Infected With Rdll Backdoor?


24 replies to this topic

#1 kimgeni

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO

Posted 02 April 2007 - 06:39 AM

Hey,

I scanned my PC with Bazooka scanner and it found a RDLL backdoor and gave me a link to this page http://www.kephyr.com/spywarescanner/libra...html?source=app
I don't know if I can trust this scanner so I just wanted to check with you. Lavasoft, Spybot and AVG-Antispyware found nothing.

According to Wikipedia (http://en.wikipedia.org/wiki/Nyxem_Worm) this worm tries to disable security related software, and yesterday my AVG-Antispyware was disabled, so Bazooka might be right. Anyway here's my log, I hope you can tell me it's clean.
By the way, my Norton antivirus has also been disabled a couple of times during the last months, and I haven't been able to work out why. Could there be a link?


Logfile of HijackThis v1.99.1
Scan saved at 13:18:43, on 02.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Bazooka Scanner\spywarescanner.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147348959093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks

Kimgeni


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 April 2007 - 07:25 AM

Welcome to the BleepingComputer HijackThis forum kimgeni :thumbsup:

Your log looks clean, let's see if we can find anything.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

***************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the Kaspersky scan report, the C:\ComboFix.txt, and a new HijackThis log into your next reply please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


#3 kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO

Posted 02 April 2007 - 10:42 AM

Hey again.

Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 02, 2007 5:03:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/04/2007
Kaspersky Anti-Virus database records: 273471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 152620
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:32:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\LiveUpdate\2007-04-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Logg\History.IE5\MSHist012007040220070403\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Temp\Perflib_Perfdata_654.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Temporary Internet Files\Content.IE5\QG69JRM3\p[3].swf Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStart.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStop.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\00FB21CE.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.EXE Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.tmp Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\61B83C5B.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\67D4419F.tmp Infected: P2P-Worm.Win32.VB.dw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3E0C683E-89DF-4C61-BBDB-4266F97EC915}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{89C76F88-7CA8-48CF-9CA6-0837BD0AF7E7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



The ComboFix log:

"Kim Andr‚ Johnsen" - 07-04-02 17:16:09 Service Pack 2
ComboFix 07-04-01 - Running from: "C:\Documents and Settings\Kim Andr‚ Johnsen\Skrivebord"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp58.tmp
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\vbuzip10.dll
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\regedit.com


((((((((((((((((((((((((((((((( Files Created from 2007-03-02 to 2007-04-02 ))))))))))))))))))))))))))))))))))


2007-04-02 15:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-02 15:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Kaspersky Lab
2007-03-28 15:36 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-03-28 15:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\MAGIX
2007-03-28 15:35 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-03-28 15:35 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-03-28 15:34 94,208 --a------ C:\WINDOWS\system32\DLLCPY32.dll
2007-03-28 15:34 65,536 --a------ C:\WINDOWS\system32\DLLPTL32.dll
2007-03-28 15:34 61,440 --a------ C:\WINDOWS\system32\DLLCDF32.dll
2007-03-28 15:34 57,344 --a------ C:\WINDOWS\system32\DLLTPO32.dll
2007-03-28 15:34 53,248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll
2007-03-28 15:34 49,152 --a------ C:\WINDOWS\system32\mgxasio2.dll
2007-03-28 15:34 49,152 --a------ C:\WINDOWS\system32\DLLPRF32.dll
2007-03-28 15:34 49,152 --a------ C:\WINDOWS\system32\DLLIO32.dll
2007-03-28 15:34 462,848 --a------ C:\WINDOWS\system32\DLLAV32.dll
2007-03-28 15:34 45,056 --a------ C:\WINDOWS\system32\DLLIMG32.dll
2007-03-28 15:34 430,080 --a------ C:\WINDOWS\system32\MXRestore.exe
2007-03-28 15:34 40,960 --a------ C:\WINDOWS\system32\DLLRD32.dll
2007-03-28 15:34 36,864 --a------ C:\WINDOWS\system32\DLLPNT32.dll
2007-03-28 15:34 32,768 --a------ C:\WINDOWS\system32\STRING32.dll
2007-03-28 15:34 32,768 --a------ C:\WINDOWS\system32\DLLMSC32.dll
2007-03-28 15:34 32,768 --a------ C:\WINDOWS\system32\DLLISO32.dll
2007-03-28 15:34 32,768 --a------ C:\WINDOWS\system32\DLLDIR32.dll
2007-03-28 15:34 24,576 --a------ C:\WINDOWS\system32\TTIC32.dll
2007-03-28 15:34 24,576 --a------ C:\WINDOWS\system32\TTI32.dll
2007-03-28 15:34 24,576 --a------ C:\WINDOWS\system32\DLLIX.dll
2007-03-28 15:34 188,416 --a------ C:\WINDOWS\system32\DLLRES32.dll
2007-03-28 15:34 163,840 --a------ C:\WINDOWS\system32\DLLDEV32.dll
2007-03-28 15:34 151,552 --a------ C:\WINDOWS\system32\DLLDRV32.dll
2007-03-28 15:34 114,688 --a------ C:\WINDOWS\system32\DLLCDA32.dll
2007-03-28 15:34 <DIR> d-------- C:\Programfiler\Fellesfiler\MAGIX Shared
2007-03-28 15:33 85,504 --a------ C:\WINDOWS\system32\HtmlWH.dll
2007-03-28 15:31 655,360 --a------ C:\WINDOWS\system32\mgxoschk.dll
2007-03-28 15:31 <DIR> d-------- C:\WINDOWS\system32\MAGIX
2007-03-27 23:38 73,728 -ra------ C:\WINDOWS\MIDIDEF.EXE
2007-03-27 23:38 21,504 -ra------ C:\WINDOWS\system32\sfman32.dll
2007-03-27 23:38 162,176 -ra------ C:\WINDOWS\system32\drivers\ctusfsyn.sys
2007-03-27 23:38 142,336 -ra------ C:\WINDOWS\system32\drivers\ctsfm2k.sys
2007-03-27 23:38 120,832 -ra------ C:\WINDOWS\system32\sfms32.dll
2007-03-27 23:38 114,688 -ra------ C:\WINDOWS\system32\drivers\ctoss2k.sys
2007-03-27 23:37 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-03-27 23:37 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-03-27 23:37 11,264 -ra------ C:\WINDOWS\InRes.DLL
2007-03-27 22:41 <DIR> dr-h----- C:\DOCUME~1\NETWOR~1\Siste
2007-03-27 22:41 <DIR> d-------- C:\DOCUME~1\NETWOR~1\PROGRA~1\Adobe
2007-03-27 22:40 <DIR> dr------- C:\DOCUME~1\NETWOR~1\Favoritter
2007-03-27 22:40 <DIR> d-------- C:\DOCUME~1\NETWOR~1\PROGRA~1\Google
2007-03-27 21:53 <DIR> d-------- C:\Programfiler\iTunes
2007-03-27 21:53 <DIR> d-------- C:\Programfiler\iPod
2007-03-13 09:57 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\AdobeAUM
2007-03-12 17:36 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2007-03-12 17:35 <DIR> d-------- C:\bc153dd9daf109d37c549cce78
2007-03-12 17:34 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-12 17:34 <DIR> d-------- C:\f6d7f922cd8451aecead795b5e8ff8
2007-03-10 15:53 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\Creative
2007-03-10 15:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-03-10 15:48 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2007-03-10 15:48 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2007-03-10 15:47 <DIR> d--h----- C:\Programfiler\Creative Installation Information
2007-03-10 15:47 <DIR> d-------- C:\Programfiler\Fellesfiler\Creative
2007-03-10 15:42 <DIR> d-------- C:\Programfiler\Creative
2007-03-10 15:40 8,704 -ra------ C:\WINDOWS\system32\drivers\Pfmodnt.sys
2007-03-10 15:40 65,536 -ra------ C:\WINDOWS\system32\A3d.dll
2007-03-10 15:40 53,248 -ra------ C:\WINDOWS\system32\P17CPI.dll
2007-03-10 15:40 137,728 -ra------ C:\WINDOWS\system32\P17res.dll
2007-03-10 15:40 137,728 -ra------ C:\WINDOWS\system32\OemSpi.dll
2007-03-10 15:40 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll
2007-03-10 15:40 10,752 -ra------ C:\WINDOWS\system32\SPIRun.dll
2007-03-10 15:40 1,587,712 --a------ C:\WINDOWS\system32\drivers\p17xfilt.sys
2007-03-10 15:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Creative
2007-03-09 02:11 <DIR> d-------- C:\Programfiler\Fellesfiler\Java
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-03-08 22:04 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-03-08 22:03 147,456 --a------ C:\WINDOWS\R.COM
2007-03-08 22:03 136,704 --a------ C:\WINDOWS\system32\T.COM
2007-03-07 22:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-07 20:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-07 20:26 <DIR> d-------- C:\avg
2007-03-07 20:22 <DIR> d-------- C:\HJT
2007-03-07 15:38 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\Webroot
2007-03-07 10:56 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\Tenebril
2007-03-07 10:50 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-03-07 10:50 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-03-07 00:44 80 -r-hs---- C:\WINDOWS\system32\4D4A084F51.dll
2007-03-07 00:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Protexis
2007-03-07 00:38 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-03-07 00:38 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-03-07 00:38 <DIR> d-------- C:\Programfiler\Spy Cleaner Gold
2007-03-07 00:21 <DIR> d-------- C:\Programfiler\BillP Studios
2007-03-07 00:21 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\WinPatrol
2007-03-06 22:34 <DIR> d-------- C:\Programfiler\WinClamAVShield
2007-03-06 22:32 <DIR> d-------- C:\Programfiler\Spyware Terminator
2007-03-06 22:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spyware Terminator
2007-03-05 20:22 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2007-03-05 20:22 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\SUPERAntiSpyware.com
2007-03-05 20:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-03-05 15:02 1,024,000 --a------ C:\WINDOWS\system32\ewmpegco.dll
2007-03-05 15:01 <DIR> d-------- C:\DOCUME~1\KIMAND~1\PROGRA~1\Video DVD Maker FREE
2007-03-05 15:00 <DIR> d-------- C:\Programfiler\Video DVD Maker FREE
2007-03-05 12:14 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-03-04 21:19 3,534 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-04 21:15 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-04 21:15 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Siste
2007-03-04 21:15 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Programdata
2007-03-04 21:15 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-03-04 21:15 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Mine dokumenter
2007-03-04 21:15 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Favoritter
2007-03-04 21:15 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Skrivere
2007-03-04 21:15 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Maler
2007-03-04 21:15 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Lokale innstillinger
2007-03-04 21:15 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\AndrMask
2007-03-04 21:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Skrivebord
2007-03-04 21:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\PROGRA~1\Symantec
2007-03-04 21:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\PROGRA~1\Sun
2007-03-04 21:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\PROGRA~1\Jasc Software Inc
2007-03-04 16:50 <DIR> d-------- C:\Programfiler\Enigma Software Group
2007-03-04 14:39 <DIR> d-------- C:\Programfiler\Bazooka Scanner
2007-03-04 12:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-03-03 13:38 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-03 13:38 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-03 13:38 <DIR> d-------- C:\Programfiler\Xvid
2007-03-03 13:18 <DIR> d-------- C:\Programfiler\Ace Utilities
2007-03-03 13:08 <DIR> d-------- C:\Programfiler\CCleaner


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-02 12:04 -------- d-------- C:\Programfiler\spywareblaster
2007-04-02 12:04 -------- d-------- C:\Programfiler\spywareblaster
2007-04-01 14:14 -------- d-------- C:\Programfiler\Fellesfiler\symantec shared
2007-03-28 21:23 -------- d-------- C:\Programfiler\dl_cats
2007-03-28 21:23 -------- d-------- C:\Programfiler\dl_cats
2007-03-27 23:42 72704 --a------ C:\WINDOWS\system32\perfc014.dat
2007-03-27 23:42 409210 --a------ C:\WINDOWS\system32\perfh014.dat
2007-03-27 23:33 -------- d--h----- C:\Programfiler\installshield installation information
2007-03-27 23:33 -------- d--h----- C:\Programfiler\installshield installation information
2007-03-27 15:50 -------- d-------- C:\Programfiler\norton internet security
2007-03-27 15:50 -------- d-------- C:\Programfiler\norton internet security
2007-03-25 16:41 -------- d-------- C:\Programfiler\dvdsanta
2007-03-25 16:41 -------- d-------- C:\Programfiler\dvdsanta
2007-03-10 00:24 -------- d-------- C:\Programfiler\quicktime
2007-03-10 00:24 -------- d-------- C:\Programfiler\quicktime
2007-03-09 02:11 -------- d-------- C:\Programfiler\java
2007-03-09 02:11 -------- d-------- C:\Programfiler\java
2007-03-07 23:34 -------- d-------- C:\Programfiler\messenger
2007-03-07 23:34 -------- d-------- C:\Programfiler\messenger
2007-03-07 23:30 -------- d-------- C:\Programfiler\google
2007-03-07 23:30 -------- d-------- C:\Programfiler\google
2007-03-07 23:21 -------- d-------- C:\Programfiler\dell photo aio printer 924
2007-03-07 23:21 -------- d-------- C:\Programfiler\dell photo aio printer 924
2007-03-05 20:21 -------- d-------- C:\Programfiler\Fellesfiler\wise installation wizard
2007-03-03 14:11 -------- d-------- C:\Programfiler\winamp
2007-03-03 14:11 -------- d-------- C:\Programfiler\winamp
2007-02-24 15:22 -------- d-------- C:\Programfiler\symantec
2007-02-24 15:22 -------- d-------- C:\Programfiler\symantec
2007-02-18 19:18 -------- d-------- C:\Programfiler\common files
2007-02-18 19:18 -------- d-------- C:\Programfiler\common files
2007-02-13 21:18 -------- d-------- C:\Programfiler\utorrent
2007-02-13 21:18 -------- d-------- C:\Programfiler\utorrent
2007-02-11 18:30 50 --------- C:\AUTOEXEC.BAT
2007-02-11 18:29 -------- d-------- C:\Programfiler\pixela
2007-02-11 18:29 -------- d-------- C:\Programfiler\pixela
2007-02-11 18:26 -------- d-------- C:\Programfiler\sony corporation
2007-02-11 18:26 -------- d-------- C:\Programfiler\sony corporation
2007-02-11 18:26 -------- d-------- C:\Programfiler\Fellesfiler\muvee technologies
2007-02-07 13:39 517840 --a------ C:\WINDOWS\system32\symneti.dll
2007-02-07 13:39 269616 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-02-07 13:39 132816 --a------ C:\WINDOWS\system32\symredir.dll
2007-02-07 13:38 47184 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-02-07 13:38 36976 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-02-07 13:38 17968 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-02-07 13:38 173392 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-02-07 13:38 11536 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-02-03 20:58 -------- d-------- C:\Programfiler\electronic arts
2007-02-03 20:58 -------- d-------- C:\Programfiler\electronic arts
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Programfiler\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SigmatelSysTrayApp"="stsystra.exe"
"ATIPTA"="\"C:\\Programfiler\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DVDLauncher"="\"C:\\Programfiler\\filer\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DMXLauncher"="C:\\Programfiler\\Dell\\Media Experience\\DMXLauncher.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\FELLES~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Programfiler\\Fellesfiler\\InstallShield\\UpdateService\\issch.exe\" -start"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DLCCCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCCtime.dll,_RunDLLEntry@16"
"dlccmon.exe"="\"C:\\Programfiler\\Dell Photo AIO Printer 924\\dlccmon.exe\""
"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Adobe Photo Downloader"="\"C:\\Programfiler\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"RegistryMechanic"=""
"WinPatrol"="C:\\Programfiler\\BillP Studios\\WinPatrol\\winpatrol.exe"
"!AVG Anti-Spyware"="\"C:\\Programfiler\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Programfiler\\Java\\jre1.6.0\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Programfiler\\QuickTime\\qttask.exe\" -atboottime"
"VolPanel"="\"C:\\Programfiler\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanlu.exe\" /r"
"iTunesHelper"="\"C:\\Programfiler\\iTunes\\iTunesHelper.exe\""
"P17Helper"="Rundll32 SPIRun.dll,RunDLLEntry"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Søk på min datamaskin - Kim André Johnsen.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-02 17:26:13



I don't know if you wanted this, but here's the ComboFix quarantined files log


03-01-26 16:48 147456 --a------ C:\Qoobox\Quarantine\07-04-02\WINDOWS\system32\Vbzip11.dll.vir
04-08-04 14:00 136704 --a------ C:\Qoobox\Quarantine\07-04-02\WINDOWS\system32\TASKMGR.COM.vir
04-08-04 14:00 147456 --a------ C:\Qoobox\Quarantine\07-04-02\WINDOWS\REGEDIT.COM.vir
06-04-20 11:32 663675 --a------ C:\Qoobox\Quarantine\07-04-02\WINDOWS\system32\tmp58.tmp.vir
98-12-02 10:11 143360 --a------ C:\Qoobox\Quarantine\07-04-02\WINDOWS\system32\vbuzip10.dll.vir


Søkebane
Volumserienummeret er E8DF-3FA1
C:\QOOBOX
\---Quarantine
    \---07-04-02
        +---Registry_backups
        \---WINDOWS
            |   REGEDIT.COM.vir
            |
            \---system32
                    TASKMGR.COM.vir
                    tmp58.tmp.vir
                    vbuzip10.dll.vir
                    Vbzip11.dll.vir



Hijack

Logfile of HijackThis v1.99.1
Scan saved at 17:30:15, on 02.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Java\jre1.6.0\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147348959093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe



Thanks

Kimgeni
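One way to triage a HijackThis log like the ones posted in this thread is to parse its O-lines and pull out the entries a responder would check first. The script below is an added example and is not part of this thread, of HijackThis, or of any tool mentioned here; the sample lines are copied from the log above, except for the last Temp-folder entry, which is constructed to exercise the location check. The flagging rules are illustrative assumptions, not HijackThis's own logic.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not part of
the thread or of HijackThis). Flagging rules are illustrative assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log in this thread plus one
# made-up Temp-folder entry (the last line) to exercise the location check.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O4 - HKCU\..\Run: [update] C:\DOCUME~1\USER~1\LOKALE~1\Temp\svch0st.exe
"""

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# Autostart targets under a profile or Temp directory deserve a closer look.
USER_WRITABLE = re.compile(r"\\(temp|docume~1|documents and settings)\\", re.I)


@dataclass
class Entry:
    kind: str         # "O4", "O23", ...
    name: str         # value name, display name or BHO name
    path: str         # command line or file path exactly as logged
    vendor: str = ""  # O23 vendor column; O4 registry hive


def parse_line(line: str):
    """One HijackThis line -> Entry, or None for lines this parser skips
    (non-O lines and O4 'Global Startup' shortcuts)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O4":
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        hive, name, cmd = m4.groups()
        return Entry(kind, name, cmd, hive)
    body = rest.split(":", 1)[1].strip() if ":" in rest else rest
    if kind == "O23":  # "<display> - <vendor> - <path>"
        parts = body.split(" - ", 2)
        if len(parts) == 3:
            return Entry(kind, parts[0], parts[2], parts[1])
        return Entry(kind, body, "")
    parts = body.split(" - ")  # "<name> [- {CLSID}] - <path>"
    return Entry(kind, parts[0], parts[-1] if len(parts) > 1 else "")


def executable_of(command: str) -> str:
    """The file a Run-key command line actually loads."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]  # the DLL, not rundll32 itself
    return tokens[0]


def triage(entry: Entry) -> list:
    """Reasons (possibly none) why this entry deserves a closer look."""
    reasons = []
    if "(file missing)" in entry.path.lower():
        reasons.append("target file missing (orphaned entry)")
    if entry.name.lower() == "(no name)":
        reasons.append("entry has no name")
    if entry.kind == "O23" and entry.vendor.lower() == "unknown owner":
        reasons.append("service has no known owner/vendor")
    target = executable_of(entry.path) if entry.kind == "O4" else entry.path
    if target and "\\" not in target:
        reasons.append("bare filename, resolved through the search path")
    if USER_WRITABLE.search(target):
        reasons.append("autostart target lives in a user-writable location")
    return reasons


def triage_log(text: str) -> dict:
    """Map '<kind> <name>' to its reasons for every entry that trips a check."""
    flagged = {}
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged[f"{entry.kind} {entry.name}"] = reasons
    return flagged
```

The checks produce leads, not verdicts: in this very log the legitimate Spybot helper shows up as "(no name)" and the Sigmatel tray applet is a bare filename, so each hit still has to be confirmed against the vendor, the file's location on disk and a multi-engine hash lookup of the kind used later in this thread.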

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:24 PM

Posted 02 April 2007 - 11:01 AM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\4D4A084F51.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\4D4A084F51.dll
Then click on 'Send'.
Post the results into your next reply please.

******************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

******************

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\zts2.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll

Reboot normally.

Scan with Bazooka, let me know if it's still finding anything now or not please.

#5 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 02 April 2007 - 12:15 PM

Here's the virusscan
Service load: 0% 100%

File: 4D4A084F51.dll
Status: OK
MD5 dae79c85daa6c259c08b04a4d37d13aa
Packers detected: -

Scanner results
Scan taken on 02 Apr 2007 16:58:09 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I've looked for the files you said I should delete with Windows explorer in normal mode. I can't find the last 2. Will I see these in Safe Mode, or should I use another method than windows explorer? I haven't deleted anything yet. When you say delete you just mean right click and delete, right?

Thanks

#6 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 02 April 2007 - 12:33 PM

I found the last 2. They were listed as folders, I thought they were listed as dll.
By the way everything but R.com and T.com are listed as empty folders.

I still wonder if I should delete with right click and delete.


Thanks

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:24 PM

Posted 02 April 2007 - 12:57 PM

Leave those two files for now, scan with Bazooka, let me know if it's still finding anything now or not please.

#8 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 02 April 2007 - 01:01 PM

Yes it still finds RDLL backdoor, but I haven't deleted any of the 8 files you said I should delete. I suppose I should delete them? I've found all 8.

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:24 PM

Posted 02 April 2007 - 01:06 PM

Delete all those eight files then do the following:

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#10 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 02 April 2007 - 01:26 PM

I've deleted the 8 files.
Now Bazooka finds nothing. Should I still proceed with DrWeb-CureIt?

Thanks

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:24 PM

Posted 02 April 2007 - 02:33 PM

Now Bazooka finds nothing. Should I still proceed with DrWeb-CureIt?

Don't bother, there's no point now :thumbsup:

If all's ok,please do the following:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

#12 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 02 April 2007 - 04:37 PM

I've deleted the old system restore points, created a new one and changed the folder options.

I visited the link, and I just wanted to say that some of the information about IE probably is out of date. Point 13 includes some advice about the security options in IE. I run IE7, and as far as I could see all the 6 points are either set to "disable" or "ask the user" in my settings. This is no big deal, but I see it's written in Aug 2004, so perhaps you should have a look at IE7 and see if the default settings are OK? Then you could add that IE7 includes these options, if that's the case?

Is there an automatic upgrade function in Java?

Thank you very much for helping me remove these threats. :thumbsup:

Kimgeni

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:24 PM

Posted 02 April 2007 - 06:17 PM

You're most welcome Kimgeni :thumbsup:

Is there an automatic upgrade function in Java?

Click on Start/Control Panel/Java Control Panel.
Under the 'Update' tab, make sure the box 'Check for updates automatically' is checked.
Press Apply/Ok.

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.

*This topic has been reopened at the request of Kimgeni*

Edited by RichieUK, 07 April 2007 - 06:55 AM.


#14 kimgeni

kimgeni
  • Topic Starter

  • Members
  • 104 posts
  • Gender:Male
  • Location:NO
  • Local time:07:24 PM

Posted 07 April 2007 - 08:14 AM

Summary: I started this topic because Bazooka scanner said I was infected with RDLL backdoor. I scanned with Kaspersky, ran ComboFix and deleted the 8 files manually. Then Bazooka found nothing.

Yesterday my Sonic Digital Media wouldn't start, and Windows didn't respond to some of the things I wanted to do after I tried to open Sonic. (I tried to open an mp3 file in Windows Media Player, and the whole system froze for a minute or so. It wouldn't even open the task manager). Because of this I scanned my PC with Kaspersky, to make sure there weren't any viruses. I ran the extended scan, and as far as I can see it found the same 8 threats as it did when I tried to remove the Rdll backdoor.

I will post my Sonic problem in another topic, but since you probably know these viruses best, I just wanted to ask you if any of these worms/viruses can cause problems for Sonic? Could ComboFix cause problems by accident?


Here's my Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 07, 2007 12:45:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/04/2007
Kaspersky Anti-Virus database records: 292280
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 149798
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:25:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\LiveUpdate\2007-04-07_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStart.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStop.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\00FB21CE.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.EXE Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.tmp Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\61B83C5B.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\67D4419F.tmp Infected: P2P-Worm.Win32.VB.dw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3E0C683E-89DF-4C61-BBDB-4266F97EC915}\RP41\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AF67B97F-B8BB-4C72-A70F-F8B5965A8D5B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:50:31, on 07.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\Java\jre1.6.0\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programfiler\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programfiler\filer\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programfiler\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Programfiler\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Programfiler\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147348959093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks

Kimgeni

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 07 April 2007 - 08:53 AM

Hello kimgeni :thumbsup:

C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\00FB21CE.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.EXE Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.tmp Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\61B83C5B.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\67D4419F.tmp Infected: P2P-Worm.Win32.VB.dw skipped

All the objects detected by Kaspersky are safe inside the Norton AntiVirus\Quarantine folder, so there's no need for concern there.
Your Hijackthis log is still clean.

***************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

****************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.
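Added example (Python), not code from the thread, from BleepingComputer or from Kaspersky: a small triage helper for a Kaspersky Online Scanner report like the one posted above. It separates "Object is locked skipped" entries from real "Infected:" detections, flags detections whose path sits inside a quarantine folder (the distinction RichieUK draws above: objects already in Norton AntiVirus\Quarantine are contained), and cross-checks the parsed count against the scanner's own "Number of infected objects" statistic. The quarantine markers are the two folder names mentioned in the thread (Norton's and Dr.Web's); any other vendor's quarantine path would need to be added. The embedded sample report is constructed from the posted log plus one made-up non-quarantine line so both outcomes appear; every name in that line is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: not part of the thread or of any Kaspersky tool.
# Path fragments that mark an antivirus quarantine store. The two entries are
# the folders named in the thread (Norton AntiVirus\Quarantine and
# DoctorWeb\Quarantine); extend this tuple for other products.
QUARANTINE_MARKERS = (
    "\\norton antivirus\\quarantine\\",
    "\\doctorweb\\quarantine\\",
)

# Report line shapes used by the scanner:
#   "<path> Infected: <detection name> <last action>"
#   "<path> Object is locked <last action>"
#   "<statistic name>: <integer>"   (only in the Scan Statistics block)
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)$")


@dataclass
class Detection:
    path: str
    name: str
    action: str

    @property
    def in_quarantine(self) -> bool:
        """True when the path lies inside a known quarantine folder."""
        lowered = self.path.lower()
        return any(marker in lowered for marker in QUARANTINE_MARKERS)


@dataclass
class Report:
    stats: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)
    locked: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Parse the report text into statistics, detections and locked objects."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            report.detections.append(Detection(m["path"], m["name"], m["action"]))
            continue
        m = LOCKED_RE.match(line)
        if m:
            report.locked.append(m["path"])
            continue
        m = STAT_RE.match(line)
        if m:
            report.stats[m["key"]] = int(m["value"])
    return report


def triage(report: Report) -> Dict[str, object]:
    """Split detections into contained (in quarantine) and active ones."""
    contained = [d for d in report.detections if d.in_quarantine]
    active = [d for d in report.detections if not d.in_quarantine]
    reported = report.stats.get("Number of infected objects")
    return {
        "contained": contained,
        "active": active,
        "distinct_names": sorted({d.name for d in report.detections}),
        "locked_count": len(report.locked),
        # A mismatch here means the report used a line format we did not parse,
        # so the analyst should not trust the split above without a look.
        "count_matches_stats": reported == len(report.detections),
    }


# Constructed sample: statistics and quarantine lines follow the posted log; the
# "C:\constructed\..." line and its detection name are placeholders added so
# that the non-quarantine branch is exercised too.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 149798
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:25:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\Kim André Johnsen\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\00FB21CE.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.EXE Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\216650B3.tmp Infected: Trojan.BAT.Delwin.ci skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\61B83C5B.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\Quarantine\67D4419F.tmp Infected: P2P-Worm.Win32.VB.dw skipped
C:\constructed\sample\not_quarantined.exe Infected: Constructed.Test.Sample skipped
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"contained in quarantine: {len(result['contained'])}")
    print(f"active (outside quarantine): {len(result['active'])}")
    for d in result["active"]:
        print(f"  needs attention: {d.path} ({d.name})")
    print(f"locked objects skipped: {result['locked_count']}")
    print(f"count matches scanner statistics: {result['count_matches_stats']}")
```

Run on the constructed sample it reports five contained detections, one active one, three locked objects and a matching count; on the log actually posted above every detection is contained, which is exactly why the reply says there is no cause for concern. Locked system files (registry hives, index.dat, AV logs) are listed only because the scanner could not open them, not because anything was found in them.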