
FOR- and ZTR-files


  • This topic is locked
10 replies to this topic

#1 thomcats

  • Members
  • 38 posts

Posted 07 July 2007 - 07:20 AM

Hello,

Referring to my initial post on this site in another forum:

http://www.bleepingcomputer.com/forums/t/98899/for-and-ztr-files-are-they-sings-of-infection/

I’m now ready to post my HijackThis log. I have performed all recommended actions and scans, which resulted in SUPERAntiSpyware removing 2 tracking cookies and BitDefender 10 reporting the presence of a Trojan – Trojan.Spy.Banker.CNQ – in the system restore volume. However, it doesn’t seem to me that this Trojan is present on any other part of the comp than there, and BitDefender has reported that it cannot do any harm anymore. I hope that this is true.

For easier viewing and understanding of the log, I will also post the initial question and worry once more:


“ …Using:
Windows Professional Service Pack 2, on
Intel Pentium 4
CPU 3000 GHz
RAM 2 GB…..

…..in the last few days a couple of files have turned up that I don't know where they come from or what they intend to do on the comp. It is WinPatrol which reports on them and tells me that they are hidden files which want to start some action or other. I have not agreed to proceed but have deleted them, since WinPatrol has not been able to give any information on what is behind these hidden files. Since they are recent, I have a hard time believing that they belong to the System, where they claim to reside. Although I delete them, they continue to recur and I continue to delete them. A rather unsatisfactory situation.

They look slightly different every time but certain elements are always present.

Thus I've seen one day:
FORD6.tmp
FORD8.tmp
ZTRD5.tmp, and
ZTRD7.tmp

And on another day they can look like this:
FOR3D.tmp
ZTR5D.tmp

And I've also seen:
Z@TR6.tmp

Does anyone know about these files, what they are meant to do and who issues them?

Are they harmful to my comp?”


Thanks in advance for the views and comments of the experts!

Thomcats

The log:

Logfile of HijackThis v1.99.1
Scan saved at 14:13:03, on 2007-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Acronis\Schedule2\schedul2.exe
E:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program\Delade filer\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Softwin\BitDefender10\bdagent.exe
C:\Program\Java\jre1.5.0_10\bin\jusched.exe
E:\Program\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
E:\Program\1stClock\1stClock.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
E:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
E:\Program\Azureus\Azureus.exe
C:\Program\Delade filer\Softwin\BitDefender Scan Server\bdss.exe
C:\Program\Softwin\BitDefender10\vsserv.exe
C:\Program\Softwin\BitDefender10\bdmcon.exe
E:\Program\Microsoft Office\OFFICE11\OSA.EXE
C:\Program\Internet Explorer\iexplore.exe
E:\Program\HIJACK\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program\Delade filer\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 1st Clock.lnk = E:\Program\1stClock\1stClock.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DeskColor.lnk = E:\Program\DeskColor\DeskColor.exe
O8 - Extra context menu item: Anpassa meny - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - C:\WINDOWS\Installer\$PatchCache$\Managed\D140111900063D11C8EF10054038389C\11.0.5614\EXCEL.exe
O8 - Extra context menu item: Fyll i formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RF verktygsfält - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Spara formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Spara - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Spara formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF verktygsfält - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135369955515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135881980890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{023177B7-8853-4418-8ECA-538E4CD54C1E}: NameServer = 195.54.122.200,195.54.122.204
O20 - Winlogon Notify: !SASWinLogon - E:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program\Delade filer\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program\Delade filer\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program\Delade filer\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program\Delade filer\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 16 July 2007 - 08:48 PM

Hi thomcats,

Sorry for the delay, this forum is very busy right now.

If the Banker trojan is only found in the System Restore files, it cannot do any harm. We will be flushing your System Restore after we are sure your computer is clean.

Your log looks clean, but those hidden .tmp files are a cause for concern.

First thing I want you to do is Unhide files and folders:

1. Close all programs so that you are at your desktop.
2. Click Start, My Computer.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.
Now, go to the folder where those FOR and ZTR files are located. (C:\Windows\system32? -- you did not mention the file location in your post. Since you say you keep deleting them I assume you know where they are.). Submit one of the files to Virustotal.

To submit, go to this webpage:

Virustotal

Near the top of the webpage there is a white text box with a Browse button, just click it and navigate to the file, select it, click Open, then back on the web page, click Send.

Virustotal puts the file in a queue and will estimate how long it should take before your file is analyzed. During the analysis you will see the report grow as the file is scanned by each of the programs.

To save the report, highlight the relevant block of text on the web page, then press <Ctrl> - C. Open Notepad and press <Ctrl> - V. Give the file a catchy name like Virustotal.txt and save it to your desktop. I need to see it.

I would like to see a combofix log.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Finally, I need to see a fresh HijackThis log.

Before you run the HijackThis scan I want you to replace your old version of the program with a new one. Please delete the version currently on your computer, then click here and download the new version to your desktop.

To use HijackThis, double-click on the icon. When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis. If you would like to extract it to another location you can change the directory. When it is done installing, HijackThis will automatically launch. When the license agreement appears, select I accept and then click on the Do a system scan only button. When the scan is complete, click on the Save Log button to create a log of your information.

Post the HijackThis log, the Combofix report, and the Virustotal report to a reply here.

Dave
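The three steps above (unhide the files, locate them, fingerprint and submit them) can be scripted so that every reappearance is recorded the same way. The block below is an added example, not code from DaveM59's post, from WinPatrol or from VirusTotal: it walks a directory, picks out files whose names follow the FOR/ZTR pattern reported in the first post, reads the Hidden attribute where the platform exposes it, and prints the size, MD5 and SHA-1 that VirusTotal lists for a sample, so a file that has already been scanned can be looked up by hash instead of uploaded a second time. The `TRIAGE_DIR` environment variable and the files written by `make_demo_directory()` are assumptions constructed for the example; they are not the poster's real files.

```python
"""Enumerate suspect FOR*/ZTR*.tmp files and fingerprint them before submission."""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Name pattern built from the variants reported in the thread:
# FORD6.tmp, ZTRD5.tmp, FOR3D.tmp, ZTR5D.tmp and Z@TR6.tmp (prefix, 1-2 hex digits, .tmp).
SUSPECT_NAME = re.compile(r"^(?:FOR|Z@?TR)[0-9A-F]{1,2}\.tmp$", re.IGNORECASE)


def hashes_of_bytes(data: bytes) -> dict:
    """Size, MD5 and SHA-1: the three values VirusTotal prints under 'Additional information'."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hashes_of_file(path: Path) -> dict:
    """Same three values, streamed so a large sample is never read into memory at once."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def is_hidden(path: Path):
    """True/False on Windows (FILE_ATTRIBUTE_HIDDEN); None elsewhere, where the attribute does not exist."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_suspect_tmp_files(directory) -> list:
    """One record per file in `directory` whose name matches SUSPECT_NAME.

    Sorted by name so that repeated runs (the files keep coming back, per the
    thread) can be diffed against each other.
    """
    records = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and SUSPECT_NAME.match(entry.name):
            rec = hashes_of_file(entry)
            rec.update(name=entry.name, hidden=is_hidden(entry))
            records.append(rec)
    return records


def make_demo_directory() -> Path:
    """Constructed sample files (assumption: not the poster's real ones) so the script runs offline."""
    d = Path(tempfile.mkdtemp(prefix="tmpfile_triage_"))
    (d / "FORD6.tmp").write_bytes(b"constructed sample A")
    (d / "ZTR5D.tmp").write_bytes(b"constructed sample B")
    (d / "Z@TR6.tmp").write_bytes(b"constructed sample C")
    (d / "perfc041.dat").write_bytes(b"unrelated file, should not match")
    return d


if __name__ == "__main__":
    # Assumption: TRIAGE_DIR points at the folder where the files appear (e.g. C:\WINDOWS\system32).
    target = os.environ.get("TRIAGE_DIR") or make_demo_directory()
    for rec in find_suspect_tmp_files(target):
        print(f"{rec['name']:12} hidden={rec['hidden']!s:5} size={rec['size']:>7} "
              f"md5={rec['md5']} sha1={rec['sha1']}")
```

On the XP machine in this thread, `dir /a:h C:\WINDOWS\system32\*.tmp` from a command prompt lists hidden .tmp files without touching Folder Options, which is a quick way to confirm the folder before pointing `TRIAGE_DIR` at it. Keeping the printed MD5/SHA-1 next to each date the files reappear shows whether the same content keeps being rewritten under new names or whether each copy differs, which is the first thing worth knowing about a recurring file.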

#3 thomcats
  • Topic Starter

  • Members
  • 38 posts

Posted 17 July 2007 - 11:15 AM

Hello DaveM59

And thanks for taking care of me.

Here are the results of the scanning actions, which I've performed according to recommendations.

Since I've been deleting the FOR- and ZTR-files when they have shown up, I couldn't find them in Windows System32 - at least not to my "naked" eye. There were, however, references to them present in C:\Documents and Settings\username\Application Data\WinPatrol\vault. In there I found QTFont.qfn, FOR4F, FOR25, FOR27 and FOR51, all of them *.tmp files, and ZTR4E, ZTR24, ZTR26 and ZTR50, all of them *.tmp files.

I scanned the QTFont file and two files, randomly picked from the FOR- and ZTR-lot, with VirusTotal.

VIRUSTOTAL LOG:
File QTFont.qfn received on 07.17.2007 17:07:28 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.17 no virus found
AntiVir 7.4.0.42 2007.07.17 no virus found
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.17 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3789 2007.07.17 no virus found
Ewido 4.0 2007.07.17 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.17 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.17 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2402 2007.07.17 no virus found
Norman 5.80.02 2007.07.17 no virus found
Panda 9.0.0.4 2007.07.17 no virus found
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 no virus found
Additional information
File size: 54156 bytes
MD5: dba91cd5a3a68302967c03213e52bde8
SHA1: 8188a5832590c810b08ee3a2f1567afcdd094108

File FOR27.tmp received on 07.17.2007 17:48:01 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.17 no virus found
AntiVir 7.4.0.42 2007.07.17 no virus found
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.17 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.17 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.17 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3789 2007.07.17 no virus found
Ewido 4.0 2007.07.17 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.17 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.17 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2403 2007.07.17 no virus found
Norman 5.80.02 2007.07.17 no virus found
Panda 9.0.0.4 2007.07.17 no virus found
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 no virus found
Additional information
File size: 1409 bytes
MD5: cb49545c92704da34a7e642645056568
SHA1: 00a1a018621875df63cdc979d2448ca654c81b97


COMBOFIX LOG:
"AT" - 2007-07-17 17:19:13 - ComboFix 07-07-10.5 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\ODCTOOLS


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-14 23:47 15,204,352 --a------ C:\DOCUME~1\AT\ntuser.dat
2007-07-14 10:58 <KAT> d-------- C:\DOTNET
2007-07-12 20:15 <KAT> d-------- C:\WINDOWS\system32\URTTemp
2007-07-12 15:34 <KAT> d-------- C:\Program\Windows Installer Clean Up
2007-07-12 15:34 <KAT> d-------- C:\Program\MSECACHE
2007-07-11 20:43 <KAT> d-------- C:\DOCUME~1\AT\DoctorWeb
2007-07-11 20:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 18:07 <KAT> d-------- C:\VundoFix Backups
2007-07-11 15:06 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\Bitdefender
2007-07-08 00:08 <KAT> d-------- C:\DOCUME~1\AT\APPLIC~1\Bitdefender
2007-07-08 00:07 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-04 09:44 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\InterVideo
2007-07-04 08:56 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\DVD Flick
2007-06-30 13:27 <KAT> d-------- C:\WINDOWS\Cache
2007-06-27 23:00 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\Winamp
2007-06-27 22:18 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\Lavasoft
2007-06-27 22:16 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\DivX
2007-06-27 22:15 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\LEAPS
2007-06-27 22:12 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\Pegasys Inc
2007-06-27 21:42 1,310,720 --ah----- C:\DOCUME~1\Nero\ntuser.dat
2007-06-27 21:42 <KAT> dr------- C:\DOCUME~1\Nero\Start-meny
2007-06-27 21:42 <KAT> dr------- C:\DOCUME~1\Nero\Favoriter
2007-06-27 21:42 <KAT> d--h----- C:\DOCUME~1\Nero\Skrivare
2007-06-27 21:42 <KAT> d--h----- C:\DOCUME~1\Nero\Nätverket
2007-06-27 21:42 <KAT> d--h----- C:\DOCUME~1\Nero\Mallar
2007-06-27 21:42 <KAT> d--h----- C:\DOCUME~1\Nero\Lokala inställningar
2007-06-27 21:42 <KAT> d-------- C:\DOCUME~1\Nero\Skrivbord
2007-06-27 21:42 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\WinPatrol
2007-06-27 21:42 <KAT> d-------- C:\DOCUME~1\Nero\APPLIC~1\ATI
2007-06-23 08:46 <KAT> d-------- C:\WINDOWS\SxsCaPendDel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 15:26:17 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-07-17 15:05:36 -------- d-----w C:\Program\Mozilla Thunderbird
2007-07-17 10:36:52 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\Azureus
2007-07-16 22:24:39 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\UseNeXT
2007-07-13 21:06:03 79,522 ----a-w C:\WINDOWS\system32\perfc01D.dat
2007-07-13 21:06:03 49,098 ----a-w C:\WINDOWS\system32\perfc041.dat
2007-07-13 21:06:03 376,366 ----a-w C:\WINDOWS\system32\perfh01D.dat
2007-07-13 21:06:03 317,872 ----a-w C:\WINDOWS\system32\perfh041.dat
2007-07-13 17:40:46 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\DVD Flick
2007-07-11 15:55:28 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\AdobeUM
2007-07-10 18:24:24 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\Canon
2007-07-07 21:48:59 -------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2007-06-08 15:18:32 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\WinPatrol
2007-06-08 10:57:40 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\dvdcss
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-20 08:55:05 -------- d-----w C:\DOCUME~1\AT\APPLIC~1\eMule
2007-05-16 15:20:05 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 14:41:09 1 ----a-w C:\WINDOWS\system32\ps.dat
2007-05-07 10:27:48 56,976 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2007-05-07 10:27:48 122,512 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2007-04-25 14:22:55 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:16:47 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --------- E:\Program\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
2007-05-25 11:41 5600312 --------- C:\Program\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-06-14 18:32 509592 --a------ C:\Program\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 02:09]
"OSSelectorReinstall"="C:\Program\Delade filer\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-11-29 14:22]
"WinPatrol"="E:\Program\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 19:33]
"BDMCon"="C:\Program\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 16:48]
"BDAgent"="C:\Program\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="E:\Program\DVDREG~1\DVDShell.dll" [2004-10-09 15:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Canon LASER SHOT LBP-1120 Statusfönster.LNK]
backup=C:\WINDOWS\pss\Canon LASER SHOT LBP-1120 Statusfönster.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Systemfältet för ATI CATALYST.lnk]
backup=C:\WINDOWS\pss\Systemfältet för ATI CATALYST.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AT^Start-meny^Program^Autostart^stunnel-4.09.exe.lnk]
backup=C:\WINDOWS\pss\stunnel-4.09.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AT^Start-meny^Program^Autostart^TClock.lnk]
backup=C:\WINDOWS\pss\TClock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"E:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
E:\Program\DVDREG~1\DVDRegionFree.exe /hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"E:\Program\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program\Analog Devices\SoundMAX\SMTray.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CF27C812-0CA0-11d4-A672-00605205B0B3}
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\1stcllt.inf,ACL.Install.PerUser.NT

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 17:27:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-17 17:29:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-17 17:29

--- E O F ---

And lastly, here is a new HijackThis scan log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:01, on 2007-07-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Acronis\Schedule2\schedul2.exe
E:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program\Delade filer\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI.ACE\cli.exe
E:\Program\BillP Studios\WinPatrol\winpatrol.exe
C:\Program\Softwin\BitDefender10\bdmcon.exe
C:\Program\Softwin\BitDefender10\bdagent.exe
C:\Program\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program\DeskColor\DeskColor.exe
E:\Program\1stClock\1stClock.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Internet Explorer\iexplore.exe
E:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program\Delade filer\Softwin\BitDefender Scan Server\bdss.exe
C:\Program\Softwin\BitDefender10\vsserv.exe
E:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program\Delade filer\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [WinPatrol] E:\Program\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 1st Clock.lnk = E:\Program\1stClock\1stClock.exe
O4 - Startup: ERUNT AutoBackup.lnk = E:\Program\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DeskColor.lnk = E:\Program\DeskColor\DeskColor.exe
O8 - Extra context menu item: Anpassa meny - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - C:\WINDOWS\Installer\$PatchCache$\Managed\D140111900063D11C8EF10054038389C\11.0.5614\EXCEL.exe
O8 - Extra context menu item: Fyll i formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RF verktygsfält - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Spara formulär - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fyll i formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Spara - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Spara formulär - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF verktygsfält - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135369955515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135881980890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{023177B7-8853-4418-8ECA-538E4CD54C1E}: NameServer = 195.54.122.200,195.54.122.204
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program\Delade filer\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program\Delade filer\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program\Delade filer\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program\Delade filer\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10153 bytes


Cheers!
Thomcats
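The HijackThis log above is reviewed by eye in this thread. As an added example (not code from the thread, from HijackThis or from any tool named here), the following script parses the `Rn`/`On` line format and applies a reviewer's first-pass checklist: a browser proxy set in the registry, per-interface DNS servers, services whose binary carries no publisher name, orphaned ActiveX (O16) entries, and autostart entries running from a temp or profile directory. The sample lines are copied from the log above, except for the `[updater]` O4 entry, which is constructed to exercise the profile-directory rule and does not appear in the thread. A flag means "go and check", not "malware": a local proxy such as 127.0.0.1:8080 is expected on a machine that runs a tunnelling or filtering tool, and the DNS servers may simply be the ISP's.

```python
"""Flag review-worthy lines in a HijackThis 2.x log.

Added example: this is not code from the thread or from HijackThis. The rules
are a reviewer's first-pass checklist, not a verdict; a flagged line still
needs someone who knows the machine to say whether the entry is expected.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Flag:
    kind: str   # short tag for the rule that fired
    line: str   # the HJT line, verbatim
    why: str    # what a reviewer should go and check


# Every HJT entry is "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [Name] path".
_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")

# Autostart locations a legitimate installer rarely uses (Swedish XP folder
# names included, since the log above comes from a Swedish-locale machine).
_PROFILE_DIRS = re.compile(
    r"\\(Temp|Temporary Internet Files|Application Data|Local Settings|Lokala inställningar)\\",
    re.IGNORECASE,
)


def review_hjt(text: str) -> List[Flag]:
    """Return one Flag per line that matches a checklist rule, in log order."""
    flags: List[Flag] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1") and "ProxyServer" in rest:
            flags.append(Flag("proxy", line,
                "IE traffic goes through a proxy; confirm the listener is software you installed"))
        elif sec == "O17" and "NameServer" in rest:
            flags.append(Flag("dns", line,
                "per-interface DNS servers; verify they belong to your ISP or router"))
        elif sec == "O23" and "Unknown owner" in rest:
            flags.append(Flag("service-no-publisher", line,
                "service binary carries no company name; check its publisher and hash"))
        elif sec == "O16" and rest.endswith("-"):
            flags.append(Flag("dpf-orphan", line,
                "ActiveX download entry with no name or URL; a leftover HJT can remove"))
        elif sec == "O4" and _PROFILE_DIRS.search(rest):
            flags.append(Flag("autorun-from-profile", line,
                "autostart entry running from a temp or profile directory"))
    return flags


# Sample input: lines copied from the log above plus ONE constructed entry
# ([updater]) that points at a Temp directory; no such entry appears in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [WinPatrol] E:\Program\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\AT\Lokala inställningar\Temp\upd.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{023177B7-8853-4418-8ECA-538E4CD54C1E}: NameServer = 195.54.122.200,195.54.122.204
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.why}")
```

Feed it a whole saved log and read the flagged lines against what you know is installed; anything you cannot account for is what you post for a helper to look at, together with the binary's hash.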

#4 DaveM59 (Bleepin' Grandpa)

Posted 17 July 2007 - 10:23 PM

Hi again Thomcats,

I am not certain yet, but I am inclined to think that what you have here is a false positive from Winpatrol. I think so because the files are not identified as malware by any of the scanners that Virustotal uses. If a few of them -- perhaps even only one -- had said the files were bad, I would not be so inclined to doubt the Winpatrol result.

I am still working my way through your Combofix log, but so far I have not found anything suspicious.

Could you look at the properties of one of these files? Right-click the file icon and select Properties, then click both the General and Summary tabs and see if they give you any information.

More tomorrow, right now I have to get some sleep.

Dave

#5 DaveM59 (Bleepin' Grandpa)

Posted 18 July 2007 - 11:41 AM

Hi again,

I have been through your Combofix log and nothing malicious appears to be showing in it.

In addition to the file properties information I asked for, I would like you to run an online scan and post the report.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Dave

#6 thomcats (Topic Starter)

Posted 18 July 2007 - 03:27 PM

Hello Dave,

Here is the Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 18, 2007 10:19:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/07/2007
Kaspersky Anti-Virus database records: 364896


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 107138
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:23:46

Infected Object Name Virus Name Last Action
C:\Documents and Settings\AT\Application Data\Bitdefender\Desktop\Profiles\asdict.dat Object is locked skipped

C:\Documents and Settings\AT\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped

C:\Documents and Settings\AT\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Application Data\ApplicationHistory\CLI.exe.65d44588.ini.inuse Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Temp\Perflib_Perfdata_584.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Temp\Perflib_Perfdata_5e4.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\AT\Lokala inställningar\Tidigare\History.IE5\MSHist012007071820070719\index.dat Object is locked skipped

C:\Documents and Settings\AT\ntuser.dat Object is locked skipped

C:\Documents and Settings\AT\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program\Softwin\BitDefender10\aspdict.dat Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{AA213DA4-9EFB-4278-9877-FD43FB299B32}\RP40\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\bdss.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\WINDOWS\temp\tmp00004dfa\tmp00000000 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\1Mina Dokument\readme1.doc Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


I looked into the properties of all the files in question and none of them had any additional interesting info. They were said to be "unknown programs". QTFont 53 Kb large and all the FOR-files 45/44 Kb each and the ZTR-files only 2 Kb each.

I'm beginning to think like you, that this is a false positive.

Cheers!
Thomcats

#7 DaveM59 (Bleepin' Grandpa)

Posted 18 July 2007 - 08:20 PM

Hi again,

The weakness of a program like WinPatrol is that it relies on heuristics -- it looks for certain patterns of behavior similar to those that spyware or malware might engage in. But it might make a mistake. Legitimate programs can do things that are very similar to spyware.

I have been googling the filenames in your various logs; many of the mysterious ones seem to be associated with Macromedia/Adobe. I don't know whether those .tmp files that WinPatrol warned you about are created by an Adobe program, but it might be possible.

Well, let's do a general system cleanup and look at a couple more logs.

Get ATF Cleaner here. It does not require installation, just download it to your desktop.
Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.

I would like to see a Superantispyware log. Here is the canned speech for this. I know you already have the program installed, so you can ignore the instructions for downloading and installation, just begin with the update step and go from there.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
I would like to see a special HJT log.

Open HijackThis, click Config, then click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information, with a screenshot, can be found here.


Also, besides the logs, tell me how your computer is running. Are you noticing any performance problems?


Dave

#8 thomcats (Topic Starter)

Posted 19 July 2007 - 07:35 AM

Hello again!

Here are the results of the last scans. The result from SUPERAntiSpyware is interesting, because what it found is in files installed long, long ago which I haven't touched for ages. I wonder if the malware was there from the start or if it was added recently?

Here is the SUPER scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2007 at 02:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3271
Trace Rules Database Version: 1282

Scan type : Complete Scan
Total Scan Time : 01:31:01

Memory items scanned : 625
Memory threats detected : 0
Registry items scanned : 5955
Registry threats detected : 0
File items scanned : 104440
File threats detected : 11

Adware.GloboLook
E:\IKONER\ICOHOLIC\PILL2.ICO
E:\IKONER\ICONMANIA\MISC\VISA.ICO
E:\IKONER\ICONMANIA\MUSIC\LES PAUL.ICO
E:\IKONER\ICONMANIA\SCIENCE & MEDICINE\HOSPITAL.ICO
E:\IKONER\ICONMANIA\SEASONS & HOLIDAYS\AUGUST.ICO
E:\IKONER\ICONMANIA\SPORTS & RECREATION\BASKETBALL.ICO
E:\IKONER\ICONMANIA\SPORTS & RECREATION\BLACKJACK.ICO
E:\IKONER\ICONMANIA\SPORTS & RECREATION\KING.ICO
E:\IKONER\ICONMANIA\TRANSPORTATION\58 CORVETTE.ICO
E:\IKONER\ICONMANIA\TRANSPORTATION\747.ICO
E:\IKONER\ICONMANIA\WEBSITES\GAMESPY.ICO

And lastly is the special Hijackthis uninstall_list log:

1st Clock Light 1.0 (freeware)
AC3Filter (remove only)
Acronis Disk Director Suite
Acronis True Image
Ad-Aware SE Professional
Adobe Flash Player ActiveX
Adobe Reader 6.0.1 - Svenska
Adobe Shockwave Player
AI RoboForm Adapter for Firefox/Mozilla/Netscape
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
ATI - Hjälp för avinstallation av program
ATI Catalyst Control Center
ATI Display Driver
ATI Kontrollpanel
Audio Converter
AVG Anti-Spyware 7.5
Axialis IconWorkshop 6.0
Azureus
BitDefender Internet Security v10
Canon CanoScan Toolbox 4.1
Canon LASER SHOT LBP-1120
CanoScan LiDE20,30 Manual
CCleaner (remove only)
CleanCache 3.5
CoreFLAC Audio Decoder+Source Filter (remove only)
CustomIcons
Dark Solar System ScreenSaver
DeskColor 3.0
Desktop Architect
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DriverGuide Toolkit
DVD Decrypter (Remove Only)
DVD Flick
DVD Region+CSS Free 5.9.8.3
DVD Shrink 3.2
eMule
EO Video 1.36
ERUNT 1.1j
FLV Player 1.3.3
GetMail 3.25
GoldWave v5.04
Google Earth
Helix YUV Codecs (remove only)
HijackThis 2.0.2
Hogia Support
HogiaArt
HogiaArt 2005.1, Servicepack 1
HPDF Printer
ICQ 5.1
Image Merger .EXE 1.0.0.19
Images of Ireland Theme for Windows XP
InterActual Player
InterVideo WinDVD 7
IrfanView (remove only)
IsoBuster 2.1
Java™ 6 Update 2
jv16 PowerTools 2005
Kaspersky Online Scanner
Kyodai
Logitech SetPoint
MediaWare Solutions MyFlix
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mobile Media Converter
Monkey's Audio
Moyea FLV to Video Converter version 1.15.2.11
Mozilla Firefox (2.0.0.2)
Mozilla Thunderbird (1.5.0.9)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero 6
Nero BurnRights (Ahead Software)
O&O Defrag Professional Edition
OmniPage SE
Panda ActiveScan
Pop-a-BMP-to-ICO
QuickPar 0.9
QuickTime Alternative 1.67
RadLight MPC DirectShow Filter (remove only)
Real Alternative 1.46
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
River Past Audio Converter
Security Update för Microsoft .NET Framework 2.0 (kB928365)
Snabbkorrigering för Windows XP (KB927891)
SnagIt 6
Sony Sound Forge 7.0
SoulSeek Client 156c
SoundMAX
Spybot - Search & Destroy 1.4
STunnel
Subtitle Workshop 2.51
SubtitleCreator
Super Jigsaw
SUPERAntiSpyware Free Edition
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB928090)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB931768)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB933566)
Säkerhetsuppdatering för Windows XP (KB918118)
Säkerhetsuppdatering för Windows XP (KB924667)
Säkerhetsuppdatering för Windows XP (KB925902)
Säkerhetsuppdatering för Windows XP (KB926436)
Säkerhetsuppdatering för Windows XP (KB927779)
Säkerhetsuppdatering för Windows XP (KB927802)
Säkerhetsuppdatering för Windows XP (KB928255)
Säkerhetsuppdatering för Windows XP (KB928843)
Säkerhetsuppdatering för Windows XP (KB929123)
Säkerhetsuppdatering för Windows XP (KB930178)
Säkerhetsuppdatering för Windows XP (KB931261)
Säkerhetsuppdatering för Windows XP (KB931784)
Säkerhetsuppdatering för Windows XP (KB932168)
Säkerhetsuppdatering för Windows XP (KB935839)
Säkerhetsuppdatering för Windows XP (KB935840)
TMPGEnc 3.0 XPress
TMPGEnc 4.0 XPress
TMPGEnc DVD Author 3 with DivX Authoring
TMPGEnc Sound Player
TPTEST 5.0.1
Tweak UI
Uniblue RegistryBooster2
Uniblue System Tweaker
Update for Windows Internet Explorer 7 (KB928089)
Uppdatering för Windows XP (KB929338)
Uppdatering för Windows XP (KB930916)
Uppdatering för Windows XP (KB931836)
URL Snooper v2.03.09
UseNeXT
VideoLAN VLC media player 0.8.5
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 9 Series SDK
Windows Media Format Runtime
Windows Media Player 10
Windows Vista Upgrade Advisor
WinPac 2 (remove only)
WinPatrol 2007
WinPcap 3.1 beta4
WinRAR
WinTasks
VobSub v2.23 (Remove Only)
XQDC X-Setup Pro 7.2.360.Final1
Xvid 1.1.2 final uninstall
Yahoo! Messenger

And on top of this, I'd like to say that the computer is working at what seems normal to me. No abnormally long times in general to surf and browse - there are pages of course that will take longer to unwrap, but that isn't at all uncommon, I think. And the computer doesn't seem sluggish to me.

Cheers!
Thomcats

#9 DaveM59 (Bleepin' Grandpa)

Posted 19 July 2007 - 05:16 PM

Hi again thomcats,

I don't see anything worrisome in your Uninstall list either. Not that I expected to -- you seem to be security conscious and pretty knowledgeable.

Well, the files that SAS found are associated with Adware.GloboLook which from what I can find, is a pretty straightforward adware program. But it did not find the executable program that actually serves up the ads. Since you are not complaining of popups or other ads, I suspect that your antispyware programs already took care of that. These are icon files and are really incidental, you might call them leftovers. I suspect they have been on the computer for some time, you could check the file creation dates to verify that. If they were recent they would have been listed in your Combofix log: it lists all files created in the last 30 days and all files modified in the last 90 days.

If you are concerned about them, you can delete the whole IKONER folder.

Other than that, from your description of how the computer is running, I am convinced that it is clean.

Here is the standard all-clear speech:

Not much left except final cleanup. You should delete any specialized tools I asked you to download. Standard antispyware scanners you may keep and use for occasional scans as you see fit, but tools like Gmer, ComboFix, SmitFraudFix et al. are updated very frequently, and if, God forbid, you ever need them again, you will need to re-download them anyway. Since you already have CCleaner, you can get rid of ATFCleaner too.

The next step is to delete all temp files, but you already did that with ATFCleaner.

Now you need to flush your System Restore files and set a clean restore point. To do this, you must first disable System Restore, then reboot your computer, and finally turn System Restore back on. For the details, I refer you to this tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/


Then, please read and implement the recommendations found here.

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

There are more tips found here:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

I cannot tell whether you have the Bitdefender firewall enabled. If not, please read the firewall article that Grinler links to, and consider implementing it. A two-way firewall is a major improvement over the built in Windows firewall.

That's about all I have for you. Any questions, just ask.

Dave
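Two checks run through this thread: Dave's VirusTotal lookup in post #4, and the creation-date check in post #9, which leans on ComboFix's listing of files created in the last 30 days or modified in the last 90. As an added example (not code from the thread, from ComboFix or from WinPatrol), the script below does both offline for a folder of suspect files: it applies the same 30/90-day window, records whether each file begins with the "MZ" header of a Windows executable (the FOR/ZTR files were reported as "unknown programs", so that is worth knowing), and computes the SHA-256 you would paste into VirusTotal's hash search instead of uploading the file. The three sample files it builds are constructed with hypothetical names and back-dated timestamps; they are not the poster's files. Note the caveat in the code about creation time: Windows and macOS expose it, Linux does not, and `utime` cannot back-date it on Windows.

```python
"""Recent-file triage for a folder of suspect files.

Added example, not code from the thread or from ComboFix/WinPatrol. It applies
the same "created in the last 30 days or modified in the last 90 days" window
Dave attributes to ComboFix, notes whether each file starts with a PE ("MZ")
header, and computes the SHA-256 you would look up on VirusTotal before
uploading anything.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400.0


@dataclass
class Finding:
    path: str
    size: int
    created_days: float
    modified_days: float
    is_pe: bool     # begins with "MZ": a Windows executable, DLL or driver
    sha256: str


def on_windows() -> bool:
    return os.name == "nt"


def _creation_time(st: os.stat_result) -> float:
    """Best-effort creation time: st_ctime on Windows, st_birthtime on
    macOS/BSD; Linux exposes none through os.stat, so fall back to mtime."""
    if on_windows():
        return st.st_ctime
    return getattr(st, "st_birthtime", st.st_mtime)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: str, created_within: float = 30, modified_within: float = 90,
           now: Optional[float] = None) -> List[Finding]:
    """Walk root and return files created within created_within days or
    modified within modified_within days, most recently modified first."""
    now = time.time() if now is None else now
    found: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    is_pe = fh.read(2) == b"MZ"
            except OSError:
                continue  # locked or unreadable, like the "Object is locked" rows above
            c_days = (now - _creation_time(st)) / DAY
            m_days = (now - st.st_mtime) / DAY
            if c_days < created_within or m_days < modified_within:
                found.append(Finding(path, st.st_size, round(c_days, 1),
                                     round(m_days, 1), is_pe, _sha256(path)))
    found.sort(key=lambda f: f.modified_days)
    return found


def names_of(findings: List[Finding]) -> List[str]:
    return [os.path.basename(f.path) for f in findings]


def make_constructed_sample() -> str:
    """Build a throwaway directory with three CONSTRUCTED files (hypothetical
    names, not the poster's files) back-dated 10, 60 and 120 days via utime.
    Windows keeps the real creation time, so there only the mtime is aged."""
    base = tempfile.mkdtemp(prefix="triage_")
    spec = [("fresh.for", 10, b"MZ" + b"\x00" * 62),
            ("older.ztr", 60, b"plain data, not an executable"),
            ("ancient.tmp", 120, b"MZ" + b"\x90" * 16)]
    for name, days, body in spec:
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(body)
        stamp = time.time() - days * DAY
        os.utime(path, (stamp, stamp))
    return base


if __name__ == "__main__":
    for f in triage(make_constructed_sample()):
        tag = "PE " if f.is_pe else "   "
        print(f"{f.modified_days:6.1f}d {tag} {f.size:6d} {f.sha256[:16]}... {f.path}")
```

Run it against the directory the files keep reappearing in (C:\WINDOWS\system32 in the poster's case, with a narrower window such as `created_within=2`) and the output is exactly the evidence a helper asks for: size, age, whether it is actually executable, and a hash that can be searched without handing the file to anyone.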

#10 thomcats (Topic Starter)

Posted 20 July 2007 - 07:11 AM

Hello again Dave!

Thank you for all the care you have lavished on this issue. I feel fully confident that all corners of my comp have been searched and that no threats are present for the moment.

I shall read all recommendations and engage in all actions to safely close this matter.

Again MANY Thanks!

Thomcats

#11 DaveM59 (Bleepin' Grandpa)

Posted 20 July 2007 - 06:17 PM

Hi again thomcats,

Glad I could help.

Best wishes for safe and trouble free computing :thumbsup:

Dave

Because this issue appears to be resolved, this topic is now closed. If you need it re-opened, please PM me and include the URL in your message.

This applies to the original poster only. Everyone else please start a new topic.
