Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winstall.exe And More ?


  • Please log in to reply
24 replies to this topic

#1 swesold

swesold

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 09:16 AM

Hello,

I know that I have something called winstall.exe on my computer.

Occasionally ZoneAlarm blocks programs from connecting and they
are called 7813.exe, 38323.exe, 28918.exe and so on.

My Bazooka scanner (from Kephyr.com) detects spyware called
Exploit searchterror.com and Exploit Beehappyy.biz

My Windows is updated with the latest security stuff.

I have done this so far:

* Used Ad-Aware and Spybot S&D: They found nothing
* Virusscan with Avast: It finds nothing
* Followed the instructions in Bazooka: Didn´t work
* Used McAfee Stinger: Didn´t find anything
* Use the SmitFraudFix: Didn´t work

(Yes, I did it exactly as I was instructed to do)

My Hijkackthis log looks like this:


Logfile of HijackThis v1.99.1
Scan saved at 15:10:01, on 2006-12-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Bazooka Adware and Spyware Scanner\spywarescanner.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6245CBFA-5421-CBAE-C9F4-088C1A6B1088} - C:\WINDOWS\system32\cpcsnmd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Error Nuker] C:\Program\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [scagzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scagzdh.dll,jgunfjf
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gubbklubben.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E0AD6-0A5C-49C7-A724-C98D8A671729}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


In you I trust :thumbsup:

/ Lars

BC AdBot (Login to Remove)

 


#2 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 09:21 AM

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Enviroinment (JRE) 6, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (12.6 MB).
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586.exe to install the newest version.
* First download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware 7.5 and update the definition files.
  • Run AVG Anti-Spyware
  • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
[/list]Close AVG Anti-Spyware 7.5, Do Not run a scan just yet, we will shortly.

* If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


* Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* Next, run Ad-aware and perform a full scan. Remove everything found.
  • Lauch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware 7.5 will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Restart your computer in normal mode.

* Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* After that, post a new hijackthis log here with the report of AVG anntispyware.
Greets Jürgenv

Donation: Click me.

#3 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 09:58 AM

Wow, an answer in 5 minutes !

I am so grateful. I´ll try this.

THX,
Lars

#4 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 06:07 PM

Ok, done it.

At start-up I noticed that the computer is
working much faster.
While I was trying to log in here ZoneAlarm
warned me that 42543.exe was trying to
connect to Internet. I blocked it and then the
winstall.exe problem started again.

Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 00:02:51, on 2006-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Java\jre1.6.0\bin\jusched.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6245CBFA-5421-CBAE-C9F4-088C1A6B1088} - C:\WINDOWS\system32\cpcsnmd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Error Nuker] C:\Program\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [scagzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scagzdh.dll,jgunfjf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gubbklubben.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E0AD6-0A5C-49C7-A724-C98D8A671729}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:52:06 2006-12-26

+ Scan result:



HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Windows installer -> Adware.PestTrap : Error during cleaning.
C:\Documents and Settings\HP_Ägaren\toanffmx.exe -> Downloader.Busky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6F2B2361-1686-4DB2-B7A7-993D820D9C79}\RP2\A0000257.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6F2B2361-1686-4DB2-B7A7-993D820D9C79}\RP1\A0000034.exe -> Downloader.Small.cpg : Cleaned with backup (quarantined).
C:\winstall.exe -> Downloader.Small.cpg : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Johanna\Cookies\johanna@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.154:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.155:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.119:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.120:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.121:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.122:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.123:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.124:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.125:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.126:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.127:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.128:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.129:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.130:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.131:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.132:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.133:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.134:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.135:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.136:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.137:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.167:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.168:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.169:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.111:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.83:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.7:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.57:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.58:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.52:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.62:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.68:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.69:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.70:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.71:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.11:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.12:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.161:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.85:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.8:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.48:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.49:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.61:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.62:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.63:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.78:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.79:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.91:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.96:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Johanna\Cookies\johanna@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Johanna\Cookies\johanna@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.114:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.48:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.39:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.40:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.79:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.80:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.81:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.66:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.9:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.60:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.61:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.60:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.5:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Johanna\Cookies\johanna@php.sales.tfag[1].txt -> TrackingCookie.Tfag : Cleaned.
:mozilla.16:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.17:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.24:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.25:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.26:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.27:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.28:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.29:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.30:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.31:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.32:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.32:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.33:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.33:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\2nw2bid6.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.34:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.37:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.38:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.39:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.40:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.41:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.65:C:\Documents and Settings\HP_Ägaren\Application Data\Mozilla\Firefox\Profiles\x7i2139d.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Johanna\Cookies\johanna@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

#5 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 06:10 PM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv

Donation: Click me.

#6 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 06:16 PM

HP_ˇgaren - 06-12-27 0:12:51,96 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\HP_ˇgaren\Skrivbord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\winstall.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-27 to 2006-12-27 ))))))))))))))))))))))))))))))))))


2006-12-26 21:27 <KAT> d-------- C:\Program\Java
2006-12-26 21:27 <KAT> d-------- C:\Program\Delade filer\Java
2006-12-26 21:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-26 21:07 <KAT> d-------- C:\Program\Grisoft
2006-12-22 17:22 4,650 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-22 16:57 <KAT> d-------- C:\Program\RegCleaner
2006-12-22 10:38 <KAT> d-------- C:\Program\FreeFixer
2006-12-04 04:03 16,896 --a------ C:\WINDOWS\system32\xlibgfl254.dll
2006-12-04 04:03 <KAT> d-------- C:\WINDOWS\system32\ultra
2006-12-04 04:02 71,680 --a------ C:\WINDOWS\system32\cpcsnmd.dll
2006-12-04 03:37 <KAT> d-------- C:\Program\Delade filer\Real
2006-12-04 03:36 <KAT> d-------- C:\Documents and Settings\HP_ˇgaren\Application Data\Real
2006-12-04 03:35 <KAT> d-------- C:\My Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-27 00:01 29192 --a------ C:\Documents and Settings\HP_ˇgaren\Application Data\__delete_on_reboot__4_2_5_4_3_._e_x_e_
2006-12-26 21:27 -------- d-------- C:\Program\Delade filer
2006-12-14 16:42 -------- d-------- C:\Program\Internet Explorer
2006-12-14 16:41 -------- d-------- C:\Program\Outlook Express
2006-12-14 16:41 -------- d-------- C:\Program\Delade filer\System
2006-12-07 07:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 01:56 -------- d-------- C:\Program\HLSW
2006-11-19 11:06 -------- d-------- C:\Program\Sony Ericsson
2006-11-19 11:06 -------- d-------- C:\Program\Delade filer\Teleca Shared
2006-11-19 01:35 -------- d-------- C:\Program\MSXML 4.0
2006-11-18 19:54 -------- d--h----- C:\Program\InstallShield Installation Information
2006-11-18 19:54 -------- d-------- C:\Program\Nokia
2006-11-13 17:18 -------- d-------- C:\Program\AusLogics Disk Defrag
2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-06 17:18 -------- d-------- C:\Documents and Settings\HP_ˇgaren\Application Data\AdobeUM
2006-11-05 12:59 -------- d-------- C:\Program\eRightSoft
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-20 02:39 712192 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HPHUPD06"="c:\\Program\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Home Theater SchSvr"="\"C:\\Program\\Delade filer\\InterVideo\\SchSvr\\SchSvr.exe\""
"WINREMOTE"="C:\\Program\\InterVideo\\Common\\Bin\\WinRemote.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"CTDVDDET"="C:\\Program\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDet.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"WINCINEMAMGR"="C:\\Program\\InterVideo\\Common\\Bin\\WinRemote.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NWEReboot"=""
"ISUSPM Startup"="C:\\Program\\DELADE~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"Error Nuker"="C:\\Program\\Error Nuker\\bin\\ErrorNuker.exe autostart"
"ISUSScheduler"="\"C:\\Program\\Delade filer\\InstallShield\\UpdateService\\issch.exe\" -start"
"CTHelper"="CTHELPER.EXE"
"CTXFIREG"="CTxfiReg.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Zone Labs Client"="\"C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"scagzdh.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\scagzdh.dll,jgunfjf"
"!AVG Anti-Spyware"="\"C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"Windows installer"="C:\\winstall.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"="MIDIDEF.EXE"
"StartMS"="\"C:\\Program\\Creative\\Shared Files\\Media Sniffer\\StartMS.EXE\" /s"
"CMSRegOW.exe"="\"C:\\Program\\InstallShield Installation Information\\{56F3E1FF-54FE-4384-A153-6CCABA097814}\\CMSRegOW.exe\" /r"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"Windows installer"="C:\\winstall.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"="MIDIDEF.EXE"
"StartMS"="\"C:\\Program\\Creative\\Shared Files\\Media Sniffer\\StartMS.EXE\" /s"
"CMSRegOW.exe"="\"C:\\Program\\InstallShield Installation Information\\{56F3E1FF-54FE-4384-A153-6CCABA097814}\\CMSRegOW.exe\" /r"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=dword:00000002
"SPTISRV"=dword:00000003
"PACSPTISVR"=dword:00000003
"ose"=dword:00000003
"NetMDSB"=dword:00000003
"LightScribeService"=dword:00000002
"iPodService"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

Completion time: 06-12-27 0:13:48.56
C:\ComboFix.txt ... 06-12-27 00:13


And:

Logfile of HijackThis v1.99.1
Scan saved at 00:15:56, on 2006-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Java\jre1.6.0\bin\jusched.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6245CBFA-5421-CBAE-C9F4-088C1A6B1088} - C:\WINDOWS\system32\cpcsnmd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Error Nuker] C:\Program\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [scagzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scagzdh.dll,jgunfjf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gubbklubben.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E0AD6-0A5C-49C7-A724-C98D8A671729}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 06:22 PM

* Please open hijackthis and put a check next to the following:

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {6245CBFA-5421-CBAE-C9F4-088C1A6B1088} - C:\WINDOWS\system32\cpcsnmd.dll
O4 - HKLM\..\Run: [Error Nuker] C:\Program\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [scagzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scagzdh.dll,jgunfjf


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\scagzdh.dll
    C:\WINDOWS\system32\cpcsnmd.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Go to http://www.virustotal.com/en/indexf.html and upload following file:

C:\WINDOWS\system32\xlibgfl254.dll

* Post the results of Virustotal here with a new hijackthis log.
Greets Jürgenv

Donation: Click me.

#8 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 07:18 PM

I´m sorry but my english isn´t good enough...

I did this:

* Please open hijackthis and put a check next to the following:

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {6245CBFA-5421-CBAE-C9F4-088C1A6B1088} - C:\WINDOWS\system32\cpcsnmd.dll
O4 - HKLM\..\Run: [Error Nuker] C:\Program\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [scagzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scagzdh.dll,jgunfjf

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Please download the Killbox by Option^Explicit.


and this:

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.


But I don´t understand this part:


Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\scagzdh.dll
C:\WINDOWS\system32\cpcsnmd.dll


I don´t know what "clipboard" you mean.
Am I supposed to find the dll-files mentioned in the system32 folder ?
Well, they are no longer there.
Can you please explain what I´m supposed to with the "copy and paste"-part ?

So sorry for this.........

#9 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 07:21 PM

Just highlight those lines and press CTRL + C to copy and CTRL + V to paste. :thumbsup:
Greets Jürgenv

Donation: Click me.

#10 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 07:46 PM

The result from Virustotal:

STATUS: FINISHEDComplete scanning result of "xlibgfl254.dll", received in VirusTotal at 12.27.2006, 01:39:06 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.26.2006 TR/Hijack.A.16896.B
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.26.2006 no virus found
BitDefender 7.2 12.26.2006 no virus found
CAT-QuickHeal 8.00 12.26.2006 no virus found
ClamAV devel-20060426 12.26.2006 no virus found
DrWeb 4.33 12.26.2006 Trojan.DownLoader.16932
eSafe 7.0.14.0 12.26.2006 no virus found
eTrust-InoculateIT 23.73.98 12.24.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4.0 12.26.2006 no virus found
Fortinet 2.82.0.0 12.26.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.26.2006 no virus found
Kaspersky 4.0.2.24 12.27.2006 no virus found
McAfee 4926 12.26.2006 no virus found
Microsoft 1.1904 12.26.2006 no virus found
NOD32v2 1939 12.26.2006 no virus found
Norman 5.80.02 12.26.2006 no virus found
Panda 9.0.0.4 12.27.2006 Dialer.IOD
Prevx1 V2 12.27.2006 no virus found
Sophos 4.13.0 12.26.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.26.2006 no virus found
VBA32 3.11.1 12.26.2006 Trojan.DownLoader.16932
VirusBuster 4.3.19:9 12.26.2006 no virus found


And the Hjt-log:

Logfile of HijackThis v1.99.1
Scan saved at 01:42:41, on 2006-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Java\jre1.6.0\bin\jusched.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Ägaren\Application Data\58585.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gubbklubben.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E0AD6-0A5C-49C7-A724-C98D8A671729}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And by the way...AVG alerts that it found malware on my computer: Downloader.Small.cpg
and, of course, ZoneAlarm blocked antoher attempt and the winstall.exe is back.......

#11 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 07:49 PM

Please highlight the following line and paste it in killbox and let killbox delete the file:

C:\WINDOWS\system32\xlibgfl254.dll
Greets Jürgenv

Donation: Click me.

#12 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 07:57 PM

Done.

Am I cured now ?

#13 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 07:59 PM

Post me a new hijackthis log and a new combofix log.
Greets Jürgenv

Donation: Click me.

#14 swesold

swesold
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Location:Gothenburg, Sweden
  • Local time:08:29 AM

Posted 26 December 2006 - 08:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 02:00:31, on 2006-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe
C:\Program\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Java\jre1.6.0\bin\jusched.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: HP-vy - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program\Delade filer\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Program\InterVideo\Common\Bin\WinRemote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gubbklubben.se
O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E0AD6-0A5C-49C7-A724-C98D8A671729}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------------------------------------------------------------------------

HP_ˇgaren - 06-12-27 2:01:31,32 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\HP_ˇgaren\Skrivbord"

((((((((((((((((((((((((((((((( Files Created from 2006-11-27 to 2006-12-27 ))))))))))))))))))))))))))))))))))


2006-12-27 00:33 <KAT> d-------- C:\!KillBox
2006-12-26 21:27 <KAT> d-------- C:\Program\Java
2006-12-26 21:27 <KAT> d-------- C:\Program\Delade filer\Java
2006-12-26 21:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-26 21:07 <KAT> d-------- C:\Program\Grisoft
2006-12-22 17:22 4,650 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-22 16:57 <KAT> d-------- C:\Program\RegCleaner
2006-12-22 10:38 <KAT> d-------- C:\Program\FreeFixer
2006-12-04 04:03 <KAT> d-------- C:\WINDOWS\system32\ultra
2006-12-04 03:37 <KAT> d-------- C:\Program\Delade filer\Real
2006-12-04 03:36 <KAT> d-------- C:\Documents and Settings\HP_ˇgaren\Application Data\Real
2006-12-04 03:35 <KAT> d-------- C:\My Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-26 21:27 -------- d-------- C:\Program\Delade filer
2006-12-14 16:42 -------- d-------- C:\Program\Internet Explorer
2006-12-14 16:41 -------- d-------- C:\Program\Outlook Express
2006-12-14 16:41 -------- d-------- C:\Program\Delade filer\System
2006-12-07 07:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 01:56 -------- d-------- C:\Program\HLSW
2006-11-19 11:06 -------- d-------- C:\Program\Sony Ericsson
2006-11-19 11:06 -------- d-------- C:\Program\Delade filer\Teleca Shared
2006-11-19 01:35 -------- d-------- C:\Program\MSXML 4.0
2006-11-18 19:54 -------- d--h----- C:\Program\InstallShield Installation Information
2006-11-18 19:54 -------- d-------- C:\Program\Nokia
2006-11-13 17:18 -------- d-------- C:\Program\AusLogics Disk Defrag
2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-06 17:18 -------- d-------- C:\Documents and Settings\HP_ˇgaren\Application Data\AdobeUM
2006-11-05 12:59 -------- d-------- C:\Program\eRightSoft
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-20 02:39 712192 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HPHUPD06"="c:\\Program\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Home Theater SchSvr"="\"C:\\Program\\Delade filer\\InterVideo\\SchSvr\\SchSvr.exe\""
"WINREMOTE"="C:\\Program\\InterVideo\\Common\\Bin\\WinRemote.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"CTDVDDET"="C:\\Program\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDet.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"WINCINEMAMGR"="C:\\Program\\InterVideo\\Common\\Bin\\WinRemote.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NWEReboot"=""
"ISUSPM Startup"="C:\\Program\\DELADE~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program\\Delade filer\\InstallShield\\UpdateService\\issch.exe\" -start"
"CTHelper"="CTHELPER.EXE"
"CTXFIREG"="CTxfiReg.exe"
"avast!"="C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe"
"Zone Labs Client"="\"C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"="\"C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"Windows installer"="C:\\winstall.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"="MIDIDEF.EXE"
"StartMS"="\"C:\\Program\\Creative\\Shared Files\\Media Sniffer\\StartMS.EXE\" /s"
"CMSRegOW.exe"="\"C:\\Program\\InstallShield Installation Information\\{56F3E1FF-54FE-4384-A153-6CCABA097814}\\CMSRegOW.exe\" /r"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"Windows installer"="C:\\winstall.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"="MIDIDEF.EXE"
"StartMS"="\"C:\\Program\\Creative\\Shared Files\\Media Sniffer\\StartMS.EXE\" /s"
"CMSRegOW.exe"="\"C:\\Program\\InstallShield Installation Information\\{56F3E1FF-54FE-4384-A153-6CCABA097814}\\CMSRegOW.exe\" /r"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=dword:00000002
"SPTISRV"=dword:00000003
"PACSPTISVR"=dword:00000003
"ose"=dword:00000003
"NetMDSB"=dword:00000003
"LightScribeService"=dword:00000002
"iPodService"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

Completion time: 06-12-27 2:02:28.64
C:\ComboFix.txt ... 06-12-27 02:02
C:\ComboFix2.txt ... 06-12-27 00:13

#15 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:29 AM

Posted 26 December 2006 - 08:08 PM

Please run Notepad and paste the following text into a new file:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

* After that, reboot and post a new hijackthis log here with a new log from combofix.
Greets Jürgenv

Donation: Click me.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users